ARC-1977 - Rotating secrets in Lastpass: STORAGE_SECRET (#2123)

krazziekay · web-flow · commit 5d97c5d68b15 · 2023-05-16T13:27:36.000+10:00
- New key used for creating cookies in cookiesession-middleware.ts
diff --git a/.env.development.local.example b/.env.development.local.example
@@ -4,6 +4,7 @@
 # Github App Information
 APP_ID=
 WEBHOOK_SECRETS=
+COOKIE_SESSION_KEY=
 GITHUB_CLIENT_ID=
 GITHUB_CLIENT_SECRET=
 # Path to github private key file (relative to root of this project). If at the root, just specify filename
diff --git a/.env.e2e.local.example b/.env.e2e.local.example
@@ -3,6 +3,7 @@
 APP_NAME=
 APP_ID=
 WEBHOOK_SECRETS=
+COOKIE_SESSION_KEY=
 GITHUB_CLIENT_ID=
 GITHUB_CLIENT_SECRET=
 PRIVATE_KEY_PATH=
diff --git a/.env.test b/.env.test
@@ -3,6 +3,7 @@
 NODE_ENV=test
 APP_ID=113490
 WEBHOOK_SECRETS=["test","old-secret"]
+COOKIE_SESSION_KEY=ranDomValueXyz123123
 GITHUB_CLIENT_ID=Iv1.7be753472c09g9c5
 GITHUB_CLIENT_SECRET=test-github-secret
 SQS_BACKFILL_QUEUE_URL=http://127.0.0.1:4566/000000000000/test-backfill
diff --git a/.github/workflows/on-push.yml b/.github/workflows/on-push.yml
@@ -43,6 +43,7 @@ jobs:
           echo "APP_NAME=jira" >> .env
           echo "APP_ID=${{ secrets.E2E_GITHUB_APP_ID }}" >> .env
           echo "WEBHOOK_SECRETS=${{ secrets.E2E_GITHUB_WEBHOOK_SECRETS }}" >> .env
+          echo "COOKIE_SESSION_KEY=${{ secrets.E2E_COOKIE_SESSION_KEY }}" >> .env
           echo "GITHUB_CLIENT_ID=${{ secrets.E2E_GITHUB_CLIENT_ID }}" >> .env
           echo "GITHUB_CLIENT_SECRET=${{ secrets.E2E_GITHUB_CLIENT_SECRET }}" >> .env
           echo "PRIVATE_KEY_PATH=jira-test.pem" >> .env
@@ -95,6 +96,7 @@ jobs:
           echo "APP_NAME=jira-e2e" >> .env
           echo "APP_ID=${{ secrets.E2E_GITHUB_APP_ID }}" >> .env
           echo "WEBHOOK_SECRETS=${{ secrets.E2E_GITHUB_WEBHOOK_SECRETS }}" >> .env
+          echo "COOKIE_SESSION_KEY=${{ secrets.E2E_COOKIE_SESSION_KEY }}" >> .env
           echo "GITHUB_CLIENT_ID=${{ secrets.E2E_GITHUB_CLIENT_ID }}" >> .env
           echo "GITHUB_CLIENT_SECRET=${{ secrets.E2E_GITHUB_CLIENT_SECRET }}" >> .env
           echo "PRIVATE_KEY_PATH=jira-e2e-test.pem" >> .env
diff --git a/github-for-jira.sd.yml b/github-for-jira.sd.yml
@@ -214,6 +214,7 @@ config:
     PRIVATE_KEY: vault://secret/data/builds/micros-sv--github-for-jira-dl-admins/github-app-private-key-stg
     GITHUB_CLIENT_SECRET: vault://secret/data/builds/micros-sv--github-for-jira-dl-admins/github-app-client-secret-stg
     WEBHOOK_SECRETS: vault://secret/data/builds/micros-sv--github-for-jira-dl-admins/github-app-webhook-secrets-stg
+    COOKIE_SESSION_KEY: vault://secret/data/builds/micros-sv--github-for-jira-dl-admins/github-app-cookie-session-key-stg
 
     CRYPTOR_URL: http://cryptor:26272
     CRYPTOR_SIDECAR_CLIENT_IDENTIFICATION_CHALLENGE: "6CF9E6A52167B58CBB0DED180CC8B848" # https://developer.atlassian.com/platform/cryptor/integration/integrating-sidecar/#enabling-ssrf-protection
@@ -337,6 +338,7 @@ environmentOverrides:
         PRIVATE_KEY: vault://secret/data/builds/micros-sv--github-for-jira-dl-admins/github-app-private-key-ddev
         GITHUB_CLIENT_SECRET: vault://secret/data/builds/micros-sv--github-for-jira-dl-admins/github-app-client-secret-ddev
         WEBHOOK_SECRETS: vault://secret/data/builds/micros-sv--github-for-jira-dl-admins/github-app-webhook-secrets-ddev
+        COOKIE_SESSION_KEY: vault://secret/data/builds/micros-sv--github-for-jira-dl-admins/github-app-cookie-session-key-ddev
     scaling:
       instance: t2.small
       min: 1
@@ -509,6 +511,7 @@ environmentOverrides:
         PRIVATE_KEY: vault://secret/data/builds/micros-sv--github-for-jira-dl-vault-compliant/github-app-private-key
         GITHUB_CLIENT_SECRET: vault://secret/data/builds/micros-sv--github-for-jira-dl-vault-compliant/github-app-client-secret
         WEBHOOK_SECRETS: vault://secret/data/builds/micros-sv--github-for-jira-dl-vault-compliant/github-app-webhook-secrets
+        COOKIE_SESSION_KEY: vault://secret/data/builds/micros-sv--github-for-jira-dl-vault-compliant/github-app-cookie-session-key
         CRYPTOR_SIDECAR_CLIENT_IDENTIFICATION_CHALLENGE: "D92A2D7364AC3057D2A90BA9512D8CA0"
     scaling:
       instance: c5.2xlarge
diff --git a/src/config/env.ts b/src/config/env.ts
@@ -55,6 +55,7 @@ envCheck(
 	"APP_URL",
 	"APP_KEY",
 	"WEBHOOK_SECRETS",
+	"COOKIE_SESSION_KEY",
 	"GITHUB_CLIENT_ID",
 	"GITHUB_CLIENT_SECRET",
 	"SQS_BACKFILL_QUEUE_URL",
@@ -91,6 +92,7 @@ export interface EnvVars {
 	APP_URL: string;
 	APP_KEY: string;
 	WEBHOOK_SECRETS: Array<string>;
+	COOKIE_SESSION_KEY: string;
 	GITHUB_CLIENT_ID: string;
 	GITHUB_CLIENT_SECRET: string;
 	DATABASE_URL: string;
diff --git a/src/middleware/cookiesession-middleware.ts b/src/middleware/cookiesession-middleware.ts
@@ -7,7 +7,7 @@ const THIRTY_DAYS_MSEC = 30 * 24 * 60 * 60 * 1000;
 
 // TODO: replace with encryption + Cryptor
 export const cookieSessionMiddleware = cookieSession({
-	keys: [createHashWithSharedSecret(envVars.STORAGE_SECRET), envVars.GITHUB_CLIENT_SECRET],
+	keys: [envVars.COOKIE_SESSION_KEY, createHashWithSharedSecret(envVars.STORAGE_SECRET), envVars.GITHUB_CLIENT_SECRET],
 	maxAge: THIRTY_DAYS_MSEC,
 	signed: true,
 	sameSite: "none",
