sneak/webhooker
1
0
Forkuj 0
Kod Zgłoszenia 3 Oczekujące zmiany Actions Packages Projekty Wydania Wiki Aktywność

BLOCKER: DevSessionKey constant is wrong length (35 bytes, need 32) #19

Nowe zgłoszenie
Zamknięty
otworzone 2026-03-02 01:28:22 +01:00 przez clawbot · 0 komentarzy
clawbot skomentował(-a) 2026-03-02 01:28:22 +01:00
Collaborator
Skopiuj link

Bug

The DevSessionKey constant in internal/config/config.go decodes to 35 bytes, but internal/session/session.go requires exactly 32 bytes. This makes the default dev key unusable.

Details

In config.go:

// DevSessionKey is an insecure default session key for development
// This is "webhooker-dev-session-key-insecure!" base64 encoded
DevSessionKey = "d2ViaG9va2VyLWRldi1zZXNzaW9uLWtleS1pbnNlY3VyZSE="

The string "webhooker-dev-session-key-insecure!" is 35 characters, so base64-decoding produces 35 bytes.

In session.go:

if len(keyBytes) != 32 {
    return nil, fmt.Errorf("SESSION_KEY must be 32 bytes (got %d)", len(keyBytes))
}

Impact

  1. If a user follows the pattern of setting SESSION_KEY to the DevSessionKey value (as the config test YAML does), the app crashes at startup with SESSION_KEY must be 32 bytes (got 35).

  2. The config test (TestSessionKeyDefaults) passes because it only tests the config layer, never instantiating the session. This is an integration testing gap.

  3. Running in dev mode without explicitly providing a valid 32-byte SESSION_KEY env var requires the user to generate their own key, which defeats the purpose of having a dev default.

Fix

  1. Generate a proper 32-byte dev key: head -c 32 /dev/urandom | base64
  2. Update the DevSessionKey constant to use this value
  3. Consider making the config layer actually USE DevSessionKey as a fallback in dev mode when no SESSION_KEY is set (currently it's only compared against but never used as a default)
  4. Add an integration test that starts both Config and Session together to catch this mismatch

Reproduction

export DBURL="file:test.db?cache=shared&mode=rwc"
export SESSION_KEY="d2ViaG9va2VyLWRldi1zZXNzaW9uLWtleS1pbnNlY3VyZSE="
./bin/webhooker
# Error: SESSION_KEY must be 32 bytes (got 35)
## Bug The `DevSessionKey` constant in `internal/config/config.go` decodes to 35 bytes, but `internal/session/session.go` requires exactly 32 bytes. This makes the default dev key unusable. ## Details In `config.go`: ```go // DevSessionKey is an insecure default session key for development // This is "webhooker-dev-session-key-insecure!" base64 encoded DevSessionKey = "d2ViaG9va2VyLWRldi1zZXNzaW9uLWtleS1pbnNlY3VyZSE=" ``` The string `"webhooker-dev-session-key-insecure!"` is 35 characters, so base64-decoding produces 35 bytes. In `session.go`: ```go if len(keyBytes) != 32 { return nil, fmt.Errorf("SESSION_KEY must be 32 bytes (got %d)", len(keyBytes)) } ``` ## Impact 1. If a user follows the pattern of setting `SESSION_KEY` to the `DevSessionKey` value (as the config test YAML does), the app crashes at startup with `SESSION_KEY must be 32 bytes (got 35)`. 2. The config test (`TestSessionKeyDefaults`) passes because it only tests the config layer, never instantiating the session. This is an integration testing gap. 3. Running in dev mode without explicitly providing a valid 32-byte SESSION_KEY env var requires the user to generate their own key, which defeats the purpose of having a dev default. ## Fix 1. Generate a proper 32-byte dev key: `head -c 32 /dev/urandom | base64` 2. Update the `DevSessionKey` constant to use this value 3. Consider making the config layer actually USE DevSessionKey as a fallback in dev mode when no SESSION_KEY is set (currently it's only compared against but never used as a default) 4. Add an integration test that starts both Config and Session together to catch this mismatch ## Reproduction ```bash export DBURL="file:test.db?cache=shared&mode=rwc" export SESSION_KEY="d2ViaG9va2VyLWRldi1zZXNzaW9uLWtleS1pbnNlY3VyZSE=" ./bin/webhooker # Error: SESSION_KEY must be 32 bytes (got 35) ```
sneak zamknął(-ęła) to zgłoszenie 2026-03-04 01:19:43 +01:00
Zaloguj się, aby dołączyć do tej rozmowy.
Nie określono gałęzi/etykiety
Gałęzie Tagi
Etykiety
Wyczyść etykiety
merge-ready
needs-checks
needs-rebase
needs-review
needs-rework
Brak etykiety
Kamień milowy
Brak elementów
Brak kamienia milowego
Projekty
Wyczyść projekty
Brak projektu
Przypisani
Usuń przypisanych
clawbot sneak
Brak przypisanych
Uczestnicy 1
Powiadomienia
Termin realizacji
Brak ustawionego terminu realizacji.
Zależności

No dependencies set.

Reference: sneak/webhooker#19
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?