~mna/tulip

The tulip.crypto module. Note that this module is meant for internal use: it signs and validates cookies.

# API

Assuming local crypto = require 'tulip.crypto'.

# tok, err = crypto.decode(hkey, max_age, v, ...)

Decodes v, validating its HMAC, and returns the token on success, or nil and an error on failure. Tokens older than max_age are rejected. Note that the returned token is still base64-encoded (assuming v was base64-encoded when it was passed to encode, as it should be). The extra values must be the same as those provided to encode, in the same order; a mismatch in value or order fails validation.

# tok = crypto.encode(hkey, v, ...)

Encodes v with an HMAC computed using hkey and returns the encoded token. Note that v should already be base64-encoded. The extra values are mixed into the HMAC computation but are not stored in the returned token, so they bind the token to context the verifier must already know (a session or user identifier, for example). The same values, in the same order, must be provided to decode.
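The following is an added example written for this page, not tulip's code: a stand-alone reimplementation of the encode/decode scheme described in the two entries above, so the round trip, the role of the extra values and the failure modes can be run and inspected. Everything the page leaves unspecified is an assumption here: HMAC-SHA256 as the MAC, a creation timestamp stored in the token (the thing max_age, in seconds, is checked against), '.' as the separator between token parts, and length-prefixed parts inside the MAC input so that two different (v, extra...) combinations can never produce the same MAC message. The key, session id and timestamps are constructed test data.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Sequence, Tuple

# Added example for this page: a stand-alone reimplementation of the
# encode/decode scheme described above. It is NOT tulip's code. Assumed
# details: HMAC-SHA256, a creation timestamp stored in the token (what
# max_age, in seconds, is checked against), '.' between token parts, and
# length-prefixed parts inside the MAC input.

def b64(raw: bytes) -> str:
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mac_of(hkey: bytes, v: str, ts: str, extra: Sequence[str]) -> bytes:
    # Length-prefix every part: "ab"+"c" and "a"+"bc" must not MAC the same.
    parts = [p.encode("utf-8") for p in (v, ts, *extra)]
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(hkey, msg, hashlib.sha256).digest()

def encode(hkey: bytes, v: str, *extra: str, now: Optional[int] = None) -> str:
    """Return 'v.timestamp.mac'. v must already be base64 (hence no '.').
    The extra values are mixed into the MAC but not stored in the token."""
    if "." in v:
        raise ValueError("v must be base64-encoded before encode()")
    ts = str(int(time.time() if now is None else now))
    return ".".join((v, ts, b64(mac_of(hkey, v, ts, extra))))

def decode(hkey: bytes, max_age: int, tok: str, *extra: str,
           now: Optional[int] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (v, None) on success or (None, err). The same extra values, in
    the same order, must be given as at encode time. The MAC is verified in
    constant time before anything in the token (including ts) is trusted."""
    parts = tok.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    v, ts, mac_b64 = parts
    try:
        got = unb64(mac_b64)
    except ValueError:                      # binascii.Error is a ValueError
        return None, "malformed mac"
    if not hmac.compare_digest(got, mac_of(hkey, v, ts, extra)):
        return None, "invalid mac"          # tampering, wrong key or wrong extras
    try:
        age = int(time.time() if now is None else now) - int(ts)
    except ValueError:                      # unreachable for encode() output, kept defensive
        return None, "malformed timestamp"
    if age > max_age:
        return None, "expired"
    return v, None

if __name__ == "__main__":
    key = b"0123456789abcdef0123456789abcdef"   # constructed 32-byte HMAC key
    sid = b64(b"session-42")                     # base64 first, as the page requires
    tok = encode(key, sid, "10.0.0.5", now=1_700_000_000)
    print(tok)
    print(decode(key, 3600, tok, "10.0.0.5", now=1_700_000_100))   # ('c2Vzc2lvbi00Mg', None)
    print(decode(key, 3600, tok, "10.0.0.6", now=1_700_000_100))   # (None, 'invalid mac')
    print(decode(key, 3600, tok, "10.0.0.5", now=1_700_003_601))   # (None, 'expired')
```

Two points worth checking in any implementation of this shape: the MAC must be compared in constant time and verified before the timestamp is parsed or trusted, and the MAC input must be unambiguous (here by length-prefixing), otherwise a caller passing extras "ab" and "c" produces the same token as one passing "a" and "bc".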

# masked = crypto.mask_token(raw_tok)

Returns a new token that is masked by XOR with a freshly generated random mask of the same length. The mask is appended to the masked value, so the return value is twice the size of raw_tok.

This is to mitigate the BREACH attack (http://breachattack.com/#mitigations): because a fresh mask is used each time, the same underlying token is embedded as different bytes in every response, so an attacker who controls part of a compressed response cannot learn the token by watching how the compressed length changes as guesses are reflected next to it.

# unmasked = crypto.unmask_token(masked_tok, len)

Returns the unmasked token by splitting masked_tok into the XOR'ed value and the mask (len is the length of the raw token, i.e. half of masked_tok) and XOR'ing the two again to recover the raw token.
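The following is an added example written for this page, not tulip's code: a stand-alone reimplementation of the mask_token/unmask_token scheme described in the three entries above, together with a miniature BREACH measurement that shows what the masking buys. The layout follows the text (XOR of the raw token with a fresh random mask, mask appended, result twice as long); the HTML page, the token and the guesses are constructed test data, and the compression is plain zlib standing in for HTTP response compression.

```python
import base64
import secrets
import zlib
from typing import Optional

# Added example for this page: a stand-alone reimplementation of the
# mask_token/unmask_token scheme described above, plus a small BREACH
# measurement. It is NOT tulip's code; the layout follows the text (XOR of
# the raw token with a fresh random mask, mask appended, result twice as
# long). The HTML page and token below are constructed test data.

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mask_token(raw_tok: bytes) -> bytes:
    # A fresh CSPRNG mask on every call is the whole point: the same raw
    # token never appears as the same bytes in two responses.
    mask = secrets.token_bytes(len(raw_tok))
    return xor_bytes(raw_tok, mask) + mask

def unmask_token(masked_tok: bytes, length: int) -> Optional[bytes]:
    """length is the size of the raw token. Anything that is not exactly
    masked||mask is rejected instead of being XOR-ed with a partial mask."""
    if length <= 0 or len(masked_tok) != 2 * length:
        return None
    masked, mask = masked_tok[:length], masked_tok[length:]
    return xor_bytes(masked, mask)

def masked_field(raw_tok: bytes) -> str:
    """What would be embedded in a page: base64 of a freshly masked token."""
    return base64.b64encode(mask_token(raw_tok)).decode("ascii")

# --- BREACH in miniature: does the compressed size reveal a correct guess? ---

def page(secret_field: str, reflected: str) -> bytes:
    """Constructed HTML: a secret in a hidden field plus text the attacker
    controls (e.g. a reflected search query) in the same compressed body."""
    return (b'<html><body><h1>Account settings</h1>'
            b'<form action="/update"><input type="hidden" name="csrf" value="'
            + secret_field.encode("ascii")
            + b'"><input name="email"><button>Save</button></form>'
            b'<p>Search results for: ' + reflected.encode("ascii") + b'</p>'
            b'</body></html>')

def compressed_size(secret_field: str, reflected: str) -> int:
    return len(zlib.compress(page(secret_field, reflected)))

def breach_leak(secret_field: str, right: str, wrong: str) -> int:
    """Bytes saved by DEFLATE when the reflected text matches a prefix of the
    secret. A positive value is the side channel BREACH exploits."""
    return compressed_size(secret_field, wrong) - compressed_size(secret_field, right)

RAW_TOKEN = bytes.fromhex("3f9a1c7e5b2d8046e1a9c4f07b6d2e85")   # constructed

if __name__ == "__main__":
    m = mask_token(RAW_TOKEN)
    assert unmask_token(m, len(RAW_TOKEN)) == RAW_TOKEN
    hex_tok = RAW_TOKEN.hex()
    print("leak with raw token in page:",
          breach_leak(hex_tok, hex_tok[:12], "zyxwvutsrqpo"))
    # With masking the raw bytes never appear in the page, so a correct guess
    # is no different from a wrong one (any remaining difference is noise).
    print("leak with masked token:",
          breach_leak(masked_field(RAW_TOKEN), hex_tok[:12], "zyxwvutsrqpo"))
```

With the raw token in the page, a reflected guess that matches a prefix of the token compresses measurably smaller than a wrong guess of the same length, which is the signal BREACH recovers one byte at a time. With a masked token the raw bytes are not in the page at all, and because the mask is fresh per response the masked bytes are different in every response, so there is nothing stable for the attacker to match against. Note that the mitigation depends on generating a new mask per response; reusing a mask would put a static secret back into the compressed body.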


About this wiki

commit 3ebfbd288b8e5c95fdf8ce2027a0e94cfa1c8976
Author: Martin Angers <martin.n.angers@gmail.com>
Date:   2021-02-25T14:07:12-05:00

Update to reflect Request:validate_body
Clone this wiki
https://git.sr.ht/~mna/tulip-wiki (read-only)
git@git.sr.ht:~mna/tulip-wiki (read/write)