Sign session tokens with HMAC #2

Open
opened 2026-03-16 21:07:38 +00:00 by austin · 0 comments
Description

CreateSessionToken in internal/auth/oidc.go just base64-encodes a JSON blob with claims and expiry. Anyone who knows the format can forge a session as any user. This is a blocking security issue.

What needs to happen

Generate a random 32-byte secret on first startup. Store it in the data directory as a file, or in a settings table in SQLite. Use HMAC-SHA256 to sign the session payload. Token format becomes base64(payload).base64(signature). On validation, recompute the HMAC and compare.

Uses only the standard library: crypto/hmac, crypto/sha256, crypto/rand.

Consider a SessionManager struct that holds the signing key — both auth modes share it. This is a good learning exercise for understanding how JWTs work conceptually without pulling in a JWT library.

Key files

  • internal/auth/oidc.go: CreateSessionToken() (line 158) and validateSession() (line 132)
  • Wherever session logic is extracted to after issue #1
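The scheme described above, as an added example in Go that is not the vektor project's own code: a SessionManager holding a random 32-byte key, HMAC-SHA256 over the JSON payload, and a base64(payload).base64(signature) token. The Claims field names, the function names, the use of unpadded URL-safe base64 (the issue does not specify a base64 variant) and the ForgePayload helper are assumptions made for the example. The points a practitioner should check when implementing this: the signature is compared with hmac.Equal (constant time), the MAC is verified before the untrusted JSON is parsed, and the expiry is only trusted after the MAC passes.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the signed session payload. Field names are assumptions for this example.
type Claims struct {
	Subject string `json:"sub"`
	Expires int64  `json:"exp"` // unix seconds
}

var (
	ErrInvalidToken = errors.New("invalid session token")
	ErrExpiredToken = errors.New("session token expired")
)

// b64 is unpadded URL-safe base64; its alphabet never contains '.', so the
// separator between payload and signature is unambiguous.
var b64 = base64.RawURLEncoding

// SessionManager holds the HMAC key; both auth modes share one instance.
type SessionManager struct {
	key []byte
	now func() time.Time
}

// GenerateKey produces the random 32-byte secret created on first startup.
// Persisting it (file with mode 0600, or a settings row) is left to the caller.
func GenerateKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func NewSessionManager(key []byte) (*SessionManager, error) {
	if len(key) < 32 {
		return nil, errors.New("session signing key must be at least 32 bytes")
	}
	return &SessionManager{key: key, now: time.Now}, nil
}

func (m *SessionManager) sign(payload []byte) []byte {
	mac := hmac.New(sha256.New, m.key)
	mac.Write(payload)
	return mac.Sum(nil)
}

// CreateSessionToken returns base64(payload).base64(HMAC-SHA256(payload)).
func (m *SessionManager) CreateSessionToken(c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	return b64.EncodeToString(payload) + "." + b64.EncodeToString(m.sign(payload)), nil
}

// ValidateSessionToken recomputes the MAC and only then decodes the claims.
func (m *SessionManager) ValidateSessionToken(tok string) (Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 2 {
		return Claims{}, ErrInvalidToken
	}
	payload, err := b64.DecodeString(parts[0])
	if err != nil {
		return Claims{}, ErrInvalidToken
	}
	sig, err := b64.DecodeString(parts[1])
	if err != nil {
		return Claims{}, ErrInvalidToken
	}
	// Constant-time comparison; a plain == on the bytes leaks timing.
	if !hmac.Equal(sig, m.sign(payload)) {
		return Claims{}, ErrInvalidToken
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, ErrInvalidToken
	}
	if c.Expires <= m.now().Unix() {
		return Claims{}, ErrExpiredToken
	}
	return c, nil
}

// ForgePayload swaps the payload half of a token but keeps the original
// signature. This is the attack the unsigned scheme in the issue permits;
// against the HMAC scheme it must be rejected.
func ForgePayload(tok string, c Claims) (string, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 2 {
		return "", ErrInvalidToken
	}
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	return b64.EncodeToString(payload) + "." + parts[1], nil
}

func main() {
	key, _ := GenerateKey()
	m, _ := NewSessionManager(key)
	tok, _ := m.CreateSessionToken(Claims{Subject: "alice", Expires: time.Now().Add(time.Hour).Unix()})
	fmt.Println("token:", tok)
	forged, _ := ForgePayload(tok, Claims{Subject: "admin", Expires: time.Now().Add(time.Hour).Unix()})
	_, err := m.ValidateSessionToken(forged)
	fmt.Println("forged token rejected:", err)
}
```

Two design notes: the expiry is checked only after the MAC passes, so an attacker cannot make the validator process attacker-chosen JSON at all; and any additional claims (auth mode, a session ID for revocation) go inside the signed payload, never as a separate unsigned field.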
austin added this to the Fix Foundation milestone 2026-03-16 21:07:38 +00:00
austin self-assigned this 2026-03-16 21:07:38 +00:00
austin added this to the Vektor - CLI project 2026-03-16 21:07:38 +00:00
Reference
austin/vektor#2