Add version suffix to cookie signing salt (#1369)

This will make sure that users need to reauthenticate every time a new version is deployed. Closes https://github.com/firezone/firezone/issues/1358
2026-01-27 18:18:55 +00:00 · 2023-01-23 13:38:57 -06:00
parent 4a2864f9a1
commit 999ea1e43d
2 changed files with 9 additions and 3 deletions
--- a/apps/fz_http/lib/fz_http_web/session.ex
+++ b/apps/fz_http/lib/fz_http_web/session.ex
@@ -29,7 +29,12 @@ defmodule FzHttpWeb.Session do
  end

  defp signing_salt do
-    FzHttp.Config.fetch_env!(:fz_http, :cookie_signing_salt)
+    [vsn | _] =
+      Application.spec(:fz_http, :vsn)
+      |> to_string()
+      |> String.split("+")
+
+    FzHttp.Config.fetch_env!(:fz_http, :cookie_signing_salt) <> vsn
  end

  defp encryption_salt do
--- a/apps/fz_http/test/fz_http_web/acceptance/authentication_test.exs
+++ b/apps/fz_http/test/fz_http_web/acceptance/authentication_test.exs
@@ -65,8 +65,9 @@ defmodule FzHttpWeb.Acceptance.AuthenticationTest do
      |> fill_form(%{"email" => "foo@bar.com"})
      |> click(Query.button("Send"))
      |> assert_el(Query.text("Reset Password"))
-      |> visit(~p"/dev/mailbox")
-      |> assert_el(Query.text("Empty mailbox..."))
+
+      emails = Swoosh.Adapters.Local.Storage.Memory.all()
+      refute Enum.find(emails, &(&1.to == "foo@bar.com"))
    end

    feature "can reset password using email link", %{session: session} do