authenticate: encrypt & mac oauth2 callback state

- cryptutil: add hmac & tests - cryptutil: rename cipher / encoders to be more clear - cryptutil: simplify SecureEncoder interface - cryptutil: renamed NewCipherFromBase64 to NewAEADCipherFromBase64 - cryptutil: move key & random generators to helpers Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2025-08-02 00:10:45 +02:00 · 2019-09-19 08:56:48 -07:00 · 2019-09-19 08:56:48 -07:00 · 7c755d833f
commit 7c755d833f
parent 3a806c6dfc
26 changed files with 539 additions and 464 deletions
--- a/internal/sessions/middleware_test.go
+++ b/internal/sessions/middleware_test.go
@ -81,11 +81,13 @@ func TestVerifier(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			cipher, err := cryptutil.NewCipherFromBase64(cryptutil.NewBase64Key())
+			cipher, err := cryptutil.NewAEADCipherFromBase64(cryptutil.NewBase64Key())
+			encoder := cryptutil.NewSecureJSONEncoder(cipher)
+
 			if err != nil {
 				t.Fatal(err)
 			}
-			encSession, err := MarshalSession(&tt.state, cipher)
+			encSession, err := MarshalSession(&tt.state, encoder)
 			if err != nil {
 				t.Fatal(err)
 			}
@ -96,8 +98,8 @@ func TestVerifier(t *testing.T) {
 			}

 			cs, err := NewCookieStore(&CookieStoreOptions{
-				Name:         "_pomerium",
-				CookieCipher: cipher,
+				Name:    "_pomerium",
+				Encoder: encoder,
 			})
 			if err != nil {
 				t.Fatal(err)