fix(serve/auth): handle crypto/rand.Read error in signSession#5285
Conversation
signSession() silently discarded the error from rand.Read, leaving the session nonce all-zero on failure. While this does not directly bypass authentication (forging a cookie still requires the PBKDF2-derived sessKey), it weakens the unpredictability of password-mode session cookies and is an explicit anti-pattern inconsistent with the same file's generateToken() and sessionKeyForPasswordHash(), both of which panic on rand.Read failure. Now panics with a descriptive message, matching the existing convention.
The rand.Read failure comment overstated the risk as making the cookie 'trivially forgeable and bypass authentication'. verifySession still requires the PBKDF2-derived sessKey to produce a valid HMAC, so an all-zero nonce is not an auth bypass; it weakens session token uniqueness/unpredictability. Reword to match the accurate PR description and avoid misleading future security review.
SivanCola
left a comment
There was a problem hiding this comment.
Approved. Well-scoped, worthwhile hardening fix. signSession() was discarding the rand.Read error and falling back to an all-zero nonce; it now panics with a descriptive message, matching the existing generateToken() and sessionKeyForPasswordHash() convention in the same file.
Why this fits:
- The error path is consistent with the file's established "crypto/rand.Read cannot fail on modern systems; panic" convention, rather than introducing a new silent-degradation behavior.
- Scope is a single function in
internal/serve/auth.go; no auth/session logic changed, no cache-sensitive prompt/tool surfaces touched.
The one thing I tightened was the new inline comment. The original wording said an all-zero nonce would make the cookie "trivially forgeable and bypass authentication," but verifySession still requires the PBKDF2-derived sessKey to produce a valid HMAC, so a constant nonce is not an auth bypass — it weakens session token uniqueness/unpredictability. Your PR description already had this exactly right; I pushed a one-line follow-up commit to make the code comment match it, so it doesn't mislead future security review. Original authorship on your commit is preserved.
Verified:
go test ./internal/servepassedgo vet ./internal/servepassedgofmt -l internal/serve/auth.gocleangit diff --checkclean
Thanks for catching and fixing this. Once CI stays green I'll merge it into main-v2.
signSession() silently discarded the error from rand.Read, leaving the
session nonce all-zero on failure. While this does not directly bypass
authentication (forging a cookie still requires the PBKDF2-derived
sessKey), it weakens the unpredictability of password-mode session
cookies and is an explicit anti-pattern inconsistent with the same
file's generateToken() and sessionKeyForPasswordHash(), both of which
panic on rand.Read failure.
Now panics with a descriptive message, matching the existing convention.