Skip to content

fix(#1136): replace localStorage with HMAC-signed session cookie (no process memory)#1235

Merged
utksh1 merged 4 commits into
utksh1:mainfrom
ionfwsrijan:fix/issue-1136-signed-session-cookie
Jun 24, 2026
Merged

fix(#1136): replace localStorage with HMAC-signed session cookie (no process memory)#1235
utksh1 merged 4 commits into
utksh1:mainfrom
ionfwsrijan:fix/issue-1136-signed-session-cookie

Conversation

@ionfwsrijan

@ionfwsrijan ionfwsrijan commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Problem

The API key was stored in localStorage under secuscan_api_key, making it accessible to any XSS attack.

Solution

Replaced localStorage with HMAC-signed session cookies — no server-side session store needed.

Key differences from previous attempt (PR #1172)

  1. No process-memory session store — cookies are self-contained HMAC-signed tokens. Survives server restarts, works across multiple processes, no external dependencies.
  2. Conditional Secure flag — only set when request is over HTTPS or carries X-Forwarded-Proto: https. HTTP localhost development works without breaking.
  3. No formatting churn in main.py — exactly 2 lines changed (import + router registration).
  4. No new dependencies — uses stdlib , hmac, hashlib, base64, json

Closes #1136

@ionfwsrijan

Copy link
Copy Markdown
Contributor Author

@utksh1 Please review this now

@utksh1 utksh1 merged commit be400fa into utksh1:main Jun 24, 2026
19 checks passed
@utksh1 utksh1 added the gssoc:approved Admin validation: approved for GSSoC scoring label Jun 24, 2026
@ionfwsrijan

Copy link
Copy Markdown
Contributor Author

@utksh1 Please add other labels

utksh1 added a commit that referenced this pull request Jun 25, 2026
, #1234, #1232, #1231, #1230, #1229, #1228, #1222, #1221, #1254, #1252, #1251, #1250, #1242, #1255, #1090, #1097, #1112)

Reverting all PR merges performed during this session to restore repository
to pre-session state. This reverts commits:
- e376276 (#1255)
- 18e5101 (#1222)
- e516dd5 (#1230)
- be400fa (#1235)
- d522e9a (#1243)
- bc0b1cd (#1090)
- de56660 (#1097)
- c2a5a53 (#1112)
- eb30d33 (#1254)
- f2a67f7 (#1250)
- 6579112 (#1251)
- 8751d92 (#1252)
- 3ebc935 (#1221)
- 6f5a936 (#1228)
- da15da4 (#1229)
- b66a5b0 (#1231)
- 775c5c2 (#1232)
- b529ddb (#1234)
- 965b001 (#1241)
- d46e573 (#1242)
- dd09955 (#1240)

All PRs are also being reopened and gssoc labels removed.
@utksh1 utksh1 added level:critical 80 pts difficulty label for critical or high-impact PRs type:security Security work category bonus label type:bug Bug fix work category bonus label area:backend Backend API, database, or service work area:security Security-sensitive implementation or tests gssoc:approved Admin validation: approved for GSSoC scoring and removed gssoc:approved Admin validation: approved for GSSoC scoring labels Jun 25, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area:backend Backend API, database, or service work area:security Security-sensitive implementation or tests gssoc:approved Admin validation: approved for GSSoC scoring level:critical 80 pts difficulty label for critical or high-impact PRs type:bug Bug fix work category bonus label type:security Security work category bonus label

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] API Key Stored in localStorage Enables Credential Theft via XSS

2 participants