[LiveComponent] Allow specifying a live-component specific secret which defaults to kernel.secret #2453
Comments
|
I think this is already implemented in see: #2251 |
|
AFAIK this is unrelated to CSRF, it's https://github.com/symfony/ux/blob/2.x/src/LiveComponent/src/Util/FingerprintCalculator.php and ux/src/LiveComponent/src/LiveComponentHydrator.php Lines 347 to 353 in dec3eb3 |
Warning: keep in mind all this is internal, and we won't support actively anything external. Especially related to encryption. It's enough to maintain code here, we cannot officially support external usage / extension point like this. So you should not take anything about encryption / secrets / etc in the codebase for granted. It can (and it will) change.
Can you find the change you mentioned in the core ? It's an interseting idea |
I'm aware, we have a small test which is checking the value calculated by Symfony matches the one calculated by Node.
|
|
Ok! 👌 |
…ameter] Improve security before we allow secret customization for LiveComponents (cf symfony#2453) I consider this a fix as passing an empty string for secret produce the same hash as passing null... which is deprecated for obvious reasons.
Allow to configure a dedicated secret (used in FingerprintCalculator and LiveComonentHydrator) Suggested by symfony#2453 Inspired by #56840
…arameter] (smnandre) This PR was merged into the 2.x branch. Discussion ---------- [LiveComponent] Check secret is not empty + add [SensitiveParameter] | Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | Issues | Fix #... | License | MIT Improve security before we allow secret customization for LiveComponents (cf #2453) I consider this a fix as passing an empty string for secret produces the same hash as passing null... which is deprecated for obvious reasons. Commits ------- 3c3d097 [LiveComponent] Check secret is not empty + add missing [SensitiveParameter]
Allowing to specify a LiveComponent specific secret which, (if not specified, defaults to
kernel.secret) would increase the security of the feature.Namely, one use case we had is we wanted a Node app to be able to render correct live component blocks. To do that, it needs to share the key with Symfony's LiveComponent implementation to generate the signatures which get verified by Symfony for it to work. We'd prefer to not have to share the
kernel.secretwith the node app (even though it's internal and built by us, trusted) because that provides ways to attack the Symfony app in other ways (login links, RCE via fragments) assuming it leaks.Simply making this secret configurable would improve the security overall because the secret would then have a tiny scope (only that one specific thing) and be intended to be shared with the Node collaborator.
A similar thing was done somewhere on Symfony main repo by @nicolas-grekas recently (login links?)
The text was updated successfully, but these errors were encountered: