-
Notifications
You must be signed in to change notification settings - Fork 577
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Include SHA-256 functions in Mojo::Util #1977
Conversation
As of v9.19, signed cookies now use HMAC-SHA-256 instead of HMAC-SHA1. Import the equivalent SHA-256 functions in line with the current SHA-1 functions available in Mojo::Util.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
We don't usually add functions to |
I see that Mojolicious::Controller uses |
I think we'd rather remove those than add more. Their only use anymore is basically as methods of |
I think it would be a good idea to add these from the point of view of promoting good practices by easy availability, and SHA-256 is a rather commonly used hash at this point. And if so, they should be added to Mojo::ByteStream as well. |
I'd hate to argue against my own PR, but thinking some more, I'd actually prefer performance over convenience. The business has recently moved into the cloud where memory and runtime now have a price tag on them. I'm not a profiling guru. If someone can determine whether monkey patching the sha-256 functions into Mojo::Util improves or hurts performance for code that uses them (as well as for code that doesn't), I would go with that. If it's better, I'll volunteer to add them to Mojo::ByteStream as well. If it degrades performance, perhaps it's better just to expand the docs with a mention on how it's implemented and write a blog post on rolling your own signed cookies (for those who blog). |
This pull request is now in conflicts. Could you fix it @duffee? 🙏 |
2 similar comments
This pull request is now in conflicts. Could you fix it @duffee? 🙏 |
This pull request is now in conflicts. Could you fix it @duffee? 🙏 |
I'm afraid it looks like this PR failed to reach the required number of votes. Thank you. |
Summary
Import SHA-256 functions from Digest::SHA into Mojo::Util
Motivation
As of v9.19, signed cookies now use HMAC-SHA-256 instead of HMAC-SHA1.
Import the equivalent SHA-256 functions into Mojo::Util in line with the current available SHA-1 functions.
I tripped over this last week while migrating a module from Mojo 8 to 9. Our test module was mocking the
signed cookie and when I reached for the updated
hmac_sha256_hex
function, it wasn't in Mojo::Utiland I was sad. Was just going to raise an issue and thought that a PR was just as quick and explains the change
better than I could.
References
Switch away from HMAC SHA1 for signed cookies #1790