Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Include SHA-256 functions in Mojo::Util #1977

Closed
wants to merge 1 commit into from
Closed

Include SHA-256 functions in Mojo::Util #1977

wants to merge 1 commit into from

Conversation

duffee
Copy link

@duffee duffee commented Sep 6, 2022

Summary

Import SHA-256 functions from Digest::SHA into Mojo::Util

Motivation

As of v9.19, signed cookies now use HMAC-SHA-256 instead of HMAC-SHA1.
Import the equivalent SHA-256 functions into Mojo::Util in line with the current available SHA-1 functions.

I tripped over this last week while migrating a module from Mojo 8 to 9. Our test module was mocking the
signed cookie and when I reached for the updated hmac_sha256_hex function, it wasn't in Mojo::Util
and I was sad. Was just going to raise an issue and thought that a PR was just as quick and explains the change
better than I could.

References

Switch away from HMAC SHA1 for signed cookies #1790

@duffee
Include SHA-256 functions in Mojo::Util
f184d1a 
As of v9.19, signed cookies now use HMAC-SHA-256 instead of HMAC-SHA1.
Import the equivalent SHA-256 functions in line with the current
SHA-1 functions available in Mojo::Util.
willsheppard
willsheppard approved these changes Sep 6, 2022
View reviewed changes
Copy link

@willsheppard willsheppard left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@kraih
Copy link
Member

kraih commented Sep 6, 2022

We don't usually add functions to Mojo::Util that are not used inside the framework for something.

@duffee
Copy link
Author

duffee commented Sep 6, 2022

I see that Mojolicious::Controller uses Digest::SHA::hmac_sha256_hex directly in the every_signed_cookie and signed_cookie subs and that you're planning to deprecate the old SHA1 functions. Is that a design decision to remove digest code out of Mojo core or would you find it useful to migrate the current SHA1 functions to SHA-256?

@kraih
Copy link
Member

kraih commented Sep 6, 2022

I think we'd rather remove those than add more. Their only use anymore is basically as methods of Mojo::ByteStream, in some limited situations. Happy to listen to counter arguments though.

@Grinnz
Copy link
Contributor

Grinnz commented Sep 6, 2022

I think it would be a good idea to add these from the point of view of promoting good practices by easy availability, and SHA-256 is a rather commonly used hash at this point. And if so, they should be added to Mojo::ByteStream as well.

@duffee
Copy link
Author

duffee commented Sep 7, 2022
edited
Loading

I'd hate to argue against my own PR, but thinking some more, I'd actually prefer performance over convenience. The business has recently moved into the cloud where memory and runtime now have a price tag on them.

I'm not a profiling guru. If someone can determine whether monkey patching the sha-256 functions into Mojo::Util improves or hurts performance for code that uses them (as well as for code that doesn't), I would go with that. If it's better, I'll volunteer to add them to Mojo::ByteStream as well.

If it degrades performance, perhaps it's better just to expand the docs with a mention on how it's implemented and write a blog post on rolling your own signed cookies (for those who blog).

@mergify
Copy link
Contributor

mergify bot commented Apr 27, 2023

This pull request is now in conflicts. Could you fix it @duffee? 🙏

2 similar comments
@mergify
Copy link
Contributor

mergify bot commented Aug 14, 2023

This pull request is now in conflicts. Could you fix it @duffee? 🙏

@mergify Mergify
Copy link
Contributor

mergify bot commented Nov 21, 2023

This pull request is now in conflicts. Could you fix it @duffee? 🙏

@kraih
Copy link
Member

kraih commented Nov 21, 2023

I'm afraid it looks like this PR failed to reach the required number of votes. Thank you.

@kraih kraih closed this Nov 21, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@willsheppard willsheppard willsheppard approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@duffee @kraih @Grinnz @willsheppard