minor adjustments to HMAC signing

src/shared/hmac-signing.ts

@@ -0,0 +1,18 @@
+/** Module for generating and verifying HMAC signatures. */
+
+import crypto from "crypto";
+import { SECRET_SIGNING_KEY } from "../config";
+
+/**
+ * Generates a HMAC signature for the given message. Optionally salts the
+ * key with a provided string.
+ */
+export function signMessage(msg: any, salt: string = ""): string {
+  const hmac = crypto.createHmac("sha256", SECRET_SIGNING_KEY + salt);
+  if (typeof msg === "object") {
+    hmac.update(JSON.stringify(msg));
+  } else {
+    hmac.update(msg);
+  }
+  return hmac.digest("hex");
+}

src/shared/inject-csrf.ts

@@ -1,9 +1,9 @@
 import { doubleCsrf } from "csrf-csrf";
 import express from "express";
-import { config, COOKIE_SECRET } from "../config";
+import { config, SECRET_SIGNING_KEY } from "../config";
 
 const { generateToken, doubleCsrfProtection } = doubleCsrf({
-  getSecret: () => COOKIE_SECRET,
+  getSecret: () => SECRET_SIGNING_KEY,
   cookieName: "csrf",
   cookieOptions: {
     sameSite: "strict",

src/shared/with-session.ts

@@ -1,14 +1,14 @@
 import cookieParser from "cookie-parser";
 import expressSession from "express-session";
 import MemoryStore from "memorystore";
-import { config, COOKIE_SECRET } from "../config";
+import { config, SECRET_SIGNING_KEY } from "../config";
 
 const ONE_WEEK = 1000 * 60 * 60 * 24 * 7;
 
-const cookieParserMiddleware = cookieParser(COOKIE_SECRET);
+const cookieParserMiddleware = cookieParser(SECRET_SIGNING_KEY);
 
 const sessionMiddleware = expressSession({
-  secret: COOKIE_SECRET,
+  secret: SECRET_SIGNING_KEY,
   resave: false,
   saveUninitialized: false,
   store: new (MemoryStore(expressSession))({ checkPeriod: ONE_WEEK }),