fix: use deterministic HKDF key for cookie signing

cookieMac was using encryptString which generates a random IV per call, making the HMAC key non-deterministic. Cookie signed at login could never verify on subsequent requests. Now uses deriveKey(info) which uses HKDF — deterministic for same server key.
2026-05-26 17:56:34 +00:00 · 2026-05-10 02:59:04 +02:00 · 2026-05-10 02:59:04 +02:00 · bacf1d2fcb
commit bacf1d2fcb
parent fe11519925
2 changed files with 8 additions and 2 deletions
--- a/server/src/shared/auth.ts
+++ b/server/src/shared/auth.ts
@ -170,9 +170,10 @@ export function createAuth(
  // ---- Sessions -------------------------------------------------------------
  const cookieKey = secrets.deriveKey("cookie");
  function cookieMac(sid: string): string {
-    const subkeyMaterial = secrets.encryptString("cookie-subkey", "cookie-derivation");
+    return createHmac("sha256", cookieKey).update(sid).digest("hex");
    return createHmac("sha256", subkeyMaterial).update(sid).digest("hex");
  }
  function signCookie(sid: string): string {
--- a/server/src/shared/secrets.ts
+++ b/server/src/shared/secrets.ts
@ -33,6 +33,7 @@ export interface SecretsLog {
 export interface SecretsApi {
  encryptString(plaintext: string, info?: string): string;
  decryptString(ciphertext: string, info?: string): string;
  deriveKey(info: string): Buffer;
  generateClusterKey(): string;
  encryptForCluster(plaintext: string, clusterKeyB64u: string): string;
 }
@ -54,6 +55,10 @@ export function initSecrets(config: SecretsConfig, log: SecretsLog): SecretsApi
  }
  return {
    deriveKey(info: string): Buffer {
      return deriveSubkey(info);
    },
    encryptString(plaintext: string, info: string = "field"): string {
      const subkey = deriveSubkey(info);
      const iv = randomBytes(12);