From 46063d70fd15b8936c7337a54238664367e9ee14 Mon Sep 17 00:00:00 2001
From: Nicolas Beguier
Date: Wed, 13 Nov 2019 13:48:12 +0100
Subject: [PATCH] [koa-session] security example for app.keys

---
 csrf/app.js | 3 ++-
 flash-messages/app.js | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/csrf/app.js b/csrf/app.js
index b8beeac..945c67e 100644
--- a/csrf/app.js
+++ b/csrf/app.js
@@ -3,6 +3,7 @@ const koaBody = require('koa-body');
 const session = require('koa-session');
 const CSRF = require('koa-csrf');
 const router = require('koa-router')();
+const Keygrip = require('keygrip');
 
 const app = module.exports = new Koa();
 
@@ -10,7 +11,7 @@ const app = module.exports = new Koa();
  * csrf need session
  */
 
-app.keys = ['session key', 'csrf example'];
+app.keys = new Keygrip(['insert 64 bytes random string', 'insert another 64 bytes random string'], 'sha512');
 app.use(session(app));
 app.use(koaBody());
 
diff --git a/flash-messages/app.js b/flash-messages/app.js
index 5ff0fde..9445b3b 100644
--- a/flash-messages/app.js
+++ b/flash-messages/app.js
@@ -6,11 +6,12 @@
 const Koa = require('koa');
 const rawBody = require('raw-body');
 const session = require('koa-session');
+const Keygrip = require('keygrip');
 
 const app = module.exports = new Koa();
 
 // required for signed cookie sessions
-app.keys = ['key1', 'key2'];
+app.keys = new Keygrip(['insert 64 bytes random string', 'insert another 64 bytes random string'], 'sha512');
 app.use(session(app));
 
 app.use(async function(ctx, next) {
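Review bot: The added `const Keygrip = require('keygrip');` depends on a package this patch does not declare: the diffstat lists only csrf/app.js and flash-messages/app.js, so no manifest is touched, and whether keygrip is already listed there is not visible here. If it is present only as a transitive dependency of koa, the require works only while the installer hoists it, and the version that signs the session cookies is whatever that transitive range resolves to. Declaring keygrip as a direct dependency with an explicit version range would make the examples install and behave predictably. The same applies to the identical require added in flash-messages/app.js.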
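Review bot: The new `app.keys` line still commits the signing keys as string literals, and the placeholders such as 'insert 64 bytes random string' are usable keys as written, so an app copied from this example without editing signs its session cookies with a publicly known HMAC key. I would load the keys from outside the source tree and refuse to start without them, for example `const keys = (process.env.APP_KEYS || '').split(',').filter(Boolean);`, `if (keys.length === 0) throw new Error('APP_KEYS is not set');` and `app.keys = new Keygrip(keys, 'sha512');` (APP_KEYS is a name made up for this note). A comment such as `// generate each key with crypto.randomBytes(64).toString('hex')` would also pin down what "64 bytes random string" is meant to be. The same line is added in flash-messages/app.js.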
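Review bot: The comment `// required for signed cookie sessions` above the new `app.keys` line does not explain why two keys are passed, which matters more now that the example is presented as the secure way to set them. Keygrip signs with the first key and accepts any listed key when verifying, so I would extend the comment to `// first key signs new cookies; the others are only accepted for verification, so rotate by prepending a new key`. It may also be worth a line noting that moving from Keygrip's default digest to 'sha512' means cookies signed before the change no longer verify. The `app.use(async function(ctx, next) {` callback that closes the hunk continues outside it.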