Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[EBT] userId hash: Find alternatives to js-sha256 #130147

Closed
Tracked by #121992
afharo opened this issue Apr 13, 2022 · 6 comments · Fixed by #130785
Closed
Tracked by #121992

[EBT] userId hash: Find alternatives to js-sha256 #130147

afharo opened this issue Apr 13, 2022 · 6 comments · Fixed by #130785
Assignees
@afharo
Labels
Feature:Telemetry impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc

Comments

@afharo
Copy link
Member

afharo commented Apr 13, 2022

We can use the browser native digest function here:
https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest

Though it only works on https which might be an OK tradeoff?

Alternatively, wouldn't t be better to send a request to a custom route on the kibana server to get this in a GET/POST request instead of loading an external library?

Originally posted by @Bamieh in #129927 (comment)
@afharo afharo added Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc Feature:Telemetry labels Apr 13, 2022
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-core (Team:Core)

This was referenced Apr 13, 2022
Merged
Closed
@Bamieh
Copy link
Member

Bamieh commented Apr 14, 2022

Loading a browser hashing library for this is not worth it IMO. But what I feel needs addressing more is where this logic lives; I believe the ID creation belongs on the server side more than doing it ad-hoc on the browser.

If we were to add a cookie with this ID passed from the server when serving a page, where would be the best place to attach this cookie header? the service is already in core so I think it should be relatively easy to plug in.

@pgayvallet
Copy link
Contributor

pgayvallet commented Apr 20, 2022
edited
Loading

If we were to add a cookie with this ID passed from the server when serving a page, where would be the best place to attach this cookie header? the service is already in core so I think it should be relatively easy to plug in.

Correct me if I'm wrong, but this userId is coming from the cloud plugin's config. Core has no knowledge of such data.

And there's no way atm to let plugins register additional headers/cookie to bind to the rendering service, so it wouldn't be possible to do that from the cloud plugin either atm.

So this approach can't be achieved without proper enhancement.

I don't see it in the issue's description, so if I may ask: what's the problem with the current implementation / what exactly are we trying to solve or improve here?

@afharo
Copy link
Member Author

afharo commented Apr 20, 2022

@pgayvallet AFAIK, the main benefit would be removing the dependency, hence the size of the bundle. It is loaded async, but still...

@afharo afharo added the impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. label Apr 20, 2022
@Bamieh
Copy link
Member

Bamieh commented Apr 24, 2022
edited
Loading

I agree the main benefit would be removing an extra dependency that might expose us to vulnerabilities if we decide to maintain it and avoid loading an additional library to do only this tiny task on the browser. It also helps in centralizing the logic of where we create this ID

@afharo afharo mentioned this issue Apr 28, 2022
Merged
21 tasks
@afharo afharo self-assigned this Apr 28, 2022
@afharo
Copy link
Member Author

afharo commented Apr 28, 2022

I noticed core exposes a sha utility. I switched to using it in #130785. Tests prove that the output is the same 🎉

@exalate-issue-sync exalate-issue-sync bot reopened this May 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@afharo afharo

Labels
Feature:Telemetry impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[EBT] Core Context Providers afharo/kibana
4 participants
@pgayvallet @afharo @Bamieh @elasticmachine