sessions: new secret, set issued time of session cookie for revoking

app.rb

@@ -4,7 +4,7 @@ require './app_helpers.rb'
 use Rack::Session::Cookie, key:          'neocities',
                            path:         '/',
                            expire_after: 31556926, # one year in seconds
-                           secret:       $config['session_secret'],
+                           secret:       Base64.strict_decode64($config['session_secret']),
                            httponly: true,
                            same_site: :lax,
                            secure: ENV['RACK_ENV'] == 'production'
@@ -105,11 +105,14 @@ end
 after do
   if @api
     request.session_options[:skip] = true
+  else
+    # Set issue timestamp on session cookie if it doesn't exist yet
+    session['i'] = Time.now.to_i if session && !session['i'] && session['id']
   end
-end
 
-after do
-  response.headers['Content-Security-Policy'] = %{default-src 'self' data: blob: 'unsafe-inline'; script-src 'self' blob: 'unsafe-inline' 'unsafe-eval' https://hcaptcha.com https://*.hcaptcha.com https://js.stripe.com; style-src 'self' 'unsafe-inline' https://hcaptcha.com https://*.hcaptcha.com; connect-src 'self' https://hcaptcha.com https://*.hcaptcha.com https://api.stripe.com; frame-src 'self' https://hcaptcha.com https://*.hcaptcha.com https://js.stripe.com} unless self.class.development?
+  unless self.class.development?
+    response.headers['Content-Security-Policy'] = %{default-src 'self' data: blob: 'unsafe-inline'; script-src 'self' blob: 'unsafe-inline' 'unsafe-eval' https://hcaptcha.com https://*.hcaptcha.com https://js.stripe.com; style-src 'self' 'unsafe-inline' https://hcaptcha.com https://*.hcaptcha.com; connect-src 'self' https://hcaptcha.com https://*.hcaptcha.com https://api.stripe.com; frame-src 'self' https://hcaptcha.com https://*.hcaptcha.com https://js.stripe.com}
+  end
 end
 
 not_found do

config.ru

@@ -92,7 +92,7 @@ map '/sidekiq' do
     username == $config['sidekiq_user'] && password == $config['sidekiq_pass']
   end
 
-  use Rack::Session::Cookie, key: 'sidekiq.session', secret: $config['session_secret']
+  use Rack::Session::Cookie, key: 'sidekiq.session', secret: Base64.strict_decode64($config['session_secret'])
   use Rack::Protection::AuthenticityToken
   run Sidekiq::Web
 end

config.yml.ci

@@ -1,6 +1,6 @@
 database: 'postgres://postgres:citestpassword@localhost/ci_test'
 database_pool: 1
-session_secret: 's3cr3t'
+session_secret: 'SSBqdXN0IHdhbnRlZCB0byBzZWUgd2hhdCB5b3UgbG9va2VkIGxpa2UgaW4gYSBkcmVzcywgRGFkZSBNdXJwaHk='
 email_unsubscribe_token: "somethingrandomderrrrp"
 paypal_api_username: derp
 paypal_api_password: ing

config.yml.template

@@ -2,7 +2,7 @@ development:
   database: 'postgres://localhost/neocities'
   database_pool: 1
   redis_url: "redis://localhost"
-  session_secret: "SECRET GOES HERE"
+  session_secret: "SSBqdXN0IHdhbnRlZCB0byBzZWUgd2hhdCB5b3UgbG9va2VkIGxpa2UgaW4gYSBkcmVzcywgRGFkZSBNdXJwaHk="
   hcaptcha_site_key: "10000000-ffff-ffff-ffff-000000000001"
   hcaptcha_secret_key: "0x0000000000000000000000000000000000000000"
   sidekiq_user: "ENTER USER HERE"
@@ -34,7 +34,7 @@ development:
 test:
   database: 'postgres://localhost/neocities_test'
   database_pool: 1
-  session_secret: "SECRET GOES HERE"
+  session_secret: "SSBqdXN0IHdhbnRlZCB0byBzZWUgd2hhdCB5b3UgbG9va2VkIGxpa2UgaW4gYSBkcmVzcywgRGFkZSBNdXJwaHk="
   hcaptcha_site_key: "10000000-ffff-ffff-ffff-000000000001"
   hcaptcha_secret_key: "0x0000000000000000000000000000000000000000"
   sidekiq_user: "ENTER USER HERE"