gorilla · devhaozi · Aug 24, 2024 · Aug 25, 2024 · Aug 25, 2024 · Aug 25, 2024
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -12,15 +12,15 @@ jobs:
   scan:
     strategy:
       matrix:
-        go: ['1.20','1.21']
+        go: ['oldstable','stable']
       fail-fast: true
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup Go ${{ matrix.go }}
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.go }}
           cache: false

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -12,16 +12,16 @@ jobs:
   unit:
     strategy:
       matrix:
-        go: ['1.20','1.21']
+        go: ['oldstable','stable']
         os: [ubuntu-latest, macos-latest, windows-latest]
       fail-fast: true
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup Go ${{ matrix.go }}
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.go }}
           cache: false
@@ -30,6 +30,6 @@ jobs:
         run: go test -race -cover -coverprofile=coverage -covermode=atomic -v ./...
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
         with:
           files: ./coverage
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
@@ -12,21 +12,21 @@ jobs:
   lint:
     strategy:
       matrix:
-        go: ['1.20','1.21']
+        go: ['oldstable','stable']
       fail-fast: true
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup Go ${{ matrix.go }}
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.go }}
           cache: false
 
       - name: Run GolangCI-Lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v6
         with:
-          version: v1.53
+          version: latest
           args: --timeout=5m
diff --git a/README.md b/README.md
@@ -10,8 +10,8 @@
 securecookie encodes and decodes authenticated and optionally encrypted
 cookie values.
 
-Secure cookies can't be forged, because their values are validated using HMAC.
-When encrypted, the content is also inaccessible to malicious eyes. It is still
+Secure cookies can't be forged, because their values are encrypted and validated
+using ChaCha20-Poly1305, the content is inaccessible to malicious eyes. It is still
 recommended that sensitive data not be stored in cookies, and that HTTPS be used
 to prevent cookie [replay attacks](https://en.wikipedia.org/wiki/Replay_attack).
 
@@ -20,21 +20,13 @@ to prevent cookie [replay attacks](https://en.wikipedia.org/wiki/Replay_attack).
 To use it, first create a new SecureCookie instance:
 
 ```go
-// Hash keys should be at least 32 bytes long
-var hashKey = []byte("very-secret")
-// Block keys should be 16 bytes (AES-128) or 32 bytes (AES-256) long.
-// Shorter keys may weaken the encryption used.
-var blockKey = []byte("a-lot-secret")
-var s = securecookie.New(hashKey, blockKey)
+// Keys must be 32 bytes long
+var key = []byte("32-byte-long-auth-key")
+var s, err = securecookie.New(hashKey, blockKey)
 ```
 
-The hashKey is required, used to authenticate the cookie value using HMAC.
-It is recommended to use a key with 32 or 64 bytes.
-
-The blockKey is optional, used to encrypt the cookie value -- set it to nil
-to not use encryption. If set, the length must correspond to the block size
-of the encryption algorithm. For AES, used by default, valid lengths are
-16, 24, or 32 bytes to select AES-128, AES-192, or AES-256.
+The key is required and must be 32 bytes, used to authenticate and
+encrypt cookie values.
 
 Strong keys can be created using the convenience function
 `GenerateRandomKey()`. Note that keys created using `GenerateRandomKey()` are not
@@ -75,11 +67,8 @@ func ReadCookieHandler(w http.ResponseWriter, r *http.Request) {
 }
 ```
 
-We stored a map[string]string, but secure cookies can hold any value that
-can be encoded using `encoding/gob`. To store custom types, they must be
-registered first using gob.Register(). For basic types this is not needed;
-it works out of the box. An optional JSON encoder that uses `encoding/json` is
-available for types compatible with JSON.
+Secure cookies can hold any value thatcan be encoded using encoding/json.
+it works out of the box.
 
 ### Key Rotation
 Rotating keys is an important part of any security strategy. The `EncodeMulti` and
@@ -89,15 +78,11 @@ For example, let's take a system that stores keys in a map:
 ```go
 // keys stored in a map will not be persisted between restarts
 // a more persistent storage should be considered for production applications.
+var previous, _ = securecookie.New(securecookie.GenerateRandomKey(32))
+var current, _ = securecookie.New(securecookie.GenerateRandomKey(32))
 var cookies = map[string]*securecookie.SecureCookie{
-	"previous": securecookie.New(
-		securecookie.GenerateRandomKey(64),
-		securecookie.GenerateRandomKey(32),
-	),
-	"current": securecookie.New(
-		securecookie.GenerateRandomKey(64),
-		securecookie.GenerateRandomKey(32),
-	),
+	"previous": previous,
+	"current": current,
 }
 ```
 

diff --git a/doc.go b/doc.go
@@ -6,22 +6,15 @@
 Package securecookie encodes and decodes authenticated and optionally
 encrypted cookie values.
 
-Secure cookies can't be forged, because their values are validated using HMAC.
-When encrypted, the content is also inaccessible to malicious eyes.
+Secure cookies can't be forged, because their values are encrypted and validated
+using ChaCha20-Poly1305, the content is inaccessible to malicious eyes.
 
 To use it, first create a new SecureCookie instance:
 
-	var hashKey = []byte("very-secret")
-	var blockKey = []byte("a-lot-secret")
-	var s = securecookie.New(hashKey, blockKey)
+	var key = []byte("32-byte-long-auth-key")
+	var s, err = securecookie.New(key)
 
-The hashKey is required, used to authenticate the cookie value using HMAC.
-It is recommended to use a key with 32 or 64 bytes.
-
-The blockKey is optional, used to encrypt the cookie value -- set it to nil
-to not use encryption. If set, the length must correspond to the block size
-of the encryption algorithm. For AES, used by default, valid lengths are
-16, 24, or 32 bytes to select AES-128, AES-192, or AES-256.
+The key is required and must be 32 bytes, used to authenticate and encrypt cookie values.
 
 Strong keys can be created using the convenience function GenerateRandomKey().
 
@@ -53,9 +46,7 @@ value:
 		}
 	}
 
-We stored a map[string]string, but secure cookies can hold any value that
-can be encoded using encoding/gob. To store custom types, they must be
-registered first using gob.Register(). For basic types this is not needed;
+Secure cookies can hold any value thatcan be encoded using encoding/json.
 it works out of the box.
 */
 package securecookie
diff --git a/go.mod b/go.mod
@@ -1,5 +1,10 @@
-module github.com/gorilla/securecookie
+module github.com/gorilla/securecookie/v2
 
-go 1.20
+go 1.22
 
-require github.com/google/gofuzz v1.2.0
+require (
+	github.com/google/gofuzz v1.2.0
+	golang.org/x/crypto v0.26.0
+)
+
+require golang.org/x/sys v0.23.0 // indirect
diff --git a/go.sum b/go.sum
@@ -1,2 +1,6 @@
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw=
+golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54=
+golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
+golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=