@dr0ptp4kt provided some helpful feedback on how to strengthen the security of hashed URLs that are included in EventLogging data for EditorJourney.
Currently we use the user's token as the salt for hashing URLs. Instead of this, we can:
- Generate a hash of the user's token as a lookup key for getting/setting the HMAC salt in Redis
- Attempt to get the salt from Redis with that key; if it is not found, generate a random value and store it in Redis with a TTL of 24 hours
- Use the salt stored in Redis to hash the URLs
The end result is that the salt for hashing is only around for 24 hours, as opposed to potentially months/years with the session token in the MW database.
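A sketch of the three steps above, added here as an example and not taken from the EditorJourney code. It assumes SHA-256 for the lookup key and HMAC-SHA256 for the URL hash (the task names neither), uses a hypothetical `editorjourney:salt:` key prefix, and replaces Redis with a constructed in-memory store that mimics `GET` and `SET ... NX EX`.

```python
import hashlib
import hmac
import secrets

SALT_TTL_SECONDS = 24 * 60 * 60  # 24-hour lifetime from the task description


class TtlStore:
    """Constructed in-memory stand-in for Redis GET and SET NX EX."""

    def __init__(self, clock):
        self._clock = clock
        self._data = {}  # key -> (value, expires_at)

    def get(self, key):
        entry = self._data.get(key)
        if entry is None or entry[1] <= self._clock():
            self._data.pop(key, None)
            return None
        return entry[0]

    def set_if_absent(self, key, value, ttl):
        # Mirrors SET key value NX EX ttl: only the first writer wins.
        if self.get(key) is None:
            self._data[key] = (value, self._clock() + ttl)
        return self._data[key][0]


def salt_lookup_key(user_token):
    # The store never sees the raw token, only a digest of it.
    # The key prefix is a hypothetical name chosen for this example.
    digest = hashlib.sha256(user_token.encode("utf-8")).hexdigest()
    return "editorjourney:salt:" + digest


def get_or_create_salt(store, user_token):
    key = salt_lookup_key(user_token)
    salt = store.get(key)
    if salt is None:
        # No TTL refresh on later reads, so the salt lives at most 24 hours.
        salt = store.set_if_absent(key, secrets.token_bytes(32), SALT_TTL_SECONDS)
    return salt


def hash_url(store, user_token, url):
    salt = get_or_create_salt(store, user_token)
    return hmac.new(salt, url.encode("utf-8"), hashlib.sha256).hexdigest()
```

Because the TTL is set only when the salt is created, hashes of the same URL stay linkable for one user within the 24-hour window and become unlinkable once the salt expires.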