From c95d8e8a015a8d8446b61166a27701fa710aa728 Mon Sep 17 00:00:00 2001
From: Mike Cao
Date: Thu, 20 Aug 2020 19:38:20 -0700
Subject: [PATCH] Implement rotating salt.
---
 lib/crypto.js | 8 +++++++-
 package.json | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/lib/crypto.js b/lib/crypto.js
index 497b5fae..8a96e785 100644
--- a/lib/crypto.js
+++ b/lib/crypto.js
@@ -2,9 +2,11 @@ import crypto from 'crypto';
 import { v4, v5, validate } from 'uuid';
 import bcrypt from 'bcrypt';
 import { JWT, JWE, JWK } from 'jose';
+import { startOfMonth } from 'date-fns';
 
 const SALT_ROUNDS = 10;
 const KEY = JWK.asKey(Buffer.from(secret()));
+const ROTATING_SALT = hash(startOfMonth(new Date()).toUTCString());
 const CHARS = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
 
 export function hash(...args) {
@@ -15,10 +17,14 @@ export function secret() {
 return hash(process.env.HASH_SALT);
 }
 
+export function salt() {
+ return v5([secret(), ROTATING_SALT].join(''), v5.DNS);
+}
+
 export function uuid(...args) {
 if (!args.length) return v4();
 
- return v5(args.join(''), v5.DNS);
+ return v5(args.join(''), salt());
 }
 
 export function isValidId(s) {
diff --git a/package.json b/package.json
index 5f7be4d6..daf2f168 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "umami",
- "version": "0.11.0",
+ "version": "0.12.0",
 "description": "A simple, fast, website analytics alternative to Google Analytics. ",
 "author": "Mike Cao ",
 "license": "MIT",
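Review bot: `ROTATING_SALT` is evaluated once, when the module is loaded, so a process that stays up across a month boundary keeps the previous month's value and the salt rotates only on restart. `startOfMonth` from date-fns also works in the server's local time zone, so the `toUTCString()` output, and with it the salt, differs between hosts configured with different zones. Deriving the month at call time from UTC fields would avoid both, for example `const now = new Date();` followed by `hash(new Date(Date.UTC(now.getUTCFullYear(), now.getUTCMonth(), 1)).toUTCString())` inside `salt()`. A one-line comment stating the intended rotation period would also help the next reader.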
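Review bot: `salt()` gets all of its secrecy from `secret()`, because the rotating part comes from the calendar month alone and can be recomputed by anyone; the context line `return hash(process.env.HASH_SALT);` shows no check that the variable is set. The body of `hash` is outside this hunk, but if it tolerates an undefined argument, the namespace passed to `v5` no longer depends on any secret, and the values returned by `uuid(...args)` can be reproduced from their inputs. Failing closed in `secret()` would cover this, e.g. `if (!process.env.HASH_SALT) throw new Error('HASH_SALT is not set');`. `salt()` and `uuid()` would also benefit from a doc comment saying that `uuid(...args)` output now changes with the salt, so it is not a stable key across rotations.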