Guest Posted September 29, 2021 (edited)

Coming from Liquid, it's possible to generate a hmac_sha256 hash prior to display on the front end of the site. This would allow, for example, a piece of JavaScript to include a hash that is unique to the current user. Is this possible with Squarespace templates? Or is there another way to have a secure key in the template that is not visible on the front end? The end user case would be to generate a complete JWT token but I don't believe that is possible.

Edited September 29, 2021 by ColinLongworth

iamdavehart Posted October 6, 2021

In the latest version 7.1, Squarespace only lets you inject code into the front-end and it gets executed there, so the kind of thing you're talking about isn't really possible as it's a server-side action. As far as I know, it's also not possible by developing your own template as they really work by processing JSON-T templates and don't give you low-level access to any server-side processing. You can check the documentation at developers.squarespace.com but I had a quick scan and couldn't see any way to access secrets. Because of that, in my opinion, it's not possible to store variables on the client side securely and therefore I would say JWTs are out of the question because they rely on being signed by a server.

Don't know your level of expertise so forgive me if any of this is stating the obvious... I think the short answer is Squarespace lets you directly inject code, but only ever to be executed on the client side. Therefore no server side (at least no useful server-side code execution environment).

My question would be: why do you want to create a JWT? The point about a JWT is that you can validate the server it came from (or a set of servers who share the signing secret), so clients usually receive it from a server and send it back with their requests. So if your end goal is to send it to some non-Squarespace server then you really need to receive your JWT from that server. If you're not going to ask the user for credentials to exchange for the JWT then I'm not sure what you're trying to achieve. If you just want a unique user but don't care whether they're authenticated (something similar to the way that Google Analytics do) then just issue one based on origin/IP etc. from another server, either directly through JavaScript or through a clear pixel.

One thing to consider is that - again depending on expertise - any injected client-side code you execute does so in Squarespace's trusted origin, which means you can use JavaScript to read their cookies / session storage. They have Squarespace analytics IDs, session IDs, and a few other things that you might be able to read as a proxy for whatever you're looking for. Not sure whether that helps you?

Dave Hart. Software/Technology Consultant living in London.
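
The point made in the reply above, that a JWT has to be signed where the secret can stay private, shown as an added example (not code from either poster or from Squarespace): a Node.js server outside Squarespace issues and verifies an HS256 token. The names `issueToken` and `verifyToken` and the random `SECRET` are hypothetical, chosen for this illustration.

```javascript
// Added example: HS256 JWT issued and verified on a server you control (Node.js).
const crypto = require('node:crypto');

// Assumption: in production the secret is loaded from server-side configuration
// and never appears in template or injected page code. Constructed value here.
const SECRET = crypto.randomBytes(32);

const b64url = (input) => Buffer.from(input).toString('base64url');

// HMAC-SHA256 over "header.payload", the same primitive as Liquid's hmac_sha256.
function sign(data) {
  return crypto.createHmac('sha256', SECRET).update(data).digest('base64url');
}

// Issue a short-lived token for a user id; the browser only ever sees the result.
function issueToken(userId, ttlSeconds = 300, now = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ sub: userId, iat: now, exp: now + ttlSeconds }));
  return `${header}.${payload}.${sign(`${header}.${payload}`)}`;
}

// Verify on the server: returns the claims, or null if the token is invalid.
function verifyToken(token, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [header, payload, signature] = parts;

  // Check the signature first, in constant time, before trusting any content.
  const expected = Buffer.from(sign(`${header}.${payload}`));
  const given = Buffer.from(signature);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;

  let head, claims;
  try {
    head = JSON.parse(Buffer.from(header, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  // Pin the algorithm instead of accepting whatever the header asks for.
  if (!head || head.alg !== 'HS256') return null;
  if (!claims || typeof claims.exp !== 'number' || claims.exp <= now) return null;
  return claims;
}
```

A page served by Squarespace would fetch the token from this server and send it back with later requests; only the server ever calls `sign`.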