mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-11-25 23:05:39 +03:00
Port "Use general token signing secret"
Port of https://github.com/go-gitea/gitea/pull/29205 Use a clearly defined "signing secret" for token signing. (cherry picked from commit 8be198cdef0a486f417663b1fd6878458d7e5d92)
This commit is contained in:
parent
cfd6420a0e
commit
62d3e5255f
13 changed files with 131 additions and 61 deletions
|
@ -115,7 +115,7 @@ func CreateTimeLimitCode(data string, minutes int, startInf any) string {
|
||||||
|
|
||||||
// create sha1 encode string
|
// create sha1 encode string
|
||||||
sh := sha1.New()
|
sh := sha1.New()
|
||||||
_, _ = sh.Write([]byte(fmt.Sprintf("%s%s%s%s%d", data, setting.SecretKey, startStr, endStr, minutes)))
|
_, _ = sh.Write([]byte(fmt.Sprintf("%s%s%s%s%d", data, hex.EncodeToString(setting.GetGeneralTokenSigningSecret()), startStr, endStr, minutes)))
|
||||||
encoded := hex.EncodeToString(sh.Sum(nil))
|
encoded := hex.EncodeToString(sh.Sum(nil))
|
||||||
|
|
||||||
code := fmt.Sprintf("%s%06d%s", startStr, minutes, encoded)
|
code := fmt.Sprintf("%s%06d%s", startStr, minutes, encoded)
|
||||||
|
|
|
@ -6,6 +6,7 @@ package context
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
|
"encoding/hex"
|
||||||
"fmt"
|
"fmt"
|
||||||
"html/template"
|
"html/template"
|
||||||
"io"
|
"io"
|
||||||
|
@ -124,7 +125,7 @@ func NewWebContext(base *Base, render Render, session session.Store) *Context {
|
||||||
func Contexter() func(next http.Handler) http.Handler {
|
func Contexter() func(next http.Handler) http.Handler {
|
||||||
rnd := templates.HTMLRenderer()
|
rnd := templates.HTMLRenderer()
|
||||||
csrfOpts := CsrfOptions{
|
csrfOpts := CsrfOptions{
|
||||||
Secret: setting.SecretKey,
|
Secret: hex.EncodeToString(setting.GetGeneralTokenSigningSecret()),
|
||||||
Cookie: setting.CSRFCookieName,
|
Cookie: setting.CSRFCookieName,
|
||||||
SetCookie: true,
|
SetCookie: true,
|
||||||
Secure: setting.SessionConfig.Secure,
|
Secure: setting.SessionConfig.Secure,
|
||||||
|
|
|
@ -7,6 +7,7 @@ package generate
|
||||||
import (
|
import (
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
@ -38,6 +39,20 @@ func NewInternalToken() (string, error) {
|
||||||
return internalToken, nil
|
return internalToken, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const defaultJwtSecretLen = 32
|
||||||
|
|
||||||
|
// DecodeJwtSecret decodes a base64 encoded jwt secret into bytes, and check its length
|
||||||
|
func DecodeJwtSecret(src string) ([]byte, error) {
|
||||||
|
encoding := base64.RawURLEncoding
|
||||||
|
decoded := make([]byte, encoding.DecodedLen(len(src))+3)
|
||||||
|
if n, err := encoding.Decode(decoded, []byte(src)); err != nil {
|
||||||
|
return nil, err
|
||||||
|
} else if n != defaultJwtSecretLen {
|
||||||
|
return nil, fmt.Errorf("invalid base64 decoded length: %d, expects: %d", n, defaultJwtSecretLen)
|
||||||
|
}
|
||||||
|
return decoded[:defaultJwtSecretLen], nil
|
||||||
|
}
|
||||||
|
|
||||||
// NewJwtSecret generates a new base64 encoded value intended to be used for JWT secrets.
|
// NewJwtSecret generates a new base64 encoded value intended to be used for JWT secrets.
|
||||||
func NewJwtSecret() ([]byte, string, error) {
|
func NewJwtSecret() ([]byte, string, error) {
|
||||||
bytes := make([]byte, 32)
|
bytes := make([]byte, 32)
|
||||||
|
|
34
modules/generate/generate_test.go
Normal file
34
modules/generate/generate_test.go
Normal file
|
@ -0,0 +1,34 @@
|
||||||
|
// Copyright 2024 The Gitea Authors. All rights reserved.
|
||||||
|
// SPDX-License-Identifier: MIT
|
||||||
|
|
||||||
|
package generate
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/base64"
|
||||||
|
"strings"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestDecodeJwtSecret(t *testing.T) {
|
||||||
|
_, err := DecodeJwtSecret("abcd")
|
||||||
|
assert.ErrorContains(t, err, "invalid base64 decoded length")
|
||||||
|
_, err = DecodeJwtSecret(strings.Repeat("a", 64))
|
||||||
|
assert.ErrorContains(t, err, "invalid base64 decoded length")
|
||||||
|
|
||||||
|
str32 := strings.Repeat("x", 32)
|
||||||
|
encoded32 := base64.RawURLEncoding.EncodeToString([]byte(str32))
|
||||||
|
decoded32, err := DecodeJwtSecret(encoded32)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
assert.Equal(t, str32, string(decoded32))
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestNewJwtSecret(t *testing.T) {
|
||||||
|
secret, encoded, err := NewJwtSecret()
|
||||||
|
assert.NoError(t, err)
|
||||||
|
assert.Len(t, secret, 32)
|
||||||
|
decoded, err := DecodeJwtSecret(encoded)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
assert.Equal(t, secret, decoded)
|
||||||
|
}
|
|
@ -4,22 +4,19 @@
|
||||||
package setting
|
package setting
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"encoding/base64"
|
|
||||||
"fmt"
|
"fmt"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"code.gitea.io/gitea/modules/generate"
|
"code.gitea.io/gitea/modules/generate"
|
||||||
"code.gitea.io/gitea/modules/util"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// LFS represents the configuration for Git LFS
|
// LFS represents the configuration for Git LFS
|
||||||
var LFS = struct {
|
var LFS = struct {
|
||||||
StartServer bool `ini:"LFS_START_SERVER"`
|
StartServer bool `ini:"LFS_START_SERVER"`
|
||||||
JWTSecretBase64 string `ini:"LFS_JWT_SECRET"`
|
JWTSecretBytes []byte `ini:"-"`
|
||||||
JWTSecretBytes []byte `ini:"-"`
|
HTTPAuthExpiry time.Duration `ini:"LFS_HTTP_AUTH_EXPIRY"`
|
||||||
HTTPAuthExpiry time.Duration `ini:"LFS_HTTP_AUTH_EXPIRY"`
|
MaxFileSize int64 `ini:"LFS_MAX_FILE_SIZE"`
|
||||||
MaxFileSize int64 `ini:"LFS_MAX_FILE_SIZE"`
|
LocksPagingNum int `ini:"LFS_LOCKS_PAGING_NUM"`
|
||||||
LocksPagingNum int `ini:"LFS_LOCKS_PAGING_NUM"`
|
|
||||||
|
|
||||||
Storage *Storage
|
Storage *Storage
|
||||||
}{}
|
}{}
|
||||||
|
@ -61,10 +58,10 @@ func loadLFSFrom(rootCfg ConfigProvider) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
LFS.JWTSecretBase64 = loadSecret(rootCfg.Section("server"), "LFS_JWT_SECRET_URI", "LFS_JWT_SECRET")
|
jwtSecretBase64 := loadSecret(rootCfg.Section("server"), "LFS_JWT_SECRET_URI", "LFS_JWT_SECRET")
|
||||||
LFS.JWTSecretBytes, err = util.Base64FixedDecode(base64.RawURLEncoding, []byte(LFS.JWTSecretBase64), 32)
|
LFS.JWTSecretBytes, err = generate.DecodeJwtSecret(jwtSecretBase64)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
LFS.JWTSecretBytes, LFS.JWTSecretBase64, err = generate.NewJwtSecret()
|
LFS.JWTSecretBytes, jwtSecretBase64, err = generate.NewJwtSecret()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("error generating JWT Secret for custom config: %v", err)
|
return fmt.Errorf("error generating JWT Secret for custom config: %v", err)
|
||||||
}
|
}
|
||||||
|
@ -74,8 +71,8 @@ func loadLFSFrom(rootCfg ConfigProvider) error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("error saving JWT Secret for custom config: %v", err)
|
return fmt.Errorf("error saving JWT Secret for custom config: %v", err)
|
||||||
}
|
}
|
||||||
rootCfg.Section("server").Key("LFS_JWT_SECRET").SetValue(LFS.JWTSecretBase64)
|
rootCfg.Section("server").Key("LFS_JWT_SECRET").SetValue(jwtSecretBase64)
|
||||||
saveCfg.Section("server").Key("LFS_JWT_SECRET").SetValue(LFS.JWTSecretBase64)
|
saveCfg.Section("server").Key("LFS_JWT_SECRET").SetValue(jwtSecretBase64)
|
||||||
if err := saveCfg.Save(); err != nil {
|
if err := saveCfg.Save(); err != nil {
|
||||||
return fmt.Errorf("error saving JWT Secret for custom config: %v", err)
|
return fmt.Errorf("error saving JWT Secret for custom config: %v", err)
|
||||||
}
|
}
|
||||||
|
|
|
@ -4,13 +4,12 @@
|
||||||
package setting
|
package setting
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"encoding/base64"
|
|
||||||
"math"
|
"math"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
|
"sync/atomic"
|
||||||
|
|
||||||
"code.gitea.io/gitea/modules/generate"
|
"code.gitea.io/gitea/modules/generate"
|
||||||
"code.gitea.io/gitea/modules/log"
|
"code.gitea.io/gitea/modules/log"
|
||||||
"code.gitea.io/gitea/modules/util"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// OAuth2UsernameType is enum describing the way gitea 'name' should be generated from oauth2 data
|
// OAuth2UsernameType is enum describing the way gitea 'name' should be generated from oauth2 data
|
||||||
|
@ -98,7 +97,6 @@ var OAuth2 = struct {
|
||||||
RefreshTokenExpirationTime int64
|
RefreshTokenExpirationTime int64
|
||||||
InvalidateRefreshTokens bool
|
InvalidateRefreshTokens bool
|
||||||
JWTSigningAlgorithm string `ini:"JWT_SIGNING_ALGORITHM"`
|
JWTSigningAlgorithm string `ini:"JWT_SIGNING_ALGORITHM"`
|
||||||
JWTSecretBase64 string `ini:"JWT_SECRET"`
|
|
||||||
JWTSigningPrivateKeyFile string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"`
|
JWTSigningPrivateKeyFile string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"`
|
||||||
MaxTokenLength int
|
MaxTokenLength int
|
||||||
DefaultApplications []string
|
DefaultApplications []string
|
||||||
|
@ -130,28 +128,50 @@ func loadOAuth2From(rootCfg ConfigProvider) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
OAuth2.JWTSecretBase64 = loadSecret(sec, "JWT_SECRET_URI", "JWT_SECRET")
|
jwtSecretBase64 := loadSecret(sec, "JWT_SECRET_URI", "JWT_SECRET")
|
||||||
|
|
||||||
if !filepath.IsAbs(OAuth2.JWTSigningPrivateKeyFile) {
|
if !filepath.IsAbs(OAuth2.JWTSigningPrivateKeyFile) {
|
||||||
OAuth2.JWTSigningPrivateKeyFile = filepath.Join(AppDataPath, OAuth2.JWTSigningPrivateKeyFile)
|
OAuth2.JWTSigningPrivateKeyFile = filepath.Join(AppDataPath, OAuth2.JWTSigningPrivateKeyFile)
|
||||||
}
|
}
|
||||||
|
|
||||||
if InstallLock {
|
if InstallLock {
|
||||||
if _, err := util.Base64FixedDecode(base64.RawURLEncoding, []byte(OAuth2.JWTSecretBase64), 32); err != nil {
|
jwtSecretBytes, err := generate.DecodeJwtSecret(jwtSecretBase64)
|
||||||
_, OAuth2.JWTSecretBase64, err = generate.NewJwtSecret()
|
if err != nil {
|
||||||
|
jwtSecretBytes, jwtSecretBase64, err = generate.NewJwtSecret()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Fatal("error generating JWT secret: %v", err)
|
log.Fatal("error generating JWT secret: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
saveCfg, err := rootCfg.PrepareSaving()
|
saveCfg, err := rootCfg.PrepareSaving()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Fatal("save oauth2.JWT_SECRET failed: %v", err)
|
log.Fatal("save oauth2.JWT_SECRET failed: %v", err)
|
||||||
}
|
}
|
||||||
rootCfg.Section("oauth2").Key("JWT_SECRET").SetValue(OAuth2.JWTSecretBase64)
|
rootCfg.Section("oauth2").Key("JWT_SECRET").SetValue(jwtSecretBase64)
|
||||||
saveCfg.Section("oauth2").Key("JWT_SECRET").SetValue(OAuth2.JWTSecretBase64)
|
saveCfg.Section("oauth2").Key("JWT_SECRET").SetValue(jwtSecretBase64)
|
||||||
if err := saveCfg.Save(); err != nil {
|
if err := saveCfg.Save(); err != nil {
|
||||||
log.Fatal("save oauth2.JWT_SECRET failed: %v", err)
|
log.Fatal("save oauth2.JWT_SECRET failed: %v", err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
generalSigningSecret.Store(&jwtSecretBytes)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// generalSigningSecret is used as container for a []byte value
|
||||||
|
// instead of an additional mutex, we use CompareAndSwap func to change the value thread save
|
||||||
|
var generalSigningSecret atomic.Pointer[[]byte]
|
||||||
|
|
||||||
|
func GetGeneralTokenSigningSecret() []byte {
|
||||||
|
old := generalSigningSecret.Load()
|
||||||
|
if old == nil || len(*old) == 0 {
|
||||||
|
jwtSecret, _, err := generate.NewJwtSecret()
|
||||||
|
if err != nil {
|
||||||
|
log.Fatal("Unable to generate general JWT secret: %s", err.Error())
|
||||||
|
}
|
||||||
|
if generalSigningSecret.CompareAndSwap(old, &jwtSecret) {
|
||||||
|
// FIXME: in main branch, the signing token should be refactored (eg: one unique for LFS/OAuth2/etc ...)
|
||||||
|
log.Warn("OAuth2 is not enabled, unable to use a persistent signing secret, a new one is generated, which is not persistent between restarts and cluster nodes")
|
||||||
|
return jwtSecret
|
||||||
|
}
|
||||||
|
return *generalSigningSecret.Load()
|
||||||
|
}
|
||||||
|
return *old
|
||||||
|
}
|
||||||
|
|
34
modules/setting/oauth2_test.go
Normal file
34
modules/setting/oauth2_test.go
Normal file
|
@ -0,0 +1,34 @@
|
||||||
|
// Copyright 2024 The Gitea Authors. All rights reserved.
|
||||||
|
// SPDX-License-Identifier: MIT
|
||||||
|
|
||||||
|
package setting
|
||||||
|
|
||||||
|
import (
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"code.gitea.io/gitea/modules/generate"
|
||||||
|
"code.gitea.io/gitea/modules/test"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestGetGeneralSigningSecret(t *testing.T) {
|
||||||
|
// when there is no general signing secret, it should be generated, and keep the same value
|
||||||
|
assert.Nil(t, generalSigningSecret.Load())
|
||||||
|
s1 := GetGeneralTokenSigningSecret()
|
||||||
|
assert.NotNil(t, s1)
|
||||||
|
s2 := GetGeneralTokenSigningSecret()
|
||||||
|
assert.Equal(t, s1, s2)
|
||||||
|
|
||||||
|
// the config value should always override any pre-generated value
|
||||||
|
cfg, _ := NewConfigProviderFromData(`
|
||||||
|
[oauth2]
|
||||||
|
JWT_SECRET = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
|
||||||
|
`)
|
||||||
|
defer test.MockVariableValue(&InstallLock, true)()
|
||||||
|
loadOAuth2From(cfg)
|
||||||
|
actual := GetGeneralTokenSigningSecret()
|
||||||
|
expected, _ := generate.DecodeJwtSecret("BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB")
|
||||||
|
assert.Len(t, actual, 32)
|
||||||
|
assert.EqualValues(t, expected, actual)
|
||||||
|
}
|
|
@ -6,7 +6,6 @@ package util
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"encoding/base64"
|
|
||||||
"fmt"
|
"fmt"
|
||||||
"math/big"
|
"math/big"
|
||||||
"strconv"
|
"strconv"
|
||||||
|
@ -246,13 +245,3 @@ func ToFloat64(number any) (float64, error) {
|
||||||
func ToPointer[T any](val T) *T {
|
func ToPointer[T any](val T) *T {
|
||||||
return &val
|
return &val
|
||||||
}
|
}
|
||||||
|
|
||||||
func Base64FixedDecode(encoding *base64.Encoding, src []byte, length int) ([]byte, error) {
|
|
||||||
decoded := make([]byte, encoding.DecodedLen(len(src))+3)
|
|
||||||
if n, err := encoding.Decode(decoded, src); err != nil {
|
|
||||||
return nil, err
|
|
||||||
} else if n != length {
|
|
||||||
return nil, fmt.Errorf("invalid base64 decoded length: %d, expects: %d", n, length)
|
|
||||||
}
|
|
||||||
return decoded[:length], nil
|
|
||||||
}
|
|
||||||
|
|
|
@ -4,7 +4,6 @@
|
||||||
package util
|
package util
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"encoding/base64"
|
|
||||||
"regexp"
|
"regexp"
|
||||||
"strings"
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
|
@ -234,16 +233,3 @@ func TestToPointer(t *testing.T) {
|
||||||
val123 := 123
|
val123 := 123
|
||||||
assert.False(t, &val123 == ToPointer(val123))
|
assert.False(t, &val123 == ToPointer(val123))
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestBase64FixedDecode(t *testing.T) {
|
|
||||||
_, err := Base64FixedDecode(base64.RawURLEncoding, []byte("abcd"), 32)
|
|
||||||
assert.ErrorContains(t, err, "invalid base64 decoded length")
|
|
||||||
_, err = Base64FixedDecode(base64.RawURLEncoding, []byte(strings.Repeat("a", 64)), 32)
|
|
||||||
assert.ErrorContains(t, err, "invalid base64 decoded length")
|
|
||||||
|
|
||||||
str32 := strings.Repeat("x", 32)
|
|
||||||
encoded32 := base64.RawURLEncoding.EncodeToString([]byte(str32))
|
|
||||||
decoded32, err := Base64FixedDecode(base64.RawURLEncoding, []byte(encoded32), 32)
|
|
||||||
assert.NoError(t, err)
|
|
||||||
assert.Equal(t, str32, string(decoded32))
|
|
||||||
}
|
|
||||||
|
|
|
@ -38,7 +38,7 @@ func CreateAuthorizationToken(taskID, runID, jobID int64) (string, error) {
|
||||||
}
|
}
|
||||||
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
||||||
|
|
||||||
tokenString, err := token.SignedString([]byte(setting.SecretKey))
|
tokenString, err := token.SignedString(setting.GetGeneralTokenSigningSecret())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
|
@ -62,7 +62,7 @@ func ParseAuthorizationToken(req *http.Request) (int64, error) {
|
||||||
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
|
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
|
||||||
return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
|
return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
|
||||||
}
|
}
|
||||||
return []byte(setting.SecretKey), nil
|
return setting.GetGeneralTokenSigningSecret(), nil
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return 0, err
|
return 0, err
|
||||||
|
|
|
@ -20,7 +20,7 @@ func TestCreateAuthorizationToken(t *testing.T) {
|
||||||
assert.NotEqual(t, "", token)
|
assert.NotEqual(t, "", token)
|
||||||
claims := jwt.MapClaims{}
|
claims := jwt.MapClaims{}
|
||||||
_, err = jwt.ParseWithClaims(token, claims, func(t *jwt.Token) (interface{}, error) {
|
_, err = jwt.ParseWithClaims(token, claims, func(t *jwt.Token) (interface{}, error) {
|
||||||
return []byte(setting.SecretKey), nil
|
return setting.GetGeneralTokenSigningSecret(), nil
|
||||||
})
|
})
|
||||||
assert.Nil(t, err)
|
assert.Nil(t, err)
|
||||||
scp, ok := claims["scp"]
|
scp, ok := claims["scp"]
|
||||||
|
|
|
@ -300,7 +300,7 @@ func InitSigningKey() error {
|
||||||
case "HS384":
|
case "HS384":
|
||||||
fallthrough
|
fallthrough
|
||||||
case "HS512":
|
case "HS512":
|
||||||
key, err = loadSymmetricKey()
|
key = setting.GetGeneralTokenSigningSecret()
|
||||||
case "RS256":
|
case "RS256":
|
||||||
fallthrough
|
fallthrough
|
||||||
case "RS384":
|
case "RS384":
|
||||||
|
@ -333,12 +333,6 @@ func InitSigningKey() error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// loadSymmetricKey checks if the configured secret is valid.
|
|
||||||
// If it is not valid, it will return an error.
|
|
||||||
func loadSymmetricKey() (any, error) {
|
|
||||||
return util.Base64FixedDecode(base64.RawURLEncoding, []byte(setting.OAuth2.JWTSecretBase64), 32)
|
|
||||||
}
|
|
||||||
|
|
||||||
// loadOrCreateAsymmetricKey checks if the configured private key exists.
|
// loadOrCreateAsymmetricKey checks if the configured private key exists.
|
||||||
// If it does not exist a new random key gets generated and saved on the configured path.
|
// If it does not exist a new random key gets generated and saved on the configured path.
|
||||||
func loadOrCreateAsymmetricKey() (any, error) {
|
func loadOrCreateAsymmetricKey() (any, error) {
|
||||||
|
|
|
@ -33,7 +33,7 @@ func CreateAuthorizationToken(u *user_model.User) (string, error) {
|
||||||
}
|
}
|
||||||
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
||||||
|
|
||||||
tokenString, err := token.SignedString([]byte(setting.SecretKey))
|
tokenString, err := token.SignedString(setting.GetGeneralTokenSigningSecret())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
|
@ -57,7 +57,7 @@ func ParseAuthorizationToken(req *http.Request) (int64, error) {
|
||||||
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
|
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
|
||||||
return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
|
return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
|
||||||
}
|
}
|
||||||
return []byte(setting.SecretKey), nil
|
return setting.GetGeneralTokenSigningSecret(), nil
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return 0, err
|
return 0, err
|
||||||
|
|
Loading…
Reference in a new issue