jwt token generation improvement (#557)

* add some warning comment for those who want to choose their secret
* strictly follow the golang doc for using crypto/rand
* fatal if not enough entropy
* add a check when using a pre-chosen secret
registergoofy 2021-01-07 14:24:53 +01:00 committed by GitHub
parent f25acab313
commit eda9c03c82


@ -147,19 +147,23 @@ func NewJWT(dbClient *database.Client) (*JWT, error) {
secret []byte
)
//Please be aware that brute force HS256 is possible.
//PLEASE choose a STRONG secret
secret_string := os.Getenv("CS_LAPI_SECRET")
if secret_string == "" {
secret = make([]byte, 8)
if n, err := rand.Reader.Read(secret); err != nil {
log.Fatalf("Unable to generate a new random seed for JWT generation")
secret = make([]byte, 64)
if n, err := rand.Read(secret); err != nil {
log.Fatalf("unable to generate a new random seed for JWT generation")
} else {
if n != 8 {
log.Errorf("Not enough entropy at random seed generation for JWT generation")
if n != 64 {
log.Fatalf("not enough entropy at random seed generation for JWT generation")
}
}
} else {
secret = []byte(secret_string)
if len(secret) < 64 {
log.Fatalf("secret not strong enough")
}
}
jwtMiddleware := &JWT{