From 1491e2b6f34f42d17e0386115cc806097cb36d9f Mon Sep 17 00:00:00 2001
From: Matthias
Date: Mon, 5 Sep 2022 15:59:15 +0200
Subject: [PATCH] Generate jwt secret on first start instead of hardcoded secret
Closes #26
---
 backend/src/controllers/auth/auth_common.cpp | 20 +++++++++++++++++---
 backend/src/controllers/auth/auth_gitlab.cpp | 4 ++--
 backend/src/controllers/controllers.h | 1 +
 backend/src/db/db.h | 2 --
 backend/src/filters/filters.cpp | 2 +-
 5 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/backend/src/controllers/auth/auth_common.cpp b/backend/src/controllers/auth/auth_common.cpp
index da82936..d396a3f 100644
--- a/backend/src/controllers/auth/auth_common.cpp
+++ b/backend/src/controllers/auth/auth_common.cpp
@@ -3,9 +3,9 @@
 #pragma ide diagnostic ignored "readability-convert-member-functions-to-static"
 #include
-#include
+#include
+#include
-#include
 #include
 #include
@@ -76,7 +76,7 @@ namespace api {
 .set_payload_claim("jti", picojson::value((int64_t)new_token.getValueOfId()))
 .set_issued_at(std::chrono::system_clock::from_time_t(iat.count()))
 .set_expires_at(std::chrono::system_clock::from_time_t(exp.count()))
- .sign(jwt::algorithm::hs256{jwt_secret});
+ .sign(jwt::algorithm::hs256{get_jwt_secret()});
 }
 void auth::generate_root(db::User& user) {
@@ -91,6 +91,20 @@ namespace api {
 db::MapperToken token_mapper(drogon::app().getDbClient());
 token_mapper.deleteBy(db::Criteria(db::Token::Cols::_owner_id, db::CompareOps::EQ, user.getValueOfId()));
 }
+
+ std::string auth::get_jwt_secret() {
+ static std::string token;
+ if (token.empty()) {
+ if (!std::filesystem::exists("jwt.secret")) {
+ auto new_token = rng->random_vec(128);
+ std::ofstream file("jwt.secret", std::ofstream::binary);
+ file.write((const char*)new_token.data(), (std::streamsize)new_token.size());
+ }
+ std::ifstream file("jwt.secret", std::ifstream::binary);
+ token = {std::istreambuf_iterator(file), std::istreambuf_iterator()};
+ }
+ return token;
+ }
 }
 #pragma clang diagnostic pop
diff --git a/backend/src/controllers/auth/auth_gitlab.cpp b/backend/src/controllers/auth/auth_gitlab.cpp
index f27c007..2af6d53 100644
--- a/backend/src/controllers/auth/auth_gitlab.cpp
+++ b/backend/src/controllers/auth/auth_gitlab.cpp
@@ -82,7 +82,7 @@ namespace api {
 );
 }
- void auth::gitlab(req_type req, cbk_type cbk) {
+ void auth::gitlab(req_type, cbk_type cbk) {
 std::stringstream ss;
 ss << config::get_url() << "/oauth/authorize" << "?redirect_uri=" << get_redirect_uri()
@@ -91,7 +91,7 @@ namespace api {
 cbk(drogon::HttpResponse::newRedirectionResponse(ss.str()));
 }
- void auth::gitlab_callback(req_type req, cbk_type cbk, std::string code) {
+ void auth::gitlab_callback(req_type, cbk_type cbk, std::string code) {
 auto tokens = get_gitlab_tokens(code, false);
 if (!tokens.has_value()) return cbk(dto::Responses::get_unauth_res("Invalid code"));
diff --git a/backend/src/controllers/controllers.h b/backend/src/controllers/controllers.h
index fe8c98d..fa2a8c1 100644
--- a/backend/src/controllers/controllers.h
+++ b/backend/src/controllers/controllers.h
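Review bot: get_jwt_secret() fails open: when `jwt.secret` cannot be created or read back, `token` stays empty and HS256 signing in get_token and verification in filters.cpp both proceed with an empty key instead of refusing to run. The `if (token.empty())` check-then-assign on the static is also unsynchronised, so concurrent first requests can race on `token`, and the file is created with the process's default mode in the working directory, which may leave the key readable by other local accounts. Initialising a `static const` from a lambda, restricting the file to owner read/write, and throwing on a short or unreadable key covers all three (the throw needs `<stdexcept>`). `rng` is declared outside this hunk, so confirm it is a cryptographically secure generator.

```cpp
std::string auth::get_jwt_secret() {
    // Function-local static with an initializer: set up once, thread-safely.
    static const std::string secret = [] {
        const std::filesystem::path path{"jwt.secret"};
        if (!std::filesystem::exists(path)) {
            // … unchanged: new_token = rng->random_vec(128) …
            std::ofstream out(path, std::ofstream::binary);
            // Owner-only before the key bytes land on disk.
            std::filesystem::permissions(path,
                std::filesystem::perms::owner_read | std::filesystem::perms::owner_write);
            out.write((const char*)new_token.data(), (std::streamsize)new_token.size());
            out.close();
            if (!out) throw std::runtime_error("could not write jwt.secret");
        }
        std::ifstream in(path, std::ifstream::binary);
        std::string key{std::istreambuf_iterator<char>(in), std::istreambuf_iterator<char>()};
        // RFC 7518 §3.2: an HS256 key must be at least 256 bits.
        if (key.size() < 32) throw std::runtime_error("jwt.secret is missing or too short");
        return key;
    }();
    return secret;
}
```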
@@ -67,6 +67,7 @@ public:
 static std::string get_token(const db::User&);
 static void generate_root(db::User&);
 static void revoke_all(const db::User&);
+ static std::string get_jwt_secret();
 void gitlab(req_type, cbk_type);
 void gitlab_callback(req_type, cbk_type, std::string code);
diff --git a/backend/src/db/db.h b/backend/src/db/db.h
index 06e1165..5807c01 100644
--- a/backend/src/db/db.h
+++ b/backend/src/db/db.h
@@ -10,8 +10,6 @@
 #include "Tokens.h"
 #include "User.h"
-const std::string jwt_secret = "CUM";
-
 namespace db {
 enum UserRole : int {
 ADMIN = 2,
diff --git a/backend/src/filters/filters.cpp b/backend/src/filters/filters.cpp
index 058bfd9..c446439 100644
--- a/backend/src/filters/filters.cpp
+++ b/backend/src/filters/filters.cpp
@@ -27,7 +27,7 @@ void Login::doFilter(const drogon::HttpRequestPtr& req, drogon::FilterCallback&&
 try {
 auto token = jwt::decode(token_str);
 jwt::verify()
- .allow_algorithm(jwt::algorithm::hs256{jwt_secret})
+ .allow_algorithm(jwt::algorithm::hs256{api::auth::get_jwt_secret()})
 .verify(token);
 uint64_t token_id = token.get_payload_claim("jti").as_int();
 uint64_t user_id = token.get_payload_claim("sub").as_int();
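Review bot: The new `get_jwt_secret()` declaration in controllers.h has no comment, although the definition in auth_common.cpp creates `jwt.secret` in the process working directory on first call and returns the raw signing key. A doc comment here would tell deployers that the directory must be writable and persistent and that the file must stay private, e.g. `/// Returns the HS256 signing key; the first call generates it and stores it in ./jwt.secret (keep private, persist across restarts).` The class body starts and ends outside the hunk.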