Production mode shouldn't have a default JWT signing secret

Open stuartc opened this issue 1 year ago • 1 comments

Details

Currently, when generating User API tokens, they are signed using Joken's default signer, which is signed with a string of secret.

This means that tokens can be forged.

Fortunately we verify that the token exists in the database, and we use the jti claim, making it all but impossible to produce a token with the same signature.

However if at some point we verify tokens without querying the database, then this would be a security vulnerability.

Implementation notes

At the very least we need to have prod.exs set the Joken default signer to nil, and then use an environment variable to set the signing secret.

In order to avoid issues with defaults, we could perhaps adopt the same pattern as the worker tokens - where the signer is not defined in config/ but rather inside Lightning.Config.

Release notes

User acceptance criteria

The application should fail to start in production mode without an API_TOKEN_SIGNING_SECRET env var.

stuartc avatar Mar 19 '24 06:03 stuartc
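One way to realise these implementation notes, added here as an example rather than Lightning's own code: a Lightning.Config-style accessor that refuses to boot without API_TOKEN_SIGNING_SECRET, and a Joken.Config module that signs with that secret only and still checks the jti against the token store. MyApp.ApiTokenConfig, MyApp.ApiToken, mint/1, verify/2 and the lookup callback are assumed names; the Joken calls follow the Joken 2.x API.

```elixir
# Added example, not Lightning's own code; module and function names are assumed.
defmodule MyApp.ApiTokenConfig do
  # Read the secret from the environment. Calling this during boot (e.g. from
  # config/runtime.exs) makes the prod release fail to start instead of
  # silently signing with a known default key.
  def signing_secret! do
    case System.get_env("API_TOKEN_SIGNING_SECRET") do
      secret when is_binary(secret) and byte_size(secret) >= 32 -> secret
      nil -> raise ArgumentError, "API_TOKEN_SIGNING_SECRET must be set in production"
      _ -> raise ArgumentError, "API_TOKEN_SIGNING_SECRET must be at least 32 bytes"
    end
  end

  # The only signer used for API tokens; config/prod.exs should also set
  # `config :joken, default_signer: nil` so nothing falls back to the library default.
  def signer, do: Joken.Signer.create("HS256", signing_secret!())
end

defmodule MyApp.ApiToken do
  use Joken.Config

  @impl true
  def token_config do
    # default_claims/1 generates jti, iat, nbf and exp; jti is what the
    # database lookup in verify/2 keys on.
    default_claims(default_exp: 60 * 60 * 24 * 30, iss: "myapp", skip: [:aud])
  end

  def mint(user_id) do
    generate_and_sign(%{"sub" => to_string(user_id)}, MyApp.ApiTokenConfig.signer())
  end

  # `lookup_fun` takes the jti and returns true only when that token row
  # exists and is not revoked. Keeping this check means a forged or
  # replayed token still fails even if the signing secret ever leaks.
  def verify(token, lookup_fun) do
    with {:ok, %{"jti" => jti} = claims} <-
           verify_and_validate(token, MyApp.ApiTokenConfig.signer()),
         true <- lookup_fun.(jti) do
      {:ok, claims}
    else
      {:ok, _no_jti} -> {:error, :missing_jti}
      false -> {:error, :token_revoked}
      {:error, reason} -> {:error, reason}
    end
  end
end
```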

@stuartc how urgent is this issue? Should we prioritize it as a small fix?

christad92 avatar Jul 18 '24 05:07 christad92