domi/forgejo-domi
1
0
Fork 0
forked from forgejo/forgejo
Code Pull requests Activity

Port "Use general token signing secret"

Browse source 
Port of https://github.com/go-gitea/gitea/pull/29205

Use a clearly defined "signing secret" for token signing.

(cherry picked from commit 8be198cdef0a486f417663b1fd6878458d7e5d92)
This commit is contained in:
wxiaoguang 2024-02-19 01:39:04 +08:00 committed by Gusted
parent cfd6420a0e
commit 62d3e5255f
No known key found for this signature in database
GPG key ID: FD821B732837125F
13 changed files with 131 additions and 61 deletions
Download patch file Download diff file Expand all files Collapse all files

4
services/packages/auth.go
View file

@ -33,7 +33,7 @@ func CreateAuthorizationToken(u *user_model.User) (string, error) {
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
tokenString, err := token.SignedString([]byte(setting.SecretKey))
tokenString, err := token.SignedString(setting.GetGeneralTokenSigningSecret())
if err != nil {
return "", err
}
@ -57,7 +57,7 @@ func ParseAuthorizationToken(req *http.Request) (int64, error) {
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
}
return []byte(setting.SecretKey), nil
return setting.GetGeneralTokenSigningSecret(), nil
})
if err != nil {
return 0, err