
removed the hard coded jwt secret key #353

Merged
merged 1 commit into from Feb 14, 2022

Conversation

Real-XkLi
The hard-coded JWT secret key allows an attacker to generate authentication tokens and assume the role of the admin without needing the password.
It was replaced with a routine to create a new JWT secret token during every startup. This leads to all previous tokens being invalidated after a restart of lxdui.

Changes to be committed:
modified: metadata.py
modified: api/utils/authentication.py

…to create a new secret key during each initiation

Changes to be committed:
modified:   __metadata__.py
modified:   api/utils/authentication.py
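The two patterns the PR description contrasts, as an added example that is not lxdui's own code: a minimal HS256 JWT signer/verifier, the committed-literal secret it removes (a constructed placeholder here, not the project's real value), and the per-startup random key that replaces it, with a simulated restart showing why earlier tokens stop verifying.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Anti-pattern the PR removes: a literal secret checked into the repository.
# Everyone with read access to the source shares the signing key.
HARDCODED_SECRET = b"constructed-placeholder-not-the-real-value"


def new_secret_key() -> bytes:
    """Fixed pattern: a fresh 256-bit key drawn from the OS CSPRNG at each process start."""
    return secrets.token_bytes(32)


def issue_token(payload: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT: base64url(header).base64url(payload).base64url(hmac)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes):
    """Return the payload if the signature matches `secret` and alg is HS256, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse any other algorithm, including "none"
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # constant-time comparison of the MAC
        return json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None


def simulate_restart():
    """A token issued before a restart is rejected after it, as the PR description states."""
    first_boot = new_secret_key()
    token = issue_token({"sub": "admin", "role": "admin"}, first_boot)
    assert verify_token(token, first_boot)["role"] == "admin"  # valid while the process lives
    second_boot = new_secret_key()  # lxdui restarted: new key, old sessions invalidated
    return verify_token(token, second_boot)  # None
```

Run `simulate_restart()` to see the invalidation; the trade-off is that every restart logs all users out, which is the behaviour the PR description accepts.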
@jetroni (Contributor) commented Feb 14, 2022

Thank you for your contribution!

@jetroni jetroni merged commit e4bffeb into AdaptiveScale:develop Feb 14, 2022