Use of Hard-coded Credentials in token.go

[gtqbhksl]

pkg/token/token.go

var (
	config = Config{"Rtg8BPKNEf2mB4mgvKONGPZZQSaJWNLijxR42qRgq0iBb5", "identityKey"}
	once   sync.Once
)
...........
...........
// Sign 使用 jwtSecret 签发 token，token 的 claims 中会存放传入的 subject.
func Sign(identityKey string) (tokenString string, err error) {
	// Token 的内容
	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
		config.identityKey: identityKey,
		"nbf":              time.Now().Unix(),
		"iat":              time.Now().Unix(),
		"exp":              time.Now().Add(100000 * time.Hour).Unix(),
	})
	// 签发 token
	tokenString, err = token.SignedString([]byte(config.key))

	return
}

In line 94 of the file 'pkg/token/token.go', hard-coded credentials (config.key) are used. This means that the key is written directly in the code or is provided to the program in some other way (such as a configuration file or environment variable). Hard-coded credentials are a very serious security risk because anyone who has access to the code or configuration can get hold of this key, potentially leading to unauthorized access or action. In addition, if the codebase is compromised or obtained by an attacker, hard-coded keys can also be used to forge legitimate tokens or other sensitive operations.

[dengmengmian]

ok