juice-shop · bkimminich · Oct 12, 2017 · Aug 6, 2017 · Aug 27, 2017 · Aug 27, 2017
diff --git a/lib/insecurity.js b/lib/insecurity.js
@@ -6,8 +6,8 @@ const sanitizeHtml = require('sanitize-html')
 const z85 = require('z85')
 const utils = require('./utils')
 
-const defaultSecret = 'JOSE'
-exports.defaultSecret = defaultSecret
+const publicKey = '-----BEGIN RSA PUBLIC KEY-----\r\nMIGJAoGBAM3CosR73CBNcJsLv5E90NsFt6qN1uziQ484gbOoule8leXHFbyIzPQRozgEpSpiwhr6d2/c0CfZHEJ3m5tV0klxfjfM7oqjRMURnH/rmBjcETQ7qzIISZQ/iptJ3p7Gi78X5ZMhLNtDkUFU9WaGdiEb+SnC39wjErmJSfmGb7i1AgMBAAE=\r\n-----END RSA PUBLIC KEY-----'
+const privateKey = '-----BEGIN RSA PRIVATE KEY-----\r\nMIICXAIBAAKBgQDNwqLEe9wgTXCbC7+RPdDbBbeqjdbs4kOPOIGzqLpXvJXlxxW8iMz0EaM4BKUqYsIa+ndv3NAn2RxCd5ubVdJJcX43zO6Ko0TFEZx/65gY3BE0O6syCEmUP4qbSd6exou/F+WTISzbQ5FBVPVmhnYhG/kpwt/cIxK5iUn5hm+4tQIDAQABAoGBAI+8xiPoOrA+KMnG/T4jJsG6TsHQcDHvJi7o1IKC/hnIXha0atTX5AUkRRce95qSfvKFweXdJXSQ0JMGJyfuXgU6dI0TcseFRfewXAa/ssxAC+iUVR6KUMh1PE2wXLitfeI6JLvVtrBYswm2I7CtY0q8n5AGimHWVXJPLfGV7m0BAkEA+fqFt2LXbLtyg6wZyxMA/cnmt5Nt3U2dAu77MzFJvibANUNHE4HPLZxjGNXN+a6m0K6TD4kDdh5HfUYLWWRBYQJBANK3carmulBwqzcDBjsJ0YrIONBpCAsXxk8idXb8jL9aNIg15Wumm2enqqObahDHB5jnGOLmbasizvSVqypfM9UCQCQl8xIqy+YgURXzXCN+kwUgHinrutZms87Jyi+D8Br8NY0+Nlf+zHvXAomD2W5CsEK7C+8SLBr3k/TsnRWHJuECQHFE9RA2OP8WoaLPuGCyFXaxzICThSRZYluVnWkZtxsBhW2W8z1b8PvWUE7kMy7TnkzeJS2LSnaNHoyxi7IaPQUCQCwWU4U+v4lD7uYBw00Ga/xt+7+UqFPlPVdz1yyr4q24Zxaw0LgmuEvgU5dycq8N7JxjTubX0MIRR+G9fmDBBl8=\r\n-----END RSA PRIVATE KEY-----'
 
 exports.hash = data => crypto.createHash('md5').update(data).digest('hex')
 
@@ -21,11 +21,11 @@ exports.cutOffPoisonNullByte = str => {
   return str
 }
 
-exports.isAuthorized = role => expressJwt({secret: role || defaultSecret})
+exports.isAuthorized = role => expressJwt({secret: role || publicKey})
 
 exports.denyAll = () => expressJwt({secret: '' + Math.random()})
 
-exports.authorize = (user, role) => jwt.sign(user || {}, role || defaultSecret, { expiresIn: 3600 * 5 })
+exports.authorize = (user, role) => jwt.sign(user || {}, role || privateKey, { expiresIn: 3600 * 5, algorithm: 'RS256' })
 
 exports.sanitizeHtml = html => sanitizeHtml(html)
 

diff --git a/package.json b/package.json
@@ -46,7 +46,7 @@
     "epilogue-js": "~0.7",
     "errorhandler": "~1.5",
     "express": "~4.15",
-    "express-jwt": "~5.3",
+    "express-jwt": "0.1.3",
     "fs-extra": "~4.0",
     "glob": "~5.0",
     "grunt": "~1.0",

diff --git a/routes/search.js b/routes/search.js