Add asymmetric JWT signing #16010
Add asymmetric JWT signing #16010
Conversation
techknowlogick
added
type/feature
GiteaBot
added
the
lgtm/need 2
Codecov Report
@@ Coverage Diff @@
## main #16010 +/- ##
==========================================
- Coverage 44.57% 44.50% -0.07%
==========================================
Files 700 701 +1
Lines 82867 83092 +225
==========================================
+ Hits 36940 36984 +44
- Misses 39936 40105 +169
- Partials 5991 6003 +12
Continue to review full report at Codecov.
|
| @@ -350,7 +350,7 @@ relation to port exhaustion. | |||
| - `ISSUE_INDEXER_PATH`: **indexers/issues.bleve**: Index file used for issue search; available when ISSUE_INDEXER_TYPE is bleve and elasticsearch. | |||
| - The next 4 configuration values are deprecated and should be set in `queue.issue_indexer` however are kept for backwards compatibility: | |||
| - `ISSUE_INDEXER_QUEUE_TYPE`: **levelqueue**: Issue indexer queue, currently supports:`channel`, `levelqueue`, `redis`. | |||
| - `ISSUE_INDEXER_QUEUE_DIR`: **queues/common**: When `ISSUE_INDEXER_QUEUE_TYPE` is `levelqueue`, this will be the path where the queue will be saved. (Previously this was `indexers/issues.queue`.) | |||
There was a problem hiding this comment.
per discussion in chat, these changed lines are fine due to the fact that it cleans up line endings (shakes fist at windows)
There was a problem hiding this comment.
Thank you so much so far on your work on this PR!!
I was able to sign into Sourcegraph using this PR, however testing this PR more I found that 1. sourcegraph may not be using the cert to validate the signature on this token, 2. possibly the upstream jwt library may not be signing the token correctly.
| func loadOrCreateSymmetricKey() (interface{}, error) { | ||
| key := make([]byte, 32) | ||
| n, err := base64.RawURLEncoding.Decode(key, []byte(setting.OAuth2.JWTSecretBase64)) | ||
| if err != nil || n != 32 { |
There was a problem hiding this comment.
Currently only 32 bytes are allowed. Should we really enforce this? Smaller keys are valid and larger keys are hashed by the internal hashing algorithm to create a secret with the correct length.
https://github.com/golang/go/blob/2ebe77a2fda1ee9ff6fd9a3e08933ad1ebaea039/src/crypto/hmac/hmac.go#L148-L152
…-jwt-asymmetric
GiteaBot
added
lgtm/need 1
…-jwt-asymmetric
GiteaBot
added
lgtm/done
zeripath
added
the
pr/breaking
|
Friendly warning to anyone out there using Drone - it fails to support new tokens which are too long |
|
TL;DR: For Drone compatibility... Set the gitea environment variable to: And restart gitea - OR - alter your database to accommodate the longer value that needs to be stored. Something like the following might work, or perhaps set the column type to TEXT instead of BYTEA. ALTER TABLE users ALTER COLUMN user_oauth_token BYTEA;I would suggest modifying the column in the drone db for production environments since the intention is to improve security with asymmetric tokens. By default, the column is setup as a |
|
A shorter RSA key may help too. The default key size is 4096 bit. |
|
thanks for the hint, for more issues etc please open a new issues |
Close #15912
Added asymmetric JWT signing. Supports
HS256(already implemented),HS384,HS512,RS256,RS384,RS512,ES256,ES384andES512.The default signing algorithm is changed from
HS256(symmetric encryption) toRS256(asymmetric encryption).JWT_SIGNING_PRIVATE_KEY_FILE(by defaultAPP_DATA_PATH/jwt), a pair will be generated if it is not present. (NB: this was originally inCUSTOM_PATHbut was changed by Fix mkdir jwt - permission denied #16227)JWT_SECRETwill only be used ifJWT_SIGNING_ALGORITHMis set toHS256(previous default),HS384orHS512.JWT_SIGNING_ALGORITHMback toHS256.or see: #16010 (comment)