Encryption in JWT for single-user password mode #2111
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cabwds
pushed a commit
to cabwds/anything-llm
that referenced
this pull request
Jul 3, 2025
* wip encrypting jwt value * Encrypt/Decrypt pass in JWT value for verification in single-user password mode
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull Request Type
Relevant Issues
resolves #xxx
What is in this change?
As a convenience, we have always just included the plaintext password in the JWT so we can quickly compare with requests on the backend. While this does work and is mostly safe, if for whatever reason, the JWT was taken from the user's browser, then it could be used to directly login to the instance without needing to do a JWT replay.
This is very unlikely and only applies to single-user instances that are using simple password protection.
Now, we encrypt and decrypt this
pvalue in the JWT, as a consequence any currently logged-in sessions under these conditions will be logged out as their previous token will not pass validation. All that needs to be done is for the user to log back in to get a compliant token.