2 changes: 1 addition & 1 deletion .github/workflows/dev-build.yaml
Expand Up @@ -6,7 +6,7 @@ concurrency:

on:
push:
branches: ['pipertts-support'] # put your current branch to create a build. Core team only.
branches: ['encrypt-jwt-value'] # put your current branch to create a build. Core team only.
paths-ignore:
- '**.md'
- 'cloud-deployments/*'
6 changes: 5 additions & 1 deletion server/endpoints/system.js
Expand Up @@ -51,6 +51,7 @@ const {
generateRecoveryCodes,
} = require("../utils/PasswordRecovery");
const { SlashCommandPresets } = require("../models/slashCommandsPresets");
const { EncryptionManager } = require("../utils/EncryptionManager");

function systemEndpoints(app) {
if (!app) return;
Expand Down Expand Up @@ -236,7 +237,10 @@ function systemEndpoints(app) {
});
response.status(200).json({
valid: true,
token: makeJWT({ p: password }, "30d"),
token: makeJWT(
{ p: new EncryptionManager().encrypt(password) },
"30d"
),
message: null,
});
}
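Review bot: `new EncryptionManager()` is constructed inside the request handler on the new `token:` lines, while validatedRequest.js in this same change hoists one module-level `EncryptionMgr` instance; the two sides of the encrypt/decrypt pair should follow the same pattern, e.g. `const EncryptionMgr = new EncryptionManager();` next to the new require and `{ p: EncryptionMgr.encrypt(password) }` here. Whether per-request construction repeats any key loading depends on EncryptionManager, which is not in this diff. The token still carries a reversible form of the password, so its secrecy now rests on the encryption key as well as the JWT signing secret; a short comment at this call site stating that, and pointing at the matching `decrypt` in validatedRequest.js, would keep the two call sites in sync for the next maintainer. systemEndpoints begins and ends outside the hunk.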
16 changes: 14 additions & 2 deletions server/utils/middleware/validatedRequest.js
@@ -1,6 +1,8 @@
const { SystemSettings } = require("../../models/systemSettings");
const { User } = require("../../models/user");
const { EncryptionManager } = require("../EncryptionManager");
const { decodeJWT } = require("../http");
const EncryptionMgr = new EncryptionManager();

async function validatedRequest(request, response, next) {
const multiUserMode = await SystemSettings.isMultiUserMode();
Expand Down Expand Up @@ -39,14 +41,24 @@ async function validatedRequest(request, response, next) {
const bcrypt = require("bcrypt");
const { p } = decodeJWT(token);

if (p === null) {
if (p === null || !/\w{32}:\w{32}/.test(p)) {
response.status(401).json({
error: "Token expired or failed validation.",
});
return;
}

if (!bcrypt.compareSync(p, bcrypt.hashSync(process.env.AUTH_TOKEN, 10))) {
// Since the blame of this comment we have been encrypting the `p` property of JWTs with the persistent
// encryptionManager PEM's. This prevents us from storing the `p` unencrypted in the JWT itself, which could
// be unsafe. As a consequence, existing JWTs with invalid `p` values that do not match the regex
// in ln:44 will be marked invalid so they can be logged out and forced to log back in and obtain an encrypted token.
// This kind of methodology only applies to single-user password mode.
if (
!bcrypt.compareSync(
EncryptionMgr.decrypt(p),
bcrypt.hashSync(process.env.AUTH_TOKEN, 10)
)
) {
response.status(401).json({
error: "Invalid auth credentials.",
});
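Review bot: The format check `/\w{32}:\w{32}/.test(p)` on the new `if` line is unanchored, so any string that merely contains that pattern passes and is handed straight to `EncryptionMgr.decrypt`; anchor it to the whole value, e.g. `!/^\w{32}:\w+$/.test(p)` if the second segment is variable-length, or `^\w{32}:\w{32}$` if it is fixed. A value that passes the shape check but was tampered with still reaches `decrypt(p)`, and if EncryptionManager (not in this diff) throws on a bad ciphertext that exception escapes the middleware instead of producing a 401, so the decrypt should be guarded and mapped to the same "Invalid auth credentials." response — unless a try/catch encloses this block outside the hunk. The new block comment refers to the regex by line number (`ln:44`), which goes stale on the next edit; describe it as "the `\w{32}:\w{32}` format check above" instead. validatedRequest continues past the hunk.
```javascript
// NOTE(review): anchored; assumes the layout is <32 word chars>:<word chars> — confirm against EncryptionManager
if (p === null || !/^\w{32}:\w+$/.test(p)) {
  // … unchanged: 401 "Token expired or failed validation." …
}

// A well-formed but tampered value may fail to decrypt; treat that as bad credentials, not a 500.
let decryptedP;
try {
  decryptedP = EncryptionMgr.decrypt(p);
} catch (err) {
  response.status(401).json({
    error: "Invalid auth credentials.",
  });
  return;
}

if (!bcrypt.compareSync(decryptedP, bcrypt.hashSync(process.env.AUTH_TOKEN, 10))) {
  // … unchanged: 401 "Invalid auth credentials." …
```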