Increase the security of JWT token generation by using DJANGO_SECRET_KEY as...

Increase the security of JWT token generation by using DJANGO_SECRET_KEY as well as user-specific salt for the signature

Increase the security of JWT token generation by using DJANGO_SECRET_KEY as...
Increase the security of JWT token generation by using DJANGO_SECRET_KEY as well as user-specific salt for the signature
d39cfab2 · Eliot Berriot · 426f6f0d · d39cfab2 · d39cfab2 · d39cfab2
Verified Commit d39cfab2 authored 5 years ago by Eliot Berriot
--- a/api/config/settings/common.py
+++ b/api/config/settings/common.py
@@ -564,12 +564,19 @@ CELERY_BEAT_SCHEDULE = {

 NODEINFO_REFRESH_DELAY = env.int("NODEINFO_REFRESH_DELAY", default=3600 * 24)

+
+def get_user_secret_key(user):
+    from django.conf import settings
+
+    return settings.SECRET_KEY + str(user.secret_key)
+
+
 JWT_AUTH = {
    "JWT_ALLOW_REFRESH": True,
    "JWT_EXPIRATION_DELTA": datetime.timedelta(days=7),
    "JWT_REFRESH_EXPIRATION_DELTA": datetime.timedelta(days=30),
    "JWT_AUTH_HEADER_PREFIX": "JWT",
-    "JWT_GET_USER_SECRET_KEY": lambda user: user.secret_key,
+    "JWT_GET_USER_SECRET_KEY": get_user_secret_key,
 }
 OLD_PASSWORD_FIELD_ENABLED = True
 ACCOUNT_ADAPTER = "funkwhale_api.users.adapters.FunkwhaleAccountAdapter"

--- a/api/funkwhale_api/federation/serializers.py
+++ b/api/funkwhale_api/federation/serializers.py
@@ -1012,7 +1012,7 @@ class TrackSerializer(MusicEntitySerializer):
        metadata = music_tasks.federation_audio_track_to_metadata(
            validated_data, references
        )
-        metadata['tags'] = tags
+        metadata["tags"] = tags

        from_activity = self.context.get("activity")
        if from_activity:

--- a/api/tests/users/test_jwt.py
+++ b/api/tests/users/test_jwt.py
@@ -22,3 +22,22 @@ def test_can_invalidate_token_when_changing_user_secret_key(factories):
    # token should be invalid
    with pytest.raises(DecodeError):
        api_settings.JWT_DECODE_HANDLER(payload)
+
+
+def test_can_invalidate_token_when_changing_settings_secret_key(factories, settings):
+    settings.SECRET_KEY = "test1"
+    user = factories["users.User"]()
+    jwt_payload_handler = api_settings.JWT_PAYLOAD_HANDLER
+    jwt_encode_handler = api_settings.JWT_ENCODE_HANDLER
+    payload = jwt_payload_handler(user)
+    payload = jwt_encode_handler(payload)
+
+    # this should work
+    api_settings.JWT_DECODE_HANDLER(payload)
+
+    # now we update the secret key
+    settings.SECRET_KEY = "test2"
+
+    # token should be invalid
+    with pytest.raises(DecodeError):
+        api_settings.JWT_DECODE_HANDLER(payload)
--- a/changes/changelog.d/jwt.enhancement
+++ b/changes/changelog.d/jwt.enhancement
+Increase the security of JWT token generation by using DJANGO_SECRET_KEY as well as user-specific salt for the signature