Agate requested to merge jwt-secret-key into develop

Increase the security of JWT token generation by using DJANGO_SECRET_KEY as well as user-specific salt for the signature

Reported by https://eldritch.cafe/@alice (related to a security audit conducted for !826 (merged))

This will invalidate existing tokens, but ensure that an attacker with access to the DB cannot forge tokens in the future (they'd need access to the SECRET_KEY as well).
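The following is an added illustration of the property the merge request describes, not Funkwhale's code and not the actual change in this MR: the JWT signing key is derived from both the deployment-wide `DJANGO_SECRET_KEY` and a per-user salt stored in the database, so a party who has only the DB contents (the salts) still cannot produce a valid signature, and rotating a user's salt invalidates that user's existing tokens. The HMAC-based key derivation, the `USER_SALTS` dictionary standing in for the user table, the `signing_key`/`sign_token`/`verify_token`/`rotate_user_salt` names and all key and salt values are constructed assumptions; the MR does not specify how the two values are combined, and real deployments would use a JWT library rather than this minimal HS256 encoder.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Assumed deployment secret; in Django this is settings.SECRET_KEY (constructed value).
DJANGO_SECRET_KEY = "constructed-example-secret-key-do-not-use"

# Constructed stand-in for the user table: the per-user salt lives in the DB,
# which is exactly the data a DB-only attacker would have.
USER_SALTS = {
    "alice": "0f5c3a8b2e9d4c1a",
    "bob": "7a1e4d9c3b8f2e60",
}


def _b64url(data: bytes) -> str:
    """Unpadded base64url encoding as used in JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    """Inverse of _b64url; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def signing_key(secret_key: str, user_salt: str) -> bytes:
    """Derive the per-user signing key from the deployment secret and the user's salt.

    Assumption: HMAC-SHA256(secret_key, salt). Without secret_key the salt alone
    yields nothing usable; without the salt the secret alone does not yield this
    user's key either.
    """
    return hmac.new(secret_key.encode(), user_salt.encode(), hashlib.sha256).digest()


def _encode_part(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_token(username: str, secret_key: str = DJANGO_SECRET_KEY) -> str:
    """Issue a minimal HS256 JWT for username, signed with the derived per-user key."""
    signing_input = _encode_part({"alg": "HS256", "typ": "JWT"}) + "." + _encode_part({"username": username})
    key = signing_key(secret_key, USER_SALTS[username])
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, secret_key: str = DJANGO_SECRET_KEY) -> Optional[str]:
    """Return the username if the token's signature is valid under the current salt, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:  # covers bad base64, bad JSON and wrong number of segments
        return None
    if header.get("alg") != "HS256":  # never let the token choose a weaker algorithm
        return None
    username = payload.get("username")
    salt = USER_SALTS.get(username)
    if salt is None:
        return None
    key = signing_key(secret_key, salt)
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return username


def rotate_user_salt(username: str) -> None:
    """Replace a user's salt; every token previously issued to that user stops verifying."""
    USER_SALTS[username] = secrets.token_hex(8)


if __name__ == "__main__":
    token = sign_token("alice")
    print("valid token verifies as:", verify_token(token))
    # A DB-only attacker knows alice's salt but not DJANGO_SECRET_KEY.
    forged = sign_token("alice", secret_key="attacker-guess")
    print("forged token verifies as:", verify_token(forged))
    rotate_user_salt("alice")
    print("old token after salt rotation:", verify_token(token))
```

Two points worth noting from running it: a token signed with the correct salt but a wrong `DJANGO_SECRET_KEY` is rejected, which is the guarantee the MR is after, and rotating one user's salt invalidates only that user's tokens while `bob`'s keep working, which is the per-user invalidation the salt buys on top of the global secret.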