funkwhale / funkwhale / Merge requests / !828

Increase the security of JWT token generation by using DJANGO_SECRET_KEY as...

Merged. Agate requested to merge jwt-secret-key into develop, Jul 13, 2019

Increase the security of JWT token generation by using DJANGO_SECRET_KEY as well as user-specific salt for the signature

Reported by https://eldritch.cafe/@alice (related to a security audit conducted for !826 (merged))

This will invalidate existing tokens, but ensures that an attacker with access to the DB cannot forge tokens in the future (they'd need access to the SECRET_KEY as well).

Source branch: jwt-secret-key
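
The key scheme described in this merge request, sketched as an added example that is not Funkwhale's code: an HS256 token whose signing key combines a server-side secret with a per-user salt, so a token signed with the database-stored salt alone is rejected and changing a user's salt invalidates that user's tokens. The HMAC-based derivation, the `sub` claim lookup, all names and all values are assumptions made for illustration; expiry checks are left out.

```python
import base64, hashlib, hmac, json

# Constructed sample values, not taken from the project.
SERVER_SECRET = b"constructed-django-secret-key"      # stands in for DJANGO_SECRET_KEY
USER_SALTS = {"alice": b"constructed-per-user-salt"}  # per-user value kept in the DB

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def signing_key(user_salt: bytes, server_secret: bytes = SERVER_SECRET) -> bytes:
    # Assumed derivation: HMAC-SHA256 keyed with the server secret over the salt.
    # Knowing the salt alone (a DB read) is not enough to rebuild this key.
    return hmac.new(server_secret, user_salt, hashlib.sha256).digest()

def encode(payload: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify(token: str) -> bool:
    try:
        header, body, sig = token.split(".")
        # Pin the algorithm instead of trusting whatever the header asks for.
        if json.loads(b64url_decode(header))["alg"] != "HS256":
            return False
        # The unverified subject only selects which salt to use; the
        # signature check below decides whether the token is accepted.
        salt = USER_SALTS[json.loads(b64url_decode(body))["sub"]]
        given = b64url_decode(sig)
    except (ValueError, KeyError, TypeError):
        return False
    signed = f"{header}.{body}".encode()
    expected = hmac.new(signing_key(salt), signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, given)
```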