Fix the format of JWT secret

It was parsed as a string, but shuold be a binary instead. Also: add file check
esl · Jul 26, 2022 · 05d916c · 05d916c
1 parent 287541a
commit 05d916c
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 6 deletions.
diff --git a/src/auth/ejabberd_auth_jwt.erl b/src/auth/ejabberd_auth_jwt.erl
@@ -76,10 +76,10 @@ config_spec() ->
 jwt_secret_config_spec() ->
     #section{
        items = #{<<"file">> => #option{type = string,
-                                       validate = non_empty},
+                                       validate = filename},
                  <<"env">> => #option{type = string,
                                       validate = non_empty},
-                 <<"value">> => #option{type = string}},
+                 <<"value">> => #option{type = binary}},
        format_items = list,
        process = fun ?MODULE:process_jwt_secret/1
       }.
@@ -162,6 +162,7 @@ supported_features() -> [dynamic_domains].
 
 % A direct path to a file is read only once during startup,
 % a path in environment variable is read on every auth request.
+-spec get_jwt_secret(mongooseim:host_type()) -> binary() | {env, string()}.
 get_jwt_secret(HostType) ->
     case mongoose_config:get_opt([{auth, HostType}, jwt, secret]) of
         {value, JWTSecret} ->

diff --git a/test/common/config_parser_helper.erl b/test/common/config_parser_helper.erl
@@ -710,7 +710,7 @@ extra_auth() ->
       external => #{instances => 1,
                     program => "/usr/bin/authenticator"},
       jwt => #{algorithm => <<"RS256">>,
-               secret => {value, "secret123"},
+               secret => {value, <<"secret123">>},
                username_key => user},
       ldap => #{base => <<"ou=Users,dc=esl,dc=com">>,
                 bind_pool_tag => bind,

diff --git a/test/config_parser_SUITE.erl b/test/config_parser_SUITE.erl
@@ -839,12 +839,12 @@ auth_jwt(_Config) ->
              <<"algorithm">> => <<"HS512">>,
              <<"username_key">> => <<"user">>}, % tested together as all options are required
     Config = #{algorithm => <<"HS512">>,
-               secret => {value, "secret123"},
+               secret => {value, <<"secret123">>},
                username_key => user},
     ?cfgh([auth, jwt], Config,
           auth_raw(<<"jwt">>, Opts)),
-    ?cfgh([auth, jwt, secret], {file, "/home/user/jwt_secret"},
-          auth_raw(<<"jwt">>, Opts#{<<"secret">> := #{<<"file">> => <<"/home/user/jwt_secret">>}})),
+    ?cfgh([auth, jwt, secret], {file, "priv/jwt_secret"},
+          auth_raw(<<"jwt">>, Opts#{<<"secret">> := #{<<"file">> => <<"priv/jwt_secret">>}})),
     ?cfgh([auth, jwt, secret], {env, "SECRET"},
           auth_raw(<<"jwt">>, Opts#{<<"secret">> := #{<<"env">> => <<"SECRET">>}})),
     ?errh(auth_raw(<<"jwt">>, Opts#{<<"secret">> := #{<<"value">> => 123}})),
@@ -3165,6 +3165,7 @@ create_files(Config) ->
     [ensure_copied(filename:join(Root, From), To) || {From, To} <- files_to_copy()],
     ok = file:write_file("priv/access_psk", ""),
     ok = file:write_file("priv/provision_psk", ""),
+    ok = file:write_file("priv/jwt_secret", "secret123"),
     ok = filelib:ensure_dir("www/muc/dummy").
 
 ensure_copied(From, To) ->