-
-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add asymmetric JWT signing #16010
Add asymmetric JWT signing #16010
Conversation
Codecov Report
@@ Coverage Diff @@
## main #16010 +/- ##
==========================================
- Coverage 44.57% 44.50% -0.07%
==========================================
Files 700 701 +1
Lines 82867 83092 +225
==========================================
+ Hits 36940 36984 +44
- Misses 39936 40105 +169
- Partials 5991 6003 +12
Continue to review full report at Codecov.
|
@@ -350,7 +350,7 @@ relation to port exhaustion. | |||
- `ISSUE_INDEXER_PATH`: **indexers/issues.bleve**: Index file used for issue search; available when ISSUE_INDEXER_TYPE is bleve and elasticsearch. | |||
- The next 4 configuration values are deprecated and should be set in `queue.issue_indexer` however are kept for backwards compatibility: | |||
- `ISSUE_INDEXER_QUEUE_TYPE`: **levelqueue**: Issue indexer queue, currently supports:`channel`, `levelqueue`, `redis`. | |||
- `ISSUE_INDEXER_QUEUE_DIR`: **queues/common**: When `ISSUE_INDEXER_QUEUE_TYPE` is `levelqueue`, this will be the path where the queue will be saved. (Previously this was `indexers/issues.queue`.) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
per discussion in chat, these changed lines are fine due to the fact that it cleans up line endings (shakes fist at windows)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you so much so far on your work on this PR!!
I was able to sign into Sourcegraph using this PR, however testing this PR more I found that 1. sourcegraph may not be using the cert to validate the signature on this token, 2. possibly the upstream jwt library may not be signing the token correctly.
func loadOrCreateSymmetricKey() (interface{}, error) { | ||
key := make([]byte, 32) | ||
n, err := base64.RawURLEncoding.Decode(key, []byte(setting.OAuth2.JWTSecretBase64)) | ||
if err != nil || n != 32 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently only 32 bytes are allowed. Should we really enforce this? Smaller keys are valid and larger keys are hashed by the internal hashing algorithm to create a secret with the correct length.
https://github.com/golang/go/blob/2ebe77a2fda1ee9ff6fd9a3e08933ad1ebaea039/src/crypto/hmac/hmac.go#L148-L152
Friendly warning to anyone out there using Drone - it fails to support new tokens which are too long |
TL;DR: For Drone compatibility... Set the gitea environment variable to:
And restart gitea - OR - alter your database to accommodate the longer value that needs to be stored. Something like the following might work, or perhaps set the column type to TEXT instead of BYTEA. ALTER TABLE users ALTER COLUMN user_oauth_token BYTEA; I would suggest modifying the column in the drone db for production environments since the intention is to improve security with asymmetric tokens. By default, the column is setup as a |
A shorter RSA key may help too. The default key size is 4096 bit. |
thanks for the hint, for more issues etc please open a new issues |
Close #15912
Added asymmetric JWT signing. Supports
HS256
(already implemented),HS384
,HS512
,RS256
,RS384
,RS512
,ES256
,ES384
andES512
.The default signing algorithm is changed from
HS256
(symmetric encryption) toRS256
(asymmetric encryption).JWT_SIGNING_PRIVATE_KEY_FILE
(by defaultAPP_DATA_PATH/jwt
), a pair will be generated if it is not present. (NB: this was originally inCUSTOM_PATH
but was changed by Fix mkdir jwt - permission denied #16227)JWT_SECRET
will only be used ifJWT_SIGNING_ALGORITHM
is set toHS256
(previous default),HS384
orHS512
.JWT_SIGNING_ALGORITHM
back toHS256
.or see: #16010 (comment)