No longer generate security_jwtSecret, switch webauthn to modern tokens, dont
@@ -24,7 +24,7 @@ export class SecurityConfiguration {
|
||||
twoFactor: TwoFactorConfiguration = new TwoFactorConfiguration();
|
||||
autoUpdate: boolean | number = true;
|
||||
requestSignature: string = crypto.randomBytes(32).toString("base64");
|
||||
jwtSecret: string = crypto.randomBytes(256).toString("base64"); // deprecated
|
||||
jwtSecret: string | null = null;
|
||||
// header to get the real user ip address
|
||||
// X-Forwarded-For for nginx/reverse proxies
|
||||
// CF-Connecting-IP for cloudflare
|
||||
|
||||
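Review bot: The field `jwtSecret: string | null = null` drops the old `// deprecated` marker, so a reader of the config class no longer learns why the HMAC secret still exists or when it is safe to clear it. I would put the intent back as a comment above the field: `// Legacy HS256 signing secret; no longer generated. Keep it populated only while HS256 tokens issued before the ES512 switch are still valid, then clear it — a null value disables the HS256 path in checkToken.` Whether an existing install retains its previously generated value depends on how the config is persisted, which this hunk does not show, so that migration caveat is worth stating explicitly in the comment as well.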
@@ -104,8 +104,8 @@ export const checkToken = (
|
||||
if (!dec) return reject("Could not parse token");
|
||||
logAuth("Decoded token: " + JSON.stringify(dec));
|
||||
|
||||
if (dec.header.alg == "HS256") {
|
||||
jwt.verify(token, Config.get().security.jwtSecret, JWTOptions, validateUser);
|
||||
if (dec.header.alg == "HS256" && Config.get().security.jwtSecret !== null) {
|
||||
jwt.verify(token, Config.get().security.jwtSecret!, JWTOptions, validateUser);
|
||||
} else if (dec.header.alg == "ES512") {
|
||||
loadOrGenerateKeypair().then((keyPair) => {
|
||||
jwt.verify(token, keyPair.publicKey, { algorithms: ["ES512"] }, validateUser);
|
||||
|
||||
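Review bot: An HS256 token arriving on a deployment whose `jwtSecret` is null now matches neither the first branch nor the `else if (dec.header.alg == "ES512")` branch, and whether the promise is then rejected depends on a trailing `else` that is outside this hunk; if there is none, `checkToken` never settles for such tokens. I would end the chain with an explicit `else return reject("Unsupported token algorithm");` so the outcome does not depend on code elsewhere. The non-null assertion on the next line exists only because `Config.get()` is called a second time, so the narrowing is lost; hoisting it — `const { jwtSecret } = Config.get().security;` and `if (dec.header.alg == "HS256" && jwtSecret !== null) { jwt.verify(token, jwtSecret, JWTOptions, validateUser);` — removes the `!`. Because the verification key is chosen from the untrusted `alg` header, `JWTOptions` (defined outside the hunk) must pin `algorithms: ["HS256"]` the way the ES512 branch pins its own, otherwise the shared secret could be used to verify other algorithms. The enclosing `checkToken` starts and ends outside this hunk.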
@@ -19,13 +19,14 @@
|
||||
import { Fido2Lib } from "fido2-lib";
|
||||
import jwt from "jsonwebtoken";
|
||||
import { Config } from "./Config";
|
||||
import { loadOrGenerateKeypair } from "./Token";
|
||||
|
||||
const jwtSignOptions: jwt.SignOptions = {
|
||||
algorithm: "HS256",
|
||||
algorithm: "ES512",
|
||||
expiresIn: "5m",
|
||||
};
|
||||
const jwtVerifyOptions: jwt.VerifyOptions = {
|
||||
algorithms: ["HS256"],
|
||||
algorithms: ["ES512"],
|
||||
};
|
||||
|
||||
export const WebAuthn: {
|
||||
@@ -44,28 +45,32 @@ export async function generateWebAuthnTicket(
|
||||
challenge: string,
|
||||
): Promise<string> {
|
||||
return new Promise((res, rej) => {
|
||||
jwt.sign(
|
||||
{ challenge },
|
||||
Config.get().security.jwtSecret,
|
||||
jwtSignOptions,
|
||||
(err, token) => {
|
||||
if (err || !token) return rej(err || "no token");
|
||||
return res(token);
|
||||
},
|
||||
loadOrGenerateKeypair().then(kp=>
|
||||
jwt.sign(
|
||||
{ challenge },
|
||||
kp.privateKey,
|
||||
jwtSignOptions,
|
||||
(err, token) => {
|
||||
if (err || !token) return rej(err || "no token");
|
||||
return res(token);
|
||||
},
|
||||
)
|
||||
);
|
||||
});
|
||||
}
|
||||
|
||||
export async function verifyWebAuthnToken(token: string) {
|
||||
return new Promise((res, rej) => {
|
||||
jwt.verify(
|
||||
token,
|
||||
Config.get().security.jwtSecret,
|
||||
jwtVerifyOptions,
|
||||
async (err, decoded) => {
|
||||
if (err) return rej(err);
|
||||
return res(decoded);
|
||||
},
|
||||
loadOrGenerateKeypair().then(kp=>
|
||||
jwt.verify(
|
||||
token,
|
||||
kp.publicKey,
|
||||
jwtVerifyOptions,
|
||||
async (err, decoded) => {
|
||||
if (err) return rej(err);
|
||||
return res(decoded);
|
||||
},
|
||||
)
|
||||
);
|
||||
});
|
||||
}
|
||||
|
||||
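Review bot: In both `generateWebAuthnTicket` and `verifyWebAuthnToken` the new `loadOrGenerateKeypair().then(kp => ...)` chain has no rejection handler, so if the keypair cannot be loaded or generated the inner callback never runs, `rej` is never called, and the returned promise hangs forever instead of failing. Closing each chain with `).catch(rej);` in place of the bare `);` that ends the `then` call propagates that error to the caller. Separately, the ticket is now signed with the same keypair that `checkToken` accepts for ES512 session tokens, so the two token kinds are distinguished only by their claims; unless `validateUser` rejects a payload that lacks a user id (not visible here), a `{ challenge }` ticket or a session token could be presented in the other role. Adding `audience: "webauthn"` to `jwtSignOptions` and the same `audience` to `jwtVerifyOptions` makes the separation explicit and cheap. The `async` on the verify callback is unused and can be dropped.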