OpenFn / lightning

OpenFn/Lightning ⚡️ is the newest version of the OpenFn DPG and provides a web UI to visually manage complex workflow automation projects.
https://openfn.github.io/lightning/
GNU Lesser General Public License v3.0

Production mode shouldn't have a default JWT signing secret #1911

Open stuartc opened 8 months ago

stuartc commented 8 months ago

Details

Currently, when generating User API tokens, they are signed using Joken's default signer, which is signed with a string of secret.

This means that tokens can be forged.

Fortunately, we verify that the token exists in the database, and we use the jti claim, making it all but impossible to produce a token with the same signature.

However, if at some point we verify tokens without querying the database, then this would be a security vulnerability.

Implementation notes

At the very least we need to have prod.exs set the Joken default signer to nil, and then use an environment variable to set the signing secret.

In order to avoid issues with defaults, perhaps adopt the same pattern as the worker tokens, where the signer is not defined in config/ but rather inside Lightning.Config.

Release notes

User acceptance criteria

The application should fail to start in production mode without an API_TOKEN_SIGNING_SECRET env var.
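One way to implement the pattern proposed above (default signer disabled, secret taken from the environment at boot, signer built inside a config module), as an added example that is not Lightning's own code; the module names `Lightning.Config.ApiToken` and `Lightning.Accounts.UserToken` and the config key `:api_token_signing_secret` are assumptions:

```elixir
# --- config/prod.exs (constructed example) ---
# Remove Joken's built-in default signer (keyed with the literal string
# "secret") so no code path can silently fall back to it in production.
config :joken, default_signer: nil

# --- config/runtime.exs (constructed example) ---
# Read the secret at boot and refuse to start production without it.
if config_env() == :prod do
  config :lightning,
         :api_token_signing_secret,
         System.get_env("API_TOKEN_SIGNING_SECRET") ||
           raise("environment variable API_TOKEN_SIGNING_SECRET is missing")
end

# --- lib/lightning/config/api_token.ex (hypothetical module) ---
defmodule Lightning.Config.ApiToken do
  @moduledoc "Builds the signer for user API tokens from application config."

  # Raises if the key is absent, so a missing secret never yields a nil signer.
  def signer do
    secret = Application.fetch_env!(:lightning, :api_token_signing_secret)
    Joken.Signer.create("HS256", secret)
  end
end

# --- lib/lightning/accounts/user_token.ex (hypothetical module) ---
defmodule Lightning.Accounts.UserToken do
  use Joken.Config

  # default_claims/1 adds jti (random per token), iat, nbf and exp, so
  # every issued token can still be looked up and revoked by its jti.
  @impl true
  def token_config do
    default_claims(default_exp: 60 * 60 * 24 * 30)
  end

  # Always pass the explicit signer; never rely on __default_signer__/0.
  def sign(user_id) when is_binary(user_id) do
    generate_and_sign(%{"sub" => user_id}, Lightning.Config.ApiToken.signer())
  end

  # Verifies the HMAC with the configured secret and validates the claims.
  # A token minted under the old "secret" key fails here with :signature_error.
  def verify(token) when is_binary(token) do
    verify_and_validate(token, Lightning.Config.ApiToken.signer())
  end
end
```

Keeping the database existence check after `verify/1` preserves the current defence in depth while the signature check alone no longer accepts a forged token.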

christad92 commented 4 months ago

@stuartc how urgent is this issue? Should we prioritize it as a small fix?