Mercurial Repository: p/roundup/code: doc/rest.txt comparison

comparison doc/rest.txt @ 7809:be6cb2e0d471

feat: add support for rotating jwt keys This allows jwt_secret to have multiple ',' separated secrets. The first/leftmost should be used to sign new JWTs. All of them are used (starting from left/newest) to try to verify a JWT. If the first secret is < 32 chars in length JWTs are disabled. If any of the other secrets are < 32 chars, the configuration code causes the software to exit. This prevents insecure (too short) secrets from being used. Updated doc examples and tests.

author	John Rouillard <rouilj@ieee.org>
date	Thu, 14 Mar 2024 19:04:19 -0400
parents	af898d1d66dc
children	ee0062411160

comparison

equal deleted inserted replaced

-:6c5f8da9fca7
+:be6cb2e0d471
 raise UsageError("Role %s is not permitted."%role)
 claim['roles'] = newroles
 else:
 claim['roles'] = user_roles
-secret = self.db.config.WEB_JWT_SECRET
+# Sign with newest/first secret.
+secret = self.db.config.WEB_JWT_SECRET[0]
 myjwt = jwt.encode(claim, secret, algorithm='HS256')
 # if jwt.__version__ >= 2.0.0 jwt.encode() returns string
 # not byte. So do not use b2s() with newer versions of pyjwt.
 result = {"jwt": b2s(myjwt),
 if not 'jwt' in input:
 raise UsageError("jwt key must be specified")
 myjwt = input['jwt'].value
-secret = self.db.config.WEB_JWT_SECRET
+secret = self.db.config.WEB_JWT_SECRET[0]
+# only return decoded result if the newest signing key
+# is used. Have older keys report an invalid signature.
 try:
 result = jwt.decode(myjwt, secret,
 algorithms=['HS256'],
 audience=self.db.config.TRACKER_WEB,
 issuer=self.db.config.TRACKER_WEB,

Mercurial > p > roundup > code

comparison doc/rest.txt @ 7809:be6cb2e0d471