Merge pull request #160 from osvauld/feature/improve-jwt

JWT updates
osvauld · Apr 22, 2024 · 38ac0ce · 38ac0ce
2 parents ad3c331 + 115b36d
commit 38ac0ce
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 7 deletions.
diff --git a/app.env.example b/app.env.example
@@ -1,4 +1,4 @@
-SECRET=h9wt*pasj6796j##w(w8=xaje8tpi6h*r&hzgrz065u&ed+k2)
+AUTH_SECRET=6M6H5u8DJnWxg33bgcpGaLs6k4pAE7x9
 DEBUG=True
 ALLOWED_HOSTS=0.0.0.0
 SERVER_HOST=0.0.0.0

diff --git a/auth/auth.go b/auth/auth.go
@@ -22,7 +22,8 @@ type Claims struct {
 // GenerateToken creates a JWT token for authenticated users.
 func GenerateToken(username string, id uuid.UUID) (string, error) {
 	jwtSecret := config.GetJWTSecret()
-	expirationTime := time.Now().Add(10 * time.Hour)
+	// expiry time is 1 week
+	expirationTime := time.Now().Add(7 * 24 * time.Hour)
 	claims := &Claims{
 		StandardClaims: jwt.StandardClaims{
 			ExpiresAt: expirationTime.Unix(),

diff --git a/config/config.go b/config/config.go
@@ -1,6 +1,7 @@
 package config
 
 import (
+	"fmt"
 	"osvauld/infra/logger"
 
 	"github.com/spf13/viper"
@@ -34,10 +35,23 @@ func SetupConfig() error {
 		return err
 	}
 
+	err = ValidateJWTSecret()
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
 
 func GetJWTSecret() string {
-	jwtSecret := viper.GetString("SECRET")
+	jwtSecret := viper.GetString("AUTH_SECRET")
 	return jwtSecret
 }
+
+func ValidateJWTSecret() error {
+	jwtSecret := GetJWTSecret()
+	if len(jwtSecret) < 32 {
+		return fmt.Errorf("JWT secret must be at least 32 characters")
+	}
+	return nil
+}
diff --git a/deploy.sh b/deploy.sh
@@ -8,7 +8,6 @@ ssh [email protected] << 'EOF'
     
     git pull
 
-
     sudo docker stop osvauld_backend
 
     sudo docker rm osvauld_backend
@@ -26,5 +25,6 @@ ssh [email protected] << 'EOF'
     -e MASTER_DB_PASSWORD=$MASTER_DB_PASSWORD \
     -e MASTER_DB_PORT=$MASTER_DB_PORT \
     -e MASTER_SSL_MODE=require \
+    -e AUTH_SECRET=$AUTH_SECRET \
     osvauld_be:latest
 EOF
diff --git a/routers/middleware/auth.go b/routers/middleware/auth.go
@@ -1,6 +1,7 @@
 package middleware
 
 import (
+	"errors"
 	"net/http"
 	"strings"
 
@@ -29,9 +30,15 @@ func JWTAuthMiddleware() gin.HandlerFunc {
 
 		claims := &auth.Claims{}
 
-		token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) {
-			return []byte(config.GetJWTSecret()), nil // Ensure your auth package has GetJWTSecret() method that returns the secret key
-		})
+		keyFunc := func(token *jwt.Token) (interface{}, error) {
+			_, ok := token.Method.(*jwt.SigningMethodHMAC)
+			if !ok {
+				return nil, errors.New("invalid token")
+			}
+			return []byte(config.GetJWTSecret()), nil
+		}
+
+		token, err := jwt.ParseWithClaims(tokenString, claims, keyFunc)
 
 		if err != nil {
 			logger.Errorf(err.Error())