Security
With the default algorithm, a JWT signed with a "weak key" is exposed to brute-force attacks. In theory the randomly generated key should be strong enough (make sure it is 64+ characters, as the key generator in the JWT package changed recently), but it is recommended that you strengthen the signing setup, because it is relatively easy to do so.
To accomplish this, we will switch to the RS512 algorithm and use a public/private key pair for signing and verifying tokens. If you want to do this, follow these steps:
- Generate a public/private key pair. Instructions for Linux:
  ssh-keygen -t rsa -b 4096 -m PEM -f jwt.key
  openssl rsa -in jwt.key -pubout -outform PEM -out jwt.key.pub
- Put them inside your app. In this example, we will use the directory "resources/keys".
- Change your config/jwt.php file to switch the algorithm used and specify the location of the keys. For example:
Change your config/jwt.php file to switch the algorithm used, and specify the location of the keys. For example:
'public' => env('JWT_PUBLIC_KEY', 'file://' . resource_path('keys/jwt.key.pub')),
'private' => env('JWT_PRIVATE_KEY', 'file://' . resource_path('keys/jwt.key')),
....
'algo' => env('JWT_ALGO', 'RS512'),
Make sure your .env file does not contain these variables, so that the defaults you specify in the config are used.
After making these changes, any new tokens issued will use this stronger cryptography, and any tokens issued under the old key will no longer be validated by your app.
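To see what the switch buys you, here is an added example (not part of this project) that builds and verifies an RS512 JWT with openssl alone against a key pair laid out as above. It assumes `openssl genrsa` in place of `ssh-keygen` so that it depends on nothing else, and writes the keys to a temporary directory instead of resources/keys.

```shell
#!/bin/sh
# Added example: RS512 JWT signing/verification with openssl, plus a
# sanity check that the public key really belongs to the private key.
set -eu

# JWT uses base64url (RFC 7515): no padding, '+' -> '-', '/' -> '_'.
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# Create a throwaway 4096-bit pair (assumption: openssl genrsa instead of
# the page's ssh-keygen). Prints the directory holding jwt.key / jwt.key.pub.
make_keys() {
  dir=$(mktemp -d)
  openssl genrsa -out "$dir/jwt.key" 4096 2>/dev/null
  openssl rsa -in "$dir/jwt.key" -pubout -outform PEM -out "$dir/jwt.key.pub" 2>/dev/null
  echo "$dir"
}

# Check before deploying: a public key that does not match the private key
# means every token is rejected the moment the config switches to RS512.
keys_match() {
  priv=$(openssl rsa -in "$1/jwt.key" -noout -modulus 2>/dev/null)
  pub=$(openssl rsa -pubin -in "$1/jwt.key.pub" -noout -modulus 2>/dev/null)
  [ "$priv" = "$pub" ]
}

# Sign "header.payload" with RSASSA-PKCS1-v1_5 over SHA-512, i.e. RS512.
# $1 = key dir, $2 = JSON payload. Prints the compact token.
sign_rs512() {
  hp="$(printf '{"alg":"RS512","typ":"JWT"}' | b64url).$(printf '%s' "$2" | b64url)"
  sig=$(printf '%s' "$hp" | openssl dgst -sha512 -sign "$1/jwt.key" | b64url)
  printf '%s.%s' "$hp" "$sig"
}

# Verify a token using only the public key; exits non-zero if the signature
# does not cover exactly the header.payload presented. $1 = key dir, $2 = token.
verify_rs512() {
  hp=${2%.*}; sig=${2##*.}
  # undo base64url: restore '+' '/' and the '=' padding, then decode
  printf '%s' "$sig" | tr -- '-_' '+/' \
    | awk '{l=length($0)%4; if(l) $0=$0 substr("==",1,4-l); print}' \
    | openssl base64 -d -A > "$1/sig.bin"
  printf '%s' "$hp" | openssl dgst -sha512 -verify "$1/jwt.key.pub" \
    -signature "$1/sig.bin" >/dev/null 2>&1
}
```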