From c45e92b17e053ef059c95565830d9271b294d2dd Mon Sep 17 00:00:00 2001
From: Jens L
Date: Mon, 12 Jun 2023 11:02:05 +0200
Subject: [PATCH] root: revert to use secret_key for JWT signing (#5934)

Signed-off-by: Jens Langhammer
---
 authentik/root/middleware.py | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)

diff --git a/authentik/root/middleware.py b/authentik/root/middleware.py
index 353a58ff0..a6b0d9c7e 100644
--- a/authentik/root/middleware.py
+++ b/authentik/root/middleware.py
@@ -1,5 +1,4 @@
 """Dynamically set SameSite depending if the upstream connection is TLS or not"""
-from functools import lru_cache
 from hashlib import sha512
 from time import time
 from timeit import default_timer
@@ -17,16 +16,10 @@ from jwt import PyJWTError, decode, encode
 from structlog.stdlib import get_logger
 
 from authentik.lib.utils.http import get_client_ip
-from authentik.root.install_id import get_install_id
 
 LOGGER = get_logger("authentik.asgi")
 ACR_AUTHENTIK_SESSION = "goauthentik.io/core/default"
-
-
-@lru_cache
-def get_signing_hash():
-    """Get cookie JWT signing hash"""
-    return sha512(get_install_id().encode()).hexdigest()
+SIGNING_HASH = sha512(settings.SECRET_KEY.encode()).hexdigest()
 
 
 class SessionMiddleware(UpstreamSessionMiddleware):
@@ -54,7 +47,7 @@ class SessionMiddleware(UpstreamSessionMiddleware):
             # for testing setups, where the session is directly set
             session_key = key if settings.TEST else None
             try:
-                session_payload = decode(key, get_signing_hash(), algorithms=["HS256"])
+                session_payload = decode(key, SIGNING_HASH, algorithms=["HS256"])
                 session_key = session_payload["sid"]
             except (KeyError, PyJWTError):
                 pass
@@ -121,7 +114,7 @@ class SessionMiddleware(UpstreamSessionMiddleware):
             }
             if request.user.is_authenticated:
                 payload["sub"] = request.user.uid
-            value = encode(payload=payload, key=get_signing_hash())
+            value = encode(payload=payload, key=SIGNING_HASH)
             if settings.TEST:
                 value = request.session.session_key
             response.set_cookie(
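Review bot: `SIGNING_HASH = sha512(settings.SECRET_KEY.encode()).hexdigest()` in the second hunk replaces a documented function with an undocumented module constant; a one-line comment should state what it is and when it changes, e.g. `# HMAC key for the session-cookie JWT; derived from SECRET_KEY at import time, so rotating SECRET_KEY (and restarting the process) invalidates all existing session cookies`. The key is a bare digest of SECRET_KEY with no purpose tag, so the same bytes are reproducible by anything else that derives material from SECRET_KEY; mixing in a fixed context string, e.g. `sha512(b"authentik-session-jwt:" + settings.SECRET_KEY.encode()).hexdigest()` (constructed example), gives this cookie its own key without changing the trust model. That is hardening rather than a defect in the commit, and like the key switch the commit itself makes, it would invalidate cookies issued before the change.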
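Review bot: `decode(key, SIGNING_HASH, algorithms=["HS256"])` in the third hunk pins the algorithm but does not verify the `iss` claim that the fourth hunk shows the cookie is issued with; passing `issuer="authentik"` to `decode` would reject tokens carrying a different issuer even when signed with the same key. The surrounding `except (KeyError, PyJWTError): pass` maps a bad or stale signature to "no session", which is the right outcome, but it leaves no trace for detection; a `LOGGER.debug("Invalid session cookie", exc_info=True)` in that handler would make tampered or expired cookies visible without changing behaviour. The enclosing method starts and ends outside the hunk, so the value of `key` and the fallback path after the `try` are not visible here.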