root: revert to use secret_key for JWT signing (#5934)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens L 2023-06-12 11:02:05 +02:00 committed by GitHub
parent 4741d8aa0d
commit c45e92b17e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 10 deletions


@ -1,5 +1,4 @@
"""Dynamically set SameSite depending if the upstream connection is TLS or not""" """Dynamically set SameSite depending if the upstream connection is TLS or not"""
from functools import lru_cache
from hashlib import sha512 from hashlib import sha512
from time import time from time import time
from timeit import default_timer from timeit import default_timer
@ -17,16 +16,10 @@ from jwt import PyJWTError, decode, encode
from structlog.stdlib import get_logger from structlog.stdlib import get_logger
from authentik.lib.utils.http import get_client_ip from authentik.lib.utils.http import get_client_ip
from authentik.root.install_id import get_install_id
LOGGER = get_logger("authentik.asgi") LOGGER = get_logger("authentik.asgi")
ACR_AUTHENTIK_SESSION = "goauthentik.io/core/default" ACR_AUTHENTIK_SESSION = "goauthentik.io/core/default"
SIGNING_HASH = sha512(settings.SECRET_KEY.encode()).hexdigest()
@lru_cache
def get_signing_hash():
"""Get cookie JWT signing hash"""
return sha512(get_install_id().encode()).hexdigest()
class SessionMiddleware(UpstreamSessionMiddleware): class SessionMiddleware(UpstreamSessionMiddleware):
@ -54,7 +47,7 @@ class SessionMiddleware(UpstreamSessionMiddleware):
# for testing setups, where the session is directly set # for testing setups, where the session is directly set
session_key = key if settings.TEST else None session_key = key if settings.TEST else None
try: try:
session_payload = decode(key, get_signing_hash(), algorithms=["HS256"]) session_payload = decode(key, SIGNING_HASH, algorithms=["HS256"])
session_key = session_payload["sid"] session_key = session_payload["sid"]
except (KeyError, PyJWTError): except (KeyError, PyJWTError):
pass pass
@ -121,7 +114,7 @@ class SessionMiddleware(UpstreamSessionMiddleware):
} }
if request.user.is_authenticated: if request.user.is_authenticated:
payload["sub"] = request.user.uid payload["sub"] = request.user.uid
value = encode(payload=payload, key=get_signing_hash()) value = encode(payload=payload, key=SIGNING_HASH)
if settings.TEST: if settings.TEST:
value = request.session.session_key value = request.session.session_key
response.set_cookie( response.set_cookie(
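Review bot: The new `SIGNING_HASH = sha512(settings.SECRET_KEY.encode()).hexdigest()` line is a bare module-level constant with no comment explaining why the cookie JWT key is derived from `SECRET_KEY` rather than the install id this commit reverts away from, which is the whole point of the change. Because it is evaluated at import, the key is fixed for the process lifetime, and rotating `SECRET_KEY` makes every outstanding session cookie fail verification: `decode(key, SIGNING_HASH, algorithms=["HS256"])` raises, the `except (KeyError, PyJWTError): pass` branch swallows it, and the request presumably continues with `session_key = None`, so that consequence belongs next to the constant. Suggested comment above it: `# Session-cookie JWTs are HS256-signed with a key derived from SECRET_KEY; it is fixed at import time, so rotating SECRET_KEY invalidates all existing session cookies.` The `pass` on the decode path also discards why a cookie was rejected; a debug-level log there would help tell an expired or tampered cookie apart from an ordinary first visit. The enclosing methods of `SessionMiddleware` start and end outside the hunks.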