  1. National Data Service
  2. NDS-1131

JWT secret included in token fields


    • Bug
    • Resolution: Fixed
    • Critical
    • Backend
    • NDS Sprint 37

      While testing NDS-1094, I decoded a random JWT secret and noticed a potential glaring security hole:

        "exp": 1513015808,
        "id": "lambert8",
        "orig_iat": 1513013179,
        "server": "ndslabs-apiserver-57c4j",
        "user": "lambert8"

      One of the fields above is "server" and contains the name of the current apiserver pod, but isn't this value also the JWT secret? We should probably replace that with the domain or something innocuous instead...

      This ticket is complete when we have removed this field from the JWT.

              willis8 Craig Willis
              lambert8 Sara Lambert
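A regression check for the condition this ticket describes, added here as an example and not taken from the NDS code base. It assumes HS256 signing and, as the reporter suspects, that the pod name is the signing key; all function names are hypothetical and the claim values are copied from the ticket as constructed test data.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Minimal HS256 JWT issuer (stand-in for the real token library)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"


def read_claims(token: str) -> dict:
    """Decode the payload the way any token holder can: no key is needed."""
    return json.loads(b64url_decode(token.split(".")[1]))


def claims_exposing_secret(token: str, secret: bytes) -> list:
    """Return the names of string claims whose value contains the signing secret."""
    if not secret:
        raise ValueError("signing secret must not be empty")
    needle = secret.decode("utf-8", errors="replace")
    return sorted(name for name, value in read_claims(token).items()
                  if isinstance(value, str) and needle in value)


# Constructed test data modelled on the ticket. Assumption: the pod name is
# also the signing key, which is the condition the reporter suspects.
SECRET = b"ndslabs-apiserver-57c4j"
BEFORE = {"exp": 1513015808, "id": "lambert8", "orig_iat": 1513013179,
          "server": "ndslabs-apiserver-57c4j", "user": "lambert8"}
AFTER = {k: v for k, v in BEFORE.items() if k != "server"}  # field removed

if __name__ == "__main__":
    for label, claims in (("before", BEFORE), ("after", AFTER)):
        token = sign_hs256(claims, SECRET)
        print(label, "claims exposing the secret:", claims_exposing_secret(token, SECRET))
```

Run as a unit test against freshly issued tokens, the check fails whenever any claim carries the key, which covers the acceptance criterion of removing the field.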