
JWT secret included in token fields


Details

    • Bug
    • Resolution: Fixed
    • Critical
    • Backend
    • NDS Sprint 37

    Description

      While testing NDS-1094, I decoded a random JWT secret and noticed a potential glaring security hole:

      {
        "exp": 1513015808,
        "id": "lambert8",
        "orig_iat": 1513013179,
        "server": "ndslabs-apiserver-57c4j",
        "user": "lambert8"
      }

      One of the fields above is "server" and contains the name of the current apiserver pod, but isn't this value also the JWT secret? We should probably replace that with the domain or something innocuous instead...

      This ticket is complete when we have removed this field from the JWT.
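      The point of the ticket, shown as an added example (not NDS apiserver code, and all values below are constructed to mirror the ticket's hypothesis that the pod name doubles as the HMAC secret): a JWT payload is only base64url-encoded, so any claim is readable by anyone holding the token, and a small check can flag tokens whose claims contain the signing secret before and after the fix.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Build a compact HS256 JWT (illustrative only, not the apiserver's code)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: str) -> bool:
    """Constant-time signature check; the only party that needs the secret is the verifier."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def decode_claims_unverified(token: str) -> dict:
    """No key needed: the payload is plain base64url, so every claim is public to the holder."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def claims_expose_secret(token: str, secret: str) -> list:
    """Names of claims whose value equals the signing secret (the bug in this ticket)."""
    claims = decode_claims_unverified(token)
    return [k for k, v in claims.items() if isinstance(v, str) and v == secret]


# Constructed "before" state: the pod name is both a claim and the signing secret.
POD_NAME = "ndslabs-apiserver-57c4j"
BAD_CLAIMS = {"exp": 1513015808, "id": "lambert8", "orig_iat": 1513013179,
              "server": POD_NAME, "user": "lambert8"}
bad_token = sign_hs256(BAD_CLAIMS, POD_NAME)

# Constructed "after" state: the secret never appears as a claim, and "server" is dropped.
GOOD_SECRET = "example-secret-loaded-from-a-secret-store"  # placeholder, not a real secret
GOOD_CLAIMS = {k: v for k, v in BAD_CLAIMS.items() if k != "server"}
good_token = sign_hs256(GOOD_CLAIMS, GOOD_SECRET)

if __name__ == "__main__":
    print("readable without a key:", decode_claims_unverified(bad_token))
    print("claims equal to the secret:", claims_expose_secret(bad_token, POD_NAME))
    print("after fix:", claims_expose_secret(good_token, GOOD_SECRET))
```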

      People

        willis8 Craig Willis
        lambert8 Sara Lambert