Added support for jwt secret creation of each user upon user login #4719
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Saranya-jena <[email protected]>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| // UpdateUser updates user details in the database | ||
| func (r repository) UpdateUser(user *entities.UserDetails) error { | ||
| data, _ := toDoc(user) | ||
| _, err := r.Collection.UpdateOne(context.Background(), bson.M{"_id": user.ID}, bson.M{"$set": data}) | ||
| _, err := r.Collection.UpdateMany(context.Background(), bson.M{"_id": user.ID}, bson.M{"$set": data}) |
Check failure
Code scanning / CodeQL
Database query built from user-controlled sources High
Signed-off-by: Saranya-jena <[email protected]>
Signed-off-by: Saranya-jena <[email protected]>
Signed-off-by: Saranya-jena <[email protected]>
SarthakJain26
requested changes
Jun 25, 2024
Comment on lines
291
to
310
| salt := utils.RandomString(6) | ||
| newHashedSalt, err := bcrypt.GenerateFromPassword([]byte(salt), utils.PasswordEncryptionCost) | ||
| if err != nil { | ||
| log.Error(err) | ||
| c.JSON(utils.ErrorStatusCodes[utils.ErrServerError], presenter.CreateErrorResponse(utils.ErrServerError)) | ||
| return | ||
| } | ||
|
|
||
| err = service.UpdateUserByQuery(bson.D{ | ||
| {"user_id", user.ID}, | ||
| }, bson.D{ | ||
| {"$set", bson.D{ | ||
| {"salt", string(newHashedSalt)}, | ||
| }}, | ||
| }) | ||
| if err != nil { | ||
| log.Error(err) | ||
| c.JSON(utils.ErrorStatusCodes[utils.ErrServerError], presenter.CreateErrorResponse(utils.ErrServerError)) | ||
| return | ||
| } |
There was a problem hiding this comment.
Can you please make this a new function which can be reused in both the places
| @@ -206,10 +207,20 @@ func (r repository) CreateUser(user *entities.User) (*entities.User, error) { | |||
| return user.SanitizedUser(), nil | |||
| } | |||
|
|
|||
| // UpdateUserByQuery updates user details in the database | |||
| func (r repository) UpdateUserByQuery(filter bson.D, updateQuery bson.D) error { | |||
| _, err := r.Collection.UpdateMany(context.Background(), filter, updateQuery) | |||
There was a problem hiding this comment.
This should be just Update not UpdateMany
| func RandomString(n int) string { | ||
| if n > 0 { | ||
| var letters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-") | ||
| rand.Seed(time.Now().UnixNano()) |
There was a problem hiding this comment.
this will give the same seed value for a given input which can be easy to guess, how about using crypto/rand?
Signed-off-by: Saranya-jena <[email protected]>
Signed-off-by: Saranya-jena <[email protected]>
Signed-off-by: Saranya-jena <[email protected]>
Signed-off-by: Saranya-jena <[email protected]>
Signed-off-by: Saranya-jena <[email protected]>
Signed-off-by: Saranya-jena <[email protected]>
SarthakJain26
requested changes
Jun 27, 2024
| return a.authConfigRepo.GetConfig(key) | ||
| } | ||
|
|
||
| func (a applicationService) UpdateConfig(ctx context.Context, key string, value interface{}) error { |
There was a problem hiding this comment.
I don't think this will be ever used
There was a problem hiding this comment.
Have kept it for future use in case we need to add more such cases
There was a problem hiding this comment.
We can always add it back if needed. As they say "developers spend more time reading the code than writing". We can keep it if you can think of any use case in the future where this can be utilised, but if not then this can be removed.
| Collection *mongo.Collection | ||
| } | ||
|
|
||
| func (r repository) CreateConfig(config AuthConfig) error { |
There was a problem hiding this comment.
How about renaming this to CreateSalt and GetSalt, code will be more readable
There was a problem hiding this comment.
As mentioned above, if you look at the schema it's like key value pair, which can be used to store different types od data so to generalise it, I have given such naming.
| package response | ||
|
|
||
| import ( | ||
| authConfig2 "github.com/litmuschaos/litmus/chaoscenter/authentication/pkg/authConfig" |
There was a problem hiding this comment.
No need to add alias to this import
| @@ -138,7 +138,20 @@ func DexCallback(userService services.ApplicationService) gin.HandlerFunc { | |||
| c.JSON(utils.ErrorStatusCodes[utils.ErrServerError], presenter.CreateErrorResponse(utils.ErrServerError)) | |||
| return | |||
| } | |||
| jwtToken, err := userService.GetSignedJWT(signedInUser) | |||
|
|
|||
| salt, err := userService.GetConfig("salt") | |||
There was a problem hiding this comment.
The salt value being returned here is an encrypted value and should be decrypted before using it to generate the JWT
| @@ -294,7 +293,13 @@ func LoginUser(service services.ApplicationService) gin.HandlerFunc { | |||
| return | |||
| } | |||
|
|
|||
| token, err := service.GetSignedJWT(user) | |||
| salt, err := service.GetConfig("salt") | |||
Signed-off-by: Saranya-jena <[email protected]>
Signed-off-by: Saranya-jena <[email protected]>
amityt
requested changes
Jun 28, 2024
| @@ -294,7 +293,13 @@ func LoginUser(service services.ApplicationService) gin.HandlerFunc { | |||
| return | |||
| } | |||
|
|
|||
| token, err := service.GetSignedJWT(user) | |||
| salt, err := service.GetConfig("salt") | |||
There was a problem hiding this comment.
Can you create a constant for the "salt"?
| encodedSalt := base64.StdEncoding.EncodeToString([]byte(salt)) | ||
|
|
||
| config := authConfig.AuthConfig{ | ||
| Key: "salt", |
| @@ -90,7 +95,12 @@ func (a applicationService) CreateApiToken(user *entities.User, request entities | |||
| claims["username"] = user.Username | |||
| claims["exp"] = expiresAt | |||
|
|
|||
| tokenString, err := token.SignedString([]byte(utils.JwtSecret)) | |||
| salt, err := a.GetConfig("salt") | |||
|
|
||
| func (m *MongoOperations) GetAuthConfig(ctx context.Context, key string) (*AuthConfig, error) { | ||
|
|
||
| authDb := MgoClient.Database("auth") |
| } | ||
|
|
||
| func (c *Operator) GetAuthConfig(ctx context.Context) (*mongodb.AuthConfig, error) { | ||
| salt, err := c.operator.GetAuthConfig(ctx, "salt") |
SarthakJain26
approved these changes
Jun 28, 2024
Signed-off-by: Saranya-jena <[email protected]>
Signed-off-by: Saranya-jena <[email protected]>
Signed-off-by: Saranya-jena <[email protected]>
Signed-off-by: Saranya-jena <[email protected]>
Jonsy13
reviewed
Jul 2, 2024
chaoscenter/authentication/api/handlers/rest/dex_auth_handler.go
Outdated
Show resolved
Hide resolved
Signed-off-by: Saranya-jena <[email protected]>
Jonsy13
approved these changes
Jul 2, 2024
Signed-off-by: Saranya-jena <[email protected]>
Signed-off-by: Saranya-jena <[email protected]>
Saranya-jena
force-pushed
the
jwt-secret-fix
branch
from
ef0c21a
to
228a255
Compare
andoriyaprashant
pushed a commit
to andoriyaprashant/litmus
that referenced
this pull request
Jul 6, 2024
…itmuschaos#4719) * Added support for jwt secret creation of each user upon logic Signed-off-by: Saranya-jena <[email protected]> * Fixed imports Signed-off-by: Saranya-jena <[email protected]> * Add fixes in dex service Signed-off-by: Saranya-jena <[email protected]> * Fixed UTs Signed-off-by: Saranya-jena <[email protected]> * resolved comments Signed-off-by: Saranya-jena <[email protected]> * updated logic Signed-off-by: Saranya-jena <[email protected]> * fixed UTs and removed unecessary test cases Signed-off-by: Saranya-jena <[email protected]> * fixed imports Signed-off-by: Saranya-jena <[email protected]> * fixed imports Signed-off-by: Saranya-jena <[email protected]> * resolved comments Signed-off-by: Saranya-jena <[email protected]> * fixed imports Signed-off-by: Saranya-jena <[email protected]> * resolved comments Signed-off-by: Saranya-jena <[email protected]> * added server endpoint in allowed origins Signed-off-by: Saranya-jena <[email protected]> * fixed imports Signed-off-by: Saranya-jena <[email protected]> * minor chnages Signed-off-by: Saranya-jena <[email protected]> * minor chnages Signed-off-by: Saranya-jena <[email protected]> * fixed imports Signed-off-by: Saranya-jena <[email protected]> --------- Signed-off-by: Saranya-jena <[email protected]> Signed-off-by: andoriyaprashant <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed changes
As part of the fix we are storing the JWT secret in the DB which is generated using randomization and then encoded into base64 format before inserting into DB. This secret is generated once during litmus installation and is being used for token validation.
Summarize your changes here to communicate with the maintainers and make sure to put the link of that issue
Types of changes
What types of changes does your code introduce to Litmus? Put an
xin the boxes that applyChecklist
Put an
xin the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.Dependency
Special notes for your reviewer: