fix(config): remove hardcoded JWT signing key; resolve securely#1134
Open
madhavilosetty-intel wants to merge 1 commit into
Open
fix(config): remove hardcoded JWT signing key; resolve securely#1134madhavilosetty-intel wants to merge 1 commit into
madhavilosetty-intel wants to merge 1 commit into
Conversation
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1134 +/- ##
==========================================
+ Coverage 43.59% 43.88% +0.28%
==========================================
Files 143 144 +1
Lines 13621 13634 +13
==========================================
+ Hits 5938 5983 +45
+ Misses 7118 7078 -40
- Partials 565 573 +8 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
madhavilosetty-intel
force-pushed
the
fix/jwt-key-secure-handling
branch
from
July 10, 2026 23:42
383532a to
0c93db7
Compare
The JWT signing key defaulted to the public literal "your_secret_jwt_key" in defaultConfig, .env.example and config/config.yml. Because every JWT (REST middleware and the KVM/SOL/IDER WebSocket) is validated with HS256 against this key, anyone could forge a token and bypass authentication. The env-required tag gave false assurance: cleanenv is satisfied by the non-empty default, so the app booted with the insecure key. Resolve the key with no hardcoded default, mirroring the AMT encryption key: secret store (Vault) -> OS keyring -> generate a 256-bit key, stored securely and never written to config.yml. Refuse to start when the key is empty or the known-insecure literal. Tighten config.yml to 0600 / dir 0700 (it persists the admin password in plaintext) and scrub the literal from .env.example and config/config.yml. This is Phase 1 of #1067 (secure credential storage); admin-password migration and the disable-plaintext toggle follow in Phase 2. Refs: #1067
madhavilosetty-intel
force-pushed
the
fix/jwt-key-secure-handling
branch
from
July 11, 2026 00:10
0c93db7 to
e840c17
Compare
Contributor
|
@madhavilosetty-intel : This issue needs to be resolved independant of the secret store related support as described in #1067 or if you think that a secret store support is needed to fix this issue then we need to first address #1067 before having the issue fixed in parts. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The JWT signing key defaulted to the public literal your_secret_jwt_key, allowing anyone to forge HS256 JWTs and bypass authentication for both REST APIs and KVM/SOL/IDER WebSocket endpoints. Because cleanenv accepts the non-empty default, the application starts with the insecure key even when AUTH_JWT_KEY is unset.
Remove the hardcoded default and resolve the key securely (Vault → OS keyring → generate a random 256-bit key), never persisting it to config.yml. Refuse to start with an empty or known-insecure key, tighten config.yml permissions (0600/0700), and remove the literal from .env.example and config/config.yml.
Refs: #1067