security improvements

2025-06-29 21:59:41 +02:00
parent 7fdda06dba
commit caba5bae70
30 changed files with 3929 additions and 147 deletions
--- a/local/utl/jwt/jwt.go
+++ b/local/utl/jwt/jwt.go
@@ -2,16 +2,18 @@ package jwt

 import (
 	"acc-server-manager/local/model"
+	"crypto/rand"
+	"encoding/base64"
 	"errors"
+	"log"
+	"os"
 	"time"

 	"github.com/golang-jwt/jwt/v4"
 )

-// SecretKey is the secret key for signing the JWT.
-// It is recommended to use a long, complex string for this.
-// In a production environment, this should be loaded from a secure configuration source.
-var SecretKey = []byte("your-secret-key")
+// SecretKey holds the JWT signing key loaded from environment
+var SecretKey []byte

 // Claims represents the JWT claims.
 type Claims struct {
@@ -19,6 +21,36 @@ type Claims struct {
 	jwt.RegisteredClaims
 }

+// init initializes the JWT secret key from environment variable
+func init() {
+	jwtSecret := os.Getenv("JWT_SECRET")
+	if jwtSecret == "" {
+		log.Fatal("JWT_SECRET environment variable is required and cannot be empty")
+	}
+
+	// Decode base64 secret if it looks like base64, otherwise use as-is
+	if decoded, err := base64.StdEncoding.DecodeString(jwtSecret); err == nil && len(decoded) >= 32 {
+		SecretKey = decoded
+	} else {
+		SecretKey = []byte(jwtSecret)
+	}
+
+	// Ensure minimum key length for security
+	if len(SecretKey) < 32 {
+		log.Fatal("JWT_SECRET must be at least 32 bytes long for security")
+	}
+}
+
+// GenerateSecretKey generates a cryptographically secure random key for JWT signing
+// This is a utility function for generating new secrets, not used in normal operation
+func GenerateSecretKey() string {
+	key := make([]byte, 64) // 512 bits
+	if _, err := rand.Read(key); err != nil {
+		log.Fatal("Failed to generate random key: ", err)
+	}
+	return base64.StdEncoding.EncodeToString(key)
+}
+
 // GenerateToken generates a new JWT for a given user.
 func GenerateToken(user *model.User) (string, error) {
 	expirationTime := time.Now().Add(24 * time.Hour)