IT4Change/gradido
3
0
Fork 0
mirror of https://github.com/IT4Change/gradido.git synced 2026-04-26 15:57:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

externalize login server secrets, now configurable

Browse Source
This commit is contained in:
Ulf Gebhardt 2021-11-04 02:18:19 +01:00
parent ab64185275
commit 2bd63985b2
Signed by: ulfgebhardt
GPG Key ID: DA6B843E748679C9
3 changed files with 14 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
backend/.env.dist
View File

@ -18,4 +18,6 @@ DB_DATABASE=gradido_community
COMMUNITY_NAME= COMMUNITY_NAME=
COMMUNITY_URL= COMMUNITY_URL=
COMMUNITY_REGISTER_URL= COMMUNITY_REGISTER_URL=
COMMUNITY_DESCRIPTION= COMMUNITY_DESCRIPTION=
LOGIN_APP_SECRET=21ffbbc616fe
LOGIN_SERVER_KEY=a51ef8ac7ef1abf162fb7a65261acd7a

7
backend/src/config/index.ts
View File

@ -39,9 +39,14 @@ const community = {
process.env.COMMUNITY_DESCRIPTION || 'Die lokale Entwicklungsumgebung von Gradido.', process.env.COMMUNITY_DESCRIPTION || 'Die lokale Entwicklungsumgebung von Gradido.',
} }
const loginServer = {
LOGIN_APP_SECRET: process.env.LOGIN_APP_SECRET || '21ffbbc616fe',
LOGIN_SERVER_KEY: process.env.LOGIN_SERVER_KEY || 'a51ef8ac7ef1abf162fb7a65261acd7a',
}
// This is needed by graphql-directive-auth // This is needed by graphql-directive-auth
process.env.APP_SECRET = server.JWT_SECRET process.env.APP_SECRET = server.JWT_SECRET
const CONFIG = { ...server, ...database, ...klicktipp, ...community } const CONFIG = { ...server, ...database, ...klicktipp, ...community, ...loginServer }
export default CONFIG export default CONFIG

10
backend/src/graphql/resolver/UserResolver.ts
View File

@ -142,9 +142,9 @@ const KeyPairEd25519Create = (passphrase: string[]): Buffer[] => {
const SecretKeyCryptographyCreateKey = (salt: string, password: string): Buffer[] => { const SecretKeyCryptographyCreateKey = (salt: string, password: string): Buffer[] => {
// TODO: put that in the actual config // TODO: put that in the actual config
const configCryptoAppSecret = Buffer.from('21ffbbc616fe', 'hex') const configLoginAppSecret = Buffer.from(CONFIG.LOGIN_APP_SECRET, 'hex')
const configCryptoServerKey = Buffer.from('a51ef8ac7ef1abf162fb7a65261acd7a', 'hex') const configLoginServerKey = Buffer.from(CONFIG.LOGIN_SERVER_KEY, 'hex')
if (configCryptoServerKey.length !== sodium.crypto_shorthash_KEYBYTES) { if (configLoginServerKey.length !== sodium.crypto_shorthash_KEYBYTES) {
throw new Error( throw new Error(
`ServerKey has an invalid size. The size must be ${sodium.crypto_shorthash_KEYBYTES} bytes.`, `ServerKey has an invalid size. The size must be ${sodium.crypto_shorthash_KEYBYTES} bytes.`,
) )
@ -153,7 +153,7 @@ const SecretKeyCryptographyCreateKey = (salt: string, password: string): Buffer[
const state = Buffer.alloc(sodium.crypto_hash_sha512_STATEBYTES) const state = Buffer.alloc(sodium.crypto_hash_sha512_STATEBYTES)
sodium.crypto_hash_sha512_init(state) sodium.crypto_hash_sha512_init(state)
sodium.crypto_hash_sha512_update(state, Buffer.from(salt)) sodium.crypto_hash_sha512_update(state, Buffer.from(salt))
sodium.crypto_hash_sha512_update(state, Buffer.from(configCryptoAppSecret)) sodium.crypto_hash_sha512_update(state, configLoginAppSecret)
const hash = Buffer.alloc(sodium.crypto_hash_sha512_BYTES) const hash = Buffer.alloc(sodium.crypto_hash_sha512_BYTES)
sodium.crypto_hash_sha512_final(state, hash) sodium.crypto_hash_sha512_final(state, hash)
@ -171,7 +171,7 @@ const SecretKeyCryptographyCreateKey = (salt: string, password: string): Buffer[
) )
const encryptionKeyHash = Buffer.alloc(sodium.crypto_shorthash_BYTES) const encryptionKeyHash = Buffer.alloc(sodium.crypto_shorthash_BYTES)
sodium.crypto_shorthash(encryptionKeyHash, encryptionKey, configCryptoServerKey) sodium.crypto_shorthash(encryptionKeyHash, encryptionKey, configLoginServerKey)
return [encryptionKeyHash, encryptionKey] return [encryptionKeyHash, encryptionKey]
} }