Use general token signing secret (#29205) (#29325)

Backport #29205 (including #29172) Use a clearly defined "signing secret" for token signing.
2025-07-09 20:17:21 +00:00 · 2024-02-23 01:07:41 +08:00
parent 7ea2ffaf16
commit 511298e452
13 changed files with 130 additions and 70 deletions
--- a/modules/context/context.go
+++ b/modules/context/context.go
@ -6,6 +6,7 @@ package context

 import (
 	"context"
+	"encoding/hex"
 	"html"
 	"html/template"
 	"io"
@ -134,7 +135,7 @@ func NewWebContext(base *Base, render Render, session session.Store) *Context {
 func Contexter() func(next http.Handler) http.Handler {
 	rnd := templates.HTMLRenderer()
 	csrfOpts := CsrfOptions{
-		Secret:         setting.SecretKey,
+		Secret:         hex.EncodeToString(setting.GetGeneralTokenSigningSecret()),
 		Cookie:         setting.CSRFCookieName,
 		SetCookie:      true,
 		Secure:         setting.SessionConfig.Secure,