Use general token signing secret (#29205) (#29325)

Backport #29205 (including #29172) Use a clearly defined "signing secret" for token signing.
2025-07-25 03:38:36 +00:00 · 2024-02-23 01:07:41 +08:00
parent 7ea2ffaf16
commit 511298e452
13 changed files with 130 additions and 70 deletions
--- a/services/auth/source/oauth2/jwtsigningkey.go
+++ b/services/auth/source/oauth2/jwtsigningkey.go
@@ -300,7 +300,7 @@ func InitSigningKey() error {
 	case "HS384":
 		fallthrough
 	case "HS512":
-		key, err = loadSymmetricKey()
+		key = setting.GetGeneralTokenSigningSecret()
 	case "RS256":
 		fallthrough
 	case "RS384":
@@ -333,12 +333,6 @@ func InitSigningKey() error {
 	return nil
 }

-// loadSymmetricKey checks if the configured secret is valid.
-// If it is not valid, it will return an error.
-func loadSymmetricKey() (any, error) {
-	return util.Base64FixedDecode(base64.RawURLEncoding, []byte(setting.OAuth2.JWTSecretBase64), 32)
-}
-
 // loadOrCreateAsymmetricKey checks if the configured private key exists.
 // If it does not exist a new random key gets generated and saved on the configured path.
 func loadOrCreateAsymmetricKey() (any, error) {