Use general token signing secret (#29205)

Use a clearly defined "signing secret" for token signing.
2025-07-22 10:18:38 +00:00 · 2024-02-19 01:39:04 +08:00
parent c2a8aacae5
commit 8be198cdef
9 changed files with 82 additions and 33 deletions
--- a/modules/context/context.go
+++ b/modules/context/context.go
@@ -6,6 +6,7 @@ package context

 import (
 	"context"
+	"encoding/hex"
 	"fmt"
 	"html/template"
 	"io"
@@ -124,7 +125,7 @@ func NewWebContext(base *Base, render Render, session session.Store) *Context {
 func Contexter() func(next http.Handler) http.Handler {
 	rnd := templates.HTMLRenderer()
 	csrfOpts := CsrfOptions{
-		Secret:         setting.SecretKey,
+		Secret:         hex.EncodeToString(setting.GetGeneralTokenSigningSecret()),
 		Cookie:         setting.CSRFCookieName,
 		SetCookie:      true,
 		Secure:         setting.SessionConfig.Secure,