From 7ad3d247b5a09c6d4dd273e4509df405b98520a1 Mon Sep 17 00:00:00 2001 From: Wyatt Johnson Date: Thu, 18 Oct 2018 14:33:45 -0600 Subject: [PATCH 1/2] feat: added base64 secret encoding --- docs/source/02-02-advanced-configuration.md | 17 +++++++++++++++-- services/jwt.js | 5 +++++ 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/docs/source/02-02-advanced-configuration.md b/docs/source/02-02-advanced-configuration.md index 083b4bcdb..49769be0b 100644 --- a/docs/source/02-02-advanced-configuration.md +++ b/docs/source/02-02-advanced-configuration.md @@ -246,6 +246,21 @@ Refer to the documentation for [TALK_JWT_ALG](#talk-jwt-alg) for other signing methods and other forms of the `TALK_JWT_SECRET`. If you are interested in using multiple keys, then refer to [TALK_JWT_SECRETS](#talk-jwt-secrets). +You can also encode your secret as a base64 string (if you are using a symmetric +algorithm) as long as you prefix it with `base64:`. For example: + +```plain +TALK_JWT_SECRET={"secret": "base64:dGVzdA=="} +``` + +Would be the same as: + +```plain +TALK_JWT_SECRET={"secret": "test"} +``` + +As `dGVzdA==` is just `test` encoded using base64. + ## TALK_JWT_SECRETS Used when specifying multiple secrets used for key rotations. This is a JSON @@ -271,7 +286,6 @@ Note that the secret is stored in a JSON object, keyed by `secret`. This is only needed when specifying in the multiple secrets for `TALK_JWT_SECRETS`, but may be used to specify the single [TALK_JWT_SECRET](#talk-jwt-secret). - When the value of [TALK_JWT_ALG](#talk-jwt-alg) is **not** a `HS*` value, then the value of the `TALK_JWT_SECRETS` should take the form: @@ -282,7 +296,6 @@ TALK_JWT_SECRETS=[{"kid": "1", "private": "", "public": " Date: Fri, 19 Oct 2018 16:28:13 +0000 Subject: [PATCH 2/2] review: fix invalid substring --- services/jwt.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/jwt.js b/services/jwt.js index 21045da8f..b1e444dbd 100644 --- a/services/jwt.js +++ b/services/jwt.js @@ -122,7 +122,7 @@ function SharedSecret({ kid = undefined, secret = null }, algorithm) { // If the secret is base64 encoded, then decode it! if (secret.startsWith('base64:')) { - secret = Buffer.from(secret.substring(6), 'base64').toString(); + secret = Buffer.from(secret.substring(7), 'base64').toString(); } return new Secret({