Stable oauth2.JWT_SECRET #106
Closed
opened 2021-01-28 05:27:11 +00:00 by viceice
5 comments
Reference: lunny/helm-chart#106
The `oauth2.JWT_SECRET` should be stable. Currently it will be regenerated on each container restart. So all existing tokens are invalid then.
https://discourse.gitea.io/t/drone-auth-error-after-gitea-server-restart/2880/4
Maybe related to #43
Well, you can always define the oauth token yourself.
The same goes for #43. Should be stable if you've defined one :)
Sure, but the `JWT_SECRET` must have a specific structure, otherwise it will be overwritten on every gitea startup
0cd87d64ff/modules/setting/setting.go (L760)
Seems to need exactly 32 bytes (then base64 encoded)
fe79b13ab2/modules/generate/generate.go (L60-L68)
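The constraint discussed in the two comments above, as an added example that is not code from Gitea or from this chart: it generates a value of the shape the thread describes (32 random bytes, base64 encoded) and checks whether a pre-defined value would survive a restart. The function names are hypothetical, and the unpadded URL-safe base64 variant is an assumption, since the thread only says "base64".

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// secretLen is the decoded length the thread says JWT_SECRET must have.
const secretLen = 32

// NewJWTSecret returns 32 bytes from the OS CSPRNG, base64 encoded.
// Assumption: URL-safe alphabet without padding (43 characters).
func NewJWTSecret() (string, error) {
	buf := make([]byte, secretLen)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CheckJWTSecret explains why a configured value would not be kept as-is.
func CheckJWTSecret(s string) error {
	if s == "" {
		return errors.New("empty: a new secret is generated on startup")
	}
	raw, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return fmt.Errorf("not unpadded URL-safe base64: %w", err)
	}
	if len(raw) != secretLen {
		return fmt.Errorf("decodes to %d bytes, want %d", len(raw), secretLen)
	}
	return nil
}

func main() {
	fresh, err := NewJWTSecret()
	if err != nil {
		panic(err)
	}
	// Constructed sample values; none of them is a real secret.
	for _, v := range []string{fresh, "", "my-drone-oauth-passphrase", "c2hvcnQ"} {
		fmt.Printf("%-45q -> %v\n", v, CheckJWTSecret(v))
	}
}
```

Running the check before rollout catches a hand-written passphrase, which would otherwise be replaced on startup and invalidate issued tokens again.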
Maybe we could create those tokens (internal token, jwt_secret, secret_key) prior to the actual run. There are gitea cli commands to do that. We could even dynamically create a Kubernetes secret storing these values for the future. This would require access to the Kubernetes API which could be done using a serviceaccount with the necessary permissions (e.g. update a specific secret that is created with the helm chart rollout in the cluster).
Doing so would persist those data in a secure way so that they can be reused.
What do you think @luhahn?
I am sure this issue will be fixed with #239, once ready.