From c03f860f8e30e96b77e01618fd6c0a409d9cee5c Mon Sep 17 00:00:00 2001
From: bo0tzz
Date: Thu, 13 Oct 2022 21:54:29 +0200
Subject: [PATCH] Log a warning if JWT_SECRET key does not have enough bits
---
 server/libs/common/src/config/app.config.ts | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/server/libs/common/src/config/app.config.ts b/server/libs/common/src/config/app.config.ts
index 1e657403e0..be3a006b75 100644
--- a/server/libs/common/src/config/app.config.ts
+++ b/server/libs/common/src/config/app.config.ts
@@ -1,5 +1,20 @@
+import { Logger } from '@nestjs/common';
 import { ConfigModuleOptions } from '@nestjs/config';
 import Joi from 'joi';
+import { createSecretKey, generateKeySync } from 'node:crypto'
+
+const jwtSecretValidator: Joi.CustomValidator = (value, _) => {
+ const key = createSecretKey(value, "base64")
+ const keySizeBits = (key.symmetricKeySize ?? 0) * 8
+
+ if (keySizeBits < 128) {
+ const newKey = generateKeySync('hmac', { length: 256 }).export().toString('base64')
+ Logger.warn("The current JWT_SECRET key is insecure. It should be at least 128 bits long!")
+ Logger.warn(`Here is a new, securely generated key that you can use instead: ${newKey}`)
+ }
+
+ return value;
+}
 export const immichAppConfig: ConfigModuleOptions = {
 envFilePath: '.env',
@@ -9,7 +24,7 @@ export const immichAppConfig: ConfigModuleOptions = {
 DB_USERNAME: Joi.string().required(),
 DB_PASSWORD: Joi.string().required(),
 DB_DATABASE_NAME: Joi.string().required(),
- JWT_SECRET: Joi.string().required(),
+ JWT_SECRET: Joi.string().required().custom(jwtSecretValidator),
 DISABLE_REVERSE_GEOCODING: Joi.boolean().optional().valid(true, false).default(false),
 REVERSE_GEOCODING_PRECISION: Joi.number().optional().valid(0,1,2,3).default(3),
 LOG_LEVEL: Joi.string().optional().valid('simple', 'verbose').default('simple'),
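Review bot: The second `Logger.warn` in `jwtSecretValidator` writes a freshly generated signing key into the application log, so an operator who adopts it ends up with a JWT secret that is readable by anyone with access to container or aggregated logs. Log instructions rather than key material, for example `Logger.warn('Generate a replacement with: openssl rand -base64 32');`, and drop the `generateKeySync` call. Separately, `createSecretKey(value, "base64")` measures the base64-decoded length; if the secret is consumed elsewhere as a plain string (not visible in this hunk), the measured size will not match the key actually used, because Node decodes base64 leniently rather than rejecting non-base64 input. The 128-bit threshold is also below the 256-bit minimum that RFC 7518 sets for HS256, if that is the algorithm in use.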