linglong
Security issue: the JWT generation rule should be changed
https://github.com/awake1t/linglong/blob/bedbe49597412abab1c1635e133957d782e65325/pkg/utils/jwt.go#L12-L31
Under the current generation rule, the user's account name and password are stored in the JWT token, and they can be read by simply decoding it.
$ go test
GenerateToken
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJwYXNzd29yZCIsImV4cCI6MTY2Njc2NjA3NSwiaXNzIjoibGluZ2xvbmcifQ.4Ia5g5e0EzkOUjJ-Xmnu59lX6JiJVnDVaw_p-7vBrtA
PASS
ok linglong/pkg/utils 0.063s
$ .\jwt-hack.exe decode eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJwYXNzd29yZCIsImV4cCI6MTY2Njc2NjA3NSwiaXNzIjoibGluZ2xvbmcifQ.4Ia5g5e0EzkOUjJ-Xmnu59lX6JiJVnDVaw_p-7vBrtA
time="2022-10-26T11:36:19+08:00" level=info msg="Decoded data(claims)" header="{\"alg\":\"HS256\",\"typ\":\"JWT\"}" method="&{HS256 SHA-256}"
time="2022-10-26T11:36:19+08:00" level=info msg="Expiraton Time" EXP=1666766075 TIME="1970-01-01 08:00:01.666766075 +0800 CST"
{"exp":1666766075,"iss":"linglong","password":"password","username":"admin"}
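To show why the claims above are readable without any key, here is an added example (not code from the linglong repository): it base64url-decodes the payload segment of the token quoted in this issue without verifying the signature, then checks the claims against an assumed deny-list of names (password, passwd, pwd, secret) that a token issuer's tests should reject.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// DecodeClaims base64url-decodes the payload segment of a JWT into a map.
// The signature is deliberately NOT checked: no key is needed to read claims.
func DecodeClaims(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token: want 3 segments, got %d", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	claims := map[string]interface{}{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("payload is not JSON: %w", err)
	}
	return claims, nil
}
// SensitiveClaims is an assumed deny-list of claim names that must never be
// placed in a token; extend it to match your own claim schema.
var SensitiveClaims = []string{"password", "passwd", "pwd", "secret"}
// FindSensitiveClaims reports which deny-listed claim names a token carries.
func FindSensitiveClaims(claims map[string]interface{}) []string {
	var found []string
	for _, name := range SensitiveClaims {
		if _, ok := claims[name]; ok {
			found = append(found, name)
		}
	}
	return found
}

func main() {
	// The token quoted in the issue above.
	const tok = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJwYXNzd29yZCIsImV4cCI6MTY2Njc2NjA3NSwiaXNzIjoibGluZ2xvbmcifQ.4Ia5g5e0EzkOUjJ-Xmnu59lX6JiJVnDVaw_p-7vBrtA"
	claims, err := DecodeClaims(tok)
	if err != nil {
		panic(err)
	}
	fmt.Println("claims:", claims, "sensitive:", FindSensitiveClaims(claims))
}
```

The fix on the issuing side is to keep only the identity claims (username, exp, iss) in the token and never the credential itself; this check catches a regression if a password claim is reintroduced.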