
Hardcoding the JWT secret key can lead to arbitrary users spoofing tokens.

Open Redpeppersir opened this issue 1 year ago • 0 comments

Description: Hardcoding the JWT secret key can lead to arbitrary users spoofing tokens. Since travels-java-api is an open-source project, others can easily obtain the JWT secret key of travels-java-api. This allows them to use the JWT secret key to generate arbitrary JWT tokens and gain access to any user's permissions.

Fix Suggestion: Generate a random JWT secret key during project initialization and store it in the database.

Test code: (screenshot)

File: travels-java-api-master\src\main\java\io\github\mariazevedo88\travelsjavaapi\filters\JwtAuthenticationTokenFilter.java (screenshots)

Redpeppersir, Oct 29 '24 07:10
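The report above can be checked end to end without the project itself. The following is an added, self-contained Python example (not code from travels-java-api or from the reporter; Python is used because it needs only the standard library, whereas the project's Java filter depends on a JWT library). It implements HS256 signing and verification the way a JWT library does, then shows the two situations the report contrasts: a server that verifies with a secret committed to the repository accepts a token anyone can forge, while a server that generates a random 256-bit secret at initialization rejects the same token. `HARDCODED_SECRET` is a constructed placeholder and is not the project's real value; the claim names (`sub`, `role`, `exp`) and the `ROLE_*` strings are assumptions, not taken from the project.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact JWS: base64url(header).base64url(payload).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str, secret: bytes):
    """Return the claims if the token is validly signed with `secret` and not
    expired, otherwise None. Pins alg to HS256 so an 'alg: none' header cannot
    bypass the check, and compares the MAC in constant time."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        provided = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= int(time.time()):
        return None
    return claims


# Constructed placeholder standing in for a secret committed to source control.
# It is NOT the project's real value; what matters is only that it is public.
HARDCODED_SECRET = b"example-secret-committed-to-git"


def generate_secret() -> bytes:
    """Per-deployment secret: 32 random bytes (256 bits, the HS256 minimum
    recommended by RFC 7518), generated at init and kept out of the repository
    (a database row as the reporter suggests, an env var, or a secrets manager)."""
    return secrets.token_bytes(32)


def attacker_forges_token(public_secret: bytes) -> str:
    """Anyone who has read the repository can mint a token for any identity."""
    claims = {"sub": "admin", "role": "ROLE_ADMIN", "exp": int(time.time()) + 3600}
    return sign_hs256(claims, public_secret)


def demo():
    """Returns (vulnerable_result, fixed_result, legitimate_result)."""
    forged = attacker_forges_token(HARDCODED_SECRET)

    # Vulnerable deployment: the server verifies with the secret that is in git,
    # so the forged admin token is accepted.
    accepted_by_vulnerable_server = verify_hs256(forged, HARDCODED_SECRET)

    # Fixed deployment: the server verifies with a secret generated at startup.
    # The attacker never sees it, so the same forged token fails the MAC check,
    # while tokens the server itself issued still verify.
    runtime_secret = generate_secret()
    accepted_by_fixed_server = verify_hs256(forged, runtime_secret)
    legit = sign_hs256(
        {"sub": "alice", "role": "ROLE_USER", "exp": int(time.time()) + 3600},
        runtime_secret,
    )
    legit_ok = verify_hs256(legit, runtime_secret)
    return accepted_by_vulnerable_server, accepted_by_fixed_server, legit_ok


if __name__ == "__main__":
    vuln, fixed, legit = demo()
    print("vulnerable server accepted forged token:", vuln is not None)
    print("fixed server accepted forged token:", fixed is not None)
    print("fixed server accepted its own token:", legit is not None)
```

Two practical caveats follow from the example. Whichever store the generated secret lives in, every instance of the service must read the same value, or tokens issued by one instance will be rejected by another; and generating a new secret (or rotating it later) invalidates every token signed with the old one, which is usually acceptable for a fix of this kind but should be done with a deliberate logout of all sessions rather than by surprise.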