From 7c364c7295ffe27dce79a6a567a7329b7ee42731 Mon Sep 17 00:00:00 2001
From: Hubert Van De Walle
Date: Mon, 15 Jun 2020 16:51:37 +0200
Subject: [PATCH] Use different JWT secret for auth and refresh tokens..

---
 api/resources/application.dev.yaml       | 3 ++-
 api/resources/application.prod.yaml      | 3 ++-
 api/src/features/ConfigurationFeature.kt | 8 ++++----
 3 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/api/resources/application.dev.yaml b/api/resources/application.dev.yaml
index 0912c4f..58459ea 100644
--- a/api/resources/application.dev.yaml
+++ b/api/resources/application.dev.yaml
@@ -11,11 +11,12 @@ server:
   cors: true
 jwt:
-  secret: 9Io9kvgIedOcLdUvKl31OKf51jdTZcFHJFgqvEpfJuI= # Can be generated with `openssl rand -base64 32`
   auth:
+    secret: uiqzRNiMYwbObn/Ps5xTasYVeu/63ZuI+1oB98Ez+lY=
     validity: 1
     unit: HOURS
   refresh:
+    secret: wWchkx44YGig4Q5Z7b7+E/3ymGEGd6PS7UGedMul3bg=
     validity: 15
     unit: DAYS
diff --git a/api/resources/application.prod.yaml b/api/resources/application.prod.yaml
index 7fc8c2e..936ab0e 100644
--- a/api/resources/application.prod.yaml
+++ b/api/resources/application.prod.yaml
@@ -11,11 +11,12 @@ server:
   cors: ${CORS:-true}
 jwt:
-  secret: ${JWT_SECRET} # Can be generated with `openssl rand -base64 32`
   auth:
+    secret: ${JWT_SECRET} # Can be generated with `openssl rand -base64 32`
     validity: 1
     unit: HOURS
   refresh:
+    secret: ${JWT_REFRESH_SECRET} # Can be generated with `openssl rand -base64 32`
     validity: 15
     unit: DAYS
diff --git a/api/src/features/ConfigurationFeature.kt b/api/src/features/ConfigurationFeature.kt
index b004a4b..a46eb68 100644
--- a/api/src/features/ConfigurationFeature.kt
+++ b/api/src/features/ConfigurationFeature.kt
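Review bot: The two literal values added under `auth:` and `refresh:` in application.dev.yaml are now committed secrets, so any process that ends up loading the dev profile will verify tokens against keys that are public in the repository history. The prod file reads both values from environment variables; if the loader applies the same substitution to the dev file (the prod file already uses the `${VAR:-default}` form for `cors`, but that is not visible for this file), the dev entries could be written as `secret: ${JWT_SECRET:-<dev value>}` so an operator can override them without editing the file. The generation hint that was on the removed `secret:` line is dropped here but kept in the prod file; it is worth keeping on at least one of the new dev `secret:` lines so the dev values are regenerated rather than copied to other environments.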
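Review bot: `${JWT_REFRESH_SECRET}` in application.prod.yaml is a newly required variable with no fallback, which is the right choice, but what happens when it is unset depends on the loader (not visible here): if it substitutes an empty string instead of failing, refresh tokens would be signed with an empty key. Worth confirming that startup rejects a blank value for either `secret:` and adding the new variable wherever `JWT_SECRET` is documented for deployment. Nothing in the file prevents an operator from setting both variables to the same value, which silently collapses the separation this commit introduces; a comment such as `# Must differ from JWT_SECRET` on the refresh line would make the expectation explicit.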
@@ -29,21 +29,21 @@ val configurationModule = Kodein.Module(name = "Configuration") {
 data class DatabaseConfig(val host: String, val port: Int, val name: String, val username: String, val password: Masked)
 data class ServerConfig(val host: String, val port: Int, val cors: Boolean)
-data class JwtConfig(val secret: Masked, val auth: JwtValidity, val refresh: JwtValidity)
-data class JwtValidity(val validity: Long, val unit: TimeUnit)
+data class JwtConfig(val auth: Jwt, val refresh: Jwt)
+data class Jwt(val validity: Long, val unit: TimeUnit, val secret: Masked)
 data class Config(val database: DatabaseConfig, val server: ServerConfig, val jwt: JwtConfig)

 private fun configureAuthJwt(kodein: Kodein): SimpleJWT {
     val config by kodein.instance()
-    val jwtSecret = config.jwt.secret
+    val jwtSecret = config.jwt.auth.secret
     val authConfig = config.jwt.auth
     return SimpleJWT(jwtSecret.value, authConfig.validity, authConfig.unit)
 }

 private fun configureRefreshJwt(kodein: Kodein): SimpleJWT {
     val config by kodein.instance()
-    val jwtSecret = config.jwt.secret
+    val jwtSecret = config.jwt.refresh.secret
     val refreshConfig = config.jwt.auth
     return SimpleJWT(jwtSecret.value, refreshConfig.validity, refreshConfig.unit)
 }
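Review bot: In `configureRefreshJwt` the new line takes the secret from `config.jwt.refresh` but the unchanged line below it still reads `val refreshConfig = config.jwt.auth`, so the refresh token is signed with the refresh secret yet issued with the auth validity (1 HOURS in both YAML files) and the configured refresh validity is never used. The fix is `val refreshConfig = config.jwt.refresh`. Since `Jwt` now carries its own `secret`, both helpers could also drop the separate `jwtSecret` local and build from the one sub-config, e.g. `val refreshConfig = config.jwt.refresh` followed by `return SimpleJWT(refreshConfig.secret.value, refreshConfig.validity, refreshConfig.unit)`. Nothing in this hunk checks that the two secrets actually differ; where `Config` is loaded (outside the hunk) a `require(config.jwt.auth.secret.value != config.jwt.refresh.secret.value) { "auth and refresh JWT secrets must differ" }` would catch a deployment that sets both variables to the same value.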