make JWT secret and expiry time configurable

configuration/config.go

@@ -59,6 +59,8 @@ func InitConfig() error {
 		s3Region        = flag.String("s3-region", "default", "S3 Region for file uploads")
 		s3NoSSL         = flag.Bool("s3-nossl", false, "Use encrypted connections to the S3 API")
 		s3PathStyle     = flag.Bool("s3-pathstyle", false, "Use path-style S3 API")
+		jwtSecret       = flag.String("jwt-secret", "This should NOT be here!!@33$8&", "The JSON Web Token secret")
+		jwtExpiresAfter = flag.String("jwt-expires-after", "1w", "The time after which the JSON Web Token expires")
 	)
 	flag.Parse()
 
@@ -81,6 +83,8 @@ func InitConfig() error {
 		"s3.bucket":         *s3Bucket,
 		"s3.endpoint":       *s3Endpoint,
 		"s3.region":         *s3Region,
+		"jwt.secret":        *jwtSecret,
+		"jwt.expires-after": *jwtExpiresAfter,
 	}
 
 	if *s3NoSSL == true {
@@ -116,6 +120,8 @@ func InitConfig() error {
 		"S3_REGION":         "s3.region",
 		"S3_NOSSL":          "s3.nossl",
 		"S3_PATHSTYLE":      "s3.pathstyle",
+		"JWT_SECRET":        "jwt.secret",
+		"JWT_EXPIRES_AFTER": "jwt.expires-after",
 	}
 
 	defaults := config.NewStatic(static)

routes/user/authenticate_endpoint.go

@@ -22,11 +22,13 @@
 package user
 
 import (
+	"net/http"
+	"time"
+
+	"git.rwth-aachen.de/acs/public/villas/web-backend-go/configuration"
 	"git.rwth-aachen.de/acs/public/villas/web-backend-go/helper"
 	"github.com/dgrijalva/jwt-go"
 	"github.com/gin-gonic/gin"
-	"net/http"
-	"time"
 )
 
 type tokenClaims struct {
@@ -86,12 +88,30 @@ func authenticate(c *gin.Context) {
 		return
 	}
 
+	expiresStr, err := configuration.GolbalConfig.String("jwt.expires-after")
+	if err != nil {
+		helper.UnauthorizedError(c, "Backend configuration error")
+		return
+	}
+
+	expiresDuration, err := time.ParseDuration(expiresStr)
+	if err != nil {
+		helper.UnauthorizedError(c, "Backend configuration error")
+		return
+	}
+
+	secret, err := configuration.GolbalConfig.String("jwt.secret")
+	if err != nil {
+		helper.UnauthorizedError(c, "Backend configuration error")
+		return
+	}
+
 	// create authentication token
 	claims := tokenClaims{
 		user.ID,
 		user.Role,
 		jwt.StandardClaims{
-			ExpiresAt: time.Now().Add(weekHours).Unix(),
+			ExpiresAt: time.Now().Add(expiresDuration).Unix(),
 			IssuedAt:  time.Now().Unix(),
 			Issuer:    "http://web.villas.fein-aachen.org/",
 		},
@@ -99,7 +119,7 @@ func authenticate(c *gin.Context) {
 
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 
-	tokenString, err := token.SignedString([]byte(jwtSigningSecret))
+	tokenString, err := token.SignedString([]byte(secret))
 	if err != nil {
 		helper.InternalServerError(c, err.Error())
 		return

routes/user/user_endpoints.go

@@ -23,20 +23,16 @@ package user
 
 import (
 	"fmt"
-	"git.rwth-aachen.de/acs/public/villas/web-backend-go/helper"
 	"net/http"
 	"strings"
-	"time"
+
+	"git.rwth-aachen.de/acs/public/villas/web-backend-go/helper"
 
 	"github.com/gin-gonic/gin"
 
 	"git.rwth-aachen.de/acs/public/villas/web-backend-go/database"
 )
 
-// TODO: the signing secret must be environmental variable
-const jwtSigningSecret = "This should NOT be here!!@33$8&"
-const weekHours = time.Hour * 24 * 7
-
 func RegisterUserEndpoints(r *gin.RouterGroup) {
 	r.POST("", addUser)
 	r.PUT("/:userID", updateUser)

routes/user/user_middleware.go

@@ -24,8 +24,10 @@ package user
 import (
 	"fmt"
 
+	"git.rwth-aachen.de/acs/public/villas/web-backend-go/configuration"
 	"git.rwth-aachen.de/acs/public/villas/web-backend-go/database"
 	"git.rwth-aachen.de/acs/public/villas/web-backend-go/helper"
+
 	"github.com/dgrijalva/jwt-go"
 	"github.com/dgrijalva/jwt-go/request"
 	"github.com/gin-gonic/gin"
@@ -66,8 +68,8 @@ func Authentication(unauthorized bool) gin.HandlerFunc {
 				}
 
 				// return secret in byte format
-				secret := ([]byte(jwtSigningSecret))
+				secret, _ := configuration.GolbalConfig.String("jwt.secret")
-				return secret, nil
+				return []byte(secret), nil
 			})
 
 		// If the authentication extraction fails return HTTP CODE 401