[Task] Decouple JWT signing key from user password hash #6398

Description

@Aias00

DashboardUserServiceImpl currently uses the SHA-512 hash of the user's password as the HMAC-SHA256 signing key for JWT tokens (JwtUtils.generateToken(userName, getPassword(), ...)). This design has two weaknesses:

If the database is compromised, an attacker can use the stored password hash directly as a JWT signing key without needing to crack the original password.
Changing a user's password silently invalidates all existing sessions for that user with no explicit revocation mechanism.

Affected Files:

shenyu-admin/src/main/java/org/apache/shenyu/admin/utils/JwtUtils.java
shenyu-admin/src/main/java/org/apache/shenyu/admin/service/impl/DashboardUserServiceImpl.java
shenyu-admin/src/main/resources/application.yml

Proposed Change:

Introduce a shenyu.jwt.secret-key configuration property in application.yml that holds a randomly generated secret independent of user credentials.
Update JwtUtils.generateToken() and JwtUtils.verifyToken() to use this configured secret instead of the password hash.
Generate a default random value at startup if the property is not configured, with a warning log recommending explicit configuration.

Acceptance Criteria:

JWT tokens are signed with a configured or randomly generated secret key, not the user's password hash.
Changing a user's password does not affect existing JWT validity.
shenyu.jwt.secret-key is documented in the configuration reference.

Task List

No response
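As an added example for the two weaknesses and the proposed fix described in this issue (example code written for this page, not ShenYu's Java JwtUtils; a self-contained Python stand-in is used so it runs with the standard library alone), the block below implements minimal HS256 signing and verification, shows that anyone holding the stored SHA-512 hash can mint a token the current design accepts and that a password change silently invalidates every existing token, then repeats both checks against a server secret loaded the way the proposal describes. The property name shenyu.jwt.secret-key and the warn-on-missing behaviour come from the proposal; the sample password, the function names and the year-2100 expiry are constructed for the demonstration.

```python
"""HS256 JWT signing: password-hash key vs. independent server secret.

Stand-alone example for this page, not ShenYu's JwtUtils. Sample credentials,
function names and the expiry value are constructed.
"""
import base64
import hashlib
import hmac
import json
import logging
import secrets
import time
from typing import Optional

log = logging.getLogger("jwt-example")
FAR_FUTURE = 4102444800  # 2100-01-01T00:00:00Z, keeps the demo deterministic


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the signing input."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and exp check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None  # pin the algorithm; never let the token choose it
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    exp = claims.get("exp")
    if exp is not None and exp <= (time.time() if now is None else now):
        return None
    return claims


def sha512_hex(password: str) -> str:
    """Stand-in for the stored SHA-512 password hash the issue refers to."""
    return hashlib.sha512(password.encode()).hexdigest()


def load_server_secret(config: dict) -> bytes:
    """Proposed behaviour: use the configured secret, otherwise generate one and warn."""
    configured = config.get("shenyu.jwt.secret-key")
    if configured:
        return configured.encode()
    log.warning("shenyu.jwt.secret-key is not set; using a random key for this process. "
                "Configure it explicitly so tokens survive restarts and are shared across instances.")
    return secrets.token_bytes(32)


def weak_scheme_demo() -> dict:
    """Current design: the HMAC key is the user's stored password hash."""
    stored_hash = sha512_hex("correct horse battery staple")  # constructed sample credential
    # An attacker who dumped the users table forges a token from the hash alone.
    forged = sign_hs256({"sub": "admin", "exp": FAR_FUTURE}, stored_hash.encode())
    legit = sign_hs256({"sub": "admin", "exp": FAR_FUTURE}, stored_hash.encode())
    rotated_hash = sha512_hex("a brand new password")  # user changes password
    return {
        "forgery_accepted": verify_hs256(forged, stored_hash.encode()) is not None,
        "survives_password_change": verify_hs256(legit, rotated_hash.encode()) is not None,
    }


def fixed_scheme_demo() -> dict:
    """Proposed design: the HMAC key is a server secret unrelated to any credential."""
    secret = load_server_secret({"shenyu.jwt.secret-key": "example-only-configured-secret"})
    stored_hash = sha512_hex("correct horse battery staple")
    forged = sign_hs256({"sub": "admin", "exp": FAR_FUTURE}, stored_hash.encode())
    legit = sign_hs256({"sub": "admin", "exp": FAR_FUTURE}, secret)
    # A password change only rewrites the hash; the signing key is untouched.
    return {
        "forgery_accepted": verify_hs256(forged, secret) is not None,
        "survives_password_change": verify_hs256(legit, secret) is not None,
    }


if __name__ == "__main__":
    print("weak :", weak_scheme_demo())
    print("fixed:", fixed_scheme_demo())
```

Two practical caveats follow from the example. The generate-at-startup fallback means a restart invalidates every outstanding token and two admin instances will not accept each other's tokens, so the warning is worth heeding in anything beyond a single development node. And once the key no longer depends on the password hash, a password change no longer revokes sessions at all, so the explicit revocation mechanism the issue notes is missing becomes a requirement rather than a nice-to-have.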

Metadata

Assignees: No one assigned
Type: No type
Projects: No projects
Milestone: No milestone
Development: No branches or pull requests