Skip to content

Increase length of JWT secret to avoid errors in lcobucci/jwt ^4.2 #1124

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 14, 2022
Merged

Increase length of JWT secret to avoid errors in lcobucci/jwt ^4.2 #1124

merged 2 commits into from
Sep 14, 2022

Conversation

silverbackdan
Copy link
Contributor

@silverbackdan silverbackdan commented Sep 12, 2022
edited by chalasr
Loading

Q A
License MIT
Doc issue/PR n/a

I'm not sure if I should have added this in a new version or included previous config directories.

But the length of the JWT secret needs to be longer by default
See: symfony/mercure#89
See: https://github.com/symfony/symfony-docs/pull/17259/files
See: symfony/mercure#89
See: https://github.com/lcobucci/jwt/releases/tag/4.2.0

@symfony-recipes-bot symfony-recipes-bot enabled auto-merge (squash) September 12, 2022 13:54
@github-actions
Copy link

github-actions bot commented Sep 12, 2022
edited
Loading

Thanks for the PR 😍

How to test these changes in your application

  1. Define the SYMFONY_ENDPOINT environment variable:

    # On Unix-like (BSD, Linux and macOS)
export SYMFONY_ENDPOINT=https://raw.githubusercontent.com/symfony/recipes/flex/pull-1124/index.json
# On Windows
SET SYMFONY_ENDPOINT=https://raw.githubusercontent.com/symfony/recipes/flex/pull-1124/index.json

  2. Install the package(s) related to this recipe:

    composer req 'symfony/flex:^1.16'
composer req 'symfony/mercure-bundle:^0.3'

  3. Don't forget to unset the SYMFONY_ENDPOINT environment variable when done:

    # On Unix-like (BSD, Linux and macOS)
unset SYMFONY_ENDPOINT
# On Windows
SET SYMFONY_ENDPOINT=

Diff between recipe versions

In order to help with the review stage, I'm in charge of computing the diff between the various versions of patched recipes.
I'm going keep this comment up to date with any updates of the attached patch.

symfony/mercure-bundle

0.1 vs 0.2 
diff --git a/symfony/mercure-bundle/0.1/config/packages/mercure.yaml b/symfony/mercure-bundle/0.2/config/packages/mercure.yaml
index d1947d1..17aaa0c 100644
--- a/symfony/mercure-bundle/0.1/config/packages/mercure.yaml
+++ b/symfony/mercure-bundle/0.2/config/packages/mercure.yaml
@@ -1,4 +1,5 @@
 mercure:
+    enable_profiler: '%kernel.debug%'
     hubs:
         default:
             url: '%env(MERCURE_PUBLISH_URL)%'
0.2 vs 0.3 
diff --git a/symfony/mercure-bundle/0.2/config/packages/mercure.yaml b/symfony/mercure-bundle/0.3/config/packages/mercure.yaml
index 17aaa0c..f2a7395 100644
--- a/symfony/mercure-bundle/0.2/config/packages/mercure.yaml
+++ b/symfony/mercure-bundle/0.3/config/packages/mercure.yaml
@@ -1,6 +1,8 @@
 mercure:
-    enable_profiler: '%kernel.debug%'
     hubs:
         default:
-            url: '%env(MERCURE_PUBLISH_URL)%'
-            jwt: '%env(MERCURE_JWT_TOKEN)%'
+            url: '%env(MERCURE_URL)%'
+            public_url: '%env(MERCURE_PUBLIC_URL)%'
+            jwt:
+                secret: '%env(MERCURE_JWT_SECRET)%'
+                publish: '*'
diff --git a/symfony/mercure-bundle/0.2/manifest.json b/symfony/mercure-bundle/0.3/manifest.json
index ba8f74d..9df7a45 100644
--- a/symfony/mercure-bundle/0.2/manifest.json
+++ b/symfony/mercure-bundle/0.3/manifest.json
@@ -7,9 +7,41 @@
     },
     "env": {
         "#1": "See https://symfony.com/doc/current/mercure.html#configuration",
-        "MERCURE_PUBLISH_URL": "http://mercure/.well-known/mercure",
-        "#2": "The default token is signed with the secret key: !ChangeMe!",
-        "MERCURE_JWT_TOKEN": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXJjdXJlIjp7InB1Ymxpc2giOltdfX0.Oo0yg7y4yMa1vr_bziltxuTCqb8JVHKxp-f_FwwOim0"
+        "#2": "The URL of the Mercure hub, used by the app to publish updates (can be a local URL)",
+        "MERCURE_URL": "https://example.com/.well-known/mercure",
+        "#3": "The public URL of the Mercure hub, used by the browser to connect",
+        "MERCURE_PUBLIC_URL": "https://example.com/.well-known/mercure",
+        "#4": "The secret used to sign the JWTs",
+        "MERCURE_JWT_SECRET": "!ChangeThisMercureHubJWTSecretKey!"
+    },
+    "docker-compose": {
+        "docker-compose.yml": {
+            "services": [
+                "mercure:",
+                "  image: dunglas/mercure",
+                "  restart: unless-stopped",
+                "  environment:",
+                "    SERVER_NAME: ':80'",
+                "    MERCURE_PUBLISHER_JWT_KEY: '!ChangeThisMercureHubJWTSecretKey!'",
+                "    MERCURE_SUBSCRIBER_JWT_KEY: '!ChangeThisMercureHubJWTSecretKey!'",
+                "    # Set the URL of your Symfony project (without trailing slash!) as value of the cors_origins directive",
+                "    MERCURE_EXTRA_DIRECTIVES: |",
+                "      cors_origins http://127.0.0.1:8000",
+                "  # Comment the following line to disable the development mode",
+                "  command: /usr/bin/caddy run -config /etc/caddy/Caddyfile.dev",
+                "  volumes:",
+                "    - mercure_data:/data",
+                "    - mercure_config:/config"
+            ],
+            "volumes": ["mercure_data:", "mercure_config:"]
+        },
+        "docker-compose.override.yml": {
+            "services": [
+                "mercure:",
+                "  ports:",
+                "    - \"80\""
+            ]
+        }
     },
     "aliases": ["mercure"]
 }

auto-merge was automatically disabled September 12, 2022 13:55

Head branch was pushed to by a user without write access

@symfony-recipes-bot symfony-recipes-bot enabled auto-merge (squash) September 12, 2022 13:56
stof
stof previously approved these changes Sep 12, 2022
View reviewed changes
@chalasr
Copy link
Member

chalasr commented Sep 12, 2022

I'm not sure if I should have added this in a new version or included previous config directories.

The version of the recipe must match an existing release of the target package, so given this is kind of a bugfix I think we should update all existing versions instead

@silverbackdan
Copy link
Contributor Author

silverbackdan commented Sep 12, 2022
edited
Loading

Sure, 0.1 and 0.2 define the actual token and it is signed with the short key - do I need to update those?

I'm not sure it'd cause an error because the exception is thrown when creating the JWT - Unsure if it's thrown when the JWT is already created

auto-merge was automatically disabled September 12, 2022 14:00

Head branch was pushed to by a user without write access

@symfony-recipes-bot symfony-recipes-bot enabled auto-merge (squash) September 12, 2022 14:01
auto-merge was automatically disabled September 12, 2022 14:09

Head branch was pushed to by a user without write access

@symfony-recipes-bot symfony-recipes-bot enabled auto-merge (squash) September 12, 2022 14:10
@silverbackdan
Copy link
Contributor Author

Not quite sure what I need to change in the PR to avoid this error - sorry.

auto-merge was automatically disabled September 12, 2022 14:20

Head branch was pushed to by a user without write access

@symfony-recipes-bot symfony-recipes-bot enabled auto-merge (squash) September 12, 2022 14:20
@chalasr
Copy link
Member

chalasr commented Sep 12, 2022

The verification is handled by the mercure hub which is written in Go and uses github.com/golang-jwt/jwt/v4 which does not have such validation, so this is not an issue for now but might be one day. However mercure-bundle 0.1 and 0.2 didn't use lcobucci/jwt so I'd say we don't care at all about these versions.

chalasr
chalasr previously approved these changes Sep 12, 2022
View reviewed changes
@chalasr
Copy link
Member

chalasr commented Sep 12, 2022

Not quite sure what I need to change in the PR to avoid this error - sorry.

No worry, I fear there's nothing we can do, all good for this PR. /cc @fabpot

dunglas
dunglas requested changes Sep 13, 2022
View reviewed changes
Copy link
Member

@dunglas dunglas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just released a patch version of Mercure changing the default key used in dev mode: https://github.com/dunglas/mercure/releases/tag/v0.14.1

Can you please use the same value, so the recipe will work out of the box in dev mode.

auto-merge was automatically disabled September 14, 2022 07:42

Head branch was pushed to by a user without write access

@symfony-recipes-bot symfony-recipes-bot enabled auto-merge (squash) September 14, 2022 07:43
@silverbackdan
Copy link
Contributor Author

Sure thing @dunglas - updated the PR now.

This was referenced Sep 14, 2022
Closed
Merged
dunglas
dunglas previously approved these changes Sep 14, 2022
View reviewed changes
@silverbackdan
Copy link
Contributor Author

/cc @chalasr :)

chalasr
chalasr previously approved these changes Sep 14, 2022
View reviewed changes
@chalasr
Copy link
Member

chalasr commented Sep 14, 2022

@silverbackdan The CI was complaining about the missing table in the PR description (including the MIT license). I took the liberty to add it myself, hope it's ok for you. The check is still red though, can you please try to force-push to retrigger it?

@silverbackdan
Change secret to match patched Mercure version 0.14.1
c371f40 
| Q             | A
| ------------- | ---
| License       | MIT
| Doc issue/PR  | n/a
auto-merge was automatically disabled September 14, 2022 14:20

Head branch was pushed to by a user without write access

@silverbackdan silverbackdan dismissed stale reviews from chalasr and dunglas via c371f40 September 14, 2022 14:20
@symfony-recipes-bot symfony-recipes-bot enabled auto-merge (squash) September 14, 2022 14:20
@silverbackdan
Copy link
Contributor Author

silverbackdan commented Sep 14, 2022
edited
Loading

Ah perfect - sorry I missed that.
@chalasr and @dunglas - nothing has changed in the PR just the commit message with the MIT licence in there too.
Just need re-approving. Thanks for bearing with.

@symfony-recipes-bot symfony-recipes-bot merged commit b603770 into symfony:main Sep 14, 2022
@silverbackdan
Copy link
Contributor Author

Merci

javiereguiluz added a commit to symfony/symfony-docs that referenced this pull request Sep 14, 2022
@javiereguiluz
minor #17269 [Mercure] Update the default JWT secret (silverbackdan)
2bc0a70 
This PR was merged into the 6.0 branch.

Discussion
----------

[Mercure] Update the default JWT secret

The secret must now be a key of the same size as the hash output (for instance, 256 bits for "HS256") or larger to avoid error in lcobucci/jwt ^4.2.
See: symfony/mercure#89
See: https://github.com/lcobucci/jwt/releases/tag/4.2.0
See: symfony/recipes#1124

Commits
-------

688b84e Update mercure jwt default secret
@jrushlow jrushlow mentioned this pull request Sep 20, 2022
Merged
@bkosun bkosun mentioned this pull request Sep 30, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dunglas dunglas dunglas approved these changes

@stof stof stof approved these changes

@chalasr chalasr chalasr left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@silverbackdan @chalasr @dunglas @stof @symfony-recipes-bot