JWT factory immutable and test fixed with > 512bit key

2024-04-18 22:00:14 +02:00 · 2024-04-18 22:00:14 +02:00 · 8dc455edc1
commit 8dc455edc1
parent f471f1351e
2 changed files with 12 additions and 10 deletions
--- a/application/src/main/java/org/thingsboard/server/service/security/model/token/JwtTokenFactory.java
+++ b/application/src/main/java/org/thingsboard/server/service/security/model/token/JwtTokenFactory.java
@ -16,6 +16,7 @@
 package org.thingsboard.server.service.security.model.token;

 import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.ClaimsBuilder;
 import io.jsonwebtoken.ExpiredJwtException;
 import io.jsonwebtoken.Jws;
 import io.jsonwebtoken.JwtBuilder;
@ -183,20 +184,21 @@ public class JwtTokenFactory {

        UserPrincipal principal = securityUser.getUserPrincipal();

-        Claims claims = Jwts.claims().setSubject(principal.getValue()).build();
-        claims.put(USER_ID, securityUser.getId().getId().toString());
-        claims.put(SCOPES, scopes);
+        ClaimsBuilder claims = Jwts.claims()
+                .subject(principal.getValue())
+                .add(USER_ID, securityUser.getId().getId().toString())
+                .add(SCOPES, scopes);
        if (securityUser.getSessionId() != null) {
-            claims.put(SESSION_ID, securityUser.getSessionId());
+            claims.add(SESSION_ID, securityUser.getSessionId());
        }

        ZonedDateTime currentTime = ZonedDateTime.now();

        return Jwts.builder()
-                .setClaims(claims)
-                .setIssuer(jwtSettingsService.getJwtSettings().getTokenIssuer())
-                .setIssuedAt(Date.from(currentTime.toInstant()))
-                .setExpiration(Date.from(currentTime.plusSeconds(expirationTime).toInstant()))
+                .claims(claims.build())
+                .issuer(jwtSettingsService.getJwtSettings().getTokenIssuer())
+                .issuedAt(Date.from(currentTime.toInstant()))
+                .expiration(Date.from(currentTime.plusSeconds(expirationTime).toInstant()))
                .signWith(SignatureAlgorithm.HS512, jwtSettingsService.getJwtSettings().getTokenSigningKey());
    }

@ -205,7 +207,7 @@ public class JwtTokenFactory {
            return Jwts.parser()
                    .setSigningKey(jwtSettingsService.getJwtSettings().getTokenSigningKey())
                    .build()
-                    .parseClaimsJws(token);
+                    .parseSignedClaims(token);
        } catch (UnsupportedJwtException | MalformedJwtException | IllegalArgumentException ex) {
            log.debug("Invalid JWT Token", ex);
            throw new BadCredentialsException("Invalid JWT token: ", ex);
--- a/application/src/test/java/org/thingsboard/server/service/security/auth/JwtTokenFactoryTest.java
+++ b/application/src/test/java/org/thingsboard/server/service/security/auth/JwtTokenFactoryTest.java
@ -66,7 +66,7 @@ public class JwtTokenFactoryTest {
    public void beforeEach() {
        jwtSettings = new JwtSettings();
        jwtSettings.setTokenIssuer("tb");
-        jwtSettings.setTokenSigningKey("abewafaf");
+        jwtSettings.setTokenSigningKey("abewafaf".repeat(11)); //48*11 bits key > 512 bits
        jwtSettings.setTokenExpirationTime((int) TimeUnit.HOURS.toSeconds(2));
        jwtSettings.setRefreshTokenExpTime((int) TimeUnit.DAYS.toSeconds(7));