Merge pull request #821 from immich-app/feature/jwt-bits-warning

Log a warning if JWT_SECRET key does not have enough bits
2024-11-16 10:28:54 -07:00 · 2022-10-14 08:42:27 -05:00 · 2022-10-14 08:42:27 -05:00 · 4df0cf2d07
commit 4df0cf2d07
parent f2e0e3f345 87ba99755b
1 changed files with 16 additions and 1 deletions
--- a/server/libs/common/src/config/app.config.ts
+++ b/server/libs/common/src/config/app.config.ts
@ -1,5 +1,20 @@
+import { Logger } from '@nestjs/common';
 import { ConfigModuleOptions } from '@nestjs/config';
 import Joi from 'joi';
+import { createSecretKey, generateKeySync } from 'node:crypto'
+
+const jwtSecretValidator: Joi.CustomValidator<string> = (value, ) => {
+  const key = createSecretKey(value, "base64")
+  const keySizeBits = (key.symmetricKeySize ?? 0) * 8
+
+  if (keySizeBits < 128) {
+    const newKey = generateKeySync('hmac', { length: 256 }).export().toString('base64')
+    Logger.warn("The current JWT_SECRET key is insecure. It should be at least 128 bits long!")
+    Logger.warn(`Here is a new, securely generated key that you can use instead: ${newKey}`)
+  }
+
+  return value;
+}

 export const immichAppConfig: ConfigModuleOptions = {
  envFilePath: '.env',
@ -9,7 +24,7 @@ export const immichAppConfig: ConfigModuleOptions = {
    DB_USERNAME: Joi.string().required(),
    DB_PASSWORD: Joi.string().required(),
    DB_DATABASE_NAME: Joi.string().required(),
-    JWT_SECRET: Joi.string().required(),
+    JWT_SECRET: Joi.string().required().custom(jwtSecretValidator),
    DISABLE_REVERSE_GEOCODING: Joi.boolean().optional().valid(true, false).default(false),
    REVERSE_GEOCODING_PRECISION: Joi.number().optional().valid(0,1,2,3).default(3),
    LOG_LEVEL: Joi.string().optional().valid('simple', 'verbose').default('simple'),