From 1522882edcf77db3bbde67736840d0fe89c9fd08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=CE=A3rebe=20-=20Romain=20GERARD?=
Date: Mon, 26 Aug 2024 20:56:22 +0200
Subject: [PATCH] Randomize jwt secret signature

---
 src/tunnel/transport/jwt.rs | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/tunnel/transport/jwt.rs b/src/tunnel/transport/jwt.rs
index 0c992d0..10ac6d1 100644
--- a/src/tunnel/transport/jwt.rs
+++ b/src/tunnel/transport/jwt.rs
@@ -4,18 +4,25 @@ use serde::{Deserialize, Serialize};
 use std::collections::HashSet;
 use std::ops::Deref;
 use std::sync::LazyLock;
+use std::time::SystemTime;
 use url::Host;
 use uuid::Uuid;
 
 pub static JWT_HEADER_PREFIX: &str = "authorization.bearer.";
-static JWT_SECRET: &[u8; 15] = b"champignonfrais";
-static JWT_KEY: LazyLock<(Header, EncodingKey)> =
-    LazyLock::new(|| (Header::new(Algorithm::HS256), EncodingKey::from_secret(JWT_SECRET)));
+static JWT_KEY: LazyLock<(Header, EncodingKey)> = LazyLock::new(|| {
+    let now = SystemTime::now()
+        .duration_since(SystemTime::UNIX_EPOCH)
+        .unwrap()
+        .as_nanos()
+        .to_ne_bytes();
+    (Header::new(Algorithm::HS256), EncodingKey::from_secret(&now))
+});
 static JWT_DECODE: LazyLock<(Validation, DecodingKey)> = LazyLock::new(|| {
     let mut validation = Validation::new(Algorithm::HS256);
     validation.required_spec_claims = HashSet::with_capacity(0);
-    (validation, DecodingKey::from_secret(JWT_SECRET))
+    validation.insecure_disable_signature_validation();
+    (validation, DecodingKey::from_secret(b"champignonfrais"))
 });
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
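Review bot: Once `validation.insecure_disable_signature_validation()` is set in the `JWT_DECODE` initializer, the `DecodingKey::from_secret(b"champignonfrais")` next to it is never consulted and the server accepts any well-formed token regardless of who signed it, so the new per-process encoding key on the `JWT_KEY` side adds no authentication at all; if any claim carried in this JWT is trusted server-side (the claims struct is outside this hunk), the commit is a downgrade and the key should be shared between the two sides instead, and if no claim is trusted, that intent deserves a comment such as `// Signature is deliberately not verified: the JWT only transports tunnel config, it is not an authentication mechanism.` Independently, a secret taken from `SystemTime::now()…as_nanos()` is the process start time, which is low-entropy and guessable rather than CSPRNG output; the file already imports `Uuid`, so `Uuid::new_v4().into_bytes()` (needs the crate's `v4` feature) would give a genuinely random 16-byte secret. The `.unwrap()` on `duration_since` can also panic inside the lazy initializer if the clock is before the epoch; `.unwrap_or_default()` keeps the init infallible.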