fix: critical security vulnerabilities

- Fix JWT secret derivation vulnerability - replace deriveJWTSecret with cryptographically secure GenerateSecureToken - Secure setup interface - remove JWT secret display and API response exposure - Addresses system-wide compromise risk from admin credential exposure
2025-10-31 09:32:34 -04:00
parent e64131079e
commit 63cc7f6645
4 changed files with 33 additions and 58 deletions
--- a/aggregator-server/internal/api/handlers/setup.go
+++ b/aggregator-server/internal/api/handlers/setup.go
@@ -1,13 +1,12 @@
 package handlers

 import (
-	"crypto/sha256"
 	"database/sql"
-	"encoding/hex"
 	"fmt"
 	"net/http"
 	"strconv"

+	"github.com/Fimeg/RedFlag/aggregator-server/internal/config"
 	"github.com/gin-gonic/gin"
 	"github.com/lib/pq"
 	_ "github.com/lib/pq"
@@ -374,8 +373,12 @@ func (h *SetupHandler) ConfigureServer(c *gin.Context) {
 		return
 	}

-	// Generate JWT secret for display (not logged for security)
-	jwtSecret := deriveJWTSecret(req.AdminUser, req.AdminPass)
+	// Generate secure JWT secret (not derived from credentials for security)
+	jwtSecret, err := config.GenerateSecureToken()
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to generate JWT secret"})
+		return
+	}

 	// Step 1: Update PostgreSQL password from bootstrap to user password
 	fmt.Println("Updating PostgreSQL password from bootstrap to user-provided password...")
@@ -398,7 +401,6 @@ func (h *SetupHandler) ConfigureServer(c *gin.Context) {

 	c.JSON(http.StatusOK, gin.H{
 		"message": "Configuration generated successfully!",
-		"jwtSecret": jwtSecret,
 		"envContent": newEnvContent,
 		"restartMessage": "Please replace the bootstrap environment variables with the newly generated ones, then run: docker-compose down && docker-compose up -d",
 		"manualRestartRequired": true,
@@ -407,8 +409,3 @@ func (h *SetupHandler) ConfigureServer(c *gin.Context) {
 	})
 }

-// deriveJWTSecret generates a JWT secret from admin credentials
-func deriveJWTSecret(username, password string) string {
-	hash := sha256.Sum256([]byte(username + password + "redflag-jwt-2024"))
-	return hex.EncodeToString(hash[:])
-}
--- a/aggregator-server/internal/config/config.go
+++ b/aggregator-server/internal/config/config.go
@@ -2,7 +2,6 @@ package config

 import (
 	"crypto/rand"
-	"crypto/sha256"
 	"encoding/hex"
 	"fmt"
 	"os"
@@ -123,12 +122,6 @@ func getEnv(key, defaultValue string) string {
 }


-func deriveJWTSecret(username, password string) string {
-	// Derive JWT secret from admin credentials
-	// This ensures JWT secret changes if admin password changes
-	hash := sha256.Sum256([]byte(username + password + "redflag-jwt-2024"))
-	return hex.EncodeToString(hash[:])
-}

 // GenerateSecureToken generates a cryptographically secure random token
 func GenerateSecureToken() (string, error) {