Specify minimum length for secret when parsing SecretsConfiguration #8554

@wsargent

Per #8446, the JJWT library requires at least 32 bytes for the application secret (if using HMAC-SHA256), up to 64 bytes (if using HMAC-SHA512).

This traces down to the SecretsConfiguration:

https://github.com/playframework/playframework/blob/master/framework/src/play/src/main/scala/play/api/http/HttpConfiguration.scala#L65

but the parser does not specify a minimum length for the secret:

https://github.com/playframework/playframework/blob/master/framework/src/play/src/main/scala/play/api/http/HttpConfiguration.scala#L243

Amongst other things, upgrading the library means that "changeme" will no longer work as the secret with the JJWT codec -- which means we probably have to map it to something that does conform.
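
The kind of minimum-length check the issue asks for, as an added sketch that is not part of the original issue and not Play's or JJWT's code. `SecretLengthCheck`, `validate` and the algorithm labels are hypothetical names, and the sketch assumes the key is the UTF-8 encoding of the configured string; the 48-byte figure for HMAC-SHA384 follows the same digest-size rule (RFC 7518, section 3.2) as the two figures quoted above.

```scala
import java.nio.charset.StandardCharsets.UTF_8

// Hypothetical helper for illustration; not an API of Play or JJWT.
object SecretLengthCheck {
  // Minimum HMAC key length in bytes, equal to the digest size.
  // 32 (HS256) and 64 (HS512) are the figures from the issue;
  // 48 (HS384) follows the same rule.
  private val minKeyBytes = Map("HS256" -> 32, "HS384" -> 48, "HS512" -> 64)

  /** Right(secret) if it is long enough for `algorithm`, else Left(reason).
    * The reason never contains the secret itself, so it is safe to log. */
  def validate(secret: Option[String], algorithm: String): Either[String, String] =
    for {
      required <- minKeyBytes.get(algorithm).toRight(s"unsupported algorithm: $algorithm")
      value    <- secret.filter(_.nonEmpty).toRight("application secret is not set")
      // Assumption: the key is the UTF-8 encoding of the configured string,
      // so the length is measured in bytes, not characters.
      actual    = value.getBytes(UTF_8).length
      _        <- Either.cond(actual >= required, (),
                    s"secret is $actual bytes; $algorithm needs at least $required")
    } yield value

  def main(args: Array[String]): Unit = {
    // Constructed sample values, not real secrets.
    val samples = Seq(None, Some("changeme"), Some("x" * 32), Some("x" * 64))
    for (alg <- Seq("HS256", "HS512"); s <- samples)
      println(s"$alg, ${s.map(_.length)} chars -> ${validate(s, alg).map(_ => "ok")}")
  }
}
```

Run against the samples, the placeholder "changeme" (8 bytes) is rejected for both algorithms, and a 32-byte secret passes for HS256 but not for HS512.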
