[FIX] Fix some securiry issues

This commit is contained in:
NADAL Jean-Baptiste
2026-02-18 15:27:55 +01:00
parent 3abc6f6371
commit 039cecc4a6
15 changed files with 2179 additions and 200 deletions


@@ -1,14 +1,20 @@
<?php
class Auth {
private const JWT_SECRET = 'ohmj_secret_key_change_in_production';
private const JWT_ALGO = 'HS256';
private const JWT_EXPIRY = 3600; // 1 hour
private string $usersFile;
private string $jwtSecret;
public function __construct(string $usersFile = null) {
$this->usersFile = $usersFile ?? __DIR__ . '/../config/users.json';
// Load JWT secret from environment variable
$this->jwtSecret = $_ENV['JWT_SECRET'] ?? getenv('JWT_SECRET');
if (empty($this->jwtSecret)) {
throw new Exception('JWT_SECRET environment variable is not configured');
}
}
public function login(string $username, string $password): array {
@@ -45,7 +51,7 @@ class Auth {
// Verify signature
$expectedSignature = base64_encode(
hash_hmac('sha256', "$header.$payload", self::JWT_SECRET, true)
hash_hmac('sha256', "$header.$payload", $this->jwtSecret, true)
);
if (!hash_equals($expectedSignature, $signature)) {
@@ -101,7 +107,7 @@ class Auth {
]));
$signature = base64_encode(
hash_hmac('sha256', "$header.$payload", self::JWT_SECRET, true)
hash_hmac('sha256', "$header.$payload", $this->jwtSecret, true)
);
return "$header.$payload.$signature";
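Review bot: The new constructor accepts any non-empty `JWT_SECRET`, so a one-character or placeholder value passes the `empty()` guard and silently weakens every HS256 signature produced in the later hunks; it also relies on `getenv()` returning `false` being coerced to `''` for the `string` property, which works only because the file has no `declare(strict_types=1)`. I would validate the value before assigning it: `$secret = $_ENV['JWT_SECRET'] ?? getenv('JWT_SECRET');` / `if (!is_string($secret) || strlen($secret) < 32) { throw new RuntimeException('JWT_SECRET must be set and at least 32 bytes long'); }` / `$this->jwtSecret = $secret;` (32 bytes is the HS256 key-size minimum given in RFC 7518). A comment on the property such as `// HMAC key for token signing; must come from the environment, never from source` would document the intent of removing the constant. Since the removed `JWT_SECRET` constant remains in the parent commit's history, a deployment that ever ran with that default should presumably treat it as exposed and issue a fresh secret rather than reuse the old string via the environment. The two signing/verification hunks are a consistent mechanical substitution and need no further change.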