checks for secret key, allow for jwt secret to come from env variable.

lmajano · lmajano · commit 8b1e44813b46 · 2019-09-24T08:21:58.000-05:00
diff --git a/ModuleConfig.cfc b/ModuleConfig.cfc
@@ -69,15 +69,12 @@ component {
 			"enableSecurityVisualizer"		: false,
 			// JWT Settings
 			"jwt"                     		: {
-				// The jwt secret encoding key, defaults to getSystemEnv( "JWT_SECRET", "" )
-				"secretKey"               : "",
-
-				// by default it uses the authorization bearer header, but you can also pass a custom one as well.
+				// The jwt secret encoding key to use
+				"secretKey"               : getSystemSetting( "JWT_SECRET", "" ),
+				// by default it uses the authorization bearer header, but you can also pass a custom one as well or as an rc variable.
 				"customAuthHeader"        : "x-auth-token",
-
 				// The expiration in minutes for the jwt tokens
 				"expiration"              : 60,
-
 				// If true, enables refresh tokens, longer lived tokens (not implemented yet)
 				"enableRefreshTokens"     : false,
 				// The default expiration for refresh tokens, defaults to 30 days
diff --git a/models/jwt/JwtService.cfc b/models/jwt/JwtService.cfc
@@ -40,6 +40,20 @@ component accessors="true" singleton{
 		return this;
 	}
 
+	/**
+	 * Runs after DI
+	 */
+	function onDIComplete(){
+		// Verify a few settings just in case
+		if ( isNull( variables.settings.jwt.secretKey ) || !len( variables.settings.jwt.secretKey ) ){
+			throw(
+				message = "The JWT secret key cannot be empty, please fill this out in your `config/ColdBox.cfc` under your cbsecurity settings",
+				detail 	= "cbsecurity.jwt.secretKey",
+				type 	= "InvalidSecretKey"
+			)
+		}
+	}
+
 	/************************************************************************************/
 	/****************************** TOKEN CREATION METHODS ******************************/
 	/************************************************************************************/
