fix: remove hardcoded salts

Signed-off-by: Oleh Astappiev <4512729+astappiev@users.noreply.github.com>

Author: astappiev

src/main/java/de/l3s/learnweb/app/ConfigProvider.java

@@ -20,6 +20,7 @@
 import jakarta.enterprise.inject.spi.DeploymentException;
 import jakarta.inject.Named;
 
+import org.apache.commons.lang3.RandomStringUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -42,6 +43,11 @@ public class ConfigProvider implements Serializable {
      */
     private final Properties properties = new Properties();
 
+    /**
+     * Application secret key, used for links generation, encryption, etc. Might break links if changed.
+     */
+    private String appSecret;
+
     /**
      * A version of the application from pom.xml (extracted from web.xml, maven should put it there on build).
      */
@@ -251,6 +257,18 @@ public boolean getPropertyBoolean(final String key, final boolean defaultValue)
         return Boolean.parseBoolean(properties.getProperty(key, String.valueOf(defaultValue)));
     }
 
+    public String getAppSecret() {
+        if (appSecret == null) {
+            appSecret = properties.getProperty("app_secret");
+            if (appSecret == null) {
+                appSecret = RandomStringUtils.secure().nextAlphanumeric(56);
+                log.warn("No app secret found, new token generated: {}", appSecret);
+                log.warn("Please set app_secret in application.properties or .env file to avoid token regeneration on every restart.");
+            }
+        }
+        return appSecret;
+    }
+
     public String getEnvironment() {
         if (environment == null) {
             if (!isDevelopment()) {

src/main/java/de/l3s/learnweb/app/Learnweb.java

@@ -38,8 +38,6 @@
 @ApplicationScoped
 @SuppressWarnings("AssignmentToStaticFieldFromInstanceMethod")
 public final class Learnweb {
-    public static final String SALT_1 = "ff4a9ff19306ee0407cf69d592";
-    public static final String SALT_2 = "3a129713cc1b33650816d61450";
 
     private static Learnweb learnweb;
 

src/main/java/de/l3s/learnweb/forum/ForumNotificator.java

@@ -77,6 +77,6 @@ private void sendMailWithNewTopics(User user, List<ForumTopic> topics) throws Me
     }
 
     public static String getHash(User user) {
-        return user.getId() + ":" + HashHelper.sha512(Learnweb.SALT_1 + user.getId() + Learnweb.SALT_2 + "notification");
+        return user.getId() + ":" + HashHelper.sha256(user.getId() + "unsubscribe" + Learnweb.config().getAppSecret());
     }
 }

src/main/java/de/l3s/learnweb/resource/glossary/GlossaryBean.java

@@ -56,6 +56,7 @@
 import de.l3s.learnweb.resource.search.solrClient.FileInspector;
 import de.l3s.learnweb.user.Organisation.Option;
 import de.l3s.learnweb.user.User;
+import de.l3s.util.HashHelper;
 import de.l3s.util.Image;
 import de.l3s.util.bean.BeanHelper;
 
@@ -458,13 +459,21 @@ public void postProcessXls(Object document) {
 
                 HSSFCellStyle copyrightStyle = wb.createCellStyle();
                 copyrightStyle.setLocked(true);
-                sheet.protectSheet(Learnweb.SALT_1); // use SALT as password
+                sheet.protectSheet(getXlsPassword());
             }
         } catch (RuntimeException | IOException e) {
             throw new HttpException("Error in postprocessing Glossary XLS for resource: " + glossaryResource.getId(), e);
         }
     }
 
+    private String getXlsPassword() {
+        String glossaryPassword = config().getProperty("glossary_password");
+        if (glossaryPassword == null) {
+            return HashHelper.sha256(config().getAppSecret() + "glossary");
+        }
+        return glossaryPassword;
+    }
+
     public void rotatePDF(Object document) {
         Document doc = (Document) document;
         doc.setPageSize(PageSize.A4.rotate());