1
0

refactor(security): migrate from jws to jwe

Signed-off-by: Alan Brault <alan.brault@visus.io>
This commit is contained in:
2026-03-28 07:47:24 -04:00
parent 756a80c5b9
commit 7c742fca14
4 changed files with 18 additions and 21 deletions
@@ -6,7 +6,7 @@ import org.springframework.stereotype.Component
@Component
@ConfigurationProperties("jwt")
data class JwtProperties(
var secret: String = "",
var encryptionSecret: String = "",
var accessTokenExpiration: Long = 3600000, // 1 hour
var refreshTokenExpiration: Long = 2592000000, // 30 days
var issuer: String = "kotlin-api",
@@ -7,16 +7,15 @@ import io.jsonwebtoken.Jwts
import io.jsonwebtoken.MalformedJwtException
import io.jsonwebtoken.UnsupportedJwtException
import io.jsonwebtoken.io.Decoders
import io.jsonwebtoken.security.Keys
import io.visus.demos.kotlinapi.config.JwtProperties
import io.visus.demos.kotlinapi.domain.model.JwtTokenType
import org.slf4j.LoggerFactory
import org.springframework.security.core.userdetails.UserDetails
import org.springframework.stereotype.Component
import java.security.SignatureException
import java.util.Date
import java.util.UUID
import javax.crypto.SecretKey
import javax.crypto.spec.SecretKeySpec
@Component
class JwtTokenProvider(
@@ -24,9 +23,9 @@ class JwtTokenProvider(
) {
private val logger = LoggerFactory.getLogger(JwtTokenProvider::class.java)
private val secretKey: SecretKey by lazy {
val bytes = Decoders.BASE64.decode(jwtProperties.secret)
Keys.hmacShaKeyFor(bytes)
private val encryptionKey: SecretKey by lazy {
val bytes = Decoders.BASE64.decode(jwtProperties.encryptionSecret)
SecretKeySpec(bytes, "AES")
}
fun <T> extractClaim(
@@ -36,9 +35,9 @@ class JwtTokenProvider(
val claims =
Jwts
.parser()
.verifyWith(secretKey)
.decryptWith(encryptionKey)
.build()
.parseSignedClaims(token)
.parseEncryptedClaims(token)
.payload
return claimsResolver(claims)
@@ -76,7 +75,7 @@ class JwtTokenProvider(
).issuedAt(now)
.expiration(expiry)
.issuer(jwtProperties.issuer)
.signWith(secretKey, Jwts.SIG.HS512)
.encryptWith(encryptionKey, Jwts.KEY.DIRECT, Jwts.ENC.A256GCM)
.compact()
}
@@ -95,7 +94,7 @@ class JwtTokenProvider(
.toString(), // UUIDv7
).issuedAt(now)
.expiration(expiry)
.signWith(secretKey, Jwts.SIG.HS512)
.encryptWith(encryptionKey, Jwts.KEY.DIRECT, Jwts.ENC.A256GCM)
.compact()
}
@@ -122,13 +121,11 @@ class JwtTokenProvider(
try {
Jwts
.parser()
.verifyWith(secretKey)
.decryptWith(encryptionKey)
.build()
.parseSignedClaims(token)
.parseEncryptedClaims(token)
return true
} catch (ex: SignatureException) {
logger.error("Invalid JWT signature: {}", ex.message)
} catch (ex: MalformedJwtException) {
logger.error("Invalid JWT token: {}", ex.message)
} catch (ex: ExpiredJwtException) {