From ff3b3ba09be31b1c12048a17d2b2364657bc6d5d Mon Sep 17 00:00:00 2001
From: hexqi
Date: Fri, 17 Apr 2026 18:17:08 +0800
Subject: [PATCH] fix: require explicit JWT secret configuration
---
 .../tinyengine/it/login/utils/JwtUtil.java | 77 +++++++++++--------
 1 file changed, 47 insertions(+), 30 deletions(-)
diff --git a/base/src/main/java/com/tinyengine/it/login/utils/JwtUtil.java b/base/src/main/java/com/tinyengine/it/login/utils/JwtUtil.java
index 42f7ed03..8b6bce17 100644
--- a/base/src/main/java/com/tinyengine/it/login/utils/JwtUtil.java
+++ b/base/src/main/java/com/tinyengine/it/login/utils/JwtUtil.java
@@ -17,20 +17,21 @@
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.ExpiredJwtException;
 import io.jsonwebtoken.Jwts;
-import io.jsonwebtoken.MalformedJwtException;
-import io.jsonwebtoken.security.Keys;
-import lombok.extern.slf4j.Slf4j;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.stereotype.Component;
-
-import javax.crypto.SecretKey;
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Optional;
-import java.util.stream.Collectors;
+import io.jsonwebtoken.MalformedJwtException;
+import io.jsonwebtoken.security.Keys;
+import jakarta.annotation.PostConstruct;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import javax.crypto.SecretKey;
+import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
 
 /**
  * Jwt util
@@ -39,22 +40,38 @@
 
 @Slf4j
 public class JwtUtil {
-    @Autowired
-    private TokenBlacklistService tokenBlacklistService;
-
-    private static final long EXPIRATION_TIME = 21600000L; // 6小时 = 6 * 60 * 60 * 1000 = 21600000 毫秒
-    private static final String DEFAULT_SECRET = "tiny-engine-backend-secret-key-at-jwt-login";
-
-    // 避免启动时环境变量未加载的问题
-    private static String getSecretString() {
-        return Optional.ofNullable(System.getenv("SECRET_STRING"))
-                .orElse(DEFAULT_SECRET);
-    }
-
-    public static SecretKey getSecretKey() {
-
-        return Keys.hmacShaKeyFor(getSecretString().getBytes());
-    }
+    @Autowired
+    private TokenBlacklistService tokenBlacklistService;
+
+    private static final long EXPIRATION_TIME = 21600000L; // 6小时 = 6 * 60 * 60 * 1000 = 21600000 毫秒
+    private static final String SECRET_ENV_NAME = "SECRET_STRING";
+
+    @PostConstruct
+    public void validateSecretConfiguration() {
+        try {
+            getSecretKey();
+        } catch (Exception e) {
+            throw new IllegalStateException(
+                "JWT secret is not configured correctly. Set environment variable "
+                    + SECRET_ENV_NAME + " to a strong value before starting the service.",
+                e
+            );
+        }
+    }
+
+    private static String getSecretString() {
+        String secret = System.getenv(SECRET_ENV_NAME);
+        if (secret == null || secret.isBlank()) {
+            throw new IllegalStateException(
+                "Missing required environment variable " + SECRET_ENV_NAME + " for JWT signing."
+            );
+        }
+        return secret;
+    }
+
+    public static SecretKey getSecretKey() {
+        return Keys.hmacShaKeyFor(getSecretString().getBytes(StandardCharsets.UTF_8));
+    }
 
     /**
      * 生成包含完整用户信息的 JWT Token(支持 Tenant 对象和 Map 两种格式)
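Review bot: The new public members `validateSecretConfiguration()` and `getSecretKey()` carry no Javadoc, so the "strong value" the startup error demands is never defined anywhere, and the check in fact relies on `Keys.hmacShaKeyFor` throwing jjwt's `WeakKeyException` for keys under 256 bits (32 UTF-8 bytes here) being swept up by the broad `catch (Exception e)`. Suggest documenting that on `getSecretKey()`, e.g. `/** Derives the HMAC-SHA signing key from SECRET_STRING; jjwt rejects keys under 256 bits (32 UTF-8 bytes) with WeakKeyException, which validateSecretConfiguration surfaces at startup. */`, and narrowing the catch to `catch (IllegalStateException | WeakKeyException e)` (importing io.jsonwebtoken.security.WeakKeyException) so that only the two expected failures are relabelled as a configuration error. Now that the variable is validated before the bean is usable and cannot change for the life of the process, the key could also be derived once instead of re-reading the environment and rebuilding it on every sign and verify, keeping the lazy path for any caller that reaches the static method before the bean exists. The hunk also removes and re-adds byte-identical lines (`@Autowired`, the field, `EXPIRATION_TIME`), which reads as a whitespace-only re-indent and would be easier to review as a separate commit. The `JwtUtil` class body continues past the hunk.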