
Security

Max edited this page Mar 8, 2019 · 7 revisions

JWT Stronger Keys

JWT with the default algorithm and a weak key is open to brute-force attacks on the signing secret. In theory the randomly generated key should be strong enough (make sure it is 64+ characters, as the generator in the JWT package changed recently), but it is recommended that you strengthen the token signing, because it is relatively easy to do so.

To do this, we will switch to the RS512 algorithm and use a public/private key pair to sign and verify tokens. If you are interested in doing this, follow these steps:

1. Generate a public/private key pair. Instructions for Linux:

   ```sh
   ssh-keygen -t rsa -b 4096 -m PEM -f jwt.key
   openssl rsa -in jwt.key -pubout -outform PEM -out jwt.key.pub
   ```

   ssh-keygen will prompt for a passphrase; leave it empty unless you also configure that passphrase in config/jwt.php, otherwise the package cannot read the private key.

2. Put them inside of your app. In this example, we will use the directory "resources/keys", saving the private key (jwt.key) as `resources/keys/jwt` and the public key (jwt.key.pub) as `resources/keys/jwt.pub`, which are the file names the config in the next step refers to.

3. Change your config/jwt.php file to switch the algorithm used, and specify the location of the keys. For example:

   ```php
   // ...
   'public' => env('JWT_PUBLIC_KEY', 'file://' . resource_path('keys/jwt.pub')),
   'private' => env('JWT_PRIVATE_KEY', 'file://' . resource_path('keys/jwt')),
   // ...
   'algo' => env('JWT_ALGO', 'RS512'),
   // ...
   ```

Make sure your .env file does not define these variables (JWT_PUBLIC_KEY, JWT_PRIVATE_KEY, JWT_ALGO), otherwise they override the defaults you set in the config. Keep the private key out of version control and readable only by the user the application runs as; only the public key needs to be shared with anything that verifies your tokens.
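The whole procedure above, as an added script that is not part of this wiki page or of the JWT package: it creates the RSA pair with openssl alone (instead of ssh-keygen), installs it under the directory the config points at with the `jwt` / `jwt.pub` names the config expects, restricts file permissions, checks that the public key really belongs to the private key, and performs one RS512 sign/verify round trip (RSASSA-PKCS1-v1_5 over SHA-512, which is what the `RS512` algorithm means) so a broken pair is caught before the app uses it. The function names, the `JWT_KEYS_DIR` variable and the sample payload are our own choices, not anything the package defines.

```sh
#!/bin/sh
# Added example, not from the wiki page or the JWT package: create and verify an
# RSA key pair for RS512 JWT signing using openssl only. Function names are ours.
set -eu

# Generate a private key and its public half in PEM format.
#   $1 = destination directory (e.g. resources/keys)
#   $2 = base name, default "jwt"  -> $1/jwt (private) and $1/jwt.pub (public)
#   $3 = key size in bits, default 4096
generate_jwt_keys() {
    dir="$1"
    name="${2:-jwt}"
    bits="${3:-4096}"
    mkdir -p "$dir"
    # Subshell so the restrictive umask does not leak into the caller.
    (
        umask 077
        openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$bits" \
            -out "$dir/$name" 2>/dev/null
        openssl rsa -in "$dir/$name" -pubout -outform PEM \
            -out "$dir/$name.pub" 2>/dev/null
    )
    chmod 600 "$dir/$name"       # private key: owner only
    chmod 644 "$dir/$name.pub"   # public key may be world-readable
}

# Succeeds only if the public key ($2) belongs to the private key ($1), i.e. both
# carry the same RSA modulus. Catches a public key copied from the wrong place.
keys_match() {
    priv_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    pub_mod=$(openssl rsa -pubin -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$priv_mod" ] && [ "$priv_mod" = "$pub_mod" ]
}

# Prints the modulus size of a private key in bits, so a too-short key can be rejected.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# RS512 = RSASSA-PKCS1-v1_5 with SHA-512: sign a constructed message with the
# private key ($1) and verify it with the public key ($2), as the app does per token.
rs512_roundtrip() {
    work=$(mktemp -d)
    printf '%s' 'constructed sample payload' > "$work/msg"
    openssl dgst -sha512 -sign "$1" -out "$work/sig" "$work/msg"
    if openssl dgst -sha512 -verify "$2" -signature "$work/sig" "$work/msg" >/dev/null 2>&1; then
        ok=0
    else
        ok=1
    fi
    rm -rf "$work"
    return "$ok"
}

# Usage: JWT_KEYS_DIR=resources/keys sh make-jwt-keys.sh
if [ -n "${JWT_KEYS_DIR:-}" ]; then
    generate_jwt_keys "$JWT_KEYS_DIR" jwt 4096
    keys_match "$JWT_KEYS_DIR/jwt" "$JWT_KEYS_DIR/jwt.pub"
    rs512_roundtrip "$JWT_KEYS_DIR/jwt" "$JWT_KEYS_DIR/jwt.pub"
    echo "RS512 key pair ready in $JWT_KEYS_DIR ($(key_bits "$JWT_KEYS_DIR/jwt") bits)"
fi
```

openssl writes the private key in PKCS#8 form (`BEGIN PRIVATE KEY`) rather than the PKCS#1 form ssh-keygen emits (`BEGIN RSA PRIVATE KEY`); PHP's openssl extension, which the package relies on, reads both. Running the script with `JWT_KEYS_DIR` unset does nothing, so it can be sourced just for its checks.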