make jwt signing algorithm configurable

Signed-off-by: mornyx <[email protected]>
pingcap · Sep 19, 2024 · fd91e5e · fd91e5e
1 parent 3305937
commit fd91e5e
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 6 deletions.
diff --git a/cmd/tidb-dashboard/main.go b/cmd/tidb-dashboard/main.go
@@ -71,6 +71,7 @@ func NewCLIConfig() *DashboardCLIConfig {
 	flag.IntVar(&cfg.CoreConfig.NgmTimeout, "ngm-timeout", cfg.CoreConfig.NgmTimeout, "timeout secs for accessing the ngm API")
 	flag.BoolVar(&cfg.CoreConfig.EnableKeyVisualizer, "keyviz", true, "enable/disable key visualizer(default: true)")
 	flag.BoolVar(&cfg.CoreConfig.DisableCustomPromAddr, "disable-custom-prom-addr", false, "do not allow custom prometheus address")
+	flag.StringVar(&cfg.CoreConfig.SigningAlgorithm, "signing-algorithm", cfg.CoreConfig.SigningAlgorithm, "signing algorithm for jwt (HS256, HS384, HS512, RS256, RS384, RS512)")
 	flag.Float64Var(&cfg.CoreConfig.UnauthedAPIQpsLimit, "unauthed-api-qps-limit", cfg.CoreConfig.UnauthedAPIQpsLimit, "unauthed API qps limit")
 	flag.IntVar(&cfg.CoreConfig.UnauthedAPIBurstLimit, "unauthed-api-burst-limit", cfg.CoreConfig.UnauthedAPIBurstLimit, "unauthed API burst limit")
 

diff --git a/pkg/apiserver/user/auth.go b/pkg/apiserver/user/auth.go
@@ -80,7 +80,7 @@ func (a BaseAuthenticator) SignOutInfo(_ *utils.SessionUser, _ string) (*SignOut
 	return &SignOutInfo{}, nil
 }
 
-func NewAuthService(featureFlags *featureflag.Registry) *AuthService {
+func NewAuthService(featureFlags *featureflag.Registry, config *config.Config) *AuthService {
 	var secret *[32]byte
 
 	secretStr := os.Getenv("DASHBOARD_SESSION_SECRET")
@@ -110,11 +110,12 @@ func NewAuthService(featureFlags *featureflag.Registry) *AuthService {
 	}
 
 	middleware, err := jwt.New(&jwt.GinJWTMiddleware{
-		IdentityKey: utils.SessionUserKey,
-		Realm:       "dashboard",
-		Key:         secret[:],
-		Timeout:     time.Hour * 24,
-		MaxRefresh:  time.Hour * 24,
+		IdentityKey:      utils.SessionUserKey,
+		Realm:            "dashboard",
+		Key:              secret[:],
+		Timeout:          time.Hour * 24,
+		MaxRefresh:       time.Hour * 24,
+		SigningAlgorithm: config.SigningAlgorithm,
 		Authenticator: func(c *gin.Context) (interface{}, error) {
 			var form AuthenticateForm
 			if err := c.ShouldBindJSON(&form); err != nil {

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -38,6 +38,7 @@ type Config struct {
 
 	NgmTimeout int // in seconds
 
+	SigningAlgorithm      string
 	UnauthedAPIQpsLimit   float64
 	UnauthedAPIBurstLimit int
 }
@@ -57,6 +58,7 @@ func Default() *Config {
 		DisableCustomPromAddr: false,
 		FeatureVersion:        version.PDVersion,
 		NgmTimeout:            30, // s
+		SigningAlgorithm:      "",
 		UnauthedAPIQpsLimit:   0,
 		UnauthedAPIBurstLimit: 0,
 	}