
Conversation

@skrylnikov
Owner

🔒 Security Fixes

  • Fixed security issue: Replaced insecure cookie-based session storage with JWT tokens
  • Session data is now stored as signed JWT tokens using the jose library with HS512 algorithm
  • Improved session validation and security

⚠️ Breaking Changes

  • JWT_SECRET environment variable required: When OIDC authentication is enabled, you must now configure the JWT_SECRET environment variable
  • The JWT_SECRET is used to sign and verify JWT tokens for user sessions
  • OIDC authentication will not work without JWT_SECRET configured
  • See README for instructions on generating a secure JWT secret

📝 Documentation

  • Added JWT_SECRET to environment variables documentation
  • Added instructions for generating JWT secrets using OpenSSL, Node.js/Bun, and Python
  • Updated troubleshooting section with JWT-related information

🔧 Technical Changes

  • Upgraded jose library to version 6.1.2
  • Replaced JSON cookie storage with JWT token-based authentication
  • Updated getAuthSession() to validate JWT tokens
  • Added createJWT() function for token generation

Contributor

Copilot AI left a comment


Pull request overview

This PR replaces insecure cookie-based session storage with JWT tokens to improve security. Session data is now stored as signed JWT tokens using the jose library with the HS512 algorithm, requiring a new JWT_SECRET environment variable when OIDC authentication is enabled.

Key Changes

  • Implemented JWT-based authentication using the jose library (v6.1.2) with HS512 signing algorithm
  • Added createJWT() function to generate signed tokens and updated getAuthSession() to validate them
  • Made JWT_SECRET a required environment variable when OIDC is enabled

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 7 comments.

Summary per file:

  • src/lib/auth.ts: Added JWT token creation and verification logic, updated session validation to use JWT tokens instead of plain JSON
  • src/routes/api/auth/callback.tsx: Updated callback handler to generate JWT tokens for authenticated sessions
  • package.json: Added jose v6.1.2 as a new dependency for JWT token operations
  • env.example: Added JWT_SECRET configuration example for JWT signing
  • RELEASE_NOTES.md: Documented security improvements, breaking changes, and technical implementation details
  • README.md: Added comprehensive documentation for JWT_SECRET including generation instructions and updated authentication requirements


skrylnikov and others added 2 commits December 1, 2025 09:13
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
- Added Zod for JWT payload validation.
- Introduced functions to manage JWT expiration and secure cookie settings.
- Updated README to reflect changes in JWT secret generation requirements.
- Modified session cookie handling to include secure flag based on HTTPS.
- Updated dependencies to use Zod version 4.1.13.
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 7 out of 8 changed files in this pull request and generated 4 comments.



skrylnikov and others added 3 commits December 1, 2025 09:28
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@skrylnikov skrylnikov merged commit 086642d into main Dec 1, 2025
4 checks passed