Make JWT expiration time configurable

and drop the attempt to set the JWT header (golang-jwt/jwt does not appear to ever use TokenOptions)
This commit is contained in:
Finn 2024-09-30 22:07:08 -07:00
parent 006b0003b4
commit 22254f1b4f
2 changed files with 4 additions and 11 deletions


@ -27,6 +27,7 @@ var (
LimitDispatchInputs int64 `ini:"LIMIT_DISPATCH_INPUTS"` LimitDispatchInputs int64 `ini:"LIMIT_DISPATCH_INPUTS"`
JWTSigningAlgorithm string `ini:"JWT_SIGNING_ALGORITHM"` JWTSigningAlgorithm string `ini:"JWT_SIGNING_ALGORITHM"`
JWTSigningPrivateKeyFile string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"` JWTSigningPrivateKeyFile string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"`
JWTExpirationTime time.Duration `ini:"JWT_EXPIRATION_TIME"`
}{ }{
Enabled: true, Enabled: true,
DefaultActionsURL: defaultActionsURLForgejo, DefaultActionsURL: defaultActionsURLForgejo,
@ -34,6 +35,7 @@ var (
LimitDispatchInputs: 10, LimitDispatchInputs: 10,
JWTSigningAlgorithm: "EdDSA", JWTSigningAlgorithm: "EdDSA",
JWTSigningPrivateKeyFile: "actions_oidc/private.pem", JWTSigningPrivateKeyFile: "actions_oidc/private.pem",
JWTExpirationTime: time.Hour,
} }
) )
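Review bot: The default `JWTExpirationTime: time.Hour` in the second hunk makes ID tokens valid four times longer than the `time.Minute * 15` the code previously hard-coded (visible on the old side of the getToken hunk), and the commit message does not call out that lifetime change; keeping `JWTExpirationTime: 15 * time.Minute` as the default would let operators opt in to longer-lived tokens rather than get them silently. Nothing here bounds the configured value, so a zero or negative duration produces tokens whose `exp` is not after `iat`, and a very large one produces long-lived bearer tokens; a load-time check along the lines of `if Actions.JWTExpirationTime <= 0 { Actions.JWTExpirationTime = 15 * time.Minute }` would catch the former, though the settings loader is outside this section. The new field also has no doc comment; something like `// JWTExpirationTime is how long an OIDC ID token issued for Actions stays valid (presumably parsed as a Go duration string such as "15m" — confirm with the ini mapper).` would tell operators what the ini key accepts. The enclosing `var (` block starts before the first hunk.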


@ -160,9 +160,9 @@ func (o oidcRoutes) getToken(ctx *ArtifactContext) {
"runner_environment": "self-hosted", // not sure what this should be set to, github will have either "github-hosted" or "self-hosted" "runner_environment": "self-hosted", // not sure what this should be set to, github will have either "github-hosted" or "self-hosted"
"iss": setting.AppURL + setting.AppSubURL + "/api/actions_idtoken", "iss": setting.AppURL + setting.AppSubURL + "/api/actions_idtoken",
"nbf": jwt.NewNumericDate(iat), "nbf": jwt.NewNumericDate(iat),
"exp": jwt.NewNumericDate(iat.Add(time.Minute * 15)), "exp": jwt.NewNumericDate(iat.Add(setting.Actions.JWTExpirationTime)),
"iat": jwt.NewNumericDate(iat), "iat": jwt.NewNumericDate(iat),
}, addTokenHeaders(o.signingKey)) })
signedJWT, err := token.SignedString(o.signingKey.SignKey()) signedJWT, err := token.SignedString(o.signingKey.SignKey())
if err != nil { if err != nil {
@ -212,12 +212,3 @@ func (o oidcRoutes) getOpenIDConfiguration(resp http.ResponseWriter, req *http.R
return return
} }
} }
func addTokenHeaders(key jwtx.JWTSigningKey) jwt.TokenOption {
return func(t *jwt.Token) {
kid := key.KID()
if kid != "" {
t.Header["kid"] = kid
}
}
}
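Review bot: Dropping the `addTokenHeaders(o.signingKey)` argument in the first hunk removes the only code that put the signing key's `kid` into the token header, so verifiers that select a JWKS entry by `kid` can no longer match the token when the JWKS advertises more than one key. The description's reading of golang-jwt appears right — its TokenOption is documented as reserved and not applied by NewWithClaims — but the header can still be set directly on the returned token, e.g. after the `jwt.NewWithClaims(...)` call: `if kid := o.signingKey.KID(); kid != "" { token.Header["kid"] = kid }`, which keeps the behaviour the deleted helper intended rather than abandoning it. Separately, `iat.Add(setting.Actions.JWTExpirationTime)` trusts the setting unconditionally; if the settings loader does not reject a non-positive duration, the issued token expires at or before its `iat`. getToken starts before and continues past this hunk, and the second hunk's deleted lines (including a blank line the page does not show) are the now-unused helper.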