From b172974fdd0c52e7bc5686ecca968e0c82a61b27 Mon Sep 17 00:00:00 2001
From: Thomas Gerbet <thomas.gerbet@enalean.com>
Date: Mon, 19 Dec 2022 10:42:58 +0100
Subject: [PATCH] Generated JWT secret is too small for HMAC SHA256

The key that is automatically generated weaken the security strength.
As noted in RFC7518 section 3.2 [0]:
```
A key of the same size as the hash output (for instance, 256 bits for
"HS256") or larger MUST be used with this algorithm.  (This
requirement is based on Section 5.3.4 (Security Effect of the HMAC
Key) of NIST SP 800-117 [NIST.800-107], which states that the
effective security strength is the minimum of the security strength
of the key and two times the size of the internal hash value.)
```

Some JWT libraries are rejecting by default keys that are too small in
a attempt to prevent misusages so generating a key that does not respect
the minimal length can be problematic for OO integrations.

[0] https://www.rfc-editor.org/rfc/rfc7518.html#section-3.2
---
 run-document-server.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/run-document-server.sh b/run-document-server.sh
index fd183a3..2b68b35 100755
--- a/run-document-server.sh
+++ b/run-document-server.sh
@@ -86,7 +86,7 @@ fi
 
 [ -z $JWT_SECRET ] && JWT_MESSAGE='JWT is enabled by default. A random secret is generated automatically. Run the command "docker exec $(sudo docker ps -q) sudo documentserver-jwt-status.sh" to get information about JWT.'
 
-JWT_SECRET=${JWT_SECRET:-$(pwgen -s 20)}
+JWT_SECRET=${JWT_SECRET:-$(pwgen -s 32)}
 JWT_HEADER=${JWT_HEADER:-Authorization}
 JWT_IN_BODY=${JWT_IN_BODY:-false}