update jwt secret

2025-11-08 14:26:16 +01:00 · 2025-05-18 18:16:33 +05:00
parent 1506c802d4
commit 624246c68a
5 changed files with 59 additions and 2 deletions
--- a/fastapi_ssh_server.py
+++ b/fastapi_ssh_server.py
@@ -11,7 +11,8 @@ from jose import jwt, JWTError
 import logging

 app = FastAPI()
-JWT_SECRET = "YOUR_SECRET_KEY"
+# JWT_SECRET = "YOUR_SECRET_KEY"
+JWT_SECRET = "REPLACE_ME_WITH_INSTALLER"
 JWT_ALGORITHM = "HS256"

 # Allow CORS for local dev/testing
--- a/install/install.py
+++ b/install/install.py
@@ -13,6 +13,7 @@ import socket
 from os.path import *
 from stat import *
 import stat
+import secrets

 VERSION = '2.4'
 BUILD = 0
@@ -2639,6 +2640,20 @@ vmail
        command = f'chmod +x {filePath}'
        preFlightsChecks.call(command, self.distro, command, command, 1, 0, os.EX_OSERR)

+def configure_jwt_secret():
+    import secrets
+    secret = secrets.token_urlsafe(32)
+    fastapi_file = os.path.join(os.path.dirname(os.path.dirname(__file__)), 'fastapi_ssh_server.py')
+    with open(fastapi_file, 'r') as f:
+        lines = f.readlines()
+    with open(fastapi_file, 'w') as f:
+        for line in lines:
+            if line.strip().startswith('JWT_SECRET'):
+                f.write(f'JWT_SECRET = "{secret}"\n')
+            else:
+                f.write(line)
+    print(f"Configured JWT_SECRET in fastapi_ssh_server.py")
+
 def main():
    parser = argparse.ArgumentParser(description='CyberPanel Installer')
    parser.add_argument('publicip', help='Please enter public IP for your VPS or dedicated server.')
@@ -2855,6 +2870,9 @@ echo $oConfig->Save() ? 'Done' : 'Error';
        pass

    checks.fixCyberPanelPermissions()
+    checks.configure_jwt_secret()
+
+    # 

    logging.InstallLog.writeToFile("CyberPanel installation successfully completed!,80")

--- a/plogical/upgrade.py
+++ b/plogical/upgrade.py
@@ -3704,6 +3704,9 @@ pm.max_spare_servers = 3

        Upgrade.installDNS_CyberPanelACMEFile()

+        command = 'systemctl restart fastapi_ssh_server'
+        Upgrade.executioner(command, command, 0)
+
        Upgrade.stdOut("Upgrade Completed.")

        ### remove log file path incase its there
--- a/websiteFunctions/views.py
+++ b/websiteFunctions/views.py
@@ -23,6 +23,8 @@ import jwt
 from datetime import datetime, timedelta
 import OpenSSL
 from plogical.processUtilities import ProcessUtilities
+import os
+import re

 def loadWebsitesHome(request):
    val = request.session['userID']
@@ -2016,12 +2018,25 @@ def get_terminal_jwt(request):
            return JsonResponse({'status': 0, 'error_message': 'SSH user not configured for this website.'})
        from datetime import datetime, timedelta
        import jwt as pyjwt
+        # Read JWT_SECRET from fastapi_ssh_server.py
+        jwt_secret = None
+        try:
+            with open(os.path.join(os.path.dirname(os.path.dirname(__file__)), '../fastapi_ssh_server.py')) as f:
+                for line in f:
+                    m = re.match(r'\s*JWT_SECRET\s*=\s*[\'"](.+)[\'"]', line)
+                    if m and m.group(1) != 'REPLACE_ME_WITH_INSTALLER':
+                        jwt_secret = m.group(1)
+                        break
+        except Exception as e:
+            logger.error(f"Could not read JWT_SECRET: {e}")
+        if not jwt_secret:
+            jwt_secret = 'YOUR_SECRET_KEY'  # fallback, should not be used in production
        payload = {
            'user_id': user_id,
            'ssh_user': ssh_user,
            'exp': datetime.utcnow() + timedelta(minutes=10)
        }
-        token = pyjwt.encode(payload, 'YOUR_SECRET_KEY', algorithm='HS256')
+        token = pyjwt.encode(payload, jwt_secret, algorithm='HS256')
        logger.error(f"JWT generated: {token}")
        return JsonResponse({'status': 1, 'token': token, 'ssh_user': ssh_user})
    except Exception as e:
--- a/websiteFunctions/website.py
+++ b/websiteFunctions/website.py
@@ -4981,6 +4981,26 @@ StrictHostKeyChecking no
        website = Websites.objects.get(domain=self.domain)
        externalApp = website.externalApp

+        #### update jwt secret if needed
+
+        import secrets
+        import re
+        import os
+        from plogical.processUtilities import ProcessUtilities
+
+        fastapi_file = os.path.join(os.path.dirname(os.path.dirname(__file__)), '../fastapi_ssh_server.py')
+        try:
+            with open(fastapi_file, 'r') as f:
+                content = f.read()
+            m = re.search(r'JWT_SECRET\s*=\s*[\'"](.+)[\'"]', content)
+            if m and m.group(1) in ['REPLACE_ME_WITH_INSTALLER', 'YOUR_SECRET_KEY']:
+                new_secret = secrets.token_urlsafe(32)
+                # Use sed to replace the line in-place (macOS compatible)
+                sed_cmd = f"sed -i '' 's|JWT_SECRET = \"{m.group(1)}\"|JWT_SECRET = \"{new_secret}\"|' '{fastapi_file}'"
+                ProcessUtilities.outputExecutioner(sed_cmd)
+        except Exception as e:
+            pass
+
        #####

        from plogical.CyberCPLogFileWriter import CyberCPLogFileWriter