Bug Report: Hardcoded JWT Key Paths in Production Config
Module: control-plane
File: control-plane/src/main/resources/application.properties
Lines: 45–47
reShapr Version: 0.0.8
Description
The production JWT key configuration hardcodes key file paths with no mechanism for runtime override:
# TODO: must be changed before going live.
%prod.smallrye.jwt.sign.key.location=keys/jwt-rs256.pem
%prod.mp.jwt.verify.publickey.location=keys/jwt-rs256.pub.pem
This creates three compounding issues:
- No runtime override: an operator cannot supply their own RSA key pair without rebuilding the container image.
- Committed development keys used in production by default: the bundled keys/jwt-rs256.pem and keys/jwt-rs256.pub.pem are checked into the repository and are shared, public, development-only keys. Any production deployment that does not rebuild the image is signing and verifying JWTs with a key that is publicly known, so anyone with a copy of the repository can mint tokens the control plane accepts.
- Unactionable TODO: the comment acknowledges this must be fixed before going live but provides no mechanism to do so.
Fix
Wrap the paths in Quarkus config expressions so they can be overridden at runtime via environment variables, while retaining the bundled keys as a fallback for backward compatibility:
# Override RESHAPR_JWT_SIGN_KEY_LOCATION and RESHAPR_JWT_VERIFY_KEY_LOCATION in production
# to point to your own RSA key pair. The bundled keys are for development only.
%prod.smallrye.jwt.sign.key.location=${RESHAPR_JWT_SIGN_KEY_LOCATION:keys/jwt-rs256.pem}
%prod.mp.jwt.verify.publickey.location=${RESHAPR_JWT_VERIFY_KEY_LOCATION:keys/jwt-rs256.pub.pem}
The default fallback preserves backward compatibility: existing deployments are unaffected unless the environment variables are explicitly set. The flip side is that a production deployment that forgets to set them keeps using the bundled key silently. A stricter variant for the %prod profile drops the default (${RESHAPR_JWT_SIGN_KEY_LOCATION} with no fallback), so that an unset variable fails config resolution instead of falling back to a publicly known key.
Note: The bundled key files should also be removed from the repository and added to .gitignore. Until that is done, any deployment relying on the fallback default is using a publicly known key pair and should be considered compromised: every token it has issued or will accept can be forged by anyone with a copy of the repository, and the key pair must be rotated.
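As an added illustration (not code from reShapr), the following Python models how the proposed ${NAME:default} expressions resolve under the prod profile and adds the pre-flight check the note above calls for: it reports any JWT key setting that is unset or still resolves to one of the bundled development keys. It is a simplified stand-in for SmallRye Config, not the real resolver (no nested expressions, no source ordinals, no automatic env-var name mapping); the property text is copied from this report and the /run/secrets/... paths are constructed for the example.

```python
"""Model of ${NAME:default} resolution for the JWT key properties, plus a
pre-flight guard that flags the bundled development keys.

Added example, not reShapr code: a simplified stand-in for SmallRye Config.
"""
import re
from typing import Dict, List

# Constructed copies of the two configuration variants discussed in the report.
ORIGINAL_PROPERTIES = """\
%prod.smallrye.jwt.sign.key.location=keys/jwt-rs256.pem
%prod.mp.jwt.verify.publickey.location=keys/jwt-rs256.pub.pem
"""

FIXED_PROPERTIES = """\
%prod.smallrye.jwt.sign.key.location=${RESHAPR_JWT_SIGN_KEY_LOCATION:keys/jwt-rs256.pem}
%prod.mp.jwt.verify.publickey.location=${RESHAPR_JWT_VERIFY_KEY_LOCATION:keys/jwt-rs256.pub.pem}
"""

# Key files checked into the repository; anything resolving to one of these
# is using a publicly known key.
BUNDLED_DEV_KEYS = frozenset({"keys/jwt-rs256.pem", "keys/jwt-rs256.pub.pem"})

JWT_KEY_PROPERTIES = (
    "smallrye.jwt.sign.key.location",
    "mp.jwt.verify.publickey.location",
)

# Matches ${NAME} or ${NAME:default}; the default may be empty.
_EXPR = re.compile(r"\$\{([A-Za-z0-9_.-]+)(?::([^}]*))?\}")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties parser: key=value per line, '#' comments skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed property line: {line!r}")
        props[key.strip()] = value.strip()
    return props


def expand(value: str, env: Dict[str, str]) -> str:
    """Expand ${NAME:default}: a set NAME wins, otherwise the default is used.
    ${NAME} with no default and no value is an error, as in SmallRye Config."""
    def repl(m):
        name, default = m.group(1), m.group(2)
        if name in env:
            return env[name]
        if default is None:
            raise KeyError(f"${{{name}}} is unset and has no default")
        return default
    return _EXPR.sub(repl, value)


def resolve(text: str, env: Dict[str, str], profile: str = "prod") -> Dict[str, str]:
    """Effective configuration for `profile`: a %profile.key entry overrides
    the plain key; entries for other profiles are ignored."""
    props = parse_properties(text)
    effective: Dict[str, str] = {}
    for key, value in props.items():          # plain keys first
        if not key.startswith("%"):
            effective[key] = expand(value, env)
    prefix = f"%{profile}."
    for key, value in props.items():          # then the active profile wins
        if key.startswith(prefix):
            effective[key[len(prefix):]] = expand(value, env)
    return effective


def jwt_key_findings(config: Dict[str, str]) -> List[str]:
    """Pre-flight guard: report JWT key settings that are missing or still
    point at a bundled development key. An empty list means the operator
    supplied their own key pair."""
    findings: List[str] = []
    for prop in JWT_KEY_PROPERTIES:
        location = config.get(prop)
        if location is None:
            findings.append(f"{prop} is not set")
        elif location in BUNDLED_DEV_KEYS:
            findings.append(f"{prop}={location} is a publicly known development key")
    return findings


if __name__ == "__main__":
    # Constructed operator environment pointing at mounted secrets.
    operator_env = {
        "RESHAPR_JWT_SIGN_KEY_LOCATION": "/run/secrets/jwt-sign.pem",
        "RESHAPR_JWT_VERIFY_KEY_LOCATION": "/run/secrets/jwt-verify.pub.pem",
    }
    # Before the fix the operator's variables are ignored entirely.
    print("original + env:", jwt_key_findings(resolve(ORIGINAL_PROPERTIES, operator_env)))
    # After the fix the fallback is still the dev key when nothing is set...
    print("fixed, no env: ", jwt_key_findings(resolve(FIXED_PROPERTIES, {})))
    # ...and the operator's keys are used once the variables are exported.
    print("fixed + env:   ", jwt_key_findings(resolve(FIXED_PROPERTIES, operator_env)))
```

Running it shows the three states the report describes: the original lines ignore the environment and both properties are flagged; the fixed lines with no environment still resolve to the bundled keys and are flagged; the fixed lines with both variables exported produce no findings. Wiring a check like jwt_key_findings into startup is what turns the TODO into something that fails loudly instead of being forgotten.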