Switch JWT signing from HS256 to RS256 (4096-bit RSA)

- Replace symmetric SECRET_KEY with JWT_PRIVATE_KEY / JWT_PUBLIC_KEY (PEM) - Add iat claim to every token - Add expand_newlines validator in config for single-line .env PEM values - Add scripts/generate_jwt_keys.py key-generation helper - Update security-auditor agent JWT checklist with RS256 enforcement rules - Mark RS256 as done in TODO.md Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-13 23:00:35 +02:00
parent 0af5e8cc24
commit e2c55556ac
7 changed files with 100 additions and 12 deletions
@@ -15,14 +15,19 @@ def verify_password(plain: str, hashed: str) -> bool:


 def create_access_token(subject: str) -> str:
-    expire = datetime.now(timezone.utc) + timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES)
+    now = datetime.now(timezone.utc)
+    expire = now + timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES)
    return jwt.encode(
-        {"sub": subject, "exp": expire},
-        settings.SECRET_KEY,
+        {"sub": subject, "exp": expire, "iat": now},
+        settings.JWT_PRIVATE_KEY,
        algorithm=settings.ALGORITHM,
    )


 def decode_access_token(token: str) -> str:
-    payload = jwt.decode(token, settings.SECRET_KEY, algorithms=[settings.ALGORITHM])
+    payload = jwt.decode(
+        token,
+        settings.JWT_PUBLIC_KEY,
+        algorithms=[settings.ALGORITHM],
+    )
    return payload["sub"]