From d02da17a8e495e6ea24a16cdaa98c20b4b43cfb6 Mon Sep 17 00:00:00 2001
From: Benjamin Hummel
Date: Sun, 20 Oct 2024 11:00:58 +0200
Subject: [PATCH] bugfixes jwt

---
 .gitignore                 |  1 +
 src/Jwt/JwtToken.php       | 39 ++++++++++++++++++++++++++++++++++++--
 tests/Jwt/JwtTokenTest.php |  1 +
 3 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/.gitignore b/.gitignore
index df0ac3a..8338a9c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 /public/
 /composer.lock
 /.phpunit.result.cache
+/var/
diff --git a/src/Jwt/JwtToken.php b/src/Jwt/JwtToken.php
index 2073491..eca3482 100644
--- a/src/Jwt/JwtToken.php
+++ b/src/Jwt/JwtToken.php
@@ -13,6 +13,8 @@ use Lcobucci\JWT\Validation\Constraint\IdentifiedBy;
 use Lcobucci\JWT\Validation\Constraint\SignedWith;
 use Contao\System;
+use Symfony\Component\Filesystem\Filesystem;
+use Symfony\Component\Filesystem\Path;
 
 class JwtToken
 {
@@ -24,8 +26,40 @@ class JwtToken
      */
     private static function getDefaultKeyString(): string
     {
-        $keyString = System::getContainer()->getParameter('kernel.secret');
-        return \substr($keyString, 10, 32);
+        // if secret becomes '' it is caught by InMemory::plainText because checked for empty
+
+        try {
+
+            $secret = null;
+            $projectDir = System::getContainer()->getParameter('kernel.project_dir');
+
+            $filesystem = new Filesystem();
+            $secretFile = Path::join($projectDir, 'var/alpdesk_jwt_secret');
+
+            if ($filesystem->exists($secretFile)) {
+                $secret = \file_get_contents($secretFile);
+            }
+
+            if (!\is_string($secret) || \strlen($secret) < 32) {
+
+                // legacySupport - Remove in future and do not use kernel.secret
+                $keyString = System::getContainer()->getParameter('kernel.secret');
+                if (\is_string($keyString) && $keyString !== '' && \strlen($keyString) >= 42) {
+                    $secret = \substr($keyString, 10, 32);
+                } else {
+                    $secret = \bin2hex(\random_bytes(32));
+                }
+
+                $filesystem->dumpFile($secretFile, $secret);
+
+            }
+
+            return $secret;
+
+        } catch (\Throwable) {
+            return '';
+        }
+
     }
 
     /**
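Review bot: The secret file written by `$filesystem->dumpFile($secretFile, $secret)` in getDefaultKeyString() is created with the mode Symfony's Filesystem derives from the process umask (0666 & ~umask for a new file), so with the usual 022 umask the HMAC signing key under var/ ends up world-readable; tighten it straight after the write with `$filesystem->chmod($secretFile, 0600);`. The value read back by file_get_contents() is used untrimmed, so a trailing newline from a manual edit silently becomes part of the key, and any file shorter than 32 bytes is overwritten with a new secret, which invalidates every token issued so far — a comment such as `// a missing or too-short file rotates the key and invalidates all existing tokens` would make that visible. On a multi-worker deployment the first requests can race here (two workers generating different secrets, the last dumpFile() wins), so tokens signed by the loser are rejected; writing only when the file is still absent narrows that window. The `catch (\Throwable)` returning '' is sound only because, as the comment says, InMemory::plainText() rejects an empty key, so failures surface as an exception in getConfig() rather than as signing with an empty key.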
@@ -33,6 +67,7 @@ private static function getDefaultKeyString(): string
      */
     private static function getConfig(): Configuration
     {
+        // Empty key is caught
         $config = Configuration::forSymmetricSigner(new Sha256(), InMemory::plainText(self::getDefaultKeyString()));
         $config->setValidationConstraints(new SignedWith($config->signer(), $config->signingKey()));
diff --git a/tests/Jwt/JwtTokenTest.php b/tests/Jwt/JwtTokenTest.php
index 05bd4ae..aaa6101 100644
--- a/tests/Jwt/JwtTokenTest.php
+++ b/tests/Jwt/JwtTokenTest.php
@@ -84,6 +84,7 @@ protected function setUp(): void
         System::setContainer(new StubContainerInterface());
         System::getContainer()->setParameter('kernel.secret', '000adc04469d7c761f1407279738f4268e8cf58310e6ff2b3b317df0c61d3fc2');
+        System::getContainer()->setParameter('kernel.project_dir', '.');
     }
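Review bot: The added comment `// Empty key is caught` in getConfig() says neither who catches it nor what the outcome is, which is the one thing a reader of this line needs to know. Spell it out, e.g. `// getDefaultKeyString() returns '' on any failure; InMemory::plainText() rejects an empty key (see the comment there), so a broken secret surfaces as an exception here instead of silently signing with an empty key`. getConfig() continues past the end of the hunk.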
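Review bot: Setting `kernel.project_dir` to '.' in setUp() points getDefaultKeyString() at `./var/alpdesk_jwt_secret` in whatever directory the tests are launched from, so the first run derives the key from the stubbed kernel.secret and persists it, and every later run reads that file instead of the parameter set two lines above — the tests become stateful across runs and across working directories, and a changed kernel.secret value would no longer be exercised. Use a fresh temporary directory per test, e.g. `System::getContainer()->setParameter('kernel.project_dir', sys_get_temp_dir() . '/alpdesk_jwt_test_' . bin2hex(random_bytes(4)));`, keep the path in a property, and remove it in tearDown(). setUp() starts outside the hunk.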