-

2025-08-23 22:31:47 -04:00
parent 9ca9c53baf
commit e5bccc85c2
22 changed files with 2405 additions and 209 deletions
--- a/internal/auth/jwt.go
+++ b/internal/auth/jwt.go
@ -57,6 +57,12 @@ func (j *JWTManager) GenerateToken(userToken *domain.UserToken) (string, error)
 		return "", errors.NewValidationError("JWT secret not configured")
 	}

+	// Generate secure JWT ID
+	jti := j.generateJTI()
+	if jti == "" {
+		return "", errors.NewInternalError("Failed to generate secure JWT ID - cryptographic random number generation failed")
+	}
+
 	// Create custom claims
 	claims := CustomClaims{
 		UserID:      userToken.UserID,
@ -72,7 +78,7 @@ func (j *JWTManager) GenerateToken(userToken *domain.UserToken) (string, error)
 			ExpiresAt: jwt.NewNumericDate(userToken.ExpiresAt),
 			IssuedAt:  jwt.NewNumericDate(userToken.IssuedAt),
 			NotBefore: jwt.NewNumericDate(userToken.IssuedAt),
-			ID:        j.generateJTI(),
+			ID:        jti,
 		},
 	}

@ -272,8 +278,10 @@ func (j *JWTManager) IsTokenRevoked(tokenString string) (bool, error) {
 func (j *JWTManager) generateJTI() string {
 	bytes := make([]byte, 16)
 	if _, err := rand.Read(bytes); err != nil {
-		// Fallback to timestamp-based ID if random generation fails
-		return fmt.Sprintf("jti_%d", time.Now().UnixNano())
+		// Log the error and fail securely - do not generate predictable fallback IDs
+		j.logger.Error("Cryptographic random number generation failed - cannot generate secure JWT ID", zap.Error(err))
+		// Return an error indicator that will cause token generation to fail
+		return ""
 	}
 	return base64.URLEncoding.EncodeToString(bytes)
 }