refactor: derive deterministic key id from secret itself (#11905)

Hiep Le 2025-12-05 01:41:32 +07:00 committed by GitHub
parent 3a9aa90c3a
commit 59ca8bd9a8
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -1,3 +1,4 @@
import hashlib
import os
from datetime import datetime
from pathlib import Path
@ -30,8 +31,14 @@ def get_default_encryption_keys(workspace_dir: Path) -> list[EncryptionKey]:
"""Generate default encryption keys."""
master_key = os.getenv('JWT_SECRET')
if master_key:
# Derive a deterministic key ID from the secret itself.
# This ensures all pods using the same JWT_SECRET get the same key ID,
# which is critical for multi-pod deployments where tokens may be
# created by one pod and verified by another.
key_id = base62.encodebytes(hashlib.sha256(master_key.encode()).digest())
return [
EncryptionKey(
id=key_id,
key=SecretStr(master_key),
active=True,
notes='jwt secret master key',
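Review bot: The id computed at `key_id = base62.encodebytes(hashlib.sha256(master_key.encode()).digest())` is a bare, unsalted SHA-256 of `JWT_SECRET`, and key ids are usually not handled as secrets (they tend to end up in token headers, stored records and logs; where this one is used is not visible in the hunk). Anyone who can read the id can check candidate secrets against it offline, which matters if `JWT_SECRET` is a human-chosen string rather than random bytes, and the same digest would also match a plain hash of that secret computed anywhere else. A labelled derivation stays deterministic across pods without publishing the plain hash, e.g. `key_id = base62.encodebytes(hmac.new(master_key.encode(), b'encryption-key-id', hashlib.sha256).digest())` with `import hmac` next to `import hashlib`. The comment above it should also say that the id is derived from the secret and that `JWT_SECRET` must therefore be high-entropy. The body of `get_default_encryption_keys` continues outside the hunk.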