codeql/java/ql/test/experimental/query-tests/security/CWE-321/HardcodedJwtKey.java

import java.util.Date;
import java.util.Properties;

import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.JWTVerifier;

public class HardcodedJwtKey {
    // 15 minutes
    private static final long ACCESS_EXPIRE_TIME = 1000 * 60 * 15;

    private static final String ISSUER = "example_com";

    private static final String SECRET = "hardcoded_secret";

    // BAD: Get secret from hardcoded string then sign a JWT token
    public String accessTokenBad(String username) {
        Algorithm algorithm = Algorithm.HMAC256(SECRET);

        return JWT.create()
                .withExpiresAt(new Date(new Date().getTime() + ACCESS_EXPIRE_TIME))
                .withIssuer(ISSUER)
                .withClaim("username", username)
                .sign(algorithm);
    }

    // GOOD: Get secret from system configuration then sign a token
    public String accessTokenGood(String username) {
        String tokenSecret = System.getenv("SECRET_KEY");
        Algorithm algorithm = Algorithm.HMAC256(tokenSecret);

        return JWT.create()
                .withExpiresAt(new Date(new Date().getTime() + ACCESS_EXPIRE_TIME))
                .withIssuer(ISSUER)
                .withClaim("username", username)
                .sign(algorithm);
    }

    // BAD: Get secret from hardcoded string then verify a JWT token
    public boolean verifyTokenBad(String token) {
        JWTVerifier verifier = JWT.require(Algorithm.HMAC256(SECRET))
                .withIssuer(ISSUER)
                .build();
        try {
            verifier.verify(token);
            return true;
        } catch (JWTVerificationException e) {
            return false;
        }
    }

    // GOOD: Get secret from environment variable then verify a JWT token
    public boolean verifyTokenGood(String token) {
        JWTVerifier verifier = JWT.require(Algorithm.HMAC256(System.getenv("SECRET_KEY")))
                .withIssuer(ISSUER)
                .build();
        try {
            verifier.verify(token);
            return true;
        } catch (JWTVerificationException e) {
            return false;
        }
    }
}