graphql: T4574: set byte length of shared secret from CLI

2 files changed, 3 insertions, 1 deletions

diff --git a/src/services/api/graphql/libs/token_auth.py b/src/services/api/graphql/libs/token_auth.py
index fafb0f5af..3ecd8b855 100644
--- a/src/services/api/graphql/libs/token_auth.py
+++ b/src/services/api/graphql/libs/token_auth.py
@@ -11,7 +11,8 @@ def _check_passwd_pam(username: str, passwd: str) -> bool:
     return False
 
 def init_secret():
-    secret = token_hex(16)
+    length = int(state.settings['app'].state.vyos_secret_len)
+    secret = token_hex(length)
     state.settings['secret'] = secret
 
 def generate_token(user: str, passwd: str, secret: str, exp: int) -> dict:
diff --git a/src/services/vyos-http-api-server b/src/services/vyos-http-api-server
index 4af27b949..3c390d9dc 100755
--- a/src/services/vyos-http-api-server
+++ b/src/services/vyos-http-api-server
@@ -699,6 +699,7 @@ if __name__ == '__main__':
             # default value is merged in conf_mode http-api.py, if not set
             app.state.vyos_auth_type = server_config['graphql']['authentication']['type']
             app.state.vyos_token_exp = server_config['graphql']['authentication']['expiration']
+            app.state.vyos_secret_len = server_config['graphql']['authentication']['secret_length']
     else:
         app.state.vyos_graphql = False