Add kid in jwks & jwts

Zoe Roux 2025-05-11 03:37:13 +02:00
parent d4e5afd514
commit 2ce696a07b
2 changed files with 22 additions and 6 deletions


@ -2,9 +2,11 @@ package main
import ( import (
"context" "context"
"crypto"
"crypto/rand" "crypto/rand"
"crypto/rsa" "crypto/rsa"
"crypto/x509" "crypto/x509"
"encoding/base64"
"encoding/json" "encoding/json"
"encoding/pem" "encoding/pem"
"fmt" "fmt"
@ -15,6 +17,7 @@ import (
"github.com/golang-jwt/jwt/v5" "github.com/golang-jwt/jwt/v5"
"github.com/google/uuid" "github.com/google/uuid"
"github.com/lestrrat-go/jwx/v3/jwk"
"github.com/zoriya/kyoo/keibi/dbc" "github.com/zoriya/kyoo/keibi/dbc"
) )
@ -22,13 +25,14 @@ type Configuration struct {
Prefix string Prefix string
JwtPrivateKey *rsa.PrivateKey JwtPrivateKey *rsa.PrivateKey
JwtPublicKey *rsa.PublicKey JwtPublicKey *rsa.PublicKey
JwtKid string
PublicUrl string PublicUrl string
DefaultClaims jwt.MapClaims DefaultClaims jwt.MapClaims
FirstUserClaims jwt.MapClaims FirstUserClaims jwt.MapClaims
GuestClaims jwt.MapClaims GuestClaims jwt.MapClaims
ProtectedClaims []string ProtectedClaims []string
ExpirationDelay time.Duration ExpirationDelay time.Duration
EnvApiKeys map[string]ApiKeyWToken EnvApiKeys map[string]ApiKeyWToken
} }
var DefaultConfig = Configuration{ var DefaultConfig = Configuration{
@ -36,7 +40,7 @@ var DefaultConfig = Configuration{
FirstUserClaims: make(jwt.MapClaims), FirstUserClaims: make(jwt.MapClaims),
ProtectedClaims: []string{"permissions"}, ProtectedClaims: []string{"permissions"},
ExpirationDelay: 30 * 24 * time.Hour, ExpirationDelay: 30 * 24 * time.Hour,
EnvApiKeys: make(map[string]ApiKeyWToken), EnvApiKeys: make(map[string]ApiKeyWToken),
} }
func LoadConfiguration(db *dbc.Queries) (*Configuration, error) { func LoadConfiguration(db *dbc.Queries) (*Configuration, error) {
@ -100,11 +104,20 @@ func LoadConfiguration(db *dbc.Queries) (*Configuration, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
ret.JwtPublicKey = &ret.JwtPrivateKey.PublicKey
} }
ret.JwtPublicKey = &ret.JwtPrivateKey.PublicKey
key, err := jwk.Import(ret.JwtPublicKey)
if err != nil {
return nil, err
}
thumbprint, err := key.Thumbprint(crypto.SHA256)
if err != nil {
return nil, err
}
ret.JwtKid = base64.RawStdEncoding.EncodeToString(thumbprint)
for _, env := range os.Environ() { for _, env := range os.Environ() {
if !strings.HasPrefix(env, "KEIBI_APIKEY_"){ if !strings.HasPrefix(env, "KEIBI_APIKEY_") {
continue continue
} }
v := strings.Split(env, "=") v := strings.Split(env, "=")
@ -128,8 +141,8 @@ func LoadConfiguration(db *dbc.Queries) (*Configuration, error) {
name = strings.ToLower(name) name = strings.ToLower(name)
ret.EnvApiKeys[name] = ApiKeyWToken{ ret.EnvApiKeys[name] = ApiKeyWToken{
ApiKey: ApiKey{ ApiKey: ApiKey{
Id: uuid.New(), Id: uuid.New(),
Name: name, Name: name,
Claims: claims, Claims: claims,
}, },
Token: v[1], Token: v[1],
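Review bot: The thumbprint is encoded with `base64.RawStdEncoding`, but RFC 7638 defines the JWK thumbprint as base64url, so the `kid` can contain `+` and `/` and will not equal the thumbprint a client computes per the RFC for the same key; use `ret.JwtKid = base64.RawURLEncoding.EncodeToString(thumbprint)`. The value is only an opaque identifier, so nothing breaks today, but the base64url form is what interoperating libraries and key-pinning tooling expect, and it avoids characters that are awkward in URLs and logs. A short comment above the `jwk.Import` call, e.g. `// kid is the RFC 7638 JWK thumbprint (SHA-256) of the public key, so it is stable across restarts for the same key`, would record why the kid is derived rather than random. The enclosing LoadConfiguration continues past the hunk.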


@ -79,6 +79,7 @@ func (h *Handler) createGuestJwt() *string {
Time: time.Now().UTC().Add(time.Hour), Time: time.Now().UTC().Add(time.Hour),
} }
jwt := jwt.NewWithClaims(jwt.SigningMethodRS256, claims) jwt := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
jwt.Header["kid"] = h.config.JwtKid
t, err := jwt.SignedString(h.config.JwtPrivateKey) t, err := jwt.SignedString(h.config.JwtPrivateKey)
if err != nil { if err != nil {
return nil return nil
@ -112,6 +113,7 @@ func (h *Handler) createJwt(token string) (string, error) {
Time: time.Now().UTC().Add(time.Hour), Time: time.Now().UTC().Add(time.Hour),
} }
jwt := jwt.NewWithClaims(jwt.SigningMethodRS256, claims) jwt := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
jwt.Header["kid"] = h.config.JwtKid
t, err := jwt.SignedString(h.config.JwtPrivateKey) t, err := jwt.SignedString(h.config.JwtPrivateKey)
if err != nil { if err != nil {
return "", err return "", err
@ -144,6 +146,7 @@ func (h *Handler) GetJwks(c echo.Context) error {
key.Set("use", "sig") key.Set("use", "sig")
key.Set("key_ops", "verify") key.Set("key_ops", "verify")
key.Set("kid", h.config.JwtKid)
set := jwk.NewSet() set := jwk.NewSet()
set.AddKey(key) set.AddKey(key)
return c.JSON(200, set) return c.JSON(200, set)
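Review bot: The `kid` header is set by hand in both createGuestJwt and createJwt, so any future token-issuing path can silently omit it and a verifier that selects keys by `kid` would then reject those tokens; a small helper such as `func (h *Handler) signToken(claims jwt.Claims) (string, error)` that picks `jwt.SigningMethodRS256`, sets `Header["kid"] = h.config.JwtKid` and signs with `h.config.JwtPrivateKey` would keep this in one place. In GetJwks the new `key.Set("kid", h.config.JwtKid)` discards its error like the neighbouring `Set` calls; since this field is what makes the published key addressable, a failure there is worth returning instead of serving a key without a `kid`. Note also that the set still publishes only the current key, so the `kid` only helps with rotation if the previous key is kept in the set while tokens signed with it are still valid — presumably an intended follow-up. All three enclosing functions start outside the hunks.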