From 8ef4fe5e55362ec40ad1c4baae7f3ed2f54aebf7 Mon Sep 17 00:00:00 2001 From: Zoe Roux Date: Mon, 31 Mar 2025 09:41:10 +0200 Subject: [PATCH] Remove db conf handling and read private key from storage --- auth/.env.example | 3 + auth/config.go | 61 ++++++---------- auth/dbc/config.sql.go | 73 ------------------- auth/dbc/models.go | 5 -- auth/sql/migrations/000002_config.down.sql | 5 -- auth/sql/migrations/000002_config.up.sql | 8 -- ...ions.down.sql => 000002_sessions.down.sql} | 0 ...sessions.up.sql => 000002_sessions.up.sql} | 0 auth/sql/queries/config.sql | 21 ------ 9 files changed, 25 insertions(+), 151 deletions(-) delete mode 100644 auth/dbc/config.sql.go delete mode 100644 auth/sql/migrations/000002_config.down.sql delete mode 100644 auth/sql/migrations/000002_config.up.sql rename auth/sql/migrations/{000003_sessions.down.sql => 000002_sessions.down.sql} (100%) rename auth/sql/migrations/{000003_sessions.up.sql => 000002_sessions.up.sql} (100%) delete mode 100644 auth/sql/queries/config.sql diff --git a/auth/.env.example b/auth/.env.example index de7c4b08..830ca1ac 100644 --- a/auth/.env.example +++ b/auth/.env.example @@ -4,6 +4,9 @@ # http route prefix (will listen to $KEIBI_PREFIX/users for example) KEIBI_PREFIX="" +# path of the private key used to sign jwts. If this is empty, a new one will be generated on startup +RSA_PRIVATE_KEY_PATH="" + # The url you can use to reach your kyoo instance. This is used during oidc to redirect users to your instance. PUBLIC_URL=http://localhost:8901 diff --git a/auth/config.go b/auth/config.go index 737226da..0eb53d66 100644 --- a/auth/config.go +++ b/auth/config.go 
@@ -27,56 +27,39 @@ var DefaultConfig = Configuration{ ExpirationDelay: 30 * 24 * time.Hour, } -const ( - JwtPrivateKey = "jwt_private_key" -) - func LoadConfiguration(db *dbc.Queries) (*Configuration, error) { - ctx := context.Background() - confs, err := db.LoadConfig(ctx) - if err != nil { - return nil, err - } - ret := DefaultConfig - for _, conf := range confs { - switch conf.Key { - case JwtPrivateKey: - block, _ := pem.Decode([]byte(conf.Value)) - key, err := x509.ParsePKCS1PrivateKey(block.Bytes) - if err != nil { - return nil, err - } - ret.JwtPrivateKey = key - ret.JwtPublicKey = &key.PublicKey - } - } - ret.PublicUrl = os.Getenv("PUBLIC_URL") ret.Prefix = os.Getenv("KEIBI_PREFIX") - if ret.JwtPrivateKey == nil { + rsa_pk_path := os.Getenv("RSA_PRIVATE_KEY_PATH") + if rsa_pk_path != "" { + privateKeyData, err := os.ReadFile(rsa_pk_path) + if err != nil { + return nil, err + } + + block, _ := pem.Decode(privateKeyData) + if block == nil || block.Type != "RSA PRIVATE KEY" { + return nil, err + } + + ret.JwtPrivateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes) + if err != nil { + pkcs8Key, err := x509.ParsePKCS8PrivateKey(block.Bytes) + if err != nil { + return nil, err + } + ret.JwtPrivateKey = pkcs8Key.(*rsa.PrivateKey) + } + } else { + var err error ret.JwtPrivateKey, err = rsa.GenerateKey(rand.Reader, 4096) if err != nil { return nil, err } ret.JwtPublicKey = &ret.JwtPrivateKey.PublicKey - - pemd := pem.EncodeToMemory( - &pem.Block{ - Type: "RSA PRIVATE KEY", - Bytes: x509.MarshalPKCS1PrivateKey(ret.JwtPrivateKey), - }, - ) - - _, err := db.SaveConfig(ctx, dbc.SaveConfigParams{ - Key: JwtPrivateKey, - Value: string(pemd), - }) - if err != nil { - return nil, err - } } return &ret, nil diff --git a/auth/dbc/config.sql.go b/auth/dbc/config.sql.go deleted file mode 100644 index 5ec22ed9..00000000 --- a/auth/dbc/config.sql.go +++ /dev/null 
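Review bot: In the new file-loading branch, the `if block == nil || block.Type != "RSA PRIVATE KEY"` check returns `nil, err` while `err` still holds the nil left by the successful `os.ReadFile`, so a missing or mislabelled PEM block hands the caller a nil `*Configuration` with no error; that path needs its own error value. The same Type check also makes the `x509.ParsePKCS8PrivateKey` fallback below it unreachable for a normally labelled `PRIVATE KEY` block, and the `pkcs8Key.(*rsa.PrivateKey)` assertion is unchecked, so a non-RSA PKCS#8 key would panic at startup instead of failing with an error. Unlike the generate branch, the file branch never assigns `ret.JwtPublicKey`, which stays nil whenever a key is loaded from disk. The rewrite below (with `rsa_pk_path` renamed `rsaPKPath` per Go naming) addresses all three; it assumes `fmt` can be added to the file's import block, which lies outside this hunk, and the now-unused `db` parameter is left as is. The closing brace of LoadConfiguration is outside the hunk.
```go
	rsaPKPath := os.Getenv("RSA_PRIVATE_KEY_PATH")
	if rsaPKPath != "" {
		privateKeyData, err := os.ReadFile(rsaPKPath)
		if err != nil {
			return nil, err
		}

		block, _ := pem.Decode(privateKeyData)
		if block == nil {
			return nil, fmt.Errorf("no PEM block found in %q", rsaPKPath)
		}

		switch block.Type {
		case "RSA PRIVATE KEY":
			ret.JwtPrivateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes)
			if err != nil {
				return nil, err
			}
		case "PRIVATE KEY":
			pkcs8Key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
			if err != nil {
				return nil, err
			}
			rsaKey, ok := pkcs8Key.(*rsa.PrivateKey)
			if !ok {
				return nil, fmt.Errorf("%q: PKCS#8 key is %T, expected an RSA private key", rsaPKPath, pkcs8Key)
			}
			ret.JwtPrivateKey = rsaKey
		default:
			return nil, fmt.Errorf("%q: unsupported PEM block type %q", rsaPKPath, block.Type)
		}
		// The public half must be derived here too, not only in the generate branch.
		ret.JwtPublicKey = &ret.JwtPrivateKey.PublicKey
	} else {
		// … unchanged: rsa.GenerateKey branch …
	}
```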
@@ -1,73 +0,0 @@ -// Code generated by sqlc. DO NOT EDIT. -// versions: -// sqlc v1.28.0 -// source: config.sql - -package dbc - -import ( - "context" -) - -const deleteConfig = `-- name: DeleteConfig :one -delete from config -where key = $1 -returning - key, value -` - -func (q *Queries) DeleteConfig(ctx context.Context, key string) (Config, error) { - row := q.db.QueryRow(ctx, deleteConfig, key) - var i Config - err := row.Scan(&i.Key, &i.Value) - return i, err -} - -const loadConfig = `-- name: LoadConfig :many -select - key, value -from - config -` - -func (q *Queries) LoadConfig(ctx context.Context) ([]Config, error) { - rows, err := q.db.Query(ctx, loadConfig) - if err != nil { - return nil, err - } - defer rows.Close() - var items []Config - for rows.Next() { - var i Config - if err := rows.Scan(&i.Key, &i.Value); err != nil { - return nil, err - } - items = append(items, i) - } - if err := rows.Err(); err != nil { - return nil, err - } - return items, nil -} - -const saveConfig = `-- name: SaveConfig :one -insert into config(key, value) - values ($1, $2) -on conflict (key) - do update set - value = excluded.value - returning - key, value -` - -type SaveConfigParams struct { - Key string `json:"key"` - Value string `json:"value"` -} - -func (q *Queries) SaveConfig(ctx context.Context, arg SaveConfigParams) (Config, error) { - row := q.db.QueryRow(ctx, saveConfig, arg.Key, arg.Value) - var i Config - err := row.Scan(&i.Key, &i.Value) - return i, err -} diff --git a/auth/dbc/models.go b/auth/dbc/models.go index 122487ae..2310f424 100644 --- a/auth/dbc/models.go +++ b/auth/dbc/models.go @@ -11,11 +11,6 @@ import ( "github.com/google/uuid" ) -type Config struct { - Key string `json:"key"` - Value string `json:"value"` -} - type OidcHandle struct { UserPk int32 `json:"userPk"` Provider string `json:"provider"` diff --git a/auth/sql/migrations/000002_config.down.sql b/auth/sql/migrations/000002_config.down.sql deleted file mode 100644 index 2fd15f61..00000000 
--- a/auth/sql/migrations/000002_config.down.sql +++ /dev/null @@ -1,5 +0,0 @@ -begin; - -drop table config; - -commit; diff --git a/auth/sql/migrations/000002_config.up.sql b/auth/sql/migrations/000002_config.up.sql deleted file mode 100644 index 7d9e4b72..00000000 --- a/auth/sql/migrations/000002_config.up.sql +++ /dev/null @@ -1,8 +0,0 @@ -begin; - -create table config( - key varchar(256) not null primary key, - value text not null -); - -commit; diff --git a/auth/sql/migrations/000003_sessions.down.sql b/auth/sql/migrations/000002_sessions.down.sql similarity index 100% rename from auth/sql/migrations/000003_sessions.down.sql rename to auth/sql/migrations/000002_sessions.down.sql diff --git a/auth/sql/migrations/000003_sessions.up.sql b/auth/sql/migrations/000002_sessions.up.sql similarity index 100% rename from auth/sql/migrations/000003_sessions.up.sql rename to auth/sql/migrations/000002_sessions.up.sql diff --git a/auth/sql/queries/config.sql b/auth/sql/queries/config.sql deleted file mode 100644 index 3f3db9d5..00000000 --- a/auth/sql/queries/config.sql +++ /dev/null @@ -1,21 +0,0 @@ --- name: LoadConfig :many -select - * -from - config; - --- name: SaveConfig :one -insert into config(key, value) - values ($1, $2) -on conflict (key) - do update set - value = excluded.value - returning - *; - --- name: DeleteConfig :one -delete from config -where key = $1 -returning - *; -