Transcoder: If empty JWKS env var, do not enable JWKS (#1025)

2025-07-31 14:33:50 -04:00 · 2025-07-23 13:49:52 +01:00 · 2025-07-23 13:49:52 +01:00 · bfff409142
commit bfff409142
parent e9a34967f1
3 changed files with 36 additions and 32 deletions
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@ -10,6 +10,8 @@ x-transcoder: &transcoder-base
    - "7666:7666"
  restart: unless-stopped
  cpus: 1
+  environment:
+    - JWKS_URL=http://auth:4568/.well-known/jwks.json
  env_file:
    - ./.env
  volumes:
--- a/transcoder/main.go
+++ b/transcoder/main.go
@ -76,40 +76,42 @@ func main() {
 		return
 	}

-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	jwks, err := jwk.NewCache(ctx, httprc.NewClient())
-	if err != nil {
-		e.Logger.Fatal("failed to create jwk cache: ", err)
-		return
-	}
-	jwks.Register(ctx, src.Settings.JwksUrl)
-
 	g := e.Group("/video")
-	g.Use(echojwt.WithConfig(echojwt.Config{
-		KeyFunc: func(token *jwt.Token) (any, error) {
-			keys, err := jwks.CachedSet(src.Settings.JwksUrl)
-			if err != nil {
-				return nil, err
-			}
-			kid, ok := token.Header["kid"].(string)
-			if !ok {
-				return nil, errors.New("missing kid in jwt")
-			}
-			key, found := keys.LookupKeyID(kid)
-			if !found {
-				return nil, fmt.Errorf("unable to find key %q", kid)
-			}

-			var pubkey interface{}
-			if err := jwk.Export(key, &pubkey); err != nil {
-				return nil, fmt.Errorf("Unable to get the public key. Error: %s", err.Error())
-			}
+	if src.Settings.JwksUrl != "" {
+		ctx, cancel := context.WithCancel(context.Background())
+		defer cancel()

-			return pubkey, nil
-		},
-	}))
+		jwks, err := jwk.NewCache(ctx, httprc.NewClient())
+		if err != nil {
+			e.Logger.Fatal("failed to create jwk cache: ", err)
+			return
+		}
+		jwks.Register(ctx, src.Settings.JwksUrl)
+		g.Use(echojwt.WithConfig(echojwt.Config{
+			KeyFunc: func(token *jwt.Token) (any, error) {
+				keys, err := jwks.CachedSet(src.Settings.JwksUrl)
+				if err != nil {
+					return nil, err
+				}
+				kid, ok := token.Header["kid"].(string)
+				if !ok {
+					return nil, errors.New("missing kid in jwt")
+				}
+				key, found := keys.LookupKeyID(kid)
+				if !found {
+					return nil, fmt.Errorf("unable to find key %q", kid)
+				}
+
+				var pubkey interface{}
+				if err := jwk.Export(key, &pubkey); err != nil {
+					return nil, fmt.Errorf("Unable to get the public key. Error: %s", err.Error())
+				}
+
+				return pubkey, nil
+			},
+		}))
+	}

 	api.RegisterStreamHandlers(g, transcoder)
 	api.RegisterMetadataHandlers(g, metadata)
--- a/transcoder/src/settings.go
+++ b/transcoder/src/settings.go
@ -32,6 +32,6 @@ var Settings = SettingsT{
 	// we manually add a folder to make sure we do not delete user data.
 	Outpath:  path.Join(GetEnvOr("GOCODER_CACHE_ROOT", "/cache"), "kyoo_cache"),
 	SafePath: GetEnvOr("GOCODER_SAFE_PATH", "/video"),
-	JwksUrl:  GetEnvOr("JWKS_URL", "http://auth:4568/.well-known/jwks.json"),
+	JwksUrl:  os.Getenv("JWKS_URL"),
 	HwAccel:  DetectHardwareAccel(),
 }