Switch to asymetric keys for jwt signing

2025-05-24 02:02:36 -04:00 · 2024-09-03 14:23:52 +02:00 · 2024-09-03 14:23:52 +02:00 · caa4cf4c8d
commit caa4cf4c8d
parent e197062f64
2 changed files with 31 additions and 16 deletions
--- a/auth/config.go
+++ b/auth/config.go
@ -3,7 +3,9 @@ package main
 import (
 	"context"
 	"crypto/rand"
-	"encoding/base64"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
 	"time"

 	"github.com/golang-jwt/jwt/v5"
@ -11,14 +13,15 @@ import (
 )

 type Configuration struct {
-	JwtSecret     []byte
-	Issuer        string
-	DefaultClaims jwt.MapClaims
+	JwtPrivateKey   *rsa.PrivateKey
+	JwtPublicKey    *rsa.PublicKey
+	Issuer          string
+	DefaultClaims   jwt.MapClaims
 	ExpirationDelay time.Duration
 }

 const (
-	JwtSecret = "jwt_secret"
+	JwtPrivateKey = "jwt_private_key"
 )

 func LoadConfiguration(db *dbc.Queries) (*Configuration, error) {
@ -32,22 +35,34 @@ func LoadConfiguration(db *dbc.Queries) (*Configuration, error) {

 	for _, conf := range confs {
 		switch conf.Key {
-		case JwtSecret:
-			secret, err := base64.StdEncoding.DecodeString(conf.Value)
+		case JwtPrivateKey:
+			block, _ := pem.Decode([]byte(conf.Value))
+			key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
 			if err != nil {
 				return nil, err
 			}
-			ret.JwtSecret = secret
+			ret.JwtPrivateKey = key
+			ret.JwtPublicKey = &key.PublicKey
 		}
 	}

-	if ret.JwtSecret == nil {
-		ret.JwtSecret = make([]byte, 128)
-		rand.Read(ret.JwtSecret)
+	if ret.JwtPrivateKey == nil {
+		ret.JwtPrivateKey, err = rsa.GenerateKey(rand.Reader, 4096)
+		if err != nil {
+			return nil, err
+		}
+		ret.JwtPublicKey = &ret.JwtPrivateKey.PublicKey
+
+		pemd := pem.EncodeToMemory(
+			&pem.Block{
+				Type:  "RSA PRIVATE KEY",
+				Bytes: x509.MarshalPKCS1PrivateKey(ret.JwtPrivateKey),
+			},
+		)

 		_, err := db.SaveConfig(ctx, dbc.SaveConfigParams{
-			Key:   JwtSecret,
-			Value: base64.StdEncoding.EncodeToString(ret.JwtSecret),
+			Key:   JwtPrivateKey,
+			Value: string(pemd),
 		})
 		if err != nil {
 			return nil, err
--- a/auth/session.go
+++ b/auth/session.go
@ -100,7 +100,6 @@ type Jwt struct {
 // @Summary      Get JWT
 // @Description  Convert a session token to a short lived JWT.
 // @Tags         sessions
-// @Accept       json
 // @Produce      json
 // @Security     Token
 // @Success      200  {object}  Jwt
@ -129,6 +128,7 @@ func (h *Handler) CreateJwt(c echo.Context) error {

 	claims := maps.Clone(session.User.Claims)
 	claims["sub"] = session.User.Id.String()
+	claims["sid"] = session.Id.String()
 	claims["iss"] = h.config.Issuer
 	claims["exp"] = &jwt.NumericDate{
 		Time: time.Now().UTC().Add(time.Hour),
@ -136,8 +136,8 @@ func (h *Handler) CreateJwt(c echo.Context) error {
 	claims["iss"] = &jwt.NumericDate{
 		Time: time.Now().UTC(),
 	}
-	jwt := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
-	t, err := jwt.SignedString(h.config.JwtSecret)
+	jwt := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+	t, err := jwt.SignedString(h.config.JwtPrivateKey)
 	if err != nil {
 		return err
 	}