From e7ed36caff31271a7257db8eb198dc8017aff8c5 Mon Sep 17 00:00:00 2001
From: Zoe Roux
Date: Thu, 7 Nov 2024 11:34:22 +0100
Subject: [PATCH] Add jwt verification on the api
---
 api/.env.example | 5 +++++
 api/bun.lockb | Bin 39931 -> 40649 bytes
 api/package.json | 1 +
 api/src/index.ts | 15 +++++++++++++++
 4 files changed, 21 insertions(+)
diff --git a/api/.env.example b/api/.env.example
index dfd8f53b..7a77e2a1 100644
--- a/api/.env.example
+++ b/api/.env.example
@@ -1,6 +1,11 @@
 # vi: ft=sh
 # shellcheck disable=SC2034
+# either an hard-coded secret to decode jwts or empty to use keibi's public secret.
+# this should only be used in tests
+JWT_SECRET=
+# keibi's server to retrive the public jwt secret
+AUHT_SERVER=http://auth:4568
 POSTGRES_USER=kyoo
 POSTGRES_PASSWORD=password
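Review bot: The example sets `AUHT_SERVER`, but the code added in `api/src/index.ts` in this same patch reads `process.env.AUTH_SERVER`, so anyone copying this file gets the hard-coded default `http://auth:4568` regardless of what they set; rename the line to `AUTH_SERVER=http://auth:4568`. The comment above `JWT_SECRET` says it is for tests only, but nothing enforces that, and because the code prefers this value over the auth server's key, a symmetric secret set here lets anyone who holds it mint tokens the api accepts — I would make the comment explicit: `# test-only symmetric secret; leave empty in any real deployment so the key is fetched from the auth server`. The two comments also have typos (`an hard-coded` → `a hard-coded`, `retrive` → `retrieve`).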
diff --git a/api/bun.lockb b/api/bun.lockb index d58c717cce10db8e16acf760c8be303bfd13470d..1af685df995ba353940fba7c93ee6c1c2851a607 100755 GIT binary patch delta 5957 zcmcgw3s{t87XJQ$k@-Oo62#vTP+KiUM}~`lLky6BBRiPdJ}6%B0>UUa&_JLJlWic(PpITUhHX?>Mzh7ftaLMV{4fIMz8kjI-q}#6b%;)-Ybf{u=fG z@`A5pp^Tqt_yJ=h8d9($EXEyLpJwTTKx1HVE#u|B|+p;r^Ys28YteMTD=nj3hb+6AUL-1z>%Z|5qyDGW%znQXi?DkmN z*zI{KiyVG-X&W`6{u{NSjwIP+m&YR*k}#uzLQIMB8<568l30?0sLf=T(nyx=(l5y& z+vPV6LX1+a$H|EXe;+z1r?P>+U0&iN#0aQ-D8xTeei71ro?-nH4Zgl~&_C7KfWXP8 z!?H~}Mvefx)Qg%>Pog%|%_MiXOFhYfdM!0|x67vyHPbPKpbk@_F%6!ROwR5$sh%8x zcIh9~gt~y*P`^TQkX`Ca4%8E=3H26g3$hzqaFk=|aFES-8k~~?LsEPZxK6dH!OOkn zrIETt@^KzHH+{hlfcA1wu7j)2S+#dAXzDa@006l8r;<3ccJ;FL%|;*^!()cB{QyhnMTq zTi4D4m#vPs!^>Uva!JUs9&IDIOlt0(;_G3sP`QuV1TNRhkDB{;f#2+<=wKy7F{j5dxawapmPPly;^uAC0e(+=;KR#00% zTO&e1Fd;D1B>_}K&~jE)3!@Q)OBCFWOH#{^LGFj^Qwt-HhjT+>_b~qzVZ_NqAo$h) zifm}(3WbpeP66?mrh$-6M23dgtSV;#x!jDr_$k`_U_9mjj-LJVN^X4tyyK~w{msZb zF97lJ)@u46!p0vmxXt>;E?3GsT%hfMk?(e)CNuI*7i%&j%lb*)jNHCdvtwj=8HmSU z4pMtD!woAy>}0D!91UwhT)INGU#DunkKBCAQN^ph4Pm7&t*=_EVfHXxHMo4?B_z??s6J8$s2QPp^R z!paj~w-8kW{v*7)46D}qy9%Syf*w9lZyVM=d3O4T(fxBj`s1X0X?^>Osf(VS)+fO6 z)Pda-QVVk?m`;7Vwq*CbHGAis``L@r>jzD&c(48L)GeD@E2AhPyZ6uEzY<*Vmx%5M z#;$EjS$ARj`0Z1opICHo@`HP3SMJFF^7Q>LJ-s3Q+m;Qh)_h<-GHn+vP1<5;uC>08XWjtUNlA9Y_h;Irz=EG&_%0j}D}>kYG8{c{gH#tFk7l)K}$d!q#XG7f;b0{0%d}D z>-fpc-(>v7${(2`gNj^vL6gCqn~MtN?s9B!fN=)csjcT-*Q8t?i|3dQng-&e!8lVx zUO$h`7g7S^@2nzFA!rt;7&NgQ70Q>3Xi(`8y1z8uiZ2Pb{`qC#t5Hi7YAn({^3?2t ziQ|s^*&t1`TCA1?{;l_9sUq2EZ>dwNBEPaYX%*SZoaXiD!DH=s`J1uNrAA-(_4L5+ z(I;tZnNwOrm&+7sBL$QzX8o)1Z0^PF?`}RL4AK&-CB_mjL@U|Li_Q9TMUPXPKDItI zeF4uNi|OM;7QI%kNO|-T>dMwDNVl6SpX;`IV z{up{*SdDAfd)b*;e-D+0c=jm1pc$2lbb}Vcs(UxjhwJ4lLwBt7-SQQW!kz*jq30@< zgu&3`hpM~w{-MT!?JFK)eT*f^5+jnK!Cks1KW~~?B#q$bLlr(DLy8QJ#@7m^evK%va3% z8%kJ^BY#%O@sZHSTN1hFXzG|B*H?cv+7RqckDIzHQ|+H%iM0wpf9hA&J3)U=`sBhZ zeg4qzdWUK-f(KCFX|R9S-jr?e-OB!ogk`ZNSz=?vXB1K!+D~Qm$DP;CwruMeo_(#; zs0VGSQl$R$yDG)3KMnn6`;s{qO#|QUw92MSRZ4>Xlw=A?jou?Ye5g~eKQ_JXci*E~ 
z=gMC1)GVbl`XcmqoY%$0>_O)ZX`M!RBB@sJ5%xf}V%FccX7>6y;`j# z=R{srNjY3HN4m%q#DmpOxRK89*;A&`v^sXA2A;b$;`%+P6B5aw)w= zkqT*Yjbhec={mLqN4#k|+ zq(i%@&HbsMR!QjcxK+LWR=3*s*^+{gk#*|yswSUy)+**Mk6YFAaVydz^fhWeRc*q3 zG<<=Q(B;vp-So#rvR$}yPV=u;cTV^fEnc9QyF6O8Cm*dMCDA*m`2@8I3+Y=lG>}pk zC)JX(PLYzSxXx+*!tBW=uNHr}>B!!uq3~m?C7ILb4LVZiRP@I*{k=;K6oh0vJyvJN zjw0$6v;M%=GCaR|&`b9uBT2@>=VL8N*Jxb5BJHLp>lIpF-^art4ezawlg`rT=&L`k zy|MaOd;UL2P6=( z2q@J0h^ON#f}*1m85o$LsMt~z>H`&&jYs7+zNWXLU|2MWxJC4)GbjCY- z?sv{T_kGVf```QOFHINrnC`YEEIymP`EyVC??wH2AF;WQcistJ2g-|~LISlgcz;IxP zj*T_fce{v@Po)qAfkJ4I(}CRYBp~-!)zGliQ!Ru| zZ+|vOh*3gxdfS49u%NHb{cp1 zc$JQkI+}ny;m#XO;HK$d^l%D&&iI(eY~$jZ>K z4W09f7gjH5VVkRKLWYDgWgCr^&7&8?CWOc8Gm-&d6dIhM=>gFiwnbS+W~}do*8q8+ z9JD4N+TJ$KXP|}w|GnWhENEfd6ovse^u8K!%tX%y?Ud={33kbD>OuYi^&uZg2_Y^^ z4s1OQ1DMDjl4{ulsQ{8>NlNMqaY+XySX{D&JQkPbIg=1GRPCEBsiuo2I&I0~3ZX8` z%>hD8fhvIPp{bT9AJ{_j3~wDtu)Pe(o7?IjY_TKbH;D@s+JNIQbg&M7qpl z;XHX%hy7eY2~jS~<1DKq7#NmnIyZ`*ipnx)!yt=kdsK$`E^uze{lU*A!1R1&t$yw$ zaD}Q~ID$#O;>!HoBZ|9bbY`HxC>gQGS8b)@>c(aU`isKG7|Nf5%T>K?@^dHsTp}W< zPrD3Uj;goE&wbJQ0~w^3i5%W?=ZdrknsGh`Hb;$4=qIG?wuGIKYiB%X@pkiQ(3 z&2~FJqY}n041$@d#0ZBJuq>4r%^;kfD#tmg^u3VY7$4oqt+692{VT*SiBu50SWH#5 z{}y>x86Y^caDfmO#B?36(=i9g={wlT|4w4AD*j&}PZ{ZlOhD463DKRr&iNo%w`c)z z`Y&SVzimK1z*g0p5BVV5b(xVDx=NQBSze7V2bEU)00lmU7sws10dZnv`4$jc(0UNt z_Rm3_hC;4?htmEdaj--mF$8ui8nkuD)jCe%oXX28Y=Q+BdUCR$(OjW5X5W2Wl1GN z<`9Gdl&%QKA&a9+Hi*+K5Vzy<=^)mXfcP&belaqn7d$=;&1`WbXT_()H+kBt$+9G| zlVjCd&^i#uH9q_0pcNqYicHWnP!?zkh!T^K`7xk=McN;gjM! 
z#X?XOXaT4aR1KO{iwx<}c1o_lnr7FhMPq31)MJavXO|rQ&?M*EZFZYeh|6hzy(Vq+ ze!W{RqJ##AY^Qk*Zn>VeHE8l4I@sX08h4fh8-DxdoG*@OCb>Gn$@`L ze02S%J#TM5E}*wVpCZH)RM}YLG%no{$GT70@2ptPqbFl{hcK??ahptkOu20LCnlL> zb0pgwDWZTbHfpk}H~QvSY29b`S+6ak|F(Bdp1dzoW=*p@Y?#DrRJ=@cz5_ij3f>ma zj-$CbGe3`%SNoPPPC$b*@=ll){l&#!ndWoLB%2+RAD~UkH0vc@Kk%1HPu&{08{|%j$EPU zr+TT;H6z^R_YIV8&KR88DynPJtX!W##b zCdr1@Z8WV}lPagi=CN`c-QKKOjoW^C-XpKCi+(B2*AqGuhiM=5#_K>-c>bKK#lM>h zeTprWZ6SlsHancgd&s>bywe@?cI2q`PFu2F7%wC1E8=*dX*^i$|EO#0sOa4DgL>mhV@lEM&uqD8cl)3w zlGdzs9TQ%vX#8%B(0mp*hdS3~ib>GZWbuSLqYNqm5 z&1t+%yeK}+y|T}gJ*YR{W!_)AXr}$%_x2BJc2Y^3J_+M7XTj)iED>>$=LRdiOUE&Z zGjsuy;7G;hwAq^U{L#LuIfJ#LX!3H+X}leUMbGHlyrcEyLA~+1v~8wm-ZIx!4-IO{ zXneaq3FArXtt}&B4@~SU9;_5fyO!rz`VpKg7~V#gFxZgCl5Vpn3*+VJlY5&#-{LyA zSM{SbpOJfoW*zcal%9`8lUGqUa^C&OAXV(9!z(oBkVl~O##7grufMjJzBZ+LaKH@| z+ooBEJOb5{k3f?LXen~uX??&m^l+Qz9CEu=GvjftH0wxWOzg-f2M0`~ehfI|cB_`W z-I}bUjCP0gPy_f$w6Wc7Jz@35qkT2+bsv6i<0Rz-=^Tg$XrSF)?7*WE@BL$k?r(c| z$=e=;(lnbB0ZSOqPF<7d+;Qd8)6zKz!$Fd5X~sj8r6Kb-r%N8(3k@7@3gT}j?O*AT zoNEZ{5vv^5hH<`U$~%u-@4WVkg-@C!`yj`X4w|=0vl{QL`A1?bH?4eUHTrV+ob&ZYQO3DnpT)B8Zj`Iz3X9y}88SE9}V ATmS$7 diff --git a/api/package.json b/api/package.json index 1e3a9830..c75a936e 100644 --- a/api/package.json +++ b/api/package.json @@ -8,6 +8,7 @@ "test": "bun test" }, "dependencies": { + "@elysiajs/jwt": "^1.1.1", "@elysiajs/swagger": "^1.1.5", "drizzle-kit": "^0.26.2", "drizzle-orm": "^0.35.3", diff --git a/api/src/index.ts b/api/src/index.ts index bac98e54..51978e1e 100644 --- a/api/src/index.ts +++ b/api/src/index.ts 
@@ -3,10 +3,25 @@ import { swagger } from "@elysiajs/swagger";
 import { db } from "./db";
 import { migrate } from "drizzle-orm/node-postgres/migrator";
 import { movies } from "./controllers/movies";
+import jwt from "@elysiajs/jwt";
 
 await migrate(db, { migrationsFolder: "" });
 
+let secret = process.env.JWT_SECRET;
+if (!secret) {
+	const auth = process.env.AUTH_SERVER ?? "http://auth:4568";
+	const ret = await fetch(`${auth}/info`);
+	const info = await ret.json();
+	secret = info.publicKey;
+}
+
+if (!secret) {
+	console.error("missing jwt secret or auth server. exiting");
+	process.exit(1);
+}
+
 const app = new Elysia()
+	.use(jwt({ secret }))
 	.use(swagger())
 	.get("/", () => "Hello Elysia")
 	.use(movies)
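Review bot: The value fetched from the auth server's `/info` is handed to `jwt({ secret })` as a plain string, and as far as I recall `@elysiajs/jwt` 1.x treats a string `secret` as an HMAC key with `alg` defaulting to HS256 — so a value named `publicKey` would either never verify tokens signed with the matching private key or, if the upstream key bytes are used as the HMAC secret, let anyone who can read that same public endpoint forge tokens; confirm keibi's signing algorithm and pass `alg` together with a key imported for it (e.g. `jose`'s `importSPKI`) instead of the raw string. The fetch result is also consumed without checking `ret.ok`, so an error body from the auth server surfaces as a JSON parse exception at startup rather than the clear message a few lines below; add `if (!ret.ok) { console.error(`auth server answered ${ret.status}. exiting`); process.exit(1); }` before `ret.json()`. Registering the plugin only exposes `jwt.verify` on the handler context, and nothing in this hunk calls it, so the verification the commit title promises presumably lives in the controllers outside this view — worth confirming that every protected route actually invokes it. Note that `.env.example` in the same patch spells the variable `AUHT_SERVER`, which this code never reads.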