From ec204d04e1144de10487628751b989515fc00f2d Mon Sep 17 00:00:00 2001 
From: Zoe Roux 
Date: Sat, 19 Jul 2025 00:14:00 +0200 
Subject: [PATCH] Add jwt check with jwks in transcoder 
---
 transcoder/.env.example | 2 --
 transcoder/main.go | 30 ++++++++++++++++++++----------
 transcoder/src/settings.go | 18 ++++++++----------
 3 files changed, 28 insertions(+), 22 deletions(-) 
diff --git a/transcoder/.env.example b/transcoder/.env.example 
index f62bf54b..577830c4 100644 
--- a/transcoder/.env.example 
+++ b/transcoder/.env.example 
@@ -1,8 +1,6 @@
 # vi: ft=sh
 # shellcheck disable=SC2034 
-# used to verify who's making the jwt 
-JWT_ISSUER=$PUBLIC_URL
 # keibi's server to retrieve the public jwt secret
 JWKS_URL=http://auth:4568/.well-known/jwks.json 
diff --git a/transcoder/main.go b/transcoder/main.go 
index 4902eb04..a8492d25 100644 
--- a/transcoder/main.go 
+++ b/transcoder/main.go 
@@ -2,6 +2,7 @@ package main
 import (
 "context" 
+ "errors"
 "fmt"
 "net/http" 
@@ -88,16 +89,25 @@ func main() {
 g := e.Group("/video")
 g.Use(echojwt.WithConfig(echojwt.Config{
 KeyFunc: func(token *jwt.Token) (any, error) { 
- return jwks.CachedSet(src.Settings.JwksUrl) 
- // kid, ok := token.Header["kid"] 
- // if !ok { 
- // return nil, errors.New("missing kid in jwt") 
- // } 
- // keys, err := jwks.CachedSet(src.Settings.JwksUrl) 
- // if err != nil { 
- // return nil, err 
- // } 
- // return keys.LookupKeyID(kid.(string)) 
+ keys, err := jwks.CachedSet(src.Settings.JwksUrl) 
+ if err != nil { 
+ return nil, err 
+ } 
+ kid, ok := token.Header["kid"].(string) 
+ if !ok { 
+ return nil, errors.New("missing kid in jwt") 
+ } 
+ key, found := keys.LookupKeyID(kid) 
+ if !found { 
+ return nil, fmt.Errorf("unable to find key %q", kid) 
+ } 
+ 
+ var pubkey interface{} 
+ if err := jwk.Export(key, &pubkey); err != nil { 
+ return nil, fmt.Errorf("Unable to get the public key. Error: %s", err.Error()) 
+ } 
+ 
+ return pubkey, nil
 },
 })) 
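Review bot: Nothing in the new KeyFunc, nor anywhere visible in this echojwt.Config, restricts which signing algorithm a presented token may use; as far as I recall echojwt only enforces `SigningMethod` inside its default KeyFunc, so supplying a custom one silently drops that check. golang-jwt's per-method key-type checks would still reject the classic HS256-with-a-public-key confusion as long as the JWKS only ever carries asymmetric keys, but that is an assumption about keibi rather than something this code enforces, and pinning it is one line, e.g. `ParseOptions: []jwt.ParserOption{jwt.WithValidMethods([]string{"RS256"})},` using whatever algorithm keibi actually signs with. Since this commit also removes `JwtIssuer`, no `iss` or `aud` validation is visible either, so any token signed by any key in that JWKS is accepted for `/video`; `jwt.WithIssuer(...)` and `jwt.WithAudience(...)` in the same `ParseOptions` would close that if keibi sets those claims. Minor style on the export failure: wrap rather than stringify the cause, e.g. `return nil, fmt.Errorf("exporting public key %q: %w", kid, err)`. `main()` begins and ends outside this hunk.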
diff --git a/transcoder/src/settings.go b/transcoder/src/settings.go 
index df180525..be2d1771 100644 
--- a/transcoder/src/settings.go 
+++ b/transcoder/src/settings.go 
@@ -14,11 +14,10 @@ func GetEnvOr(env string, def string) string {
 }
 type SettingsT struct { 
- Outpath string 
- SafePath string 
- JwksUrl string 
- JwtIssuer string 
- HwAccel HwAccelT 
+ Outpath string 
+ SafePath string 
+ JwksUrl string 
+ HwAccel HwAccelT
 }
 type HwAccelT struct { 
@@ -31,9 +30,8 @@ type HwAccelT struct {
 var Settings = SettingsT{
 // we manually add a folder to make sure we do not delete user data. 
- Outpath: path.Join(GetEnvOr("GOCODER_CACHE_ROOT", "/cache"), "kyoo_cache"), 
- SafePath: GetEnvOr("GOCODER_SAFE_PATH", "/video"), 
- JwksUrl: GetEnvOr("JWKS_URL", "http://auth:4568/.well-known/jwks.json"), 
- JwtIssuer: GetEnvOr("JWT_ISSUER", "http://localhost:8901"), 
- HwAccel: DetectHardwareAccel(), 
+ Outpath: path.Join(GetEnvOr("GOCODER_CACHE_ROOT", "/cache"), "kyoo_cache"), 
+ SafePath: GetEnvOr("GOCODER_SAFE_PATH", "/video"), 
+ JwksUrl: GetEnvOr("JWKS_URL", "http://auth:4568/.well-known/jwks.json"), 
+ HwAccel: DetectHardwareAccel(),
 }