Add jwt check with jwks in transcoder

2025-07-31 14:33:50 -04:00 · 2025-07-19 00:14:00 +02:00 · 2025-07-19 00:14:00 +02:00 · ec204d04e1
commit ec204d04e1
parent 460e4596f7
3 changed files with 28 additions and 22 deletions
--- a/transcoder/.env.example
+++ b/transcoder/.env.example
@ -1,8 +1,6 @@
 # vi: ft=sh
 # shellcheck disable=SC2034

-# used to verify who's making the jwt
-JWT_ISSUER=$PUBLIC_URL
 # keibi's server to retrieve the public jwt secret
 JWKS_URL=http://auth:4568/.well-known/jwks.json

--- a/transcoder/main.go
+++ b/transcoder/main.go
@ -2,6 +2,7 @@ package main

 import (
 	"context"
+	"errors"
 	"fmt"
 	"net/http"

@ -88,16 +89,25 @@ func main() {
 	g := e.Group("/video")
 	g.Use(echojwt.WithConfig(echojwt.Config{
 		KeyFunc: func(token *jwt.Token) (any, error) {
-			return jwks.CachedSet(src.Settings.JwksUrl)
-			// kid, ok := token.Header["kid"]
-			// if !ok {
-			// 	return nil, errors.New("missing kid in jwt")
-			// }
-			// keys, err := jwks.CachedSet(src.Settings.JwksUrl)
-			// if err != nil {
-			// 	return nil, err
-			// }
-			// return keys.LookupKeyID(kid.(string))
+			keys, err := jwks.CachedSet(src.Settings.JwksUrl)
+			if err != nil {
+				return nil, err
+			}
+			kid, ok := token.Header["kid"].(string)
+			if !ok {
+				return nil, errors.New("missing kid in jwt")
+			}
+			key, found := keys.LookupKeyID(kid)
+			if !found {
+				return nil, fmt.Errorf("unable to find key %q", kid)
+			}
+
+			var pubkey interface{}
+			if err := jwk.Export(key, &pubkey); err != nil {
+				return nil, fmt.Errorf("Unable to get the public key. Error: %s", err.Error())
+			}
+
+			return pubkey, nil
 		},
 	}))

--- a/transcoder/src/settings.go
+++ b/transcoder/src/settings.go
@ -14,11 +14,10 @@ func GetEnvOr(env string, def string) string {
 }

 type SettingsT struct {
-	Outpath   string
-	SafePath  string
-	JwksUrl   string
-	JwtIssuer string
-	HwAccel   HwAccelT
+	Outpath  string
+	SafePath string
+	JwksUrl  string
+	HwAccel  HwAccelT
 }

 type HwAccelT struct {
@ -31,9 +30,8 @@ type HwAccelT struct {

 var Settings = SettingsT{
 	// we manually add a folder to make sure we do not delete user data.
-	Outpath:   path.Join(GetEnvOr("GOCODER_CACHE_ROOT", "/cache"), "kyoo_cache"),
-	SafePath:  GetEnvOr("GOCODER_SAFE_PATH", "/video"),
-	JwksUrl:   GetEnvOr("JWKS_URL", "http://auth:4568/.well-known/jwks.json"),
-	JwtIssuer: GetEnvOr("JWT_ISSUER", "http://localhost:8901"),
-	HwAccel:   DetectHardwareAccel(),
+	Outpath:  path.Join(GetEnvOr("GOCODER_CACHE_ROOT", "/cache"), "kyoo_cache"),
+	SafePath: GetEnvOr("GOCODER_SAFE_PATH", "/video"),
+	JwksUrl:  GetEnvOr("JWKS_URL", "http://auth:4568/.well-known/jwks.json"),
+	HwAccel:  DetectHardwareAccel(),
 }