supabase / auth / 10113179755
67%

DEFAULT BRANCH: master
Ran
Jobs 1
Files 127
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 58.131% (+0.1%) from 58.001%
10113179755

push

github

web-flow 
feat: add asymmetric jwt support (#1674)

## What kind of change does this PR introduce?
* Adds asymmetric JWT support to auth, with zero downtime key rotation

## What is the current behavior?
* Auth only supports symmetric JWTs which involves some downtime if the
key needs to be rolled

## What is the new behavior?

### Config changes
* Accepts a new env var `GOTRUE_JWT_KEYS` which takes in an array of JWK
* The private key is encoded as a JWK that contains the kid, use and alg
claims
* Defaults to use `GOTRUE_JWT_SECRET` and `GOTRUE_JWT_KEY_ID` if
`GOTRUE_JWT_KEYS` is missing, which is just the JWK representation of
the symmetric secret
* On config initialisation, `GOTRUE_JWT_KEYS` is transformed and stored
as JWKs in-memory.
* We use the `key_ops` claim in the JWK and to detect if they should be
used to sign or verify a JWT (see
[RFC](https://datatracker.ietf.org/doc/html/rfc7517#section-4.2))
* All JWKs represented as public keys will have the `key_ops` claim set
to `["verify"]`, while the JWK represented as private keys will have the
`key_ops` claim set to `["sign", "verify"]` if it is used for signing

### Endpoint
* `GET /.well-known/jwks.json`: returns the JWKs for the auth service.
Given the following config (generated from [this
script](https://gist.github.com/kangmingtay/a1c83d9e1ea1f398d9388e2188deab2b)):
```bash
GOTRUE_JWT_KEYS='[{"kty":"oct","k":"KtxwCvCPABNiOmUBij2_uzlO8FM477lO1zpe_E6nQhE","kid":"81763ee4-803e-4420-bed2-6849ef963262","key_ops":["verify"],"alg":"HS256"},{"kty":"RSA","n":"htA_Lzcc3qojwvcrF1JU6yPPRLvxvCp8x3tx_lCO6GyBFktE6HLsIHEpcWfvkiJfwxMZ4npn2CWI4rjjNbT2BHqax7CUOgGFATNZe13kTukx8SUQY3GHCIzPiN39oc55HcMBB_u4sLQBFD3RUCEcLqrlvwYRcTuCY317Xyn3j1YZogZ9gm6fY70v0Sj2hxLxtURr0UQurqhqRqUbXcujI6x3JqKKuk4-1o_K6J8j97hj4AcGMjRgmyi7G_7jM9hZG2SPJiFP7kbCpU1iT0rYYZptxVNUpWe6u5kg6onzXUE_s7Wu64YT7FE7xIFLg9MUrohBqWqrOjmF4IqTaU95Nw","e":"AQAB","d":"CM6rChEeLDfOTUrrgEMLNC9rN5DVupbF_xxD9rrZkzqfdk7lihAT-AycigGhx5jCS9L... (continued)

130 of 182 new or added lines in 6 files covered. (71.43%)

3 existing lines in 2 files now uncovered.

8937 of 15374 relevant lines covered (58.13%)

55.17 hits per line

New Missed Lines in Diff

Lines Coverage File
1
74.51
 1.11% internal/api/auth.go
1
92.31
 internal/api/jwks.go
5
72.83
 0.04% internal/api/token.go
12
72.71
 -0.19% internal/conf/configuration.go
33
66.33
 internal/conf/jwk.go

Uncovered Existing Lines

Lines Coverage File
1
72.83
 0.04% internal/api/token.go
2
80.07
 -0.74% internal/api/middleware.go
Jobs
ID Job ID Ran Files Coverage
1 10113179755.1 127
58.13
 GitHub Action Run
Source Files on build 10113179755