Mathis/lemma
1
0
Fork 0
mirror of https://github.com/lordmathis/lemma.git synced 2025-11-05 15:44:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

Load or generate signing key from file

Browse Source
This commit is contained in:
Matúš Námešný
2025-10-11 20:55:44 +02:00
parent c0bcb3069b
commit 8920027a9c
6 changed files with 187 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

82
server/internal/secrets/jwt_key.go Normal file
View File

@@ -0,0 +1,82 @@
package secrets
import (
"crypto/rand"
"encoding/base64"
"fmt"
"os"
"path/filepath"
)
const (
// JWTKeyBytes is the size of the JWT signing key in bytes (256 bits)
JWTKeyBytes = 32
// JWTKeyFile is the filename for the JWT signing key
JWTKeyFile = "jwt_signing_key"
// JWTKeyPerm is the file permission for the JWT signing key (owner read/write only)
JWTKeyPerm = 0600
)
// EnsureJWTSigningKey ensures a JWT signing key exists in the secrets directory.
// If no key exists, it generates and stores a new one with restrictive permissions.
// Returns the base64-encoded signing key.
func EnsureJWTSigningKey(secretsDir string) (string, error) {
log := getLogger()
// Ensure the secrets directory exists with restrictive permissions
if err := os.MkdirAll(secretsDir, 0700); err != nil {
return "", fmt.Errorf("failed to create secrets directory: %w", err)
}
keyPath := filepath.Join(secretsDir, JWTKeyFile)
// Check if the key file already exists
if _, err := os.Stat(keyPath); err == nil {
// Key file exists, read it
keyBytes, err := os.ReadFile(keyPath)
if err != nil {
return "", fmt.Errorf("failed to read JWT signing key: %w", err)
}
key := string(keyBytes)
if key == "" {
return "", fmt.Errorf("JWT signing key file is empty")
}
log.Debug("loaded existing JWT signing key from file")
return key, nil
}
// Key file doesn't exist, generate a new key
log.Info("generating new JWT signing key")
key, err := generateJWTSigningKey()
if err != nil {
return "", fmt.Errorf("failed to generate JWT signing key: %w", err)
}
// Write the key to the file with restrictive permissions
if err := os.WriteFile(keyPath, []byte(key), JWTKeyPerm); err != nil {
return "", fmt.Errorf("failed to write JWT signing key: %w", err)
}
// Double-check permissions (some systems might ignore mode in WriteFile)
if err := os.Chmod(keyPath, JWTKeyPerm); err != nil {
return "", fmt.Errorf("failed to set JWT signing key permissions: %w", err)
}
log.Info("JWT signing key generated and stored", "path", keyPath)
return key, nil
}
// generateJWTSigningKey generates a cryptographically secure random signing key
func generateJWTSigningKey() (string, error) {
keyBytes := make([]byte, JWTKeyBytes)
if _, err := rand.Read(keyBytes); err != nil {
return "", fmt.Errorf("failed to generate random bytes: %w", err)
}
// Encode to base64 for easy storage and handling
key := base64.StdEncoding.EncodeToString(keyBytes)
return key, nil
}