use rsa key for jwt #27
Conversation
Codecov Report
@@ Coverage Diff @@
## master #27 +/- ##
=========================================
- Coverage 37.28% 33.5% -3.79%
=========================================
Files 9 13 +4
Lines 692 991 +299
=========================================
+ Hits 258 332 +74
- Misses 400 622 +222
- Partials 34 37 +3
Continue to review full report at Codecov.
|
|
So, I advice against this because... :) First off, your key would be visible in your bash history even if it's a dev environment that would be a bad idea. Unless you would like to use a vault and pass in an environment property which is a hassle. Second, the signing should happen via a public / private key-pair to be honest rather than a passed in OR generated jws key. So instead of doing this, try focusing on a key exchange solution? |
|
I can also add an environment variable for the key. Also why not support both a key and a public/private key-pair? If someone wants to spin up gaia just to try out or quickly dev with having to first generate a keypair is kinda annoying. |
|
Because providing the ability to circumvent security because of convenience is just asking for people to use it in production and they definitely will because it's easier. :) Instead do this:
Shouldn't be too difficult and would remove the need for yet another flag. EDIT jwt-go already provides examples and you can use |
|
Ok, no problem. I can make those changes later today. |
...
privateKey, _ := ioutil.ReadFile(privateKeyPath)
signKey, _ = jwt.ParseRSAPrivateKeyFromPEM(privateKey)
...
tokenString, err := t.SignedString(signKey)
...Something like this should work juuuust nicely. :) with err handling ofc. :P |
|
Yup, that's what I was planning. |
|
Cool. And here https://github.com/gaia-pipeline/gaia/blob/master/handlers/handler.go#L144 you can use the opposite ParseRSAPublicKeyFromPEM. Alright, I shuddup. It's just an interesting PR. :) |
|
Thanks a lot @rmb938 for your contribution. 🤗 I personally think that the initial startup of Gaia should be easy and simple. So what do you think about providing a parameter to set a public/private key and if this parameter is empty we generate a token (like we do it now). Do you think this is still an security issue? 😉 |
|
Yup that makes sense. What do you think about printing a warning message if the auto generated key is being used? That way users know they messed up something if they actually wanted to use a private key. |
|
@rmb938 @michelvocks Sounds cool! 👍 |
|
Awesome! 🤗 |
rmb938
changed the title
|
@michelvocks How does that look? |
| if _, ok := gaia.Cfg.JWTKey.(*rsa.PrivateKey); !ok { | ||
| return nil, signingMethodError | ||
| } | ||
| return gaia.Cfg.JWTKey.(*rsa.PrivateKey).Public(), nil |
There was a problem hiding this comment.
Oh cool, you can do .Public. Nice.
|
This is looking good. :) You'll have to write tests though. ;) :) |
if not given will auto-generate a HMAC key
|
@Skarlso @michelvocks Added tests for everything I added so we should be good to go :) |
|
Looking good! Good job with the tests! 👍 :) |
|
@rmb938 can you have a short look at my review comment? Would be nice if you could change this one thing. |
cmd/gaia/main.go
Outdated
| @@ -16,7 +20,8 @@ import ( | |||
| ) | |||
|
|
|||
| var ( | |||
| echoInstance *echo.Echo | |||
| echoInstance *echo.Echo | |||
| jwtPrivateKeyPath string | |||
There was a problem hiding this comment.
Do me a favor and move this variable to the gaia.Cfg struct.
I think it's a bit more tidy and makes more sense (in my opinion). 😄
Fixes #26