Merge pull request #60 from AgentWorkforce/migration/relayfile-phase2-remove-hs256

migration(auth): remove HS256 path + JWTSecret config (phase 2)

Author: khaliqgant

cmd/relayfile/main.go

@@ -45,9 +45,7 @@ func main() {
 		ExternalWritebackMode:  boolEnv("RELAYFILE_EXTERNAL_WRITEBACK", true),
 	})
 	server, err := httpapi.NewServerWithConfig(store, httpapi.ServerConfig{
-		JWTSecret:          os.Getenv("RELAYFILE_JWT_SECRET"),
 		JWKSURL:            strings.TrimSpace(os.Getenv("RELAYAUTH_JWKS_URL")),
-		AcceptHS256:        !strings.EqualFold(strings.TrimSpace(os.Getenv("RELAYFILE_VERIFIER_ACCEPT_HS256")), "false"),
 		InternalHMACSecret: os.Getenv("RELAYFILE_INTERNAL_HMAC_SECRET"),
 		InternalMaxSkew:    durationEnv("RELAYFILE_INTERNAL_MAX_SKEW", 5*time.Minute),
 		RateLimitMax:       intEnv("RELAYFILE_RATE_LIMIT_MAX", 0),

internal/httpapi/auth.go

@@ -20,12 +20,13 @@ import (
 )
 
 const (
-	defaultRelayAuthJWKSURL = "https://api.relayauth.dev/.well-known/jwks.json"
 	defaultJWKSFetchTimeout = 5 * time.Second
 	jwksCacheTTL            = 5 * time.Minute
 	jwksStaleGraceWindow    = time.Minute
 )
 
+var defaultRelayAuthJWKSURL = "https://api.relayauth.dev/.well-known/jwks.json"
+
 type authError struct {
 	status  int
 	code    string
@@ -44,8 +45,6 @@ type tokenClaims struct {
 }
 
 type bearerVerifier struct {
-	jwtSecret        string
-	acceptHS256      bool
 	jwksURL          string
 	jwksFetchTimeout time.Duration
 	jwksCache        *jwksCache
@@ -76,8 +75,6 @@ type jwkKey struct {
 
 func newBearerVerifier(cfg ServerConfig) *bearerVerifier {
 	return &bearerVerifier{
-		jwtSecret:        cfg.JWTSecret,
-		acceptHS256:      cfg.AcceptHS256,
 		jwksURL:          cfg.JWKSURL,
 		jwksFetchTimeout: cfg.JWKSFetchTimeout,
 		jwksCache: &jwksCache{
@@ -161,16 +158,6 @@ func parseBearer(authHeader string, verifier *bearerVerifier, now time.Time) (to
 
 	signingInput := parts[0] + "." + parts[1]
 	switch header.Alg {
-	case "HS256":
-		if !verifier.acceptHS256 {
-			return tokenClaims{}, &authError{status: 401, code: "unauthorized", message: "hs256 disabled"}
-		}
-		mac := hmac.New(sha256.New, []byte(verifier.jwtSecret))
-		_, _ = mac.Write([]byte(signingInput))
-		expected := mac.Sum(nil)
-		if !hmac.Equal(sigBytes, expected) {
-			return tokenClaims{}, &authError{status: 401, code: "unauthorized", message: "jwt signature mismatch"}
-		}
 	case "RS256":
 		publicKey, authErr := verifier.lookupRSAPublicKey(header.Kid, now)
 		if authErr != nil {

internal/httpapi/auth_test.go

@@ -2,7 +2,6 @@ package httpapi
 
 import (
 	"crypto"
-	"crypto/hmac"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha256"
@@ -285,60 +284,21 @@ func TestParseBearerRS256ExpiredToken(t *testing.T) {
 	}
 }
 
-func TestParseBearerHS256AcceptedWhenEnabled(t *testing.T) {
-	t.Parallel()
-
-	now := time.Now().UTC()
-	token := mustTestHS256JWT(t, "test-secret", map[string]any{
-		"workspace_id": "ws-hs",
-		"agent_name":   "LegacyWorker",
-		"scopes":       []string{"fs:read"},
-		"exp":          now.Add(time.Hour).Unix(),
-		"aud":          "relayfile",
-	})
-
-	claims, authErr := parseBearer("Bearer "+token, newBearerVerifier(ServerConfig{
-		JWTSecret:   "test-secret",
-		AcceptHS256: true,
-	}), now)
-	if authErr != nil {
-		t.Fatalf("parseBearer returned auth error: %+v", authErr)
-	}
-	if claims.WorkspaceID != "ws-hs" || claims.AgentName != "LegacyWorker" {
-		t.Fatalf("unexpected claims: %+v", claims)
-	}
-}
-
-func TestParseBearerHS256RejectedWhenDisabled(t *testing.T) {
-	t.Parallel()
-
-	now := time.Now().UTC()
-	token := mustTestHS256JWT(t, "test-secret", map[string]any{
-		"workspace_id": "ws-hs",
-		"agent_name":   "LegacyWorker",
-		"scopes":       []string{"fs:read"},
-		"exp":          now.Add(time.Hour).Unix(),
-		"aud":          "relayfile",
-	})
-
-	_, authErr := parseBearer("Bearer "+token, newBearerVerifier(ServerConfig{
-		JWTSecret: "test-secret",
-	}), now)
-	if authErr == nil {
-		t.Fatal("expected auth error when HS256 is disabled")
-	}
-	if authErr.message != "hs256 disabled" {
-		t.Fatalf("expected hs256 disabled message, got %q", authErr.message)
-	}
-}
-
 func TestParseBearerClaimNormalization(t *testing.T) {
 	t.Parallel()
 
 	now := time.Now().UTC()
+	privateKey := mustRSATestKey(t)
+	jwksServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		_ = json.NewEncoder(w).Encode(jwksDocument{
+			Keys: []jwkKey{mustRSATestJWK("kid-1", &privateKey.PublicKey)},
+		})
+	}))
+	defer jwksServer.Close()
+
 	verifier := newBearerVerifier(ServerConfig{
-		JWTSecret:   "test-secret",
-		AcceptHS256: true,
+		JWKSURL:          jwksServer.URL,
+		JWKSFetchTimeout: time.Second,
 	})
 
 	tests := []struct {
@@ -390,9 +350,7 @@ func TestParseBearerClaimNormalization(t *testing.T) {
 	for _, tt := range tests {
 		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-
-			token := mustTestHS256JWT(t, "test-secret", tt.payload)
+			token := mustTestRS256JWT(t, privateKey, "kid-1", tt.payload)
 			claims, authErr := parseBearer("Bearer "+token, verifier, now)
 			if authErr != nil {
 				t.Fatalf("parseBearer returned auth error: %+v", authErr)
@@ -515,19 +473,6 @@ func mustRSATestKey(t *testing.T) *rsa.PrivateKey {
 	return privateKey
 }
 
-func mustTestHS256JWT(t *testing.T, secret string, payload map[string]any) string {
-	t.Helper()
-
-	return mustTestJWTWithClaims(t, map[string]any{
-		"alg": "HS256",
-		"typ": "JWT",
-	}, payload, func(signingInput string) []byte {
-		mac := hmac.New(sha256.New, []byte(secret))
-		_, _ = mac.Write([]byte(signingInput))
-		return mac.Sum(nil)
-	})
-}
-
 func mustTestRS256JWT(t *testing.T, privateKey *rsa.PrivateKey, kid string, payload map[string]any) string {
 	t.Helper()
 

internal/httpapi/server.go

@@ -22,9 +22,7 @@ import (
 )
 
 type ServerConfig struct {
-	JWTSecret          string
 	JWKSURL            string
-	AcceptHS256        bool
 	JWKSFetchTimeout   time.Duration
 	InternalHMACSecret string
 	InternalMaxSkew    time.Duration
@@ -55,30 +53,20 @@ type rateEntry struct {
 }
 
 func NewServer(store *relayfile.Store) *Server {
-	server, err := NewServerWithConfig(store, ServerConfig{
-		JWTSecret:   "dev-secret",
-		AcceptHS256: true,
-	})
+	server, err := NewServerWithConfig(store, ServerConfig{})
 	if err != nil {
 		panic(err)
 	}
-	log.Println("WARNING: using default JWTSecret — set a strong secret via configuration for production use")
 	return server
 }
 
 func NewServerWithConfig(store *relayfile.Store, cfg ServerConfig) (*Server, error) {
-	if !cfg.AcceptHS256 && cfg.JWTSecret == "" && cfg.JWKSURL == "" && cfg.JWKSFetchTimeout == 0 {
-		cfg.AcceptHS256 = true
-	}
 	if cfg.JWKSURL == "" {
 		cfg.JWKSURL = defaultRelayAuthJWKSURL
 	}
 	if cfg.JWKSFetchTimeout <= 0 {
 		cfg.JWKSFetchTimeout = defaultJWKSFetchTimeout
 	}
-	if cfg.AcceptHS256 && cfg.JWTSecret == "" {
-		return nil, fmt.Errorf("RELAYFILE_JWT_SECRET is required when RELAYFILE_VERIFIER_ACCEPT_HS256 is not false")
-	}
 	if cfg.InternalHMACSecret == "" {
 		cfg.InternalHMACSecret = "dev-internal-secret"
 		log.Println("WARNING: using default InternalHMACSecret — set a strong secret via configuration for production use")

internal/httpapi/server_test.go

@@ -656,8 +656,6 @@ func TestForkTreeMergesParentOverlayWritesAndDeletes(t *testing.T) {
 
 func TestWriteFilePayloadTooLarge(t *testing.T) {
 	server := mustNewServerWithConfig(t, relayfile.NewStore(), ServerConfig{
-		JWTSecret:    "dev-secret",
-		AcceptHS256:  true,
 		MaxBodyBytes: 128,
 	})
 	token := mustTestJWT(t, "dev-secret", "ws_payload_limit", "Worker1", []string{"fs:write"}, time.Now().Add(time.Hour))
@@ -687,10 +685,7 @@ func TestWriteFilePayloadTooLarge(t *testing.T) {
 }
 
 func TestBinaryEncodingRoundTripAndExport(t *testing.T) {
-	server := mustNewServerWithConfig(t, relayfile.NewStoreWithOptions(relayfile.StoreOptions{DisableWorkers: true}), ServerConfig{
-		JWTSecret:   "dev-secret",
-		AcceptHS256: true,
-	})
+	server := mustNewServerWithConfig(t, relayfile.NewStoreWithOptions(relayfile.StoreOptions{DisableWorkers: true}), ServerConfig{})
 	token := mustTestJWT(t, "dev-secret", "ws_binary", "Worker1", []string{"fs:read", "fs:write"}, time.Now().Add(time.Hour))
 	encoded := base64.StdEncoding.EncodeToString([]byte{0x00, 0x7f, 0xff, 0x10})
 
@@ -2326,8 +2321,6 @@ func TestInternalWebhookIngressHMAC(t *testing.T) {
 
 func TestInternalWebhookIngressPayloadTooLarge(t *testing.T) {
 	server := mustNewServerWithConfig(t, relayfile.NewStore(), ServerConfig{
-		JWTSecret:          "dev-secret",
-		AcceptHS256:        true,
 		InternalHMACSecret: "dev-internal-secret",
 		MaxBodyBytes:       256,
 	})
@@ -4605,8 +4598,6 @@ func TestInternalIngressAppliesToFilesystemAPI(t *testing.T) {
 
 func TestRateLimitingByWorkspaceAndAgent(t *testing.T) {
 	server := mustNewServerWithConfig(t, relayfile.NewStore(), ServerConfig{
-		JWTSecret:          "dev-secret",
-		AcceptHS256:        true,
 		InternalHMACSecret: "dev-internal-secret",
 		RateLimitMax:       2,
 		RateLimitWindow:    time.Minute,
@@ -5482,33 +5473,17 @@ func mustTestJWTWithAudience(t *testing.T, secret, workspaceID, agentName string
 
 func mustTestJWTWithAudienceClaim(t *testing.T, secret, workspaceID, agentName string, scopes []string, aud any, exp time.Time) string {
 	t.Helper()
-	headerBytes, err := json.Marshal(map[string]any{
-		"alg": "HS256",
-		"typ": "JWT",
-	})
-	if err != nil {
-		t.Fatalf("marshal jwt header: %v", err)
-	}
-	payloadBytes, err := json.Marshal(map[string]any{
+	_ = secret
+
+	return mustTestRS256JWT(t, testBearerPrivateKey, testBearerJWTKID, map[string]any{
+		"wks":          workspaceID,
 		"workspace_id": workspaceID,
+		"sub":          agentName,
 		"agent_name":   agentName,
 		"scopes":       scopes,
 		"exp":          exp.Unix(),
 		"aud":          aud,
 	})
-	if err != nil {
-		t.Fatalf("marshal jwt payload: %v", err)
-	}
-	h := base64.RawURLEncoding.EncodeToString(headerBytes)
-	p := base64.RawURLEncoding.EncodeToString(payloadBytes)
-	signingInput := h + "." + p
-	sig := mustHMAC(secret, signingInput)
-	sigBytes, err := hexToBytes(sig)
-	if err != nil {
-		t.Fatalf("decode signature: %v", err)
-	}
-	jwtSig := base64.RawURLEncoding.EncodeToString(sigBytes)
-	return signingInput + "." + jwtSig
 }
 
 func mustHMAC(secret, data string) string {
@@ -5517,32 +5492,6 @@ func mustHMAC(secret, data string) string {
 	return fmt.Sprintf("%x", mac.Sum(nil))
 }
 
-func hexToBytes(h string) ([]byte, error) {
-	if len(h)%2 != 0 {
-		return nil, fmt.Errorf("invalid hex")
-	}
-	out := make([]byte, len(h)/2)
-	for i := 0; i < len(h); i += 2 {
-		var b byte
-		for j := 0; j < 2; j++ {
-			ch := h[i+j]
-			b <<= 4
-			switch {
-			case ch >= '0' && ch <= '9':
-				b |= ch - '0'
-			case ch >= 'a' && ch <= 'f':
-				b |= ch - 'a' + 10
-			case ch >= 'A' && ch <= 'F':
-				b |= ch - 'A' + 10
-			default:
-				return nil, fmt.Errorf("invalid hex char")
-			}
-		}
-		out[i/2] = b
-	}
-	return out, nil
-}
-
 type serverFailingAdapter struct {
 	provider string
 }

internal/httpapi/test_jwks_test.go

@@ -0,0 +1,38 @@
+package httpapi
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"testing"
+)
+
+const testBearerJWTKID = "test-bearer-kid"
+
+var testBearerPrivateKey *rsa.PrivateKey
+
+func TestMain(m *testing.M) {
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		panic(err)
+	}
+	testBearerPrivateKey = privateKey
+
+	jwksServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		_ = json.NewEncoder(w).Encode(jwksDocument{
+			Keys: []jwkKey{mustRSATestJWK(testBearerJWTKID, &privateKey.PublicKey)},
+		})
+	}))
+
+	prevDefaultJWKSURL := defaultRelayAuthJWKSURL
+	defaultRelayAuthJWKSURL = jwksServer.URL
+
+	code := m.Run()
+
+	defaultRelayAuthJWKSURL = prevDefaultJWKSURL
+	jwksServer.Close()
+	os.Exit(code)
+}