
Commit 11fea2e

authored
fix: use hardcoded signing key (#4693)
1 parent 2648482 commit 11fea2e

3 files changed

Lines changed: 16 additions & 23 deletions


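--- a/internal/gen/bearerjwt/bearerjwt.go
+++ b/internal/gen/bearerjwt/bearerjwt.go
@@ -35,11 +35,14 @@ func Run(ctx context.Context, claims jwt.Claims, w io.Writer, fsys afero.Fs) err
 func getSigningKey(ctx context.Context) (*config.JWK, error) {
 	console := utils.NewConsole()
 	if len(utils.Config.Auth.SigningKeysPath) == 0 {
-		title := "Enter your signing key in JWK format: "
+		title := "Enter your signing key in JWK format (or leave blank to use local default): "
 		kid, err := console.PromptText(ctx, title)
 		if err != nil {
 			return nil, err
 		}
+		if len(kid) == 0 && len(utils.Config.Auth.SigningKeys) > 0 {
+			return &utils.Config.Auth.SigningKeys[0], nil
+		}
 		key := config.JWK{}
 		if err := json.Unmarshal([]byte(kid), &key); err != nil {
 			return nil, errors.Errorf("failed to parse JWK: %w", err)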
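Review bot: The blank-input branch returns `utils.Config.Auth.SigningKeys[0]` without telling the user what that key is, and with this commit the default entry is the fixed key declared in config.go, so the token produced here is signed with material that is public. The fallback deserves a comment at the point of use, e.g. `// Blank input falls back to the checked-in development key; tokens signed with it must not be trusted outside a local stack.`, and, if the console type offers a way to print, a one-line warning before the return. When `SigningKeys` is also empty the blank string falls through to `json.Unmarshal`, which reports a generic parse error; a direct `return nil, errors.Errorf("no signing key configured")` in that case would name the real problem. getSigningKey continues past the end of the hunk.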

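--- a/pkg/config/apikeys.go
+++ b/pkg/config/apikeys.go
@@ -4,16 +4,13 @@ import (
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
-	"crypto/rand"
 	"crypto/rsa"
 	"encoding/base64"
 	"math/big"
 	"time"
 
 	"github.com/go-errors/errors"
 	"github.com/golang-jwt/jwt/v5"
-	"github.com/google/uuid"
-	"github.com/supabase/cli/pkg/cast"
 )
 
 const (
@@ -49,25 +46,6 @@ func (a *auth) generateAPIKeys() error {
 	} else if len(a.JwtSecret.Value) < 16 {
 		return errors.Errorf("Invalid config for auth.jwt_secret. Must be at least 16 characters")
 	}
-	// Generate default signing key (P-256 curve for ES256)
-	if len(a.SigningKeysPath) == 0 {
-		privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-		if err != nil {
-			return errors.Errorf("failed to generate ECDSA key: %w", err)
-		}
-		a.SigningKeys = append(a.SigningKeys, JWK{
-			KeyType: "EC",
-			KeyID: uuid.New().String(),
-			Use: "sig",
-			KeyOps: []string{"sign", "verify"},
-			Algorithm: "ES256",
-			Extractable: cast.Ptr(true),
-			Curve: "P-256",
-			X: base64.RawURLEncoding.EncodeToString(privateKey.PublicKey.X.Bytes()),
-			Y: base64.RawURLEncoding.EncodeToString(privateKey.PublicKey.Y.Bytes()),
-			PrivateExponent: base64.RawURLEncoding.EncodeToString(privateKey.D.Bytes()),
-		})
-	}
 	// Generate anon key if not provided
 	if len(a.AnonKey.Value) == 0 {
 		signed, err := a.generateJWT("anon")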

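--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -386,6 +386,18 @@ func NewConfig(editors ...ConfigEditor) config {
 				TestOTP: map[string]string{},
 			},
 			External: map[string]provider{},
+			SigningKeys: []JWK{{
+				KeyType: "EC",
+				KeyID: "b81269f1-21d8-4f2e-b719-c2240a840d90",
+				Use: "sig",
+				KeyOps: []string{"sign", "verify"},
+				Algorithm: "ES256",
+				Extractable: cast.Ptr(true),
+				Curve: "P-256",
+				X: "M5Sjqn5zwC9Kl1zVfUUGvv9boQjCGd45G8sdopBExB4",
+				Y: "P6IXMvA2WYXSHSOMTBH2jsw_9rrzGy89FjPf6oOsIxQ",
+				PrivateExponent: "dIhR8wywJlqlua4y_yMq2SLhlFXDZJBCvFrY1DCHyVU",
+			}},
 		},
 		Inbucket: inbucket{
 			Image: Images.Inbucket,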
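Review bot: `SigningKeys` now carries a complete ES256 private key — `PrivateExponent` included — in the default config, and nothing at the declaration says the key is public. Every copy of the CLI signs with the same key, so any JWT it issues can be minted by anyone who reads the repository and a token from one local project verifies on every other; the per-install key the removed code in apikeys.go generated did not have that property. Add a comment above the field such as `// Well-known development-only key: the private exponent is public, so tokens signed with it are forgeable; set SigningKeysPath for any non-local deployment.` Because the `kid` `b81269f1-21d8-4f2e-b719-c2240a840d90` is now fixed, operators can check that it never appears in a non-local JWKS, and a startup check that rejects this key outside local mode would be stronger if the config can tell which environment it is in. The enclosing NewConfig literal continues outside the hunk.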
