feature: RS256 JWT signature

* feature: First user as superadmin
* enhancement: Add Kaigara to the Dockerfile
* enhancement: Add .drone.yml w/ Docker build

Author: Danylo Patsora

.drone.yml

@@ -0,0 +1,26 @@
+---
+type: docker
+kind: pipeline
+name: "Main"
+
+steps:
+  - name: Docker build Git SHA
+    image: plugins/docker:20
+    pull: if-not-exists
+    environment:
+      DOCKER_BUILDKIT: 1
+    settings:
+      username:
+        from_secret: quay_username
+      password:
+        from_secret: quay_password
+      repo: quay.io/openware/gotrue
+      registry: quay.io
+      tag: ${DRONE_COMMIT:0:7}
+      purge: false
+    when:
+      event:
+        - push
+      branch:
+        - stable/ow
+        - feature/asymmetric-auth

Dockerfile

@@ -3,7 +3,7 @@ ENV GO111MODULE=on
 ENV CGO_ENABLED=0
 ENV GOOS=linux
 
-RUN apk add --no-cache make git
+RUN apk add --no-cache make git  curl
 
 WORKDIR /go/src/github.com/netlify/gotrue
 
@@ -15,11 +15,16 @@ RUN make deps
 COPY . /go/src/github.com/netlify/gotrue
 RUN make build
 
+ARG KAIGARA_VERSION=v1.0.10
+RUN curl -Lo ./kaigara  https://github.com/openware/kaigara/releases/download/${KAIGARA_VERSION}/kaigara \
+  && chmod +x ./kaigara
+
 FROM alpine:3.17
 RUN adduser -D -u 1000 netlify
 
 RUN apk add --no-cache ca-certificates
 COPY --from=build /go/src/github.com/netlify/gotrue/gotrue /usr/local/bin/gotrue
+COPY --from=build /go/src/github.com/netlify/gotrue/kaigara /usr/local/bin/kaigara
 COPY --from=build /go/src/github.com/netlify/gotrue/migrations /usr/local/etc/gotrue/migrations/
 
 ENV GOTRUE_DB_MIGRATIONS_PATH /usr/local/etc/gotrue/migrations

README.md

@@ -395,13 +395,17 @@ by default.
 
 ```properties
 GOTRUE_JWT_SECRET=supersecretvalue
+GOTRUE_JWT_ALGORITHM=RS256
 GOTRUE_JWT_EXP=3600
 GOTRUE_JWT_AUD=netlify
 ```
+`JWT_ALGORITHM` - `string`
+
+The signing algorithm for the JWT. Defaults to HS256.
 
 `JWT_SECRET` - `string` **required**
 
-The secret used to sign JWT tokens with.
+The secret used to sign JWT tokens with. If signing alogrithm is RS256, secret has to be Base64 encoded RSA private key.
 
 `JWT_EXP` - `number`
 

api/admin_test.go

@@ -11,11 +11,12 @@ import (
 	"time"
 
 	jwt "github.com/golang-jwt/jwt"
-	"github.com/netlify/gotrue/conf"
-	"github.com/netlify/gotrue/models"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/stretchr/testify/suite"
+
+	"github.com/netlify/gotrue/conf"
+	"github.com/netlify/gotrue/models"
 )
 
 type AdminTestSuite struct {

api/api.go

@@ -9,13 +9,16 @@ import (
 	"github.com/didip/tollbooth/v5"
 	"github.com/didip/tollbooth/v5/limiter"
 	"github.com/go-chi/chi"
+	"github.com/sirupsen/logrus"
+
 	"github.com/netlify/gotrue/conf"
-	"github.com/netlify/gotrue/mailer"
-	"github.com/netlify/gotrue/observability"
 	"github.com/netlify/gotrue/storage"
+
 	"github.com/rs/cors"
 	"github.com/sebest/xff"
-	"github.com/sirupsen/logrus"
+
+	"github.com/netlify/gotrue/mailer"
+	"github.com/netlify/gotrue/observability"
 )
 
 const (

api/audit_test.go

@@ -9,11 +9,12 @@ import (
 	"time"
 
 	jwt "github.com/golang-jwt/jwt"
-	"github.com/netlify/gotrue/conf"
-	"github.com/netlify/gotrue/models"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/stretchr/testify/suite"
+
+	"github.com/netlify/gotrue/conf"
+	"github.com/netlify/gotrue/models"
 )
 
 type AuditTestSuite struct {
@@ -49,12 +50,12 @@ func (ts *AuditTestSuite) makeSuperAdmin(email string) string {
 	u.Role = "supabase_admin"
 
 	var token string
-	token, err = generateAccessToken(ts.API.db, u, nil, time.Second*time.Duration(ts.Config.JWT.Exp), ts.Config.JWT.Secret)
+	token, err = generateAccessToken(ts.API.db, u, nil, time.Second*time.Duration(ts.Config.JWT.Exp), ts.Config.JWT.GetSigningMethod(), ts.Config.JWT.GetSigningKey())
 	require.NoError(ts.T(), err, "Error generating access token")
 
 	p := jwt.Parser{ValidMethods: []string{jwt.SigningMethodHS256.Name}}
 	_, err = p.Parse(token, func(token *jwt.Token) (interface{}, error) {
-		return []byte(ts.Config.JWT.Secret), nil
+		return ts.Config.JWT.GetVerificationKey(), nil
 	})
 	require.NoError(ts.T(), err, "Error parsing token")
 

api/auth.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/gofrs/uuid"
 	jwt "github.com/golang-jwt/jwt"
+
 	"github.com/netlify/gotrue/models"
 	"github.com/netlify/gotrue/storage"
 )
@@ -68,9 +69,9 @@ func (a *API) parseJWTClaims(bearer string, r *http.Request) (context.Context, e
 	ctx := r.Context()
 	config := a.config
 
-	p := jwt.Parser{ValidMethods: []string{jwt.SigningMethodHS256.Name}}
+	p := jwt.Parser{ValidMethods: []string{config.JWT.Algorithm}}
 	token, err := p.ParseWithClaims(bearer, &GoTrueClaims{}, func(token *jwt.Token) (interface{}, error) {
-		return []byte(config.JWT.Secret), nil
+		return config.JWT.GetVerificationKey(), nil
 	})
 	if err != nil {
 		return nil, unauthorizedError("invalid JWT: unable to parse or verify signature, %v", err)

api/external.go

@@ -65,7 +65,7 @@ func (a *API) ExternalProviderRedirect(w http.ResponseWriter, r *http.Request) e
 	log := observability.GetLogEntry(r)
 	log.WithField("provider", providerType).Info("Redirecting to external provider")
 
-	token := jwt.NewWithClaims(jwt.SigningMethodHS256, ExternalProviderClaims{
+	token := jwt.NewWithClaims(config.JWT.GetSigningMethod(), ExternalProviderClaims{
 		NetlifyMicroserviceClaims: NetlifyMicroserviceClaims{
 			StandardClaims: jwt.StandardClaims{
 				ExpiresAt: time.Now().Add(5 * time.Minute).Unix(),
@@ -77,7 +77,7 @@ func (a *API) ExternalProviderRedirect(w http.ResponseWriter, r *http.Request) e
 		InviteToken: inviteToken,
 		Referrer:    redirectURL,
 	})
-	tokenString, err := token.SignedString([]byte(config.JWT.Secret))
+	tokenString, err := token.SignedString(config.JWT.GetSigningKey())
 	if err != nil {
 		return internalServerError("Error creating state").WithInternalError(err)
 	}
@@ -424,9 +424,9 @@ func (a *API) processInvite(r *http.Request, ctx context.Context, tx *storage.Co
 func (a *API) loadExternalState(ctx context.Context, state string) (context.Context, error) {
 	config := a.config
 	claims := ExternalProviderClaims{}
-	p := jwt.Parser{ValidMethods: []string{jwt.SigningMethodHS256.Name}}
+	p := jwt.Parser{ValidMethods: []string{config.JWT.Algorithm}}
 	_, err := p.ParseWithClaims(state, &claims, func(token *jwt.Token) (interface{}, error) {
-		return []byte(config.JWT.Secret), nil
+		return config.JWT.GetVerificationKey(), nil
 	})
 	if err != nil || claims.Provider == "" {
 		return nil, badRequestError("OAuth state is invalid: %v", err)

api/external_apple_test.go

@@ -24,7 +24,7 @@ func (ts *ExternalTestSuite) TestSignupExternalApple() {
 	claims := ExternalProviderClaims{}
 	p := jwt.Parser{ValidMethods: []string{jwt.SigningMethodHS256.Name}}
 	_, err = p.ParseWithClaims(q.Get("state"), &claims, func(token *jwt.Token) (interface{}, error) {
-		return []byte(ts.Config.JWT.Secret), nil
+		return ts.Config.JWT.GetVerificationKey(), nil
 	})
 	ts.Require().NoError(err)
 

api/external_azure_test.go

@@ -30,7 +30,7 @@ func (ts *ExternalTestSuite) TestSignupExternalAzure() {
 	claims := ExternalProviderClaims{}
 	p := jwt.Parser{ValidMethods: []string{jwt.SigningMethodHS256.Name}}
 	_, err = p.ParseWithClaims(q.Get("state"), &claims, func(token *jwt.Token) (interface{}, error) {
-		return []byte(ts.Config.JWT.Secret), nil
+		return ts.Config.JWT.GetVerificationKey(), nil
 	})
 	ts.Require().NoError(err)