Add JWT-based auth to serve command #79
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR adds JWT-based authentication to the serve command, replacing the previous open access model with authenticated access modes. It introduces three authentication modes: base64 (default, backward-compatible), jwt (shared secret), and jwks (public key infrastructure).
Key changes:
- Implemented JWT authentication with HS256 shared secret and JWKS support
- Changed HTTP routes to be prefixed with
/webpuband removed the/list.jsonendpoint - Enhanced TLS configuration to require minimum TLSv1.2 for HTTPS connections
Reviewed Changes
Copilot reviewed 15 out of 16 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/serve/auth/auth.go | Defines the AuthProvider interface for validating tokens |
| pkg/serve/auth/encoded.go | Implements base64url-encoded path authentication (backward-compatible) |
| pkg/serve/auth/jwt.go | Implements JWT authentication with HS256 shared secret |
| pkg/serve/auth/jwks.go | Implements JWT authentication with JWKS key sets |
| pkg/serve/server.go | Adds Auth field to ServerConfig and sets default auth provider |
| pkg/serve/router.go | Adds authentication middleware and changes route prefix to /webpub |
| pkg/serve/api.go | Updates handlers to retrieve path from context instead of route vars |
| pkg/serve/helpers.go | Refactors conditional logic to use switch statement |
| pkg/serve/client/http_client.go | Adds TLS 1.2 minimum version requirement |
| internal/cli/serve.go | Adds flags for authentication modes and configures auth providers |
| internal/cli/root.go | Fixes version package import |
| internal/version/version.go | Corrects package name from "cli" to "version" |
| go.mod, go.sum | Adds JWT-related dependencies |
| CHANGELOG.MD | Documents the changes for version 0.6.0 |
| .goreleaser.yml | Changes GOAMD64 target from v3 to v2 |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| }) | ||
| }) | ||
| pub.HandleFunc("", func(w http.ResponseWriter, req *http.Request) { | ||
| ru, _ := r.Get("manifest").URLPath("path", mux.Vars(req)["path"]) |
There was a problem hiding this comment.
The redirect handler uses mux.Vars(req)[\"path\"] which retrieves the token from the route, not the validated path from context. This should use req.Context().Value(ContextPathKey).(string) to be consistent with the other handlers and use the authenticated path.
| ru, _ := r.Get("manifest").URLPath("path", mux.Vars(req)["path"]) | |
| authPath := req.Context().Value(ContextPathKey).(string) | |
| ru, _ := r.Get("manifest").URLPath("path", authPath) |
| serveCmd.Flags().StringVarP(&indentFlag, "indent", "i", "", "Indentation used to pretty-print JSON files") | ||
| serveCmd.Flags().Var(&inferA11yFlag, "infer-a11y", "Infer accessibility metadata: no, merged, split") | ||
| serveCmd.Flags().BoolVarP(&debugFlag, "debug", "d", false, "Enable debug mode") | ||
| serveCmd.Flags().StringVarP(&mode, "mode", "m", "base64", "Access mode: base64 (default, base64url-encoded paths), jwt (JWT auth with a shared secret), jwks (JWT auth with keys in a JWKS)") |
There was a problem hiding this comment.
[nitpick] The flag description is very long and may be difficult to read in CLI help output. Consider breaking it into shorter text or moving detailed explanations to the Long description.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Added
-mflag allows for authenticated access to publications using a JWT in the route to the publication instead of the encoded path. The subject (sub) of the JWT will instead be used as the path to the publication. The first new mode isjwtmode, which uses the HS256 method of authentication and a shared secret that is either provided using--jwt-shared-secretor autogenerated at startup. The second mode,jwks, is combined with the--jwks-urlflag that points to JWKS file, which can contain multiple keys used to validate the JWT, allowing for key rotation and other algorithms using public/private keypairsChanged
v3tov2(closes Support lower AMD64 version? #78). The discussion regarding this is here. This allows execution of the built binaries on older x64 CPUs/webpub. So<domain>/<path>/manifest.jsonis now<domain>/webpub/<path>/manifest.jsonRemoved
/list.jsonroute in the serve command's webserver has been removed. It is not compatible with the new authenticated access schemes, and was only intended to be temporary. It may be replaced in the future by an OPDS2 feed