From 3ed12f770c1ea30f95ef1ff1c487f9cad18aa840 Mon Sep 17 00:00:00 2001 From: 7ttp <117663341+7ttp@users.noreply.github.com> Date: Sun, 23 Nov 2025 22:53:44 +0530 Subject: [PATCH 1/4] fix: enable es256 jwt signing algorithm support for gotrue --- internal/start/start.go | 15 ++++- pkg/api/client.gen.go | 135 ++++++++++++++++++++++++++++++++++++++++ pkg/api/types.gen.go | 9 +++ 3 files changed, 158 insertions(+), 1 deletion(-) diff --git a/internal/start/start.go b/internal/start/start.go index 625a8eb00..e32c70092 100644 --- a/internal/start/start.go +++ b/internal/start/start.go @@ -531,9 +531,22 @@ EOF fmt.Sprintf("GOTRUE_RATE_LIMIT_WEB3=%v", utils.Config.Auth.RateLimit.Web3), } - // Since signing key is validated by ResolveJWKS, simply read the key file. if keys, err := afero.ReadFile(fsys, utils.Config.Auth.SigningKeysPath); err == nil && len(keys) > 0 { env = append(env, "GOTRUE_JWT_KEYS="+string(keys)) + algSet := map[string]bool{"HS256": true} + for _, key := range utils.Config.Auth.SigningKeys { + switch key.Algorithm { + case config.AlgRS256: + algSet["RS256"] = true + case config.AlgES256: + algSet["ES256"] = true + } + } + algorithms := make([]string, 0, len(algSet)) + for alg := range algSet { + algorithms = append(algorithms, alg) + } + env = append(env, "GOTRUE_JWT_VALID_METHODS="+strings.Join(algorithms, ",")) } if utils.Config.Auth.Email.Smtp != nil && utils.Config.Auth.Email.Smtp.Enabled { diff --git a/pkg/api/client.gen.go b/pkg/api/client.gen.go index 59cf7da68..46557d73f 100644 --- a/pkg/api/client.gen.go +++ b/pkg/api/client.gen.go @@ -464,6 +464,11 @@ type ClientInterface interface { V1RunAQuery(ctx context.Context, ref string, body V1RunAQueryJSONRequestBody, reqEditors ...RequestEditorFn) (*http.Response, error) + // V1ReadOnlyQueryWithBody request with any body + V1ReadOnlyQueryWithBody(ctx context.Context, ref string, contentType string, body io.Reader, reqEditors ...RequestEditorFn) (*http.Response, error) + + V1ReadOnlyQuery(ctx context.Context, ref string, body V1ReadOnlyQueryJSONRequestBody, reqEditors ...RequestEditorFn) (*http.Response, error) + // V1EnableDatabaseWebhook request V1EnableDatabaseWebhook(ctx context.Context, ref string, reqEditors ...RequestEditorFn) (*http.Response, error) @@ -2251,6 +2256,30 @@ func (c *Client) V1RunAQuery(ctx context.Context, ref string, body V1RunAQueryJS return c.Client.Do(req) } +func (c *Client) V1ReadOnlyQueryWithBody(ctx context.Context, ref string, contentType string, body io.Reader, reqEditors ...RequestEditorFn) (*http.Response, error) { + req, err := NewV1ReadOnlyQueryRequestWithBody(c.Server, ref, contentType, body) + if err != nil { + return nil, err + } + req = req.WithContext(ctx) + if err := c.applyEditors(ctx, req, reqEditors); err != nil { + return nil, err + } + return c.Client.Do(req) +} + +func (c *Client) V1ReadOnlyQuery(ctx context.Context, ref string, body V1ReadOnlyQueryJSONRequestBody, reqEditors ...RequestEditorFn) (*http.Response, error) { + req, err := NewV1ReadOnlyQueryRequest(c.Server, ref, body) + if err != nil { + return nil, err + } + req = req.WithContext(ctx) + if err := c.applyEditors(ctx, req, reqEditors); err != nil { + return nil, err + } + return c.Client.Do(req) +} + func (c *Client) V1EnableDatabaseWebhook(ctx context.Context, ref string, reqEditors ...RequestEditorFn) (*http.Response, error) { req, err := NewV1EnableDatabaseWebhookRequest(c.Server, ref) if err != nil { @@ -7802,6 +7831,53 @@ func NewV1RunAQueryRequestWithBody(server string, ref string, contentType string return req, nil } +// NewV1ReadOnlyQueryRequest calls the generic V1ReadOnlyQuery builder with application/json body +func NewV1ReadOnlyQueryRequest(server string, ref string, body V1ReadOnlyQueryJSONRequestBody) (*http.Request, error) { + var bodyReader io.Reader + buf, err := json.Marshal(body) + if err != nil { + return nil, err + } + bodyReader = bytes.NewReader(buf) + return NewV1ReadOnlyQueryRequestWithBody(server, ref, "application/json", bodyReader) +} + +// NewV1ReadOnlyQueryRequestWithBody generates requests for V1ReadOnlyQuery with any type of body +func NewV1ReadOnlyQueryRequestWithBody(server string, ref string, contentType string, body io.Reader) (*http.Request, error) { + var err error + + var pathParam0 string + + pathParam0, err = runtime.StyleParamWithLocation("simple", false, "ref", runtime.ParamLocationPath, ref) + if err != nil { + return nil, err + } + + serverURL, err := url.Parse(server) + if err != nil { + return nil, err + } + + operationPath := fmt.Sprintf("/v1/projects/%s/database/query/read-only", pathParam0) + if operationPath[0] == '/' { + operationPath = "." + operationPath + } + + queryURL, err := serverURL.Parse(operationPath) + if err != nil { + return nil, err + } + + req, err := http.NewRequest("POST", queryURL.String(), body) + if err != nil { + return nil, err + } + + req.Header.Add("Content-Type", contentType) + + return req, nil +} + // NewV1EnableDatabaseWebhookRequest generates requests for V1EnableDatabaseWebhook func NewV1EnableDatabaseWebhookRequest(server string, ref string) (*http.Request, error) { var err error @@ -10384,6 +10460,11 @@ type ClientWithResponsesInterface interface { V1RunAQueryWithResponse(ctx context.Context, ref string, body V1RunAQueryJSONRequestBody, reqEditors ...RequestEditorFn) (*V1RunAQueryResponse, error) + // V1ReadOnlyQueryWithBodyWithResponse request with any body + V1ReadOnlyQueryWithBodyWithResponse(ctx context.Context, ref string, contentType string, body io.Reader, reqEditors ...RequestEditorFn) (*V1ReadOnlyQueryResponse, error) + + V1ReadOnlyQueryWithResponse(ctx context.Context, ref string, body V1ReadOnlyQueryJSONRequestBody, reqEditors ...RequestEditorFn) (*V1ReadOnlyQueryResponse, error) + // V1EnableDatabaseWebhookWithResponse request V1EnableDatabaseWebhookWithResponse(ctx context.Context, ref string, reqEditors ...RequestEditorFn) (*V1EnableDatabaseWebhookResponse, error) @@ -12772,6 +12853,27 @@ func (r V1RunAQueryResponse) StatusCode() int { return 0 } +type V1ReadOnlyQueryResponse struct { + Body []byte + HTTPResponse *http.Response +} + +// Status returns HTTPResponse.Status +func (r V1ReadOnlyQueryResponse) Status() string { + if r.HTTPResponse != nil { + return r.HTTPResponse.Status + } + return http.StatusText(0) +} + +// StatusCode returns HTTPResponse.StatusCode +func (r V1ReadOnlyQueryResponse) StatusCode() int { + if r.HTTPResponse != nil { + return r.HTTPResponse.StatusCode + } + return 0 +} + type V1EnableDatabaseWebhookResponse struct { Body []byte HTTPResponse *http.Response @@ -14912,6 +15014,23 @@ func (c *ClientWithResponses) V1RunAQueryWithResponse(ctx context.Context, ref s return ParseV1RunAQueryResponse(rsp) } +// V1ReadOnlyQueryWithBodyWithResponse request with arbitrary body returning *V1ReadOnlyQueryResponse +func (c *ClientWithResponses) V1ReadOnlyQueryWithBodyWithResponse(ctx context.Context, ref string, contentType string, body io.Reader, reqEditors ...RequestEditorFn) (*V1ReadOnlyQueryResponse, error) { + rsp, err := c.V1ReadOnlyQueryWithBody(ctx, ref, contentType, body, reqEditors...) + if err != nil { + return nil, err + } + return ParseV1ReadOnlyQueryResponse(rsp) +} + +func (c *ClientWithResponses) V1ReadOnlyQueryWithResponse(ctx context.Context, ref string, body V1ReadOnlyQueryJSONRequestBody, reqEditors ...RequestEditorFn) (*V1ReadOnlyQueryResponse, error) { + rsp, err := c.V1ReadOnlyQuery(ctx, ref, body, reqEditors...) + if err != nil { + return nil, err + } + return ParseV1ReadOnlyQueryResponse(rsp) +} + // V1EnableDatabaseWebhookWithResponse request returning *V1EnableDatabaseWebhookResponse func (c *ClientWithResponses) V1EnableDatabaseWebhookWithResponse(ctx context.Context, ref string, reqEditors ...RequestEditorFn) (*V1EnableDatabaseWebhookResponse, error) { rsp, err := c.V1EnableDatabaseWebhook(ctx, ref, reqEditors...) @@ -17878,6 +17997,22 @@ func ParseV1RunAQueryResponse(rsp *http.Response) (*V1RunAQueryResponse, error) return response, nil } +// ParseV1ReadOnlyQueryResponse parses an HTTP response from a V1ReadOnlyQueryWithResponse call +func ParseV1ReadOnlyQueryResponse(rsp *http.Response) (*V1ReadOnlyQueryResponse, error) { + bodyBytes, err := io.ReadAll(rsp.Body) + defer func() { _ = rsp.Body.Close() }() + if err != nil { + return nil, err + } + + response := &V1ReadOnlyQueryResponse{ + Body: bodyBytes, + HTTPResponse: rsp, + } + + return response, nil +} + // ParseV1EnableDatabaseWebhookResponse parses an HTTP response from a V1EnableDatabaseWebhookWithResponse call func ParseV1EnableDatabaseWebhookResponse(rsp *http.Response) (*V1EnableDatabaseWebhookResponse, error) { bodyBytes, err := io.ReadAll(rsp.Body) diff --git a/pkg/api/types.gen.go b/pkg/api/types.gen.go index 811f7c646..807a266ce 100644 --- a/pkg/api/types.gen.go +++ b/pkg/api/types.gen.go @@ -4222,6 +4222,12 @@ type V1ProjectWithDatabaseResponse struct { // V1ProjectWithDatabaseResponseStatus defines model for V1ProjectWithDatabaseResponse.Status. type V1ProjectWithDatabaseResponseStatus string +// V1ReadOnlyQueryBody defines model for V1ReadOnlyQueryBody. +type V1ReadOnlyQueryBody struct { + Parameters *[]interface{} `json:"parameters,omitempty"` + Query string `json:"query"` +} + // V1RestorePitrBody defines model for V1RestorePitrBody. type V1RestorePitrBody struct { RecoveryTimeTargetUnix int64 `json:"recovery_time_target_unix"` @@ -4722,6 +4728,9 @@ type V1PatchAMigrationJSONRequestBody = V1PatchMigrationBody // V1RunAQueryJSONRequestBody defines body for V1RunAQuery for application/json ContentType. type V1RunAQueryJSONRequestBody = V1RunQueryBody +// V1ReadOnlyQueryJSONRequestBody defines body for V1ReadOnlyQuery for application/json ContentType. +type V1ReadOnlyQueryJSONRequestBody = V1ReadOnlyQueryBody + // V1CreateAFunctionJSONRequestBody defines body for V1CreateAFunction for application/json ContentType. type V1CreateAFunctionJSONRequestBody = V1CreateFunctionBody From 96729079f0f99b619fa6eecf999637618f4fee12 Mon Sep 17 00:00:00 2001 From: Han Qiao Date: Mon, 24 Nov 2025 16:07:11 +0800 Subject: [PATCH 2/4] Apply suggestion from @sweatybridge --- internal/start/start.go | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) diff --git a/internal/start/start.go b/internal/start/start.go index e32c70092..223ea2b5b 100644 --- a/internal/start/start.go +++ b/internal/start/start.go @@ -533,20 +533,10 @@ EOF if keys, err := afero.ReadFile(fsys, utils.Config.Auth.SigningKeysPath); err == nil && len(keys) > 0 { env = append(env, "GOTRUE_JWT_KEYS="+string(keys)) - algSet := map[string]bool{"HS256": true} - for _, key := range utils.Config.Auth.SigningKeys { - switch key.Algorithm { - case config.AlgRS256: - algSet["RS256"] = true - case config.AlgES256: - algSet["ES256"] = true - } - } - algorithms := make([]string, 0, len(algSet)) - for alg := range algSet { - algorithms = append(algorithms, alg) + // TODO: deprecate HS256 when it's no longer supported + if len(utils.Config.Auth.SigningKeys) > 0 { + env = append(env, "GOTRUE_JWT_VALID_METHODS=HS256,RS256,ES256") } - env = append(env, "GOTRUE_JWT_VALID_METHODS="+strings.Join(algorithms, ",")) } if utils.Config.Auth.Email.Smtp != nil && utils.Config.Auth.Email.Smtp.Enabled { From 30fd1a6aac9d8fecf2342b20bb0b4dab60f77a57 Mon Sep 17 00:00:00 2001 From: Han Qiao Date: Mon, 24 Nov 2025 16:08:25 +0800 Subject: [PATCH 3/4] Refactor JWT valid methods assignment --- internal/start/start.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/internal/start/start.go b/internal/start/start.go index 223ea2b5b..0d9f6d5a3 100644 --- a/internal/start/start.go +++ b/internal/start/start.go @@ -534,9 +534,7 @@ EOF if keys, err := afero.ReadFile(fsys, utils.Config.Auth.SigningKeysPath); err == nil && len(keys) > 0 { env = append(env, "GOTRUE_JWT_KEYS="+string(keys)) // TODO: deprecate HS256 when it's no longer supported - if len(utils.Config.Auth.SigningKeys) > 0 { - env = append(env, "GOTRUE_JWT_VALID_METHODS=HS256,RS256,ES256") - } + env = append(env, "GOTRUE_JWT_VALID_METHODS=HS256,RS256,ES256") } if utils.Config.Auth.Email.Smtp != nil && utils.Config.Auth.Email.Smtp.Enabled { From 6daf5cd06e9838a282922a7557d87ddb7ad9e88c Mon Sep 17 00:00:00 2001 From: Han Qiao Date: Mon, 24 Nov 2025 16:09:08 +0800 Subject: [PATCH 4/4] Add comment on signing key validation process Added comment about signing key validation and reading key file. --- internal/start/start.go | 1 + 1 file changed, 1 insertion(+) diff --git a/internal/start/start.go b/internal/start/start.go index 0d9f6d5a3..e4bab5081 100644 --- a/internal/start/start.go +++ b/internal/start/start.go @@ -531,6 +531,7 @@ EOF fmt.Sprintf("GOTRUE_RATE_LIMIT_WEB3=%v", utils.Config.Auth.RateLimit.Web3), } + // Since signing key is validated by ResolveJWKS, simply read the key file. if keys, err := afero.ReadFile(fsys, utils.Config.Auth.SigningKeysPath); err == nil && len(keys) > 0 { env = append(env, "GOTRUE_JWT_KEYS="+string(keys)) // TODO: deprecate HS256 when it's no longer supported