Feat/add jwks command

[xenOs76]

Summary by CodeRabbit

• New Features

  • Added JWT inspection and validation functionality supporting local files and remote token providers.
  • Added JWKS generation from public key files with syntax-highlighted output.

• Documentation

  • Updated README with JWT/JWKS sections, examples, and sample output images.
  • Enhanced command descriptions and help text for clarity.

[coderabbitai]

Warning

Rate limit exceeded

@xenOs76 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 24 minutes before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6aa63ab6-e1e0-42d2-a386-9750cca96669

📥 Commits

Reviewing files that changed from the base of the PR and between a8c548f and a43ff2c.

📒 Files selected for processing (6)

• README.md
• cmd/jwks.go
• cmd/jwtinfo.go
• internal/jwks/jwks.go
• internal/jwtinfo/jwtinfo.go
• internal/jwtinfo/jwtinfo_test.go

📝 Walkthrough

Walkthrough

This PR updates the project's documentation to emphasize secure HTTP endpoint maintenance, adds new JWT/JWKS inspection and generation commands, refactors JWT handling to support context cancellation, introduces a new JWKS package with comprehensive tests, updates development environment test configurations, and refreshes multiple Go dependencies.

Changes

Cohort / File(s)	Summary
CLI Documentation & Help Text README.md, cmd/root.go, cmd/certinfo.go, cmd/requests.go, cmd/man.go	Updated top-level help descriptions and added documentation sections for new jwtinfo and jwks subcommands; reworded existing command help text to target maintainers of secure HTTP endpoints; minor formatting adjustments.
New JWKS Package cmd/jwks.go, internal/jwks/jwks.go, internal/jwks/jwks_test.go	Introduced new jwks Cobra command accepting --public-key-file (required) and optional --kid flag; implemented GenerateJWKS function that loads PEM public keys, derives key IDs via SHA-256 thumbprint, and outputs pretty-printed JWKS JSON; comprehensive unit tests for RSA, ECDSA, Ed25519 key types and error cases.
JWT Info Refactoring cmd/jwtinfo.go, internal/jwtinfo/jwtinfo.go, internal/jwtinfo/jwtinfo_test.go	Updated command help text; added context.Context parameter to RequestToken and ParseWithJWKS for caller-controlled cancellation; refactored ParseRequestJSONValues to avoid mutating input map; switched JSON validation to json.Valid; corrected token time-claims helper naming and narrowed numeric field conversion logic; updated test suite with context arguments and validation flags.
Development & Dependency Updates devenv.nix, go.mod	Extended certificate generation to create corresponding public-key files for RSA/ECDSA/Ed25519 variants; added new JWTInfo test script for Auth0 with intentional validation URL mismatch; removed token environment variable exports; updated direct dependencies (chroma, rootcerts, goutil, go-proxyproto, golang.org/x/term) and refreshed indirect dependencies; removed github.com/goforj/godump dependency.
Miscellaneous Updates internal/certinfo/certinfo.go, internal/style/style.go	Updated GoDoc comment formatting for SetPrivateKeyFromFile; changed default syntax highlighting style from "dracula" to "catppuccin-frappe".

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Add JwtInfo command #21: Modifies jwtinfo CLI command and internal/jwtinfo package with similar function signature updates and control flow changes.
• refactor(jwtinfo): ParseTokenData function to Parse methods #22: Applies overlapping refactoring in internal/jwtinfo package, converting token parsing operations and threading context through function calls.
• docs: update README and command descriptions, add certinfo screenshots #19: Updates same CLI documentation surfaces (README, cmd/root.go, cmd/certinfo.go) with reworded help text and command descriptions.

Poem

🐰 With JWKS keys and JWTs bright,
Our wrench now handles crypto right—
Context flows through every call,
New docs for maintainers, one and all!
From frappe styles to public keys so keen,
The cleanest wrench you've ever seen! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 58.82% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title accurately reflects the primary change: adding a new jwks subcommand to the CLI tool, which is evident across multiple files including cmd/jwks.go (new file), cmd/root.go (updated help text), and internal/jwks/ (new package).
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/add_jwks_command

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 24 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

cmd/jwtinfo.go (1)

38-38: ⚠️ Potential issue | 🟡 Minor

Fix typo in validation URL example.

The example says jkws.json; this should be jwks.json to avoid copy/paste confusion.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cmd/jwtinfo.go` at line 38, Update the example value for the VALIDATION_URL
environment variable to use the correct JWKS filename: replace the typo
"jkws.json" with "jwks.json" in the export VALIDATION_URL line so the sample
shows export VALIDATION_URL="https://url.to/jwks.json".

🧹 Nitpick comments (2)

devenv.nix (1)

618-625: Negative-path JWT test script should assert expected failure output.

This script currently just runs the command. Consider asserting a known error substring (e.g., with grep) so it acts as a deterministic test rather than a manual probe.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@devenv.nix` around lines 618 - 625, The test script
scripts.run-jwtinfo-test-auth0-wrong-validation-url.exec currently just invokes
./dist/https-wrench jwtinfo and should instead assert a deterministic failure:
capture the command output (or pipe through tee) and grep for a known error
substring (e.g., "validation failed", "invalid signature", or the specific
message your tool emits) and fail the script if the substring is not found (exit
non-zero); update the script wrapper around the ./dist/https-wrench jwtinfo
invocation to run the command, search its stdout/stderr for the expected error
text, and return non-zero when the expected failure message is absent so the CI
step becomes a deterministic negative test.

internal/jwtinfo/jwtinfo_test.go (1)

284-290: Use deadline-backed contexts in these network-path tests.

These APIs are context-aware now, but the updated tests still only pass context.Background(). A short context.WithTimeout for the negative URL/JWKS cases would both bound CI runtime and verify that cancellation/deadline propagation actually works.

Also applies to: 402-408, 544-588

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/jwtinfo/jwtinfo_test.go` around lines 284 - 290, Replace the plain
context.Background() used in RequestToken calls with a deadline-backed context
created via context.WithTimeout (e.g., short timeout like 1-5s) and ensure you
call the returned cancel function (defer cancel()) so the test both bounds CI
runtime and verifies cancellation propagation; update the failing network-path
test invocations that pass context.Background() (notably the calls to
RequestToken with serverJwtEndpoint, reqValues, client, io.ReadAll) and make the
same change in the other mentioned test blocks (around the 402-408 and 544-588
ranges).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@internal/jwks/jwks.go`:
- Around line 23-24: The comment and error text in GenerateJWKS incorrectly call
the SHA-256 of PKIX/SPKI bytes a "thumbprint" and also state that jwkset infers
a thumbprint-based kid while the code actually computes and sets kid; fix this
by either (A) implementing an RFC‑7638 JWK thumbprint: build the canonical JSON
representation of the JWK, compute its SHA‑256 thumbprint per RFC‑7638 and use
that as kid, and update comments/messages to say "RFC‑7638 thumbprint", or (B)
keep the current PKIX/SPKI SHA‑256 behavior but rename all mentions from
"thumbprint" to "SHA-256-derived kid" (or similar), update the top comment in
GenerateJWKS and the error/message strings emitted when creating the kid, and
remove the incorrect claim that jwkset infers a thumbprint-based kid since the
function sets kid explicitly; ensure references to the kid generation logic (the
kid variable and the code path that computes and sets it) are updated
consistently.

In `@internal/jwtinfo/jwtinfo.go`:
- Around line 213-215: The current isValidJSON uses json.Valid which accepts
non-object JSON; update validation so DecodeBase64 only accepts JSON objects for
JWT header/claims: modify isValidJSON to first check json.Valid(data) and then
ensure the top-level value is an object (e.g., verify the first non-whitespace
char is '{' and the last non-whitespace char is '}', or attempt to decode into
map[string]interface{}), and call this stricter isValidJSON from DecodeBase64 to
reject scalars/nulls early.

In `@README.md`:
- Around line 221-223: Update the README docs to fix typos: change the
validation example string VALIDATION_URL value from "https://url.to/jkws.json"
to "https://url.to/jwks.json", and correct any image alt text or captions that
say "jwtingo" to "jwtinfo" (search for occurrences around the example blocks and
lines referenced, and update the REQ_URL/REQ_VALUES example if any similar
misspellings exist).

---

Outside diff comments:
In `@cmd/jwtinfo.go`:
- Line 38: Update the example value for the VALIDATION_URL environment variable
to use the correct JWKS filename: replace the typo "jkws.json" with "jwks.json"
in the export VALIDATION_URL line so the sample shows export
VALIDATION_URL="https://url.to/jwks.json".

---

Nitpick comments:
In `@devenv.nix`:
- Around line 618-625: The test script
scripts.run-jwtinfo-test-auth0-wrong-validation-url.exec currently just invokes
./dist/https-wrench jwtinfo and should instead assert a deterministic failure:
capture the command output (or pipe through tee) and grep for a known error
substring (e.g., "validation failed", "invalid signature", or the specific
message your tool emits) and fail the script if the substring is not found (exit
non-zero); update the script wrapper around the ./dist/https-wrench jwtinfo
invocation to run the command, search its stdout/stderr for the expected error
text, and return non-zero when the expected failure message is absent so the CI
step becomes a deterministic negative test.

In `@internal/jwtinfo/jwtinfo_test.go`:
- Around line 284-290: Replace the plain context.Background() used in
RequestToken calls with a deadline-backed context created via
context.WithTimeout (e.g., short timeout like 1-5s) and ensure you call the
returned cancel function (defer cancel()) so the test both bounds CI runtime and
verifies cancellation propagation; update the failing network-path test
invocations that pass context.Background() (notably the calls to RequestToken
with serverJwtEndpoint, reqValues, client, io.ReadAll) and make the same change
in the other mentioned test blocks (around the 402-408 and 544-588 ranges).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a45af976-eb7c-4457-9756-79a88f897c15

📥 Commits

Reviewing files that changed from the base of the PR and between f71ed24 and a8c548f.

⛔ Files ignored due to path filters (3)

• assets/img/https-wrench_jwtinfo_read_validate_token.png is excluded by !**/*.png
• assets/img/https-wrench_jwtinfo_request_token.png is excluded by !**/*.png
• go.sum is excluded by !**/*.sum

📒 Files selected for processing (15)

• README.md
• cmd/certinfo.go
• cmd/jwks.go
• cmd/jwtinfo.go
• cmd/man.go
• cmd/requests.go
• cmd/root.go
• devenv.nix
• go.mod
• internal/certinfo/certinfo.go
• internal/jwks/jwks.go
• internal/jwks/jwks_test.go
• internal/jwtinfo/jwtinfo.go
• internal/jwtinfo/jwtinfo_test.go
• internal/style/style.go