feat: make JWTSecretKey optional in JWE configuration, add test for missing jwt-secret-key, make --jwt-secret-key optional to use JSON serialization+JWE encryption instead of JWT signing+JWE encryption, fix #25

Signed-off-by: Slach <[email protected]>
Co-authored-by: aider (openrouter/x-ai/grok-code-fast-1) <[email protected]>

Author: Slach

CHANGELOG.md

@@ -1,3 +1,7 @@
+# v1.1.1
+IMPROVEMENTS
+- make `--jwt-secret-key` optional to use JSON serialization+JWE encryption instead of JWT signing+JWE encryption, fix https://github.com/Altinity/altinity-mcp/issues/25
+
 # v1.1.0
 IMPROVEMENTS
 - switch to go 1.25, update go.mod

cmd/altinity-mcp/main.go

@@ -335,8 +335,8 @@ func (a *application) jweTokenGeneratorHandler(w http.ResponseWriter, r *http.Re
 	}
 
 	cfg := a.GetCurrentConfig()
-	if cfg.Server.JWE.JWESecretKey == "" || cfg.Server.JWE.JWTSecretKey == "" {
-		http.Error(w, "Missing JWE or JWT secret key", http.StatusInternalServerError)
+	if cfg.Server.JWE.JWESecretKey == "" {
+		http.Error(w, "Missing JWE secret key", http.StatusInternalServerError)
 		return
 	}
 	if !cfg.Server.JWE.Enabled {
@@ -1096,13 +1096,10 @@ func newApplication(ctx context.Context, cfg config.Config, cmd CommandInterface
 	} else {
 		log.Debug().Msg("JWE encryption enabled, skipping default ClickHouse connection test")
 
-		// Validate both secrets are set when JWE auth is enabled
+		// Validate JWE secret key is set when JWE auth is enabled
 		if cfg.Server.JWE.JWESecretKey == "" {
 			return nil, fmt.Errorf("JWE encryption is enabled but no JWE secret key is provided")
 		}
-		if cfg.Server.JWE.JWTSecretKey == "" {
-			return nil, fmt.Errorf("JWE encryption is enabled but no JWT secret key is provided")
-		}
 	}
 
 	// Create MCP server

cmd/altinity-mcp/main_test.go

@@ -1061,7 +1061,7 @@ func TestNewApplication(t *testing.T) {
 				JWE: config.JWEConfig{
 					Enabled:      true,
 					JWESecretKey: "jwe-secret",
-					JWTSecretKey: "", // Empty secret key should cause error
+					JWTSecretKey: "", // Empty secret key is now allowed
 				},
 			},
 		}
@@ -1077,9 +1077,38 @@ func TestNewApplication(t *testing.T) {
 
 		ctx := context.Background()
 		app, err := newApplication(ctx, cfg, cmd)
-		require.Error(t, err)
-		require.Nil(t, app)
-		require.Contains(t, err.Error(), "JWE encryption is enabled but no JWT secret key is provided")
+		require.NoError(t, err)
+		require.NotNil(t, app)
+
+		claims := map[string]interface{}{
+			"host":     "localhost",
+			"port":     8123,
+			"database": "default",
+			"username": "default",
+			"protocol": "http",
+			"exp":      time.Now().Add(time.Hour).Unix(),
+		}
+		body, err := json.Marshal(claims)
+		require.NoError(t, err)
+
+		req := httptest.NewRequest(http.MethodPost, "/jwe-token-generator", bytes.NewReader(body))
+		w := httptest.NewRecorder()
+
+		app.jweTokenGeneratorHandler(w, req)
+
+		require.Equal(t, http.StatusOK, w.Code)
+
+		var resp map[string]string
+		err = json.NewDecoder(w.Body).Decode(&resp)
+		require.NoError(t, err)
+		require.Contains(t, resp, "token")
+
+		// Verify the token
+		parsedClaims, err := jwe_auth.ParseAndDecryptJWE(resp["token"], []byte(cfg.Server.JWE.JWESecretKey), []byte(cfg.Server.JWE.JWTSecretKey))
+		require.NoError(t, err)
+		require.Equal(t, "localhost", parsedClaims["host"])
+		require.Equal(t, float64(8123), parsedClaims["port"])
+		app.Close()
 	})
 
 	t.Run("jwe_enabled_with_secret", func(t *testing.T) {