chore: conditionally validate jwt secret

sweatybridge · sweatybridge · commit 2ed57b5d6541 · 2025-08-12T19:03:36.000+08:00
diff --git a/pkg/config/apikeys.go b/pkg/config/apikeys.go
@@ -6,7 +6,6 @@ import (
 	"crypto/elliptic"
 	"crypto/rsa"
 	"encoding/base64"
-	"io/fs"
 	"math/big"
 	"time"
 
@@ -16,22 +15,22 @@ import (
 )
 
 // generateAPIKeys generates JWT tokens using the appropriate signing method
-func (a *auth) generateAPIKeys(fsys fs.FS) error {
+func (a *auth) generateAPIKeys() error {
 	// Generate anon key if not provided
 	if len(a.AnonKey.Value) == 0 {
-		if signed, err := a.generateJWT("anon"); err != nil {
+		signed, err := a.generateJWT("anon")
+		if err != nil {
 			return err
-		} else {
-			a.AnonKey.Value = signed
 		}
+		a.AnonKey.Value = signed
 	}
 	// Generate service_role key if not provided
 	if len(a.ServiceRoleKey.Value) == 0 {
-		if signed, err := a.generateJWT("service_role"); err != nil {
+		signed, err := a.generateJWT("service_role")
+		if err != nil {
 			return err
-		} else {
-			a.ServiceRoleKey.Value = signed
 		}
+		a.ServiceRoleKey.Value = signed
 	}
 	return nil
 }
@@ -43,6 +42,9 @@ func (a auth) generateJWT(role string) (string, error) {
 		return generateAsymmetricJWT(a.SigningKeys[0], claims)
 	}
 	// Fallback to generating symmetric keys
+	if len(a.JwtSecret.Value) < 16 {
+		return "", errors.Errorf("Invalid config for auth.jwt_secret. Must be at least 16 characters")
+	}
 	signed, err := claims.NewToken().SignedString([]byte(a.JwtSecret.Value))
 	if err != nil {
 		return "", errors.Errorf("failed to generate JWT: %w", err)
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -585,10 +585,6 @@ func (c *config) Load(path string, fsys fs.FS) error {
 	if err := c.loadFromFile(builder.ConfigPath, fsys); err != nil {
 		return err
 	}
-	// Generate JWT tokens
-	if len(c.Auth.JwtSecret.Value) < 16 {
-		return errors.Errorf("Invalid config for auth.jwt_secret. Must be at least 16 characters")
-	}
 	// TODO: move linked pooler connection string elsewhere
 	if connString, err := fs.ReadFile(fsys, builder.PoolerUrlPath); err == nil && len(connString) > 0 {
 		c.Db.Pooler.ConnectionString = string(connString)
@@ -844,7 +840,7 @@ func (c *config) Validate(fsys fs.FS) error {
 				return errors.Errorf("failed to decode signing keys: %w", err)
 			}
 		}
-		if err := c.Auth.generateAPIKeys(fsys); err != nil {
+		if err := c.Auth.generateAPIKeys(); err != nil {
 			return err
 		}
 		if err := c.Auth.Hook.validate(); err != nil {

Original file line number	Diff line number	Diff line change
`@@ -585,10 +585,6 @@ func (c *config) Load(path string, fsys fs.FS) error {`
`585`	`585`	`if err := c.loadFromFile(builder.ConfigPath, fsys); err != nil {`
`586`	`586`	`return err`
`587`	`587`	`}`
`588`		`- // Generate JWT tokens`
`589`		`- if len(c.Auth.JwtSecret.Value) < 16 {`
`590`		`- return errors.Errorf("Invalid config for auth.jwt_secret. Must be at least 16 characters")`
`591`		`- }`
`592`	`588`	`// TODO: move linked pooler connection string elsewhere`
`593`	`589`	`if connString, err := fs.ReadFile(fsys, builder.PoolerUrlPath); err == nil && len(connString) > 0 {`
`594`	`590`	`c.Db.Pooler.ConnectionString = string(connString)`
`@@ -844,7 +840,7 @@ func (c *config) Validate(fsys fs.FS) error {`
`844`	`840`	`return errors.Errorf("failed to decode signing keys: %w", err)`
`845`	`841`	`}`
`846`	`842`	`}`
`847`		`- if err := c.Auth.generateAPIKeys(fsys); err != nil {`
	`843`	`+ if err := c.Auth.generateAPIKeys(); err != nil {`
`848`	`844`	`return err`
`849`	`845`	`}`
`850`	`846`	`if err := c.Auth.Hook.validate(); err != nil {`