feat: asymmetric signed api keys

cemalkilic · cemalkilic · commit 7e68a154f9af · 2025-08-12T08:51:18.000+02:00
diff --git a/pkg/config/apikeys.go b/pkg/config/apikeys.go
@@ -0,0 +1,212 @@
+package config
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rsa"
+	"encoding/base64"
+	"fmt"
+	"io/fs"
+	"math/big"
+	"os"
+	"time"
+
+	"github.com/go-errors/errors"
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/uuid"
+	"github.com/supabase/cli/pkg/fetcher"
+)
+
+// generateAPIKeys generates JWT tokens using the appropriate signing method
+func (c *config) generateAPIKeys(fsys fs.FS) error {
+	// Load signing keys if path is provided
+	var signingKeys []JWK
+	if len(c.Auth.SigningKeysPath) > 0 {
+		f, err := fsys.Open(c.Auth.SigningKeysPath)
+		if err != nil {
+			// Ignore missing signing key path - will fall back to symmetric signing
+			fmt.Fprintf(os.Stderr, "Warning: Failed to generate asymmetric keys, falling back to symmetric: %v\n", err)
+		} else {
+			parsedKeys, _ := fetcher.ParseJSON[[]JWK](f)
+			signingKeys = parsedKeys
+			c.Auth.SigningKeys = signingKeys // Store for later use
+		}
+	}
+
+	// Generate anon key if not provided
+	if len(c.Auth.AnonKey.Value) == 0 {
+		if len(signingKeys) > 0 {
+			if signed, err := generateAsymmetricJWT(signingKeys[0], "anon"); err != nil {
+				// Fall back to symmetric signing if asymmetric fails
+				fmt.Fprintf(os.Stderr, "Warning: Failed to generate asymmetric anon key, falling back to symmetric: %v\n", err)
+				c.Auth.AnonKey.Value = generateSymmetricJWT(c.Auth.JwtSecret.Value, "anon")
+			} else {
+				c.Auth.AnonKey.Value = signed
+			}
+		} else {
+			c.Auth.AnonKey.Value = generateSymmetricJWT(c.Auth.JwtSecret.Value, "anon")
+		}
+	}
+
+	// Generate service_role key if not provided
+	if len(c.Auth.ServiceRoleKey.Value) == 0 {
+		if len(signingKeys) > 0 {
+			if signed, err := generateAsymmetricJWT(signingKeys[0], "service_role"); err != nil {
+				// Fall back to symmetric signing if asymmetric fails
+				fmt.Fprintf(os.Stderr, "Warning: Failed to generate asymmetric service_role key, falling back to symmetric: %v\n", err)
+				c.Auth.ServiceRoleKey.Value = generateSymmetricJWT(c.Auth.JwtSecret.Value, "service_role")
+			} else {
+				c.Auth.ServiceRoleKey.Value = signed
+			}
+		} else {
+			c.Auth.ServiceRoleKey.Value = generateSymmetricJWT(c.Auth.JwtSecret.Value, "service_role")
+		}
+	}
+
+	return nil
+}
+
+// createJWTClaims creates standardized JWT claims for API keys
+func createJWTClaims(role string) CustomClaims {
+	now := time.Now()
+	return CustomClaims{
+		Issuer: "supabase-demo",
+		Role:   role,
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(now.Add(time.Hour * 24 * 365 * 10)), // 10 years
+		},
+	}
+}
+
+// generateSymmetricJWT generates a JWT using symmetric signing with jwt_secret
+func generateSymmetricJWT(jwtSecret, role string) string {
+	claims := createJWTClaims(role)
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+
+	signed, err := token.SignedString([]byte(jwtSecret))
+	if err != nil {
+		// This should not happen if JWT secret is valid, but return empty string as fallback
+		fmt.Fprintf(os.Stderr, "Error: Failed to generate %s key: %v\n", role, err)
+		return ""
+	}
+	return signed
+}
+
+// generateAsymmetricJWT generates a JWT token signed with the provided JWK private key
+func generateAsymmetricJWT(jwk JWK, role string) (string, error) {
+	privateKey, err := jwkToPrivateKey(jwk)
+	if err != nil {
+		return "", errors.Errorf("failed to convert JWK to private key: %w", err)
+	}
+
+	claims := createJWTClaims(role)
+
+	// Determine signing method based on algorithm
+	var token *jwt.Token
+	switch jwk.Algorithm {
+	case "RS256":
+		token = jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+	case "ES256":
+		token = jwt.NewWithClaims(jwt.SigningMethodES256, claims)
+	default:
+		return "", errors.Errorf("unsupported algorithm: %s", jwk.Algorithm)
+	}
+
+	if jwk.KeyID != uuid.Nil {
+		token.Header["kid"] = jwk.KeyID.String()
+	}
+
+	tokenString, err := token.SignedString(privateKey)
+	if err != nil {
+		return "", errors.Errorf("failed to sign JWT: %w", err)
+	}
+
+	return tokenString, nil
+}
+
+// jwkToPrivateKey converts a JWK to a crypto.PrivateKey
+func jwkToPrivateKey(jwk JWK) (crypto.PrivateKey, error) {
+	switch jwk.KeyType {
+	case "RSA":
+		return jwkToRSAPrivateKey(jwk)
+	case "EC":
+		return jwkToECDSAPrivateKey(jwk)
+	default:
+		return nil, errors.Errorf("unsupported key type: %s", jwk.KeyType)
+	}
+}
+
+// jwkToRSAPrivateKey converts a JWK to an RSA private key
+func jwkToRSAPrivateKey(jwk JWK) (*rsa.PrivateKey, error) {
+	nBytes, err := base64.RawURLEncoding.DecodeString(jwk.Modulus)
+	if err != nil {
+		return nil, errors.Errorf("failed to decode modulus: %w", err)
+	}
+	n := new(big.Int).SetBytes(nBytes)
+
+	eBytes, err := base64.RawURLEncoding.DecodeString(jwk.Exponent)
+	if err != nil {
+		return nil, errors.Errorf("failed to decode exponent: %w", err)
+	}
+	e := int(new(big.Int).SetBytes(eBytes).Int64())
+
+	dBytes, err := base64.RawURLEncoding.DecodeString(jwk.PrivateExponent)
+	if err != nil {
+		return nil, errors.Errorf("failed to decode private exponent: %w", err)
+	}
+	d := new(big.Int).SetBytes(dBytes)
+
+	pBytes, err := base64.RawURLEncoding.DecodeString(jwk.FirstPrimeFactor)
+	if err != nil {
+		return nil, errors.Errorf("failed to decode first prime factor: %w", err)
+	}
+	p := new(big.Int).SetBytes(pBytes)
+
+	qBytes, err := base64.RawURLEncoding.DecodeString(jwk.SecondPrimeFactor)
+	if err != nil {
+		return nil, errors.Errorf("failed to decode second prime factor: %w", err)
+	}
+	q := new(big.Int).SetBytes(qBytes)
+
+	return &rsa.PrivateKey{
+		PublicKey: rsa.PublicKey{N: n, E: e},
+		D:         d,
+		Primes:    []*big.Int{p, q},
+	}, nil
+}
+
+// jwkToECDSAPrivateKey converts a JWK to an ECDSA private key
+func jwkToECDSAPrivateKey(jwk JWK) (*ecdsa.PrivateKey, error) {
+	// Only support P-256 curve for ES256
+	if jwk.Curve != "P-256" {
+		return nil, errors.Errorf("unsupported curve: %s", jwk.Curve)
+	}
+
+	xBytes, err := base64.RawURLEncoding.DecodeString(jwk.X)
+	if err != nil {
+		return nil, errors.Errorf("failed to decode x coordinate: %w", err)
+	}
+	x := new(big.Int).SetBytes(xBytes)
+
+	yBytes, err := base64.RawURLEncoding.DecodeString(jwk.Y)
+	if err != nil {
+		return nil, errors.Errorf("failed to decode y coordinate: %w", err)
+	}
+	y := new(big.Int).SetBytes(yBytes)
+
+	dBytes, err := base64.RawURLEncoding.DecodeString(jwk.PrivateExponent)
+	if err != nil {
+		return nil, errors.Errorf("failed to decode private key: %w", err)
+	}
+	d := new(big.Int).SetBytes(dBytes)
+
+	return &ecdsa.PrivateKey{
+		PublicKey: ecdsa.PublicKey{
+			Curve: elliptic.P256(),
+			X:     x,
+			Y:     y,
+		},
+		D: d,
+	}, nil
+}
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -589,22 +589,6 @@ func (c *config) Load(path string, fsys fs.FS) error {
 	if len(c.Auth.JwtSecret.Value) < 16 {
 		return errors.Errorf("Invalid config for auth.jwt_secret. Must be at least 16 characters")
 	}
-	if len(c.Auth.AnonKey.Value) == 0 {
-		anonToken := CustomClaims{Role: "anon"}.NewToken()
-		if signed, err := anonToken.SignedString([]byte(c.Auth.JwtSecret.Value)); err != nil {
-			return errors.Errorf("failed to generate anon key: %w", err)
-		} else {
-			c.Auth.AnonKey.Value = signed
-		}
-	}
-	if len(c.Auth.ServiceRoleKey.Value) == 0 {
-		anonToken := CustomClaims{Role: "service_role"}.NewToken()
-		if signed, err := anonToken.SignedString([]byte(c.Auth.JwtSecret.Value)); err != nil {
-			return errors.Errorf("failed to generate service_role key: %w", err)
-		} else {
-			c.Auth.ServiceRoleKey.Value = signed
-		}
-	}
 	// TODO: move linked pooler connection string elsewhere
 	if connString, err := fs.ReadFile(fsys, builder.PoolerUrlPath); err == nil && len(connString) > 0 {
 		c.Db.Pooler.ConnectionString = string(connString)
@@ -669,7 +653,19 @@ func (c *config) Load(path string, fsys fs.FS) error {
 	if err := c.resolve(builder, fsys); err != nil {
 		return err
 	}
-	return c.Validate(fsys)
+
+	validateErr := c.Validate(fsys)
+	if validateErr != nil {
+		return validateErr
+	}
+
+	// Generate API keys (anon/service role keys) after paths are resolved & validated
+	// as we might need to use user-provided signing keys
+	if err := c.generateAPIKeys(fsys); err != nil {
+		return err
+	}
+
+	return nil
 }
 
 func VersionCompare(a, b string) int {
