[major] require JWKS_URI env var (#85)

lehigh-university-libraries · Feb 1, 2025 · f09b78c · f09b78c
1 parent 7339772
commit f09b78c
Show file tree

Hide file tree

Showing 13 changed files with 41 additions and 18 deletions.
diff --git a/ci/k8s/crayfits.yaml b/ci/k8s/crayfits.yaml
@@ -29,6 +29,9 @@ spec:
         - name: scyllaridae-crayfits
           image: lehighlts/scyllaridae-fits:main-14a4905
           imagePullPolicy: IfNotPresent
+          env:
+          - name: "JWKS_URI"
+            value: "https://preserve.lehigh.edu/oauth/discovery/keys"
           resources:
             requests:
               memory: "32Mi"

diff --git a/ci/k8s/hls.yaml b/ci/k8s/hls.yaml
@@ -29,6 +29,9 @@ spec:
         - name: scyllaridae-hls
           image: lehighlts/scyllaridae-hls:main
           imagePullPolicy: IfNotPresent
+          env:
+          - name: "JWKS_URI"
+            value: "https://preserve.lehigh.edu/oauth/discovery/keys"
           resources:
             requests:
               memory: "512Mi"

diff --git a/ci/k8s/homarus.yaml b/ci/k8s/homarus.yaml
@@ -29,6 +29,9 @@ spec:
         - name: scyllaridae-ffmpeg
           image: lehighlts/scyllaridae-ffmpeg:main
           imagePullPolicy: IfNotPresent
+          env:
+          - name: "JWKS_URI"
+            value: "https://preserve.lehigh.edu/oauth/discovery/keys"
           resources:
             requests:
               memory: "128Mi"

diff --git a/ci/k8s/houdini.yaml b/ci/k8s/houdini.yaml
@@ -29,6 +29,9 @@ spec:
         - name: scyllaridae-imagemagick
           image: lehighlts/scyllaridae-imagemagick:main-8a5b743
           imagePullPolicy: IfNotPresent
+          env:
+          - name: "JWKS_URI"
+            value: "https://preserve.lehigh.edu/oauth/discovery/keys"
           resources:
             requests:
               memory: "256Mi"

diff --git a/ci/k8s/htr.yaml b/ci/k8s/htr.yaml
@@ -35,6 +35,9 @@ spec:
               secretKeyRef:
                 name: openai
                 key: api-key
+          env:
+          - name: "JWKS_URI"
+            value: "https://preserve.lehigh.edu/oauth/discovery/keys"
           resources:
             requests:
               memory: "128Mi"

diff --git a/ci/k8s/hypercube.yaml b/ci/k8s/hypercube.yaml
@@ -29,6 +29,9 @@ spec:
         - name: scyllaridae-tesseract
           image: lehighlts/scyllaridae-tesseract:main-14b2276
           imagePullPolicy: IfNotPresent
+          env:
+          - name: "JWKS_URI"
+            value: "https://preserve.lehigh.edu/oauth/discovery/keys"
           resources:
             requests:
               memory: "128Mi"

diff --git a/ci/k8s/libreoffice.yaml b/ci/k8s/libreoffice.yaml
@@ -28,6 +28,9 @@ spec:
         - name: scyllaridae-libreoffice
           image: lehighlts/scyllaridae-libreoffice:main
           imagePullPolicy: IfNotPresent
+          env:
+          - name: "JWKS_URI"
+            value: "https://preserve.lehigh.edu/oauth/discovery/keys"
           resources:
             requests:
               memory: "128Mi"

diff --git a/ci/k8s/mergepdf.yaml b/ci/k8s/mergepdf.yaml
@@ -30,8 +30,10 @@ spec:
           image: lehighlts/scyllaridae-mergepdf:main-1c3a177
           imagePullPolicy: IfNotPresent
           env:
-            - name: MAX_THREADS
-              value: "7"
+          - name: MAX_THREADS
+            value: "7"
+          - name: "JWKS_URI"
+            value: "https://preserve.lehigh.edu/oauth/discovery/keys"
           resources:
             requests:
               memory: "128Mi"

diff --git a/ci/k8s/ocrpdf.yaml b/ci/k8s/ocrpdf.yaml
@@ -29,6 +29,9 @@ spec:
         - name: scyllaridae-ocrpdf
           image: lehighlts/scyllaridae-ocrpdf:main
           imagePullPolicy: IfNotPresent
+          env:
+          - name: "JWKS_URI"
+            value: "https://preserve.lehigh.edu/oauth/discovery/keys"
           resources:
             requests:
               memory: "128Mi"

diff --git a/ci/k8s/whisper.yaml b/ci/k8s/whisper.yaml
@@ -28,6 +28,9 @@ spec:
         - name: scyllaridae-whisper
           image: lehighlts/scyllaridae-whisper:main-14a4905
           imagePullPolicy: IfNotPresent
+          env:
+          - name: "JWKS_URI"
+            value: "https://preserve.lehigh.edu/oauth/discovery/keys"
           resources:
             requests:
               memory: "2Gi"

diff --git a/main_test.go b/main_test.go
@@ -48,6 +48,7 @@ type Test struct {
 }
 
 func TestMessageHandler_MethodNotAllowed(t *testing.T) {
+	os.Setenv("SKIP_JWT_VERIFY", "true")
 	testConfig := &scyllaridae.ServerConfig{}
 	server := &Server{Config: testConfig}
 

diff --git a/middleware.go b/middleware.go
@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"log/slog"
 	"net/http"
-	"net/url"
 	"os"
 	"strings"
 	"time"
@@ -89,8 +88,7 @@ func (s *Server) JWTAuthMiddleware(next http.Handler) http.Handler {
 
 		if os.Getenv("SKIP_JWT_VERIFY") != "true" {
 			tokenString := a[7:]
-			message := r.Context().Value(msgKey).(api.Payload)
-			err := s.verifyJWT(tokenString, message)
+			err := s.verifyJWT(tokenString)
 			if err != nil {
 				slog.Error("JWT verification failed", "err", err)
 				http.Error(w, "Unauthorized", http.StatusUnauthorized)
@@ -102,8 +100,8 @@ func (s *Server) JWTAuthMiddleware(next http.Handler) http.Handler {
 	})
 }
 
-func (s *Server) verifyJWT(tokenString string, message api.Payload) error {
-	keySet, err := s.fetchJWKS(message)
+func (s *Server) verifyJWT(tokenString string) error {
+	keySet, err := s.fetchJWKS()
 	if err != nil {
 		return fmt.Errorf("unable to fetch JWKS: %v", err)
 	}
@@ -135,22 +133,12 @@ func (s *Server) verifyJWT(tokenString string, message api.Payload) error {
 }
 
 // fetchJWKS fetches the JSON Web Key Set (JWKS) from the given URI
-func (s *Server) fetchJWKS(message api.Payload) (jwk.Set, error) {
+func (s *Server) fetchJWKS() (jwk.Set, error) {
 	var err error
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
 	jwksURI := os.Getenv("JWKS_URI")
-	// if the JWKS_URI isn't provided
-	// try grabbing the JWKS from the default islandora URI
-	if jwksURI == "" {
-		parsedURL, err := url.Parse(message.Attachment.Content.SourceURI)
-		if err != nil {
-			return nil, fmt.Errorf("error parsing source URI: %v", err)
-		}
-
-		jwksURI = fmt.Sprintf("%s://%s/oauth/discovery/keys", parsedURL.Scheme, parsedURL.Host)
-	}
 	ks, ok := s.KeySets.Get(jwksURI)
 	if ok {
 		return ks, nil

diff --git a/server.go b/server.go
@@ -25,6 +25,11 @@ type Server struct {
 }
 
 func (server *Server) SetupRouter() *mux.Router {
+	if os.Getenv("JWKS_URI") == "" && os.Getenv("SKIP_JWT_VERIFY") != "true" {
+		slog.Error("Need to provide your JWKS URI in the JWKS_URI e.g. JWKS_URI=https://islandora.dev/oauth/discovery/keys")
+		os.Exit(1)
+	}
+
 	server.KeySets = lru.NewLRU[string, jwk.Set](25, nil, time.Minute*15)
 
 	r := mux.NewRouter()