mirror of
https://github.com/azaion/admin.git
synced 2026-06-21 17:51:08 +00:00
Oleksandr Bezdieniezhnykh
51a293dbcc
AZ-531 — /login now returns access (15 min) + opaque refresh; rotation on /token/refresh; reuse of a rotated refresh kills the entire session family per OAuth 2.1 §6.1; sliding 8 h + absolute 12 h windows; new sessions table with serializable-tx rotation. AZ-532 — switched access-token signing from HS256 shared-secret to ES256 file-backed PEMs; new JwtSigningKeyProvider, JWKS at /.well-known/jwks.json with public-only fields and 1 h cache; ValidAlgorithms pinned so an HS256-with-public-key alg-confusion attack is rejected; production keys ignored under secrets/jwt-keys, deterministic test fixtures committed under e2e/test-keys. Tests: 10/10 new ACs covered (RefreshTokenFlowTests, AsymmetricSigningTests). Pre-existing AuthTests.Jwt_contains_expected_claims_and_lifetime updated for 15 min + sid/jti claims; SecurityTests.Expired_jwt re-signed with ES256; ResilienceTests login p95 SLO raised 500 ms → 1500 ms in test env to reflect Argon2id + dual DB writes + ES256 sign cost (production Linux budget unchanged, see batch_02_cycle2_review.md F1). Co-authored-by: Cursor <cursoragent@cursor.com>
40 lines
1.5 KiB
Bash
Executable File
40 lines
1.5 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# AZ-532 — generate a fresh ES256 (prime256v1) JWT signing key for the admin API.
|
|
#
|
|
# Usage:
|
|
# scripts/generate-jwt-key.sh [<kid>] [<output-dir>]
|
|
#
|
|
# <kid> optional; defaults to a timestamped value (kid-YYYYMMDD-HHMMSS).
|
|
# Kid becomes the filename: <output-dir>/<kid>.pem.
|
|
# <output-dir> optional; defaults to ./secrets/jwt-keys.
|
|
#
|
|
# Rotation procedure (per AZ-532 task spec):
|
|
# 1) Run this script on the admin host with a NEW <kid>. The new private key
|
|
# lands next to the existing one.
|
|
# 2) Restart admin (or send SIGHUP if hot-reload is wired). JWKS now exposes
|
|
# both kids; the OLD kid is still active for signing.
|
|
# 3) Wait verifier-cache TTL (Cache-Control: max-age=3600 → 1 h).
|
|
# 4) Set JwtConfig__ActiveKid=<new-kid> and restart admin. Admin signs with
|
|
# the new key; in-flight tokens minted with the old key still verify.
|
|
# 5) Wait until all old-kid access tokens have expired (TTL = 15 min).
|
|
# 6) Delete the old PEM and restart admin. JWKS now lists only the new kid.
|
|
|
|
set -euo pipefail
|
|
|
|
kid="${1:-kid-$(date -u +%Y%m%d-%H%M%S)}"
|
|
out_dir="${2:-secrets/jwt-keys}"
|
|
|
|
mkdir -p "$out_dir"
|
|
out_file="$out_dir/$kid.pem"
|
|
|
|
if [[ -e "$out_file" ]]; then
|
|
echo "ERROR: $out_file already exists. Pick a different kid." >&2
|
|
exit 1
|
|
fi
|
|
|
|
openssl ecparam -name prime256v1 -genkey -noout -out "$out_file"
|
|
chmod 600 "$out_file"
|
|
|
|
echo "Generated ES256 key at $out_file"
|
|
echo "Set JwtConfig__ActiveKid=$kid (or the kid you intend to make active) and restart admin."
|