
jwt: Add unified_secret handling #34

Open
nuclearcat wants to merge 1 commit into kernelci:main from nuclearcat:unified-secret

Conversation

@nuclearcat (Member)

No description provided.

Signed-off-by: Denys Fedoryshchenko <denys.f@collabora.com>

Copilot AI left a comment


Pull request overview

Adds support for verifying JWTs using an additional configuration key (unified_secret) as a fallback to jwt_secret, centralizing the verification logic in a helper.

Changes:

  • Introduces verify_with_key_str helper to verify a token with a provided secret and validate required claims.
  • Updates verify_jwt_token to try jwt_secret first, then fall back to unified_secret if present.
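The two-key verification flow described above, written out as an added Python example (this is not the kernelci Rust code from this PR, and the names below are my own). It assumes HS256 tokens, a plain dict standing in for the parsed TOML config, and `email` as the one required claim; the config lookup is optional for both keys, empty strings are treated as unset, and the error from the first attempt is kept instead of being replaced by a generic signature error.

```python
import base64
import hashlib
import hmac
import json
import time


class JwtError(Exception):
    """Base class for every verification failure."""


class MalformedToken(JwtError):
    pass


class InvalidSignature(JwtError):
    pass


class InvalidClaims(JwtError):
    pass


class NoKeyConfigured(JwtError):
    pass


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except ValueError as exc:  # binascii.Error is a ValueError
        raise MalformedToken("bad base64url segment") from exc


def sign_hs256(claims: dict, key: str) -> str:
    """Mint an HS256 token; used here only to build constructed test inputs."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key.encode("utf-8"), f"{header}.{payload}".encode("utf-8"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_with_key_str(token: str, key: str, required=("email",), now=None) -> dict:
    """Verify the HMAC under one secret, then validate the required claims (hypothetical helper)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise MalformedToken("expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError as exc:
        raise MalformedToken("header is not JSON") from exc
    # The key is an HMAC secret, so pin the algorithm: "none" or asymmetric algs are rejected outright.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidSignature("unsupported alg")
    expected = hmac.new(key.encode("utf-8"), f"{header_b64}.{payload_b64}".encode("utf-8"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidSignature("HMAC mismatch")
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:
        raise MalformedToken("payload is not JSON") from exc
    if not isinstance(claims, dict):
        raise InvalidClaims("payload is not an object")
    for name in required:
        if name not in claims:
            raise InvalidClaims(f"missing claim {name!r}")
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise InvalidClaims("token expired")
    return claims


# Order matters: jwt_secret is tried first, unified_secret is the fallback.
KEY_ORDER = ("jwt_secret", "unified_secret")


def verify_jwt_token(token: str, config: dict, now=None):
    """Return (key_name, claims) for the first configured key that verifies the token."""
    first_error = None
    for name in KEY_ORDER:
        key = config.get(name)
        # Absent, non-string or empty values are skipped rather than used as an HMAC key.
        if not isinstance(key, str) or key == "":
            continue
        try:
            return name, verify_with_key_str(token, key, now=now)
        except JwtError as exc:
            if first_error is None:
                first_error = exc  # keep the first failure for diagnosis
    if first_error is None:
        raise NoKeyConfigured("neither jwt_secret nor unified_secret is set")
    raise first_error
```

Because `verify_with_key_str` validates claims after the signature, a token that was correctly signed with `jwt_secret` but lacks `email` surfaces as `InvalidClaims` even though the `unified_secret` attempt afterwards fails on the signature.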


Comment on lines 22 to 24
let toml_cfg = get_config_content();
let parsed_toml = toml_cfg.parse::<Table>().unwrap();
let key_str = parsed_toml["jwt_secret"].as_str().unwrap();
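Review bot: `toml_cfg.parse::<Table>().unwrap()` on the second quoted line also panics the process on any malformed config, not only on a missing `jwt_secret`; the optional handling suggested for the key lookup should extend to the parse result, returning a configuration error to the caller instead. Since a token signed under either secret is now accepted, `unified_secret` needs the same storage and rotation protection as `jwt_secret`.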

Copilot AI Apr 14, 2026


jwt_secret is still accessed via parsed_toml["jwt_secret"].as_str().unwrap(), which will panic before the new unified_secret fallback is attempted. If the intent is to support configs that only define unified_secret (or temporarily omit jwt_secret), switch this to an optional lookup (e.g., get("jwt_secret").and_then(|v| v.as_str())) and only attempt verification when present, otherwise fall through to unified_secret.

Comment on lines +48 to +49

Err(jwt::Error::InvalidSignature)
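Review bot: beyond dropping the first error, `Err(jwt::Error::InvalidSignature)` is misleading when the `jwt_secret` signature did verify but the required-claim validation inside `verify_with_key_str` failed: the caller then sees a signature failure for a correctly signed token that merely lacks a claim. Return the error from the attempt whose signature verified, or the first error when none did.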

Copilot AI Apr 14, 2026


When jwt_secret verification fails and unified_secret is not configured, the function returns a generic jwt::Error::InvalidSignature here, discarding the original verification error from the first attempt. Consider carrying the first error through (e.g., store it and return it when no fallback key exists) so failures are diagnosed accurately.

Comment on lines +36 to +40
if let Some(unified) = parsed_toml.get("unified_secret").and_then(|v| v.as_str()) {
match verify_with_key_str(token_str, unified) {
Ok(claims) => {
debug_log!("email (unified_secret): {}", claims["email"]);
return Ok(claims);
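Review bot: `.and_then(|v| v.as_str())` on the first quoted line treats an empty `unified_secret = ""` as a configured key, so a token HMAC'd with an empty secret would verify on the fallback path; skip empty strings (e.g. `.and_then(|v| v.as_str()).filter(|s| !s.is_empty())`) and treat them as unset. Also, `claims["email"]` in the `debug_log!` indexes the claim map, so confirm that `verify_with_key_str` requires `email`; otherwise this line panics on a token that omits it.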

Copilot AI Apr 14, 2026


New unified_secret verification path isn’t covered by existing tests (e2e tests currently only configure/sign with jwt_secret). Add a test that signs a token with unified_secret (and optionally ensures fallback works when jwt_secret is wrong/missing) to prevent regressions.
