fix: JWKS URL Configurable

sensorbucket · May 6, 2024 · ec408ac · ec408ac
1 parent 73e6c74
commit ec408ac
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 7 deletions.
diff --git a/services/core/main.go b/services/core/main.go
@@ -18,6 +18,7 @@ import (
 	"github.com/rs/cors"
 
 	"sensorbucket.nl/sensorbucket/internal/env"
+	"sensorbucket.nl/sensorbucket/pkg/auth"
 	"sensorbucket.nl/sensorbucket/pkg/mq"
 	"sensorbucket.nl/sensorbucket/services/core/devices"
 	deviceinfra "sensorbucket.nl/sensorbucket/services/core/devices/infra"
@@ -45,6 +46,7 @@ var (
 	AMQP_PREFETCH                = env.Could("AMQP_PREFETCH", "5")
 	HTTP_ADDR                    = env.Could("HTTP_ADDR", ":3000")
 	HTTP_BASE                    = env.Could("HTTP_BASE", "http://localhost:3000/api")
+	AUTH_JWKS_URL                = env.Could("AUTH_JWKS_URL", "http://oathkeeper:4456/.well-known/jwks.json")
 	SYS_ARCHIVE_TIME             = env.Could("SYS_ARCHIVE_TIME", "30")
 )
 
@@ -91,7 +93,8 @@ func Run() error {
 
 	// Setup HTTP Transport
 	r := chi.NewRouter()
-	r.Use(middleware.Logger)
+	jwks := auth.NewJWKSHttpClient(AUTH_JWKS_URL)
+	r.Use(middleware.Logger, auth.Authenticate(jwks), auth.Protect())
 	deviceshttp.SetupRoutes(r)
 	measurementhttp.SetupRoutes(r)
 	processinghttp.SetupRoutes(r)

diff --git a/services/dashboard/main.go b/services/dashboard/main.go
@@ -29,9 +29,10 @@ func main() {
 }
 
 var (
-	HTTP_ADDR = env.Could("HTTP_ADDR", ":3000")
-	HTTP_BASE = env.Could("HTTP_BASE", "")
-	SB_API    = env.Must("SB_API")
+	HTTP_ADDR     = env.Could("HTTP_ADDR", ":3000")
+	HTTP_BASE     = env.Could("HTTP_BASE", "")
+	AUTH_JWKS_URL = env.Could("AUTH_JWKS_URL", "http://oathkeeper:4456/.well-known/jwks.json")
+	SB_API        = env.Must("SB_API")
 )
 
 //go:embed static/*
@@ -43,7 +44,7 @@ func Run() error {
 	defer cancel()
 
 	router := chi.NewRouter()
-	jwks := auth.NewJWKSHttpClient("http://oathkeeper:4456/.well-known/jwks.json")
+	jwks := auth.NewJWKSHttpClient(AUTH_JWKS_URL)
 	router.Use(middleware.Logger, auth.Authenticate(jwks), auth.Protect())
 
 	var baseURL *url.URL

diff --git a/services/tenants/main.go b/services/tenants/main.go
@@ -32,6 +32,7 @@ var (
 	HTTP_WEBUI_ADDR  = env.Could("HTTP_WEBUI_ADDR", ":3001")
 	HTTP_WEBUI_BASE  = env.Could("HTTP_WEBUI_BASE", "http://localhost:3000/auth")
 	KRATOS_ADMIN_API = env.Could("KRATOS_ADMIN_API", "http://kratos:4434/")
+	AUTH_JWKS_URL    = env.Could("AUTH_JWKS_URL", "http://oathkeeper:4456/.well-known/jwks.json")
 	SB_API           = env.Must("SB_API")
 	DB_DSN           = env.Must("DB_DSN")
 )
@@ -129,7 +130,14 @@ func runWebUI(errC chan<- error, db *sqlx.DB) (func(context.Context), error) {
 	apiKeyStore := tenantsinfra.NewAPIKeyStorePSQL(db)
 	apiKeySvc := apikeys.NewAPIKeyService(tenantStore, apiKeyStore)
 
-	ui, err := webui.New(HTTP_WEBUI_BASE, SB_API, tenantSvc, apiKeySvc, userPreferences)
+	ui, err := webui.New(
+		HTTP_WEBUI_BASE,
+		AUTH_JWKS_URL,
+		SB_API,
+		tenantSvc,
+		apiKeySvc,
+		userPreferences,
+	)
 	if err != nil {
 		errC <- err
 		return noopCleanup, nil

diff --git a/services/tenants/transports/webui/webui.go b/services/tenants/transports/webui/webui.go
@@ -25,6 +25,7 @@ type WebUI struct {
 
 func New(
 	baseURLString,
+	jwksURL,
 	sensorbucketAPIEndpoint string,
 	tenantsService *tenants.TenantService,
 	apiKeys *apikeys.Service,
@@ -51,7 +52,7 @@ func New(
 	client := api.NewAPIClient(cfg)
 
 	ui.router.Use(middleware.Logger)
-	jwks := auth.NewJWKSHttpClient("http://oathkeeper:4456/.well-known/jwks.json")
+	jwks := auth.NewJWKSHttpClient(jwksURL)
 	authMW := auth.Authenticate(jwks)
 	// Middleware to pass on basic auth to the client api
 	// TODO: This also exists in dashboard/main.go, perhaps make it a package?