From f82a71bba6c1c1e17fcf54a194bb81668a6a027e Mon Sep 17 00:00:00 2001
From: Patryk Kalinowski
Date: Mon, 29 Jul 2024 20:59:06 +0200
Subject: [PATCH] JWT generation fixes (#61)
* config: add a separate [signing] section
* rpc: update the config use in JWT generation
* etc: configure JWT signing for all envs
* rpc: fix failing test
---
 config/config.go | 7 ++++++-
 etc/waas-auth.dev.conf | 4 ++++
 etc/waas-auth.next.conf | 4 ++++
 etc/waas-auth.prod.conf | 4 ++++
 etc/waas-auth.sample.conf | 5 ++++-
 rpc/identity_provider.go | 10 +++++-----
 rpc/identity_provider_test.go | 4 ++--
 7 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/config/config.go b/config/config.go
index 26724aff..690418a6 100644
--- a/config/config.go
+++ b/config/config.go
@@ -12,13 +12,13 @@ type Config struct {
 	Mode Mode `toml:"-"`
 	Region string `toml:"region"`
 	Service ServiceConfig `toml:"service"`
-	BaseURL string `toml:"base_url"`
 	Admin AdminConfig `toml:"admin"`
 	Endpoints EndpointsConfig `toml:"endpoints"`
 	KMS KMSConfig `toml:"kms"`
 	SES SESConfig `toml:"ses"`
 	Builder BuilderConfig `toml:"builder"`
 	Database DatabaseConfig `toml:"database"`
+	Signing SigningConfig `toml:"signing"`
 	Telemetry telemetry.Config `toml:"telemetry"`
 	Tracing TracingConfig `toml:"tracing"`
 }
@@ -67,6 +67,11 @@ type BuilderConfig struct {
 	SecretID string `toml:"secret_id"`
 }
 
+type SigningConfig struct {
+	Issuer string `toml:"issuer"`
+	AudiencePrefix string `toml:"audience_prefix"`
+}
+
 type TracingConfig struct {
 	Endpoint string `toml:"endpoint"`
 }
diff --git a/etc/waas-auth.dev.conf b/etc/waas-auth.dev.conf
index c7463f21..2aa2fbb8 100644
--- a/etc/waas-auth.dev.conf
+++ b/etc/waas-auth.dev.conf
@@ -49,3 +49,7 @@ QwIDAQAB
 [builder]
 base_url = "https://dev-api.sequence.build"
 secret_id = "dev-builder-jwt"
+
+[signing]
+ issuer = "https://dev-waas.sequence.app"
+ audience_prefix = "https://dev.sequence.build/project/"
diff --git a/etc/waas-auth.next.conf b/etc/waas-auth.next.conf
index 3b7c7a9c..e4c75c42 100644
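Review bot: SigningConfig in the second config.go hunk is exported without a doc comment, and nothing in the patch validates its two values even though Issuer becomes the `iss` claim, the base of the JWKS URI in handleOpenidConfiguration and the key of the identity claim in getIDToken, while AudiencePrefix is concatenated directly with the project id. A trailing slash on issuer yields a `//.well-known/jwks.json` URI, and a missing trailing slash on audience_prefix yields a malformed aud; both are values relying parties compare exactly, so the token would be rejected rather than fail loudly at startup. Suggest `// SigningConfig holds the issuer and audience settings used when minting ID tokens.` on the type, and a Validate method called from the config loader (the loader is outside this patch, and the method needs errors and strings imported):
```go
// Validate rejects signing settings that would produce malformed iss/aud claims.
func (c SigningConfig) Validate() error {
	if c.Issuer == "" || strings.HasSuffix(c.Issuer, "/") {
		return errors.New("signing.issuer must be a non-empty URL without a trailing slash")
	}
	if c.AudiencePrefix == "" || !strings.HasSuffix(c.AudiencePrefix, "/") {
		return errors.New("signing.audience_prefix must be a non-empty URL ending in '/'")
	}
	return nil
}
```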
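Review bot: The dev, next and prod conf hunks only append a `[signing]` table, whereas the sample conf also removes a `base_url` key; if those three files still carry the old key, whether the decoder rejects it or silently ignores a key that no longer maps to a Config field depends on its strictness, which is worth confirming before rollout. The new `issuer` values are also what handleOpenidConfiguration advertises as the JWKS location and what relying parties compare against `iss`, so each must be exactly the public origin the service is reached at, with no trailing slash, and `audience_prefix` must keep its trailing slash because getIDToken appends the project id with no separator.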
--- a/etc/waas-auth.next.conf
+++ b/etc/waas-auth.next.conf
@@ -49,3 +49,7 @@ QwIDAQAB
 [builder]
 base_url = "https://next-api.sequence.build"
 secret_id = "next-builder-jwt"
+
+[signing]
+ issuer = "https://next-waas.sequence.app"
+ audience_prefix = "https://next.sequence.build/project/"
diff --git a/etc/waas-auth.prod.conf b/etc/waas-auth.prod.conf
index 6e9be980..b525895a 100644
--- a/etc/waas-auth.prod.conf
+++ b/etc/waas-auth.prod.conf
@@ -49,3 +49,7 @@ MQIDAQAB
 [builder]
 base_url = "https://api.sequence.build"
 secret_id = "prod-builder-jwt"
+
+[signing]
+ issuer = "https://waas.sequence.app"
+ audience_prefix = "https://sequence.build/project/"
diff --git a/etc/waas-auth.sample.conf b/etc/waas-auth.sample.conf
index 9c264c4b..f6518049 100644
--- a/etc/waas-auth.sample.conf
+++ b/etc/waas-auth.sample.conf
@@ -7,7 +7,6 @@ region = "us-east-1"
 enclave_port = 9123
 proxy_port = 9124
 debug_profiler = true
- base_url = "http://localhost:9123"
 
 [telemetry]
 allow_any = true
@@ -52,3 +51,7 @@ QwIDAQAB
 [builder]
 base_url = "http://host.docker.internal:9999"
 secret_id = "BuilderJWT"
+
+[signing]
+ issuer = "http://localhost:9123"
+ audience_prefix = "http://host.docker.internal:9999/project/"
diff --git a/rpc/identity_provider.go b/rpc/identity_provider.go
index 74833296..4402e16c 100644
--- a/rpc/identity_provider.go
+++ b/rpc/identity_provider.go
@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"strconv"
 	"time"
 
 	"github.com/0xsequence/go-sequence/intents"
@@ -38,7 +39,7 @@ type jwks struct {
 
 func (s *RPC) handleOpenidConfiguration(w http.ResponseWriter, r *http.Request) {
 	cfg := &openidConfig{
-		JWKSURI: s.Config.BaseURL + "/.well-known/jwks.json",
+		JWKSURI: s.Config.Signing.Issuer + "/.well-known/jwks.json",
 	}
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(http.StatusOK)
@@ -100,18 +101,17 @@ func (s *RPC) getIDToken(
 		return nil, fmt.Errorf("getting wallet address: %w", err)
 	}
 
-	aud := fmt.Sprintf("%s/project/%d", s.Config.Builder.BaseURL, tnt.ProjectID)
 	iat := time.Now()
 	exp := iat.Add(10 * time.Minute)
 
 	tokenBuilder := jwt.NewBuilder().
 		Subject(walletAddr).
-		Audience([]string{aud}).
-		Issuer(s.Config.BaseURL).
+		Audience([]string{s.Config.Signing.AudiencePrefix + strconv.Itoa(int(tnt.ProjectID))}).
+		Issuer(s.Config.Signing.Issuer).
 		IssuedAt(iat).
 		Expiration(exp).
 		Claim("auth_time", sessData.CreatedAt.Unix()).
-		Claim(s.Config.BaseURL+"/identity", identity)
+		Claim(s.Config.Signing.Issuer+"/identity", identity)
 
 	if account.Email != "" {
 		tokenBuilder.Claim("email", account.Email)
diff --git a/rpc/identity_provider_test.go b/rpc/identity_provider_test.go
index efb43d34..feeecf82 100644
--- a/rpc/identity_provider_test.go
+++ b/rpc/identity_provider_test.go
@@ -44,8 +44,8 @@ func TestRPC_SendIntent_GetIdToken(t *testing.T) {
 	srv := httptest.NewServer(svc.Handler())
 	defer srv.Close()
 
-	svc.Config.BaseURL = srv.URL
-	svc.Config.Builder.BaseURL = "https://sequence.build"
+	svc.Config.Signing.Issuer = srv.URL
+	svc.Config.Signing.AudiencePrefix = "https://sequence.build/project/"
 
 	intentData := &intents.IntentDataGetIdToken{
 		Wallet: walletAddr,
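Review bot: `strconv.Itoa(int(tnt.ProjectID))` in the new Audience line narrows ProjectID to int before formatting, whereas the removed `%d` formatting handled the field at its native width; if ProjectID is a 64-bit or unsigned type (its declaration is not visible here) the conversion can wrap on 32-bit builds or for values above the int range, and aud is the value relying parties use to bind the token to a project. Formatting at native width avoids this: `Audience([]string{s.Config.Signing.AudiencePrefix + strconv.FormatUint(uint64(tnt.ProjectID), 10)}).` if the field is unsigned, or `strconv.FormatInt(int64(tnt.ProjectID), 10)` otherwise. The concatenation also assumes the configured AudiencePrefix already ends in "/", which nothing in the hunk checks. getIDToken starts and ends outside this hunk.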