Update READMEs

configs/README.md

@@ -52,6 +52,7 @@ All security relevant configuration. e.g., keys and passwords, are set using env
 
 An example env file is found in this directory. Copy it to `.env` in the project root and adapt it for your needs.
 
-* `JWT_PUBLIC_KEY` and `JWT_PRIVATE_KEY`:  Base64 encoded Ed25519 keys used for JSON Web Token (JWT) authentication . TODO: Details! You can generate your own keypair using `go run utils/gen-keypair.go`
+* `JWT_PUBLIC_KEY` and `JWT_PRIVATE_KEY`: Base64 encoded Ed25519 keys used for JSON Web Token (JWT) authentication. You can generate your own keypair using `go run utils/gen-keypair.go`. More information in [README_TOKENS.md](./README_TOKENS.md)
 * `SESSION_KEY`: Some random bytes used as secret for cookie-based sessions.
 * `LDAP_ADMIN_PASSWORD`: The LDAP admin user password (optional).
+* `CROSS_LOGIN_JWT_HS512_KEY`: Used for token based logins via another authentication service.

configs/README_TOKENS.md

@@ -5,7 +5,9 @@ JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and s
 This information can be verified and trusted because it is digitally signed.
 In ClusterCockpit JWTs are signed using a public/private key pair using ECDSA.
 Because tokens are signed using public/private key pairs, the signature also certifies that only the party holding the private key is the one that signed it.
-Currently JWT tokens in ClusterCockpit not yet expire.
+Expiration of the generated tokens as well as the max. length of a browser session can be configured in the `config.json` file described [here](./README.md).
+
+The [Ed25519](https://ed25519.cr.yp.to/) algorithm for signatures was used because it is compatible with other tools that require authentication, such as NATS.io, and because these elliptic-curve methods provide simillar security with smaller keys compared to something like RSA. They are sligthly more expensive to validate, but that effect is negligible.
 
 ## JWT Payload
 
@@ -14,33 +16,36 @@ Currently ClusterCockpit sets the following claims:
 * `iat`: Issued at claim. The “iat” claim is used to identify the the time at which the JWT was issued. This claim can be used to determine the age of the JWT.
 * `sub`: Subject claim. Identifies the subject of the JWT, in our case this is the username.
 * `roles`: An array of strings specifying the roles set for the subject.
+* `exp`: Expiration date of the token (only if explicitly configured)
+
+It is important to know that JWTs are not encrypted, only signed. This means that outsiders cannot create new JWTs or modify existing ones, but they are able to read out the username.
 
 ## Workflow
 
 1. Create a new ECDSA Public/private keypair:
 ```
-$ go build ./tools/gen-keypair.go
+$ go build ./cmd/gen-keypair/
 $ ./gen-keypair
 ```
 2. Add keypair in your `.env` file. A template can be found in `./configs`.
 
-There are two usage scenarios:
-* The APIs are used during a browser session. In this case on login a JWT token is issued on login, that is used by the web frontend to authorize against the GraphQL and REST APIs.
-* The REST API is used outside a browser session, e.g. by scripts. In this case you have to issue a token manually. This possible from within the configuration view or on the command line. It is recommended to issue a JWT token in this case for a special user that only has the `api` role. By using different users for different purposes a fine grained access control and access revocation management is possible.
+When a user logs in via the `/login` page using a browser, a session cookie (secured using the random bytes in the `SESSION_KEY` env. variable you shoud change as well) is used for all requests after the successfull login. The JWTs make it easier to use the APIs of ClusterCockpit using scripts or other external programs. The token is specified n the `Authorization` HTTP header using the [Bearer schema](https://datatracker.ietf.org/doc/html/rfc6750) (there is an example below). Tokens can be issued to users from the configuration view in the Web-UI or the command line. In order to use the token for API endpoints such as `/api/jobs/start_job/`, the user that executes it needs to have the `api` role. Regular users can only perform read-only queries and only look at data connected to jobs they started themselves.
 
-The token is commonly specified in the Authorization HTTP header using the Bearer schema.
+## cc-metric-store
+
+The [cc-metric-store](https://github.com/ClusterCockpit/cc-metric-store) also uses JWTs for authentication. As it does not issue new tokens, it does not need to kown the private key. The public key of the keypair that is used to generate the JWTs that grant access to the `cc-metric-store` can be specified in its `config.json`. When configuring the `metricDataRepository` object in the `cluster.json` file, you can put a token issued by ClusterCockpit itself.
 
 ## Setup user and JWT token for REST API authorization
 
 1. Create user:
 ```
-$ ./cc-backend --add-user <username>:api:<Password> --no-server
+$ ./cc-backend --add-user <username>:api:<password> --no-server
 ```
 2. Issue token for user:
 ```
-$ ./cc-backend -jwt <username>  -no-server
+$ ./cc-backend --jwt <username> --no-server
 ```
 3. Use issued token token on client side:
 ```
-$ curl -X GET "<API ENDPOINT>" -H "accept: application/json"  -H "Content-Type: application/json"  -H "Authorization: Bearer <JWT TOKEN>"
+$ curl -X GET "<API ENDPOINT>" -H "accept: application/json" -H "Content-Type: application/json" -H "Authorization: Bearer <JWT TOKEN>"
 ```