feat(auth): replace .env/godotenv secret handling with config-based secrets

Secrets (JWT keys, LDAP sync password, OIDC client id/secret, cross-login
keys) are now configured directly in config.json under the auth section
where they are used. Each secret can still be supplied via its existing
environment variable, which takes precedence over the config value.

The godotenv dependency, the .env file, configs/env-template.txt and the
loadEnvironment() bootstrap step are removed. -init now writes the demo
JWT keys into config.json instead of a .env file.

Closes #283

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Entire-Checkpoint: 3a7cb814c53f

cmd/cc-backend/cli.go

@@ -17,7 +17,7 @@ var (
 )
 
 func cliInit() {
-	flag.BoolVar(&flagInit, "init", false, "Setup var directory, initialize sqlite database file, config.json and .env")
+	flag.BoolVar(&flagInit, "init", false, "Setup var directory, initialize sqlite database file and config.json")
 	flag.BoolVar(&flagReinitDB, "init-db", false, "Go through job-archive and re-initialize the 'job', 'tag', and 'jobtag' tables (all running jobs will be lost!)")
 	flag.BoolVar(&flagSyncLDAP, "sync-ldap", false, "Sync the 'hpc_user' table with ldap")
 	flag.BoolVar(&flagServer, "server", false, "Start a server, continues listening on port after initialization and argument handling")

cmd/cc-backend/init.go

@@ -18,13 +18,6 @@ import (
 	"github.com/ClusterCockpit/cc-lib/v2/util"
 )
 
-const envString = `
-# Base64 encoded Ed25519 keys (DO NOT USE THESE TWO IN PRODUCTION!)
-# You can generate your own keypair using the gen-keypair tool
-JWT_PUBLIC_KEY="kzfYrYy+TzpanWZHJ5qSdMj5uKUWgq74BWhQG6copP0="
-JWT_PRIVATE_KEY="dtPC/6dWJFKZK7KZ78CvWuynylOmjBFyMsUWArwmodOTN9itjL5POlqdZkcnmpJ0yPm4pRaCrvgFaFAbpyik/Q=="
-`
-
 const configString = `
 {
   "main": {
@@ -54,7 +47,9 @@ const configString = `
   },
   "auth": {
     "jwts": {
-      "max-age": "2000h"
+      "max-age": "2000h",
+      "public-key": "kzfYrYy+TzpanWZHJ5qSdMj5uKUWgq74BWhQG6copP0=",
+      "private-key": "dtPC/6dWJFKZK7KZ78CvWuynylOmjBFyMsUWArwmodOTN9itjL5POlqdZkcnmpJ0yPm4pRaCrvgFaFAbpyik/Q=="
     }
   }
 }
@@ -69,10 +64,6 @@ func initEnv() {
 		cclog.Abortf("Could not write default ./config.json with permissions '0o666'. Application initialization failed, exited.\nError: %s\n", err.Error())
 	}
 
-	if err := os.WriteFile(".env", []byte(envString), 0o666); err != nil {
-		cclog.Abortf("Could not write default ./.env file with permissions '0o666'. Application initialization failed, exited.\nError: %s\n", err.Error())
-	}
-
 	if err := os.Mkdir("var", 0o777); err != nil {
 		cclog.Abortf("Could not create default ./var folder with permissions '0o777'. Application initialization failed, exited.\nError: %s\n", err.Error())
 	}

cmd/cc-backend/main.go

@@ -39,7 +39,6 @@ import (
 	"github.com/ClusterCockpit/cc-lib/v2/schema"
 	"github.com/ClusterCockpit/cc-lib/v2/util"
 	"github.com/google/gops/agent"
-	"github.com/joho/godotenv"
 
 	_ "github.com/mattn/go-sqlite3"
 )
@@ -89,13 +88,6 @@ func initGops() error {
 	return nil
 }
 
-func loadEnvironment() error {
-	if err := godotenv.Load(); err != nil {
-		return fmt.Errorf("loading .env file: %w", err)
-	}
-	return nil
-}
-
 func initConfiguration() error {
 	ccconf.Init(flagConfigFile)
 
@@ -224,7 +216,14 @@ func checkDefaultSecurityKeys() {
 	// Default JWT public key from init.go
 	defaultJWTPublic := "kzfYrYy+TzpanWZHJ5qSdMj5uKUWgq74BWhQG6copP0="
 
-	if os.Getenv("JWT_PUBLIC_KEY") == defaultJWTPublic {
+	// Resolve the public key the same way the authenticators do: environment
+	// variable takes precedence over the value configured in config.json.
+	pubKey := os.Getenv("JWT_PUBLIC_KEY")
+	if pubKey == "" && auth.Keys.JwtConfig != nil {
+		pubKey = auth.Keys.JwtConfig.PublicKey
+	}
+
+	if pubKey == defaultJWTPublic {
 		cclog.Warn("Using default JWT keys - not recommended for production environments")
 	}
 }
@@ -495,7 +494,7 @@ func run() error {
 	if flagInit {
 		initEnv()
 		cclog.Exit("Successfully setup environment!\n" +
-			"Please review config.json and .env and adjust it to your needs.\n" +
+			"Please review config.json and adjust it to your needs.\n" +
 			"Add your job-archive at ./var/job-archive.")
 	}
 
@@ -505,17 +504,12 @@ func run() error {
 	}
 
 	// Initialize subsystems in dependency order:
-	// 1. Load environment variables from .env file (contains sensitive configuration)
-	// 2. Load configuration from config.json (may reference environment variables)
-	// 3. Handle database migration commands if requested
-	// 4. Initialize database connection (requires config for connection string)
-	// 5. Handle user commands if requested (requires database and authentication config)
-	// 6. Initialize subsystems like archive and metrics (require config and database)
-
-	// Load environment and configuration
-	if err := loadEnvironment(); err != nil {
-		return err
-	}
+	// 1. Load configuration from config.json (secrets live in config; individual
+	//    secrets may be overridden via environment variables)
+	// 2. Handle database migration commands if requested
+	// 3. Initialize database connection (requires config for connection string)
+	// 4. Handle user commands if requested (requires database and authentication config)
+	// 5. Initialize subsystems like archive and metrics (require config and database)
 
 	if err := initConfiguration(); err != nil {
 		return err