feat(auth): replace .env/godotenv secret handling with config-based secrets

Secrets (JWT keys, LDAP sync password, OIDC client id/secret, cross-login keys) are now configured directly in config.json under the auth section where they are used. Each secret can still be supplied via its existing environment variable, which takes precedence over the config value. The godotenv dependency, the .env file, configs/env-template.txt and the loadEnvironment() bootstrap step are removed. -init now writes the demo JWT keys into config.json instead of a .env file. Closes #283 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Entire-Checkpoint: 3a7cb814c53f
2026-06-18 01:17:29 +02:00 · 2026-06-17 12:28:17 +02:00
parent 07b9a57479
commit 83d04dff17
22 changed files with 151 additions and 95 deletions
--- a/internal/auth/jwtSession.go
+++ b/internal/auth/jwtSession.go
@@ -10,7 +10,6 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
-	"os"
 	"strings"

 	cclog "github.com/ClusterCockpit/cc-lib/v2/ccLogger"
@@ -25,12 +24,12 @@ type JWTSessionAuthenticator struct {
 var _ Authenticator = (*JWTSessionAuthenticator)(nil)

 func (ja *JWTSessionAuthenticator) Init() error {
-	pubKey := os.Getenv("CROSS_LOGIN_JWT_HS512_KEY")
+	pubKey := secretFromEnv("CROSS_LOGIN_JWT_HS512_KEY", Keys.JwtConfig.CrossLoginHS512Key)
 	if pubKey == "" {
 		// Without a configured key the HMAC verification below would run against
 		// an empty key, which lets anyone forge a valid token. Refuse to register
 		// the authenticator in that case so JWT session login is simply disabled.
-		return errors.New("CROSS_LOGIN_JWT_HS512_KEY not set: JWT session login disabled")
+		return errors.New("cross login HS512 key not configured ('cross-login-hs512-key' in config or 'CROSS_LOGIN_JWT_HS512_KEY' env): JWT session login disabled")
 	}

 	bytes, err := base64.StdEncoding.DecodeString(pubKey)