feat(auth): replace .env/godotenv secret handling with config-based secrets

Secrets (JWT keys, LDAP sync password, OIDC client id/secret, cross-login keys) are now configured directly in config.json under the auth section where they are used. Each secret can still be supplied via its existing environment variable, which takes precedence over the config value. The godotenv dependency, the .env file, configs/env-template.txt and the loadEnvironment() bootstrap step are removed. -init now writes the demo JWT keys into config.json instead of a .env file. Closes #283 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Entire-Checkpoint: 3a7cb814c53f
2026-06-18 01:17:29 +02:00 · 2026-06-17 12:28:17 +02:00
parent 07b9a57479
commit 83d04dff17
22 changed files with 151 additions and 95 deletions
--- a/internal/auth/schema.go
+++ b/internal/auth/schema.go
@@ -34,6 +34,22 @@ var configSchema = `
        "update-user-on-login": {
          "description": "Should an existent user attributes in the DB be updated at login attempt with values provided in JWT.",
          "type": "boolean"
+        },
+        "public-key": {
+          "description": "Base64 encoded Ed25519 public key used to validate JWTs. Overridden by the JWT_PUBLIC_KEY environment variable when set.",
+          "type": "string"
+        },
+        "private-key": {
+          "description": "Base64 encoded Ed25519 private key used to sign JWTs. Overridden by the JWT_PRIVATE_KEY environment variable when set.",
+          "type": "string"
+        },
+        "cross-login-public-key": {
+          "description": "Base64 encoded Ed25519 public key for accepting externally generated JWTs. Overridden by the CROSS_LOGIN_JWT_PUBLIC_KEY environment variable when set.",
+          "type": "string"
+        },
+        "cross-login-hs512-key": {
+          "description": "Base64 encoded HMAC (HS256/HS512) key for accepting externally generated session login tokens. Overridden by the CROSS_LOGIN_JWT_HS512_KEY environment variable when set.",
+          "type": "string"
        }
      },
      "required": ["max-age"]
@@ -52,6 +68,14 @@ var configSchema = `
        "update-user-on-login": {
          "description": "Should an existent user attributes in the DB be updated at login attempt with values provided.",
          "type": "boolean"
+        },
+        "client-id": {
+          "description": "OAuth2 client ID for the OIDC provider. Overridden by the OID_CLIENT_ID environment variable when set.",
+          "type": "string"
+        },
+        "client-secret": {
+          "description": "OAuth2 client secret for the OIDC provider. Overridden by the OID_CLIENT_SECRET environment variable when set.",
+          "type": "string"
        }
      },
      "required": ["provider"]
@@ -103,6 +127,10 @@ var configSchema = `
        "update-user-on-login": {
          "description": "Should an existent user attributes in the DB be updated at login attempt with values from LDAP.",
          "type": "boolean"
+        },
+        "sync-password": {
+          "description": "Password for the LDAP admin account used for syncing. Overridden by the LDAP_ADMIN_PASSWORD environment variable when set.",
+          "type": "string"
        }
      },
      "required": ["url", "user-base", "search-dn", "user-bind", "user-filter"]