feat!: drop support for storing JWK on the filesystem (#1088)

2026-02-15 02:20:10 +00:00 · 2025-11-14 12:02:51 +01:00
parent 2694d79add
commit e22822890f
13 changed files with 243 additions and 1315 deletions
--- a/backend/internal/common/env_config.go
+++ b/backend/internal/common/env_config.go
@@ -47,8 +47,6 @@ type EnvConfigSchema struct {
 	S3AccessKeyID      string     `env:"S3_ACCESS_KEY_ID"`
 	S3SecretAccessKey  string     `env:"S3_SECRET_ACCESS_KEY"`
 	S3ForcePathStyle   bool       `env:"S3_FORCE_PATH_STYLE"`
-	KeysPath           string     `env:"KEYS_PATH"`
-	KeysStorage        string     `env:"KEYS_STORAGE"`
 	EncryptionKey      []byte     `env:"ENCRYPTION_KEY" options:"file"`
 	Port               string     `env:"PORT"`
 	Host               string     `env:"HOST" options:"toLower"`
@@ -84,7 +82,6 @@ func defaultConfig() EnvConfigSchema {
 		LogLevel:      "info",
 		DbProvider:    "sqlite",
 		FileBackend:   "fs",
-		KeysPath:      "data/keys",
 		AppURL:        AppUrl,
 		Port:          "1411",
 		Host:          "0.0.0.0",
@@ -112,21 +109,20 @@ func parseEnvConfig() error {
 		return fmt.Errorf("error preparing env config: %w", err)
 	}

-	err = validateEnvConfig(&EnvConfig)
-	if err != nil {
-		return err
-	}
-
 	return nil

 }

-// validateEnvConfig checks the EnvConfig for required fields and valid values
-func validateEnvConfig(config *EnvConfigSchema) error {
+// ValidateEnvConfig checks the EnvConfig for required fields and valid values
+func ValidateEnvConfig(config *EnvConfigSchema) error {
 	if _, err := sloggin.ParseLevel(config.LogLevel); err != nil {
 		return errors.New("invalid LOG_LEVEL value. Must be 'debug', 'info', 'warn' or 'error'")
 	}

+	if len(config.EncryptionKey) < 16 {
+		return errors.New("ENCRYPTION_KEY must be at least 16 bytes long")
+	}
+
 	switch config.DbProvider {
 	case DbProviderSqlite:
 		if config.DbConnectionString == "" {
@@ -161,25 +157,8 @@ func validateEnvConfig(config *EnvConfigSchema) error {
 		}
 	}

-	switch config.KeysStorage {
-	// KeysStorage defaults to "file" if empty
-	case "":
-		config.KeysStorage = "file"
-	case "database":
-		if config.EncryptionKey == nil {
-			return errors.New("ENCRYPTION_KEY must be non-empty when KEYS_STORAGE is database")
-		}
-	case "file":
-		// All good, these are valid values
-	default:
-		return fmt.Errorf("invalid value for KEYS_STORAGE: %s", config.KeysStorage)
-	}
-
 	switch config.FileBackend {
 	case "s3":
-		if config.KeysStorage == "file" {
-			return errors.New("KEYS_STORAGE cannot be 'file' when FILE_BACKEND is 's3'")
-		}
 	case "", "fs":
 		if config.UploadPath == "" {
 			config.UploadPath = defaultFsUploadPath