feat!: drop support for storing JWK on the filesystem (#1088)

2026-02-15 11:40:13 +00:00 · 2025-11-14 12:02:51 +01:00
parent e1c5021eee
commit f0144584af
12 changed files with 241 additions and 1326 deletions
--- a/backend/internal/common/env_config.go
+++ b/backend/internal/common/env_config.go
@@ -52,8 +52,6 @@ type EnvConfigSchema struct {
 	S3SecretAccessKey               string     `env:"S3_SECRET_ACCESS_KEY"`
 	S3ForcePathStyle                bool       `env:"S3_FORCE_PATH_STYLE"`
 	S3DisableDefaultIntegrityChecks bool       `env:"S3_DISABLE_DEFAULT_INTEGRITY_CHECKS"`
-	KeysPath                        string     `env:"KEYS_PATH"`
-	KeysStorage                     string     `env:"KEYS_STORAGE"`
 	EncryptionKey                   []byte     `env:"ENCRYPTION_KEY" options:"file"`
 	Port                            string     `env:"PORT"`
 	Host                            string     `env:"HOST" options:"toLower"`
@@ -90,7 +88,6 @@ func defaultConfig() EnvConfigSchema {
 		LogLevel:              "info",
 		DbProvider:            "sqlite",
 		FileBackend:           "filesystem",
-		KeysPath:              "data/keys",
 		AuditLogRetentionDays: 90,
 		AppURL:                AppUrl,
 		Port:                  "1411",
@@ -119,21 +116,20 @@ func parseEnvConfig() error {
 		return fmt.Errorf("error preparing env config: %w", err)
 	}

-	err = validateEnvConfig(&EnvConfig)
-	if err != nil {
-		return err
-	}
-
 	return nil

 }

-// validateEnvConfig checks the EnvConfig for required fields and valid values
-func validateEnvConfig(config *EnvConfigSchema) error {
+// ValidateEnvConfig checks the EnvConfig for required fields and valid values
+func ValidateEnvConfig(config *EnvConfigSchema) error {
 	if _, err := sloggin.ParseLevel(config.LogLevel); err != nil {
 		return errors.New("invalid LOG_LEVEL value. Must be 'debug', 'info', 'warn' or 'error'")
 	}

+	if len(config.EncryptionKey) < 16 {
+		return errors.New("ENCRYPTION_KEY must be at least 16 bytes long")
+	}
+
 	switch config.DbProvider {
 	case DbProviderSqlite:
 		if config.DbConnectionString == "" {
@@ -168,28 +164,10 @@ func validateEnvConfig(config *EnvConfigSchema) error {
 		}
 	}

-	switch config.KeysStorage {
-	// KeysStorage defaults to "file" if empty
-	case "":
-		config.KeysStorage = "file"
-	case "database":
-		if config.EncryptionKey == nil {
-			return errors.New("ENCRYPTION_KEY must be non-empty when KEYS_STORAGE is database")
-		}
-	case "file":
-		// All good, these are valid values
-	default:
-		return fmt.Errorf("invalid value for KEYS_STORAGE: %s", config.KeysStorage)
-	}
-
 	switch config.FileBackend {
-	case "s3":
-		if config.KeysStorage == "file" {
-			return errors.New("KEYS_STORAGE cannot be 'file' when FILE_BACKEND is 's3'")
-		}
-	case "database":
+	case "s3", "database":
 		// All good, these are valid values
-	case "", "filesystem":
+	case "", "fs":
 		if config.UploadPath == "" {
 			config.UploadPath = defaultFsUploadPath
 		}