feat: Add option to use HS512 secret for JWT instead of ED25519 (#680)

* Add functionality for HS512 JWT tokens * Add HS512_SECRET to installation docs * Update CHANGELOG.md regarding HS512 * Move HS512_SECRET to advenced section in docs * Move token Keyfunc logic to Server function * Add Keyfunc to spelling * chore: spelling Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net> Co-authored-by: Martin Weidenauer <mweidenauer@nanx0as46153.anx.local> Co-authored-by: Xe Iaso <me@xeiaso.net>
2025-06-26 12:06:44 +02:00 · 2025-06-26 12:06:44 +02:00 · 59f5b07281
commit 59f5b07281
parent 1562f88c35
7 changed files with 68 additions and 36 deletions
--- a/lib/config.go
+++ b/lib/config.go
@ -36,7 +36,8 @@ type Options struct {
 	BasePrefix        string
 	WebmasterEmail    string
 	RedirectDomains   []string
-	PrivateKey        ed25519.PrivateKey
+	ED25519PrivateKey ed25519.PrivateKey
+	HS512Secret       []byte
 	CookieExpiration  time.Duration
 	StripBasePrefix   bool
 	OpenGraph         config.OpenGraph
@ -88,13 +89,13 @@ func LoadPoliciesOrDefault(ctx context.Context, fname string, defaultDifficulty
 }

 func New(opts Options) (*Server, error) {
-	if opts.PrivateKey == nil {
+	if opts.ED25519PrivateKey == nil && opts.HS512Secret == nil {
 		slog.Debug("opts.PrivateKey not set, generating a new one")
 		_, priv, err := ed25519.GenerateKey(rand.Reader)
 		if err != nil {
 			return nil, fmt.Errorf("lib: can't generate private key: %v", err)
 		}
-		opts.PrivateKey = priv
+		opts.ED25519PrivateKey = priv
 	}

 	anubis.BasePrefix = opts.BasePrefix
@ -106,14 +107,14 @@ func New(opts Options) (*Server, error) {
 	}

 	result := &Server{
-		next:       opts.Next,
-		priv:       opts.PrivateKey,
-		pub:        opts.PrivateKey.Public().(ed25519.PublicKey),
-		policy:     opts.Policy,
-		opts:       opts,
-		DNSBLCache: decaymap.New[string, dnsbl.DroneBLResponse](),
-		OGTags:     ogtags.NewOGTagCache(opts.Target, opts.Policy.OpenGraph),
-		cookieName: cookieName,
+		next:        opts.Next,
+		ed25519Priv: opts.ED25519PrivateKey,
+		hs512Secret: opts.HS512Secret,
+		policy:      opts.Policy,
+		opts:        opts,
+		DNSBLCache:  decaymap.New[string, dnsbl.DroneBLResponse](),
+		OGTags:      ogtags.NewOGTagCache(opts.Target, opts.Policy.OpenGraph),
+		cookieName:  cookieName,
 	}

 	mux := http.NewServeMux()