package cli import ( "errors" "fmt" "log/slog" "time" "github.com/lestrrat-go/jwx/v2/jwa" "github.com/lestrrat-go/jwx/v2/jwt" "code.icb4dc0.de/prskr/searcherside/core/ports" "code.icb4dc0.de/prskr/searcherside/internal/cli" ) var ErrJwtSecretRequired = errors.New("JWT secret is required") type TokenHandler struct { Token struct { Secret cli.HexString `name:"secret" help:"JWT secret"` Lifetime time.Duration `name:"lifetime" help:"JWT lifetime" default:"24h"` Subject string `name:"subject" help:"JWT subject" default:"${WHOAMI=nobody}"` Claims []cli.TokenClaim `name:"claims" help:"JWT claims"` } `embed:"" prefix:"token."` } func (h *TokenHandler) Run(stdout ports.STDOUT, logger *slog.Logger) error { now := time.Now().UTC() if len(h.Token.Secret) == 0 { return ErrJwtSecretRequired } if tokenLength := len(h.Token.Secret); tokenLength < jwtSecretLength { logger.Warn( "The secret does not have the recommended length", slog.Int("actual_length", tokenLength), slog.Int("recommended_length", jwtSecretLength), ) } token := jwt.New() for _, claim := range h.Token.Claims { if err := token.Set(claim.Key, claim.Value); err != nil { return err } } if err := token.Set(jwt.SubjectKey, h.Token.Subject); err != nil { return err } if err := token.Set(jwt.NotBeforeKey, now); err != nil { return err } if err := token.Set(jwt.ExpirationKey, now.Add(h.Token.Lifetime)); err != nil { return err } tokenString, err := jwt.Sign(token, jwt.WithKey(jwa.HS256, h.Token.Secret.Raw())) if err != nil { return err } _, err = fmt.Fprintln(stdout, string(tokenString)) return err }