pham/tokens-reef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1da074cfd684759ae2403cc49c975ff759d63f2d
tokens-reef/backend/internal/config/config_helpers.go
pham 75d03e4713 feat add jwt secret ops status
2026-04-24 08:32:16 +08:00

153 lines
3.6 KiB
Go
Raw Blame History

package config
import (
"crypto/rand"
"encoding/hex"
"fmt"
"log/slog"
"net/url"
"strings"
"github.com/spf13/viper"
)
// normalizeStringSlice normalizes a string slice by trimming empties.
func normalizeStringSlice(values []string) []string {
if len(values) == 0 {
return values
}
out := make([]string, 0, len(values))
for _, v := range values {
if t := strings.TrimSpace(v); t != "" {
out = append(out, t)
}
}
return out
}
func isWeakJWTSecret(secret string) bool {
lower := strings.ToLower(strings.TrimSpace(secret))
if lower == "" {
return true
}
weak := map[string]struct{}{
"change-me-in-production": {}, "changeme": {}, "secret": {}, "password": {},
"123456": {}, "12345678": {}, "admin": {}, "jwt-secret": {},
}
_, exists := weak[lower]
return exists
}
func generateJWTSecret(byteLength int) (string, error) {
if byteLength <= 0 {
byteLength = 32
}
buf := make([]byte, byteLength)
if _, err := rand.Read(buf); err != nil {
return "", err
}
return hex.EncodeToString(buf), nil
}
// GetServerAddress returns server address before full config validation (for setup wizard).
func GetServerAddress() string {
v := viper.New()
v.SetConfigName("config")
v.SetConfigType("yaml")
v.AddConfigPath(".")
v.AddConfigPath("./config")
v.AddConfigPath("/etc/sub2api")
v.AutomaticEnv()
v.SetEnvKeyReplacer(strings.NewReplacer(".", "_"))
v.SetDefault("server.host", "0.0.0.0")
v.SetDefault("server.port", 8080)
_ = v.ReadInConfig()
return fmt.Sprintf("%s:%d", v.GetString("server.host"), v.GetInt("server.port"))
}
// ValidateAbsoluteHTTPURL validates an absolute HTTP(S) URL.
func ValidateAbsoluteHTTPURL(raw string) error {
raw = strings.TrimSpace(raw)
if raw == "" {
return fmt.Errorf("empty url")
}
u, err := url.Parse(raw)
if err != nil {
return err
}
if !u.IsAbs() {
return fmt.Errorf("must be absolute")
}
if !isHTTPScheme(u.Scheme) {
return fmt.Errorf("unsupported scheme: %s", u.Scheme)
}
if strings.TrimSpace(u.Host) == "" {
return fmt.Errorf("missing host")
}
if u.Fragment != "" {
return fmt.Errorf("must not include fragment")
}
return nil
}
// ValidateFrontendRedirectURL validates frontend redirect URL (absolute http(s) or relative path).
func ValidateFrontendRedirectURL(raw string) error {
raw = strings.TrimSpace(raw)
if raw == "" {
return fmt.Errorf("empty url")
}
if strings.ContainsAny(raw, "\r\n") {
return fmt.Errorf("contains invalid characters")
}
if strings.HasPrefix(raw, "/") {
if strings.HasPrefix(raw, "//") {
return fmt.Errorf("must not start with //")
}
return nil
}
u, err := url.Parse(raw)
if err != nil {
return err
}
if !u.IsAbs() {
return fmt.Errorf("must be absolute http(s) url or relative path")
}
if !isHTTPScheme(u.Scheme) {
return fmt.Errorf("unsupported scheme: %s", u.Scheme)
}
if strings.TrimSpace(u.Host) == "" {
return fmt.Errorf("missing host")
}
if u.Fragment != "" {
return fmt.Errorf("must not include fragment")
}
return nil
}
func scopeContainsOpenID(scopes string) bool {
for _, scope := range strings.Fields(strings.ToLower(strings.TrimSpace(scopes))) {
if scope == "openid" {
return true
}
}
return false
}
func IsWeakJWTSecret(secret string) bool {
return isWeakJWTSecret(secret)
}
func isHTTPScheme(scheme string) bool {
return strings.EqualFold(scheme, "http") || strings.EqualFold(scheme, "https")
}
func warnIfInsecureURL(field, raw string) {
u, err := url.Parse(strings.TrimSpace(raw))
if err != nil {
return
}
if strings.EqualFold(u.Scheme, "http") {
slog.Warn("url uses http scheme; use https in production to avoid token leakage", "field", field)
}
}
Reference in New Issue View Git Blame Copy Permalink