feat(auth): migrate JWT from HS256 to RS256

- Add services/auth/app/config.py with JWT_PRIVATE_KEY and JWT_PUBLIC_KEY
  (Auth Service local config - private key never leaves this service)
- Update routes.py: sign tokens with RS256 private key
- Update deps.py + verify.py: verify tokens with RS256 public key
- Update shared/config.py: replace JWT_SECRET/JWT_ALGORITHM with
  JWT_PUBLIC_KEY (for optional local verification by other services)
- Add sys.path fix in main.py for local dev without PYTHONPATH
Roberto Musso
2026-03-22 00:50:36 +01:00
parent aa219a4d08
commit 9feeaa79c8
6 changed files with 49 additions and 8 deletions


@@ -13,10 +13,11 @@ class Settings(BaseSettings):
# ── Database ─────────────────────────────────────────────────────
DATABASE_URL: str = "postgresql+asyncpg://postgres:postgres@localhost:5432/adiuva"
# ── JWT (Auth Service owns the secret; others only need it for
# local dev without Traefik ForwardAuth) ───────────────────────
JWT_SECRET: str = "change-me-in-production"
JWT_ALGORITHM: str = "HS256"
# ── JWT ────────────────────────────────────────────────────────
# RS256 public key (PEM). Used by any service that needs to verify
# JWTs locally (optional — Traefik ForwardAuth handles this in prod).
# The private key lives ONLY in the Auth Service config.
JWT_PUBLIC_KEY: str = ""
JWT_ACCESS_TOKEN_EXPIRE_MINUTES: int = 30
JWT_REFRESH_TOKEN_EXPIRE_DAYS: int = 30