go-duck-cli 1.1.16 → 1.1.18

package/generators/devops.js

@@ -161,6 +161,12 @@ services:
     environment:
       KEYCLOAK_ADMIN: admin
       KEYCLOAK_ADMIN_PASSWORD: admin
+      KC_DB: postgres
+      KC_DB_URL: jdbc:postgresql://postgres:5432/${config.datasource?.database || 'go_duck_master'}
+      KC_DB_USERNAME: ${config.datasource?.username || 'postgres'}
+      KC_DB_PASSWORD: ${config.datasource?.password || 'password'}
+    depends_on:
+      - postgres
     volumes:
       - ./keycloak/realm-config:/opt/keycloak/data/import
     ports:

package/generators/kratos.js

@@ -336,7 +336,14 @@ func NewGRPCServer(conf *config.Config, repo *repository.Repository) *grpc.Serve
 		grpc.Middleware(
 			recovery.Recovery(),
 			kjwt.Server(func(token *jwt.Token) (interface{}, error) {
-				return []byte(conf.GoDuck.Security.KeycloakAppClientSecret), nil
+				if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
+					return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+				}
+				kid, ok := token.Header["kid"].(string)
+				if !ok {
+					return nil, fmt.Errorf("missing kid header")
+				}
+				return my_middleware.GetPublicKeyByKid(kid, conf)
 			}, kjwt.WithClaims(func() jwt.Claims { return &jwt.MapClaims{} })),
 			TenantServerInterceptor(conf, repo.DB),
 		),

package/generators/security.js

@@ -10,15 +10,134 @@ export const generateSecurityMiddleware = async (config, outputDir) => {
 package middleware
 
 import (
+	"crypto/rsa"
+	"encoding/base64"
+	"encoding/json"
 	"fmt"
+	"math/big"
 	"net/http"
 	"strings"
+	"sync"
+	"time"
 
 	"github.com/gin-gonic/gin"
 	"github.com/golang-jwt/jwt/v4"
 	"{{app_name}}/config"
 )
 
+type JWK struct {
+	Kid string   \`json:"kid"\`
+	Kty string   \`json:"kty"\`
+	Alg string   \`json:"alg"\`
+	Use string   \`json:"use"\`
+	N   string   \`json:"n"\`
+	E   string   \`json:"e"\`
+	X5c []string \`json:"x5c"\`
+}
+
+type JWKKeySet struct {
+	Keys []JWK \`json:"keys"\`
+}
+
+var (
+	jwkCache   = make(map[string]*rsa.PublicKey)
+	cacheMu    sync.RWMutex
+	lastFetch  time.Time
+)
+
+func GetPublicKeyByKid(kid string, cfg *config.Config) (interface{}, error) {
+	cacheMu.RLock()
+	pubKey, exists := jwkCache[kid]
+	cacheMu.RUnlock()
+
+	if exists {
+		return pubKey, nil
+	}
+
+	// Rate limit fetching to once every 10 seconds to prevent resource exhaustion
+	cacheMu.Lock()
+	defer cacheMu.Unlock()
+
+	// Double check cache
+	if pubKey, exists = jwkCache[kid]; exists {
+		return pubKey, nil
+	}
+
+	if time.Since(lastFetch) < 10*time.Second && len(jwkCache) > 0 {
+		return nil, fmt.Errorf("public key not found in cache and fetch rate limited")
+	}
+
+	// Fetch from Keycloak JWKS endpoint
+	keycloakHost := cfg.GoDuck.Security.KeycloakHost
+	realm := cfg.GoDuck.Security.KeycloakRealm
+	if keycloakHost == "" || realm == "" {
+		return nil, fmt.Errorf("keycloak-host or keycloak-realm not configured")
+	}
+
+	jwksURL := fmt.Sprintf("%s/realms/%s/protocol/openid-connect/certs", strings.TrimSuffix(keycloakHost, "/"), realm)
+
+	client := &http.Client{Timeout: 5 * time.Second}
+	resp, err := client.Get(jwksURL)
+	if err != nil {
+		return nil, fmt.Errorf("failed to fetch JWKS from Keycloak: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("unexpected status from JWKS: %d", resp.StatusCode)
+	}
+
+	var jwks JWKKeySet
+	if err := json.NewDecoder(resp.Body).Decode(&jwks); err != nil {
+		return nil, fmt.Errorf("failed to decode JWKS JSON: %w", err)
+	}
+
+	// Update cache
+	newCache := make(map[string]*rsa.PublicKey)
+	for _, jwk := range jwks.Keys {
+		if jwk.Kty != "RSA" || jwk.N == "" || jwk.E == "" {
+			continue
+		}
+
+		// Decode modulus (n)
+		nBytes, err := base64.RawURLEncoding.DecodeString(jwk.N)
+		if err != nil {
+			continue
+		}
+
+		// Decode exponent (e)
+		eBytes, err := base64.RawURLEncoding.DecodeString(jwk.E)
+		if err != nil {
+			continue
+		}
+
+		var eVal int
+		for _, b := range eBytes {
+			eVal = (eVal << 8) | int(b)
+		}
+
+		pub := &rsa.PublicKey{
+			N: new(big.Int).SetBytes(nBytes),
+			E: eVal,
+		}
+
+		newCache[jwk.Kid] = pub
+	}
+
+	// Replace old cache
+	for k, v := range newCache {
+		jwkCache[k] = v
+	}
+	lastFetch = time.Now()
+
+	pubKey, exists = jwkCache[kid]
+	if !exists {
+		return nil, fmt.Errorf("key id %s not found in JWKS", kid)
+	}
+
+	return pubKey, nil
+}
+
 // JWTMiddleware validates Keycloak JWTs
 func JWTMiddleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
@@ -37,10 +156,14 @@ func JWTMiddleware() gin.HandlerFunc {
 		tokenString := parts[1]
 		
 		token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
-			if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+			if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
 				return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
 			}
-			return []byte(config.GetConfig().GoDuck.Security.KeycloakAppClientSecret), nil
+			kid, ok := token.Header["kid"].(string)
+			if !ok {
+				return nil, fmt.Errorf("missing kid header")
+			}
+			return GetPublicKeyByKid(kid, config.GetConfig())
 		})
 
 		if err != nil || !token.Valid {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "go-duck-cli",
-  "version": "1.1.16",
+  "version": "1.1.18",
   "description": "The Ultimate Evolutionary Go Microservice Scaffolder.",
   "main": "index.js",
   "type": "module",