libsql/libsql-server/scripts/gen_jwt.py

#!/usr/bin/env python3
"""utility that generates Ed25519 key and a JWT for testing

the public key is stored in jwt_key.pem (in PEM format) and jwt_key.base64 (raw
base64 format) and the JWT is printed to stdout
"""
import base64
import datetime
import jwt
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

privkey = Ed25519PrivateKey.generate()
pubkey = privkey.public_key()

pubkey_pem = pubkey.public_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PublicFormat.SubjectPublicKeyInfo,
)

pubkey_base64 = base64.b64encode(
    pubkey.public_bytes(
        encoding=serialization.Encoding.Raw,
        format=serialization.PublicFormat.Raw,
    ),
    altchars=b"-_",
)
while pubkey_base64[-1] == ord("="):
    pubkey_base64 = pubkey_base64[:-1]

privkey_pem = privkey.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.PKCS8,
    encryption_algorithm=serialization.NoEncryption(),
)

exp = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=3)
claims = {
    "exp": int(exp.timestamp()),
}
token = jwt.encode(claims, privkey_pem, "EdDSA")

claims["a"] = "ro"
ro_token = jwt.encode(claims, privkey_pem, "EdDSA")

open("jwt_key.pem", "wb").write(pubkey_pem)
open("jwt_key.base64", "wb").write(pubkey_base64)
print(f"Full access: {token}")
print(f"Read-only:   {ro_token}")
Implement JWT authentication for Hrana server 2023-02-17 17:06:51 +01:00			`#!/usr/bin/env python3`
			`"""utility that generates Ed25519 key and a JWT for testing`

			`the public key is stored in jwt_key.pem (in PEM format) and jwt_key.base64 (raw`
			`base64 format) and the JWT is printed to stdout`
			`"""`
			`import base64`
			`import datetime`
			`import jwt`
			`from cryptography.hazmat.primitives import serialization`
			`from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey`

			`privkey = Ed25519PrivateKey.generate()`
			`pubkey = privkey.public_key()`

			`pubkey_pem = pubkey.public_bytes(`
			`encoding=serialization.Encoding.PEM,`
			`format=serialization.PublicFormat.SubjectPublicKeyInfo,`
			`)`

Improve the ergonomy of passing JWT key for Hrana 2023-02-22 09:46:43 +01:00			`pubkey_base64 = base64.b64encode(`
			`pubkey.public_bytes(`
			`encoding=serialization.Encoding.Raw,`
			`format=serialization.PublicFormat.Raw,`
			`),`
			`altchars=b"-_",`
			`)`
Implement JWT authentication for Hrana server 2023-02-17 17:06:51 +01:00			`while pubkey_base64[-1] == ord("="):`
			`pubkey_base64 = pubkey_base64[:-1]`

			`privkey_pem = privkey.private_bytes(`
			`encoding=serialization.Encoding.PEM,`
			`format=serialization.PrivateFormat.PKCS8,`
			`encryption_algorithm=serialization.NoEncryption(),`
			`)`

			`exp = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=3)`
			`claims = {`
			`"exp": int(exp.timestamp()),`
			`}`
			`token = jwt.encode(claims, privkey_pem, "EdDSA")`

auth: rename "access" claim to "a" It's shorter. Also, "read-only" value is shortened to "ro". 2023-04-12 09:19:02 +02:00			`claims["a"] = "ro"`
scripts: generate a read-only token in gen_jwt.py The second token has one more claim: {"access": "read-only"}. 2023-03-28 13:27:07 +02:00			`ro_token = jwt.encode(claims, privkey_pem, "EdDSA")`

Implement JWT authentication for Hrana server 2023-02-17 17:06:51 +01:00			`open("jwt_key.pem", "wb").write(pubkey_pem)`
			`open("jwt_key.base64", "wb").write(pubkey_base64)`
scripts: generate a read-only token in gen_jwt.py The second token has one more claim: {"access": "read-only"}. 2023-03-28 13:27:07 +02:00			`print(f"Full access: {token}")`
			`print(f"Read-only: {ro_token}")`