[PR #1088] [MERGED] feat!: drop support for storing JWK on the filesystem #1044

Closed
opened 2026-02-04 21:13:03 +03:00 by OVERLORD · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/pocket-id/pocket-id/pull/1088
Author: @stonith404
Created: 11/11/2025
Status: Merged
Merged: 11/14/2025
Merged by: @stonith404

Base: breaking/v2Head: feat/drop-fs-keys-support


📝 Commits (7)

  • 63432ae feat!: drop support for storing JWK on the filesystem
  • 410cfa3 add ENCRYPTION_KEY to .env
  • a82fd7e validate EncryptionKey
  • 7d13699 fix unit tests
  • 49fc824 add ENCRYPTION_KEY_FILE reference to .env.example
  • 9ff8233 Merge branch 'breaking/v2' into feat/drop-fs-keys-support
  • b205536 set encrpytion key on every test env

📊 Changes

13 files changed (+243 additions, -1315 deletions)

View changed files

📝 .env.example (+12 -0)
📝 backend/cmd/main.go (+7 -0)
📝 backend/internal/cmds/key_rotate_test.go (+1 -67)
📝 backend/internal/common/env_config.go (+6 -27)
📝 backend/internal/common/env_config_test.go (+39 -80)
📝 backend/internal/service/jwt_service.go (+2 -10)
📝 backend/internal/service/jwt_service_test.go (+171 -597)
📝 backend/internal/service/oidc_service_test.go (+1 -0)
📝 backend/internal/utils/jwk/key_provider.go (+2 -10)
backend/internal/utils/jwk/key_provider_file.go (+0 -202)
backend/internal/utils/jwk/key_provider_file_test.go (+0 -320)
📝 tests/setup/docker-compose-s3.yml (+0 -1)
📝 tests/setup/docker-compose.yml (+2 -1)

📄 Description

This PR drops the support for storing the JWK on the filesystem, the JWK private key will now be stored in the database. There isn't really an advantage of storing them on the disk and keeping it supported adds unnecessary complicated logic to the import/export feature in #998.

This change removes the KEYS_PATH and KEYS_STORAGE environment variables.

There are two breaking changes:

  • The ENCRYPTION_KEY environment variable is now mandatory and must be at least 16 bytes long.
  • The JWK private key stored on the disk will be lost and therefore all tokens will be invalidated. All users need to sign in again. Additionally, if another algorithm than RS256 was used, the key needs to be regenerated again with pocket-id key-rotate -a <algo>

Note: This PR gets merged into the breaking/v2 branch where all breaking changes will get collected.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/pocket-id/pocket-id/pull/1088 **Author:** [@stonith404](https://github.com/stonith404) **Created:** 11/11/2025 **Status:** ✅ Merged **Merged:** 11/14/2025 **Merged by:** [@stonith404](https://github.com/stonith404) **Base:** `breaking/v2` ← **Head:** `feat/drop-fs-keys-support` --- ### 📝 Commits (7) - [`63432ae`](https://github.com/pocket-id/pocket-id/commit/63432ae40194470737896d723a3c9a011a3cbd87) feat!: drop support for storing JWK on the filesystem - [`410cfa3`](https://github.com/pocket-id/pocket-id/commit/410cfa32db1451f540af286b074b5e8e0c5b5052) add `ENCRYPTION_KEY` to `.env` - [`a82fd7e`](https://github.com/pocket-id/pocket-id/commit/a82fd7e15eebba27cc2eb5b1a1a159a89733cd1e) validate `EncryptionKey` - [`7d13699`](https://github.com/pocket-id/pocket-id/commit/7d13699e204adecef397d7a30371b36855a72ae0) fix unit tests - [`49fc824`](https://github.com/pocket-id/pocket-id/commit/49fc82458349dee21c5f60ec0a21cfbe9604cf7e) add `ENCRYPTION_KEY_FILE` reference to `.env.example` - [`9ff8233`](https://github.com/pocket-id/pocket-id/commit/9ff82332156ba2b68f281eec29fd0d6961bfe1f2) Merge branch 'breaking/v2' into feat/drop-fs-keys-support - [`b205536`](https://github.com/pocket-id/pocket-id/commit/b2055366e22de7d71c1ef1f101481243b3703a96) set encrpytion key on every test env ### 📊 Changes **13 files changed** (+243 additions, -1315 deletions) <details> <summary>View changed files</summary> 📝 `.env.example` (+12 -0) 📝 `backend/cmd/main.go` (+7 -0) 📝 `backend/internal/cmds/key_rotate_test.go` (+1 -67) 📝 `backend/internal/common/env_config.go` (+6 -27) 📝 `backend/internal/common/env_config_test.go` (+39 -80) 📝 `backend/internal/service/jwt_service.go` (+2 -10) 📝 `backend/internal/service/jwt_service_test.go` (+171 -597) 📝 `backend/internal/service/oidc_service_test.go` (+1 -0) 📝 `backend/internal/utils/jwk/key_provider.go` (+2 -10) ➖ `backend/internal/utils/jwk/key_provider_file.go` (+0 -202) ➖ `backend/internal/utils/jwk/key_provider_file_test.go` (+0 -320) 📝 `tests/setup/docker-compose-s3.yml` (+0 -1) 📝 `tests/setup/docker-compose.yml` (+2 -1) </details> ### 📄 Description This PR drops the support for storing the JWK on the filesystem, the JWK private key will now be stored in the database. There isn't really an advantage of storing them on the disk and keeping it supported adds unnecessary complicated logic to the import/export feature in #998. This change removes the `KEYS_PATH` and `KEYS_STORAGE` environment variables. There are two breaking changes: - The `ENCRYPTION_KEY` environment variable is now mandatory and must be at least 16 bytes long. - The JWK private key stored on the disk will be lost and therefore all tokens will be invalidated. All users need to sign in again. Additionally, if another algorithm than `RS256` was used, the key needs to be regenerated again with `pocket-id key-rotate -a <algo>` Note: This PR gets merged into the `breaking/v2` branch where all breaking changes will get collected. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
OVERLORD added the pull-request label 2026-02-04 21:13:03 +03:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/pocket-id#1044