Change JWT encryption from HMAC to RSA with rotating keys (#37)

* Enhance Docker and JWT handling: update Dockerfile to install OpenSSL, modify jwt_helper to use RSA keys, and add entrypoint script for key generation

* Implement JWT key rotation: add endpoint to rotate keys, update key management in jwt_helper, and modify .gitignore for key files

* Refactor JWT key handling: remove hardcoded key loading, utilize dynamic key retrieval in token generation

* Add timestamp logging for key creation in JWT rotation

* Change route to be more RESTful

* Remove JWT_SECRET_KEY from config and add script for cleaning up expired JWT keys

* Refactor JWT tests to use public key for encoding/decoding and enhance sample token generation

* Remove redundant sample_person_id fixture from test_refresh.py

* Refactor key cleanup script to use dynamic expiry days from JWT configuration

* Refactor JWT handling by moving related functions and classes to a new jwtoken module, removing deprecated admin routes and cleanup scripts.

* Refactor JWT key handling by consolidating functions into common module and removing deprecated keys_id module

* Refactor JWT test suite by removing obsolete test files and consolidating test fixtures into a new structure

* Clarify entrypoint script comment to specify starting the API

* Optimize payload generation

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Add key management functionality and refactor key paths

- Introduced key rotation logic to ensure keys directory and active_kid.txt file exist.
- Updated key paths in the rotate_keys function to use constants from the new config file.
- Created a new config file for JWT key management constants.
- Refactored keys_cleanup.py to use the new CREATED_AT_FILE constant.

* Refactor Dockerfile to remove entrypoint script and directly run key rotation before starting the app; update keys_rotation.py for improved key management and error handling.

* Add OpenSSL installation steps for Linux, macOS, and Windows in Pytest CI workflow

* Fix variable name inconsistency for key directory in jwtoken and keys_rotation modules

* Refactor Dockerfile to use entrypoint script for key rotation and app startup; add entrypoint.sh for improved process management.

* Reorganize Dockerfile to copy entrypoint script before exposing Flask port; ensure proper permissions are set for execution.

* Remove entrypoint script copy command from Dockerfile; streamline application setup.

* Update ENTRYPOINT in Dockerfile to use entrypoint.sh for improved process management

* Update ENTRYPOINT in Dockerfile to use entrypoint.sh for improved process management

* Refactor app.py to use ACTIVE_KID_FILE constant for key existence check; improve code readability.

* Remove OpenSSL installation step for macOS in Pytest CI workflow; clarify that it's pre-installed.

* Refactor datetime usage in token generation and logging setup; improve consistency and readability.

* Remove entrypoint.sh and update ENTRYPOINT in Dockerfile to directly run app.py; streamline container startup process.

* Add curl to fix healthcheck and remove cached libraries to save up space

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: Vianpyro

.devcontainer/Dockerfile

@@ -2,7 +2,7 @@ FROM alpine:latest
 
 # Install common tools
 RUN apk add --no-cache bash git \
-    python3 py3-pip
+    python3 py3-pip openssl
 
 # Setup default user
 ARG USERNAME=vscode

.github/workflows/pytest.yml

@@ -33,6 +33,16 @@ jobs:
           python-version: ${{ matrix.python-version }}
           cache: "pip"
 
+      - name: Install OpenSSL (Linux)
+        if: runner.os == 'Linux'
+        run: sudo apt-get update && sudo apt-get install -y libssl-dev
+
+      # MacOS does not require OpenSSL installation as it is pre-installed
+
+      - name: Install OpenSSL (Windows)
+        if: runner.os == 'Windows'
+        run: choco install openssl.light --no-progress
+
       - name: Install dependencies
         run: |
           pip install -r requirements.txt

.gitignore

@@ -2,7 +2,8 @@
 logs/
 *.log
 
-# Ignore all pem files
+# Ignore JWT keys
+keys/
 *.pem
 
 # Upload folder

Dockerfile

@@ -4,23 +4,26 @@ FROM python:3.13-slim
 # Set a specific working directory in the container
 WORKDIR /app
 
-# Install dependencies separately for better caching
+# Install dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends curl openssl \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Install required Python packages
 COPY requirements.txt .
 RUN pip install --no-cache-dir -r requirements.txt
 
 # Copy the rest of the application files
 COPY . .
 
-# Expose the Flask port
-EXPOSE 5000
-
 # Create a non-root user and set permissions for the /app directory
 RUN adduser --disabled-password --gecos '' apiuser && chown -R apiuser /app
 USER apiuser
 
+# Expose the Flask port
+EXPOSE 5000
+
 # Add health check for the container
 HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
     CMD curl --fail http://localhost:5000/ || exit 1
 
-# Command to run the app
-CMD ["python", "app.py"]
+ENTRYPOINT ["python3", "app.py"]

app.py

@@ -1,15 +1,18 @@
 import argparse
+import os
 import traceback
 
 from flask import Flask, jsonify, request
 from flask_cors import CORS
 from werkzeug.exceptions import HTTPException
 
+from config.jwtoken import ACTIVE_KID_FILE
 from config.logging import setup_logging
 from config.ratelimit import limiter
 from config.settings import Config
 from routes import register_routes
 from utility.database import extract_error_message
+from utility.jwtoken.keys_rotation import rotate_keys
 
 app = Flask(__name__)
 app.config.from_object(Config)
@@ -26,6 +29,10 @@
 if app.config["TESTING"]:
     limiter.enabled = False
 
+# Ensure the keys directory and active_kid.txt file exist
+if not os.path.exists(ACTIVE_KID_FILE):
+    rotate_keys()
+
 
 @app.route("/")
 def home():

config/jwtoken.py

@@ -0,0 +1,8 @@
+from pathlib import Path
+
+KEYS_DIR = Path("keys")
+
+ACTIVE_KID_FILE = KEYS_DIR / "active_kid.txt"
+CREATED_AT_FILE = "created_at.txt"
+PRIVATE_KEY_FILE = "private.pem"
+PUBLIC_KEY_FILE = "public.pem"

config/logging.py

@@ -12,12 +12,12 @@ def setup_logging():
     logger.setLevel(logging.DEBUG)
 
     # Create a file handler that rotates logs daily
-    timestamp = datetime.datetime.now().strftime("%Y-%m-%d")
+    current_time = datetime.datetime.now().strftime("%Y-%m-%d")
 
     # Create a directory for logs if it doesn't exist
     if not os.path.exists(LOGS_DIRECTORY):
         os.makedirs(LOGS_DIRECTORY)
-    log_filename = f"{LOGS_DIRECTORY}/{timestamp}.log"
+    log_filename = f"{LOGS_DIRECTORY}/{current_time}.log"
 
     # Set up timed rotating file handler
     file_handler = TimedRotatingFileHandler(

config/settings.py

@@ -20,7 +20,6 @@ class Config:
     MYSQL_CURSORCLASS = "DictCursor"
 
     # JWT configuration
-    JWT_SECRET_KEY = os.getenv("JWT_SECRET_KEY")
     JWT_ACCESS_TOKEN_EXPIRY = timedelta(hours=1)
     JWT_REFRESH_TOKEN_EXPIRY = timedelta(days=30)