@jordane jordane commented Dec 16, 2025

Add support for JWT_SIGNATURE_ALGORITHM environment variable to allow operators to configure the JWT signature algorithm for token validation.

Fixes: LFXV2-914

Changes:

  • Add parseSignatureAlgorithm() function to validate and map algorithm strings
  • Extend JWTAuthConfig struct with SignatureAlgorithm field
  • Update NewJWTAuth() to use configured algorithm with logging for non-defaults
  • Support 9 algorithms: PS256/384/512, RS256/384/512, ES256/384/512
  • Add comprehensive test coverage (18 test cases) for algorithm validation
  • Update Helm chart (v0.5.3 -> v0.5.4) with jwtSignatureAlgorithm configuration
  • Add JWT_SIGNATURE_ALGORITHM to deployment template
  • Update documentation (CLAUDE.md, .env.example)

Default behavior:

  • PS256 remains the default algorithm when env var is not set
  • Backward compatible with existing deployments
  • Case-sensitive algorithm names (uppercase required)
  • Fails fast at startup for invalid algorithm configuration

🤖 Generated with Claude Code

Co-Authored-By: Claude <[email protected]>
Signed-off-by: Jordan Evans <[email protected]>
Copilot AI review requested due to automatic review settings December 16, 2025 23:11
@jordane jordane requested a review from a team as a code owner December 16, 2025 23:11

coderabbitai bot commented Dec 16, 2025

Walkthrough

Adds configurable JWT signature algorithm support: a new JWT_SIGNATURE_ALGORITHM env var (default PS256) is introduced, wired through Helm values and deployment, passed into application bootstrap, and parsed/validated in the JWT auth implementation with tests updated.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Environment examples & docs: .env.example, CLAUDE.md | Added JWT_SIGNATURE_ALGORITHM environment variable with default PS256 and documented supported algorithms. |
| Helm chart and deployment: charts/lfx-v2-project-service/Chart.yaml, charts/lfx-v2-project-service/values.yaml, charts/lfx-v2-project-service/templates/deployment.yaml | Bumped chart version to 0.5.4; added app.jwtSignatureAlgorithm value (default PS256) and exposed it as JWT_SIGNATURE_ALGORITHM in the deployment env list. |
| Application bootstrap: cmd/project-api/main.go | Populates JWTAuthConfig.SignatureAlgorithm from JWT_SIGNATURE_ALGORITHM when constructing JWT auth config. |
| JWT auth implementation: internal/infrastructure/auth/jwt.go | Added parseSignatureAlgorithm(algoString string) (validator.SignatureAlgorithm, error); introduced JWTAuthConfig.SignatureAlgorithm field; validate/parse configured algorithm during NewJWTAuth; renamed default constant to defaultSignatureAlgorithm. |
| Auth tests: internal/infrastructure/auth/jwt_test.go | Updated references to defaultSignatureAlgorithm; added tests for parseSignatureAlgorithm and expanded configuration handling tests (ES/RS acceptance, invalid inputs, case-sensitivity). |
| Build tooling: Makefile, go.mod | Pinned goa CLI install to v3.22.6 in Makefile; go.mod listed in manifest (no functional code changes reported). |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Review parseSignatureAlgorithm() mapping and error messages for completeness and consistency.
  • Verify NewJWTAuth correctly applies parsed algorithm to the validator and logs/returns errors on invalid values.
  • Confirm Helm values, Chart version bump, and deployment env wiring align and that defaults match code (PS256).
  • Check updated tests for adequate coverage and case-sensitivity behavior.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 16.67% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |
| Out of Scope Changes check | ❓ Inconclusive | The only tangential change is pinning the GOA CLI version in the Makefile, which is a minor maintenance improvement but unrelated to the JWT algorithm configuration objective. | Consider clarifying whether the GOA CLI version pin (Makefile change) is intentional or should be reverted to keep the PR focused on JWT algorithm support. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately and concisely summarizes the main change: adding configurable JWT signature algorithm support through an environment variable. |
| Description check | ✅ Passed | The description is comprehensive and directly related to the changeset, detailing all major changes including new functions, struct extensions, algorithm support, test coverage, and Helm chart updates. |
| Linked Issues check | ✅ Passed | The PR fully addresses LFXV2-914 by implementing JWT signature algorithm configuration via environment variable, enabling operators to change algorithms without code modifications. |

Copilot AI left a comment


Pull request overview

This PR adds configurable JWT signature algorithm support to the project service, allowing operators to specify which JWT signature algorithm to use for token validation via the JWT_SIGNATURE_ALGORITHM environment variable. The implementation maintains backward compatibility by defaulting to PS256 when the variable is not set.

Key changes:

  • Adds parseSignatureAlgorithm() function with validation for 9 supported algorithms (PS256/384/512, RS256/384/512, ES256/384/512)
  • Extends JWT authentication configuration and initialization to use the selected algorithm
  • Includes comprehensive test coverage with 18 test cases covering valid algorithms, edge cases, and error conditions

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| internal/infrastructure/auth/jwt.go | Core implementation: adds parseSignatureAlgorithm() function, extends JWTAuthConfig struct with SignatureAlgorithm field, updates NewJWTAuth() to parse and use configured algorithm |
| internal/infrastructure/auth/jwt_test.go | Test coverage: updates constant test to use renamed defaultSignatureAlgorithm, adds 4 test cases to TestJWTAuth_ConfigurationHandling, adds new TestParseSignatureAlgorithm with 18 test cases |
| cmd/project-api/main.go | Integration: adds JWT_SIGNATURE_ALGORITHM environment variable to JWTAuthConfig initialization |
| charts/lfx-v2-project-service/values.yaml | Helm configuration: adds jwtSignatureAlgorithm with default value "PS256" and documentation of supported algorithms |
| charts/lfx-v2-project-service/templates/deployment.yaml | Deployment template: passes jwtSignatureAlgorithm value as JWT_SIGNATURE_ALGORITHM environment variable |
| charts/lfx-v2-project-service/Chart.yaml | Version bump: increments chart version from 0.5.3 to 0.5.4 |
| CLAUDE.md | Documentation: adds JWT_SIGNATURE_ALGORITHM to environment variables table with PS256 default |
| .env.example | Example configuration: adds JWT_SIGNATURE_ALGORITHM with list of supported algorithms |


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
internal/infrastructure/auth/jwt.go (1)

99-111: LGTM! Fail-fast validation implemented correctly.

The upfront parsing and validation of the signature algorithm ensures the service fails fast at startup if misconfigured, meeting the PR objectives. The logging appropriately notifies operators when a non-default algorithm is selected.

Optional: Consider a constant for the default algorithm string.

The hardcoded "PS256" string at line 107 could be extracted to a constant like defaultSignatureAlgorithmString = "PS256" for consistency, though the current implementation is clear and maintainable.

```go
const (
    defaultSignatureAlgorithmString = "PS256"
    defaultSignatureAlgorithm = validator.PS256
    // ...
)

// Later in NewJWTAuth:
if config.SignatureAlgorithm != "" && config.SignatureAlgorithm != defaultSignatureAlgorithmString {
    // ...
}
```

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between d652452 and 027573c.

📒 Files selected for processing (8)
  • .env.example (1 hunks)
  • CLAUDE.md (1 hunks)
  • charts/lfx-v2-project-service/Chart.yaml (1 hunks)
  • charts/lfx-v2-project-service/templates/deployment.yaml (1 hunks)
  • charts/lfx-v2-project-service/values.yaml (1 hunks)
  • cmd/project-api/main.go (1 hunks)
  • internal/infrastructure/auth/jwt.go (4 hunks)
  • internal/infrastructure/auth/jwt_test.go (3 hunks)
🧰 Additional context used
📓 Path-based instructions (3)
CLAUDE.md

📄 CodeRabbit inference engine (CLAUDE.md)

Maintain CLAUDE.md for AI assistant instructions and technical details

Files:

  • CLAUDE.md
**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

Ensure code formatting and linting pass (make fmt, make lint, make check)

Files:

  • internal/infrastructure/auth/jwt.go
  • cmd/project-api/main.go
  • internal/infrastructure/auth/jwt_test.go
**/*_test.go

📄 CodeRabbit inference engine (CLAUDE.md)

**/*_test.go: Place unit tests alongside implementation with the same filename and *_test.go suffix
Each production function must have exactly one corresponding TestFunction test (table with multiple cases allowed)
Use table-driven tests for coverage (subtests over a single TestFunction)
Mock all external dependencies (e.g., repositories, message builders) in unit tests
Focus unit tests on exported package functions

Files:

  • internal/infrastructure/auth/jwt_test.go
🧬 Code graph analysis (1)
internal/infrastructure/auth/jwt_test.go (1)
internal/infrastructure/auth/jwt.go (1)
  • JWTAuthConfig (56-65)
🪛 GitHub Actions: Project API Build
cmd/project-api/main.go

[error] 84-84: ./main.go:84:50: too many arguments in call to generator.Generate

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: CodeQL analysis (go)
  • GitHub Check: Agent
  • GitHub Check: MegaLinter
🔇 Additional comments (13)
CLAUDE.md (1)

219-219: LGTM! Environment variable documented correctly.

The addition of JWT_SIGNATURE_ALGORITHM to the environment variables table is clear and consistent with the other entries.

charts/lfx-v2-project-service/Chart.yaml (1)

8-8: LGTM! Appropriate version bump.

The patch version increment from 0.5.3 to 0.5.4 correctly reflects the addition of new configuration options.

.env.example (1)

22-24: LGTM! Clear documentation of supported algorithms.

The comment comprehensively lists all supported JWT signature algorithms, making it easy for operators to configure the appropriate value.

charts/lfx-v2-project-service/templates/deployment.yaml (1)

40-41: LGTM! Environment variable properly configured.

The JWT_SIGNATURE_ALGORITHM environment variable is correctly wired to the Helm values and follows the established pattern for other environment variables.

charts/lfx-v2-project-service/values.yaml (1)

50-53: LGTM! Comprehensive configuration documentation.

The jwtSignatureAlgorithm configuration is well-documented, including the list of supported algorithms and the important note about case sensitivity.

internal/infrastructure/auth/jwt_test.go (3)

219-219: LGTM! Constant reference updated correctly.

The test correctly references the renamed constant defaultSignatureAlgorithm.


310-342: LGTM! Comprehensive algorithm validation test coverage.

The new test cases effectively validate:

  • Multiple algorithm families (ES256, RS256)
  • Invalid algorithm rejection
  • Case sensitivity enforcement (uppercase required)

This ensures the configuration handling properly rejects misconfigured algorithms at startup as intended by the fail-fast design.


362-412: Excellent! Thorough test coverage for algorithm parsing.

The TestParseSignatureAlgorithm function provides comprehensive coverage:

  • All 9 supported algorithms across PS/RS/ES families
  • Default behavior for empty string
  • Case sensitivity validation
  • Rejection of unsupported algorithms (HMAC family, unknown values)

This follows the coding guideline of having one test function per production function with table-driven test cases.

internal/infrastructure/auth/jwt.go (4)

21-26: LGTM! Constants properly renamed and documented.

The rename from signatureAlgorithm to defaultSignatureAlgorithm better conveys its purpose, and the constants are well-documented.


28-53: LGTM! Well-implemented algorithm parser.

The parseSignatureAlgorithm function is well-designed:

  • Sensible default (PS256) for empty input
  • Map-based lookup is maintainable and efficient
  • Comprehensive error message listing all supported algorithms
  • Case-sensitive validation enforced as documented

63-64: LGTM! Configuration field properly added.

The SignatureAlgorithm field addition to JWTAuthConfig is correctly placed and documented.


141-141: LGTM! Correctly uses the parsed algorithm.

The JWT validator now uses the dynamically parsed algorithm instead of the hardcoded constant, enabling the configurable behavior.

cmd/project-api/main.go (1)

54-54: LGTM! Configuration field properly populated.

The SignatureAlgorithm field is correctly populated from the JWT_SIGNATURE_ALGORITHM environment variable, following the same pattern as other configuration fields (JWKSURL, Audience, MockLocalPrincipal).

Note on pipeline failure: The reported pipeline error at line 84 (too many arguments in call to generator.Generate) does not appear to be related to the changes in this file. Line 84 contains <-done, which is a channel receive operation, and there are no generator.Generate calls anywhere in the codebase. This appears to be a stale error or from a different context.
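
The allow-list parsing and fail-fast startup discussed in this review, as an added, self-contained example that is not code from the PR or the project. It goes one step beyond the thread by also showing what pinning the algorithm means for an incoming token's header. Assumptions: plain strings stand in for the JWT library's algorithm type, and `headerAlgMatches` is a hypothetical helper.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Asymmetric algorithms only (the nine the PR lists); HS* and "none" are absent.
// Plain strings stand in for the JWT library's algorithm type (assumption).
var supported = map[string]bool{
	"PS256": true, "PS384": true, "PS512": true,
	"RS256": true, "RS384": true, "RS512": true,
	"ES256": true, "ES384": true, "ES512": true,
}

// parseSignatureAlgorithm: "" means the PS256 default; otherwise exact-case match.
func parseSignatureAlgorithm(s string) (string, error) {
	if s == "" {
		return "PS256", nil
	}
	if !supported[s] {
		return "", fmt.Errorf("unsupported JWT signature algorithm %q", s)
	}
	return s, nil
}

// headerAlgMatches (hypothetical) rejects a token whose header alg is not the configured one.
func headerAlgMatches(token, want string) error {
	var hdr struct{ Alg string }
	head, _, _ := strings.Cut(token, ".")
	raw, err := base64.RawURLEncoding.DecodeString(head)
	if err != nil || json.Unmarshal(raw, &hdr) != nil {
		return fmt.Errorf("undecodable token header")
	}
	if hdr.Alg != want {
		return fmt.Errorf("token alg %q, configured %q", hdr.Alg, want)
	}
	return nil
}

func main() {
	alg, err := parseSignatureAlgorithm(os.Getenv("JWT_SIGNATURE_ALGORITHM"))
	if err != nil {
		panic(err) // fail fast at startup on a bad configuration value
	}
	fmt.Println("validating tokens with", alg)
}
```

Because the allow-list holds only asymmetric algorithms, a value such as `HS256` or a lowercase `ps256` stops the process at startup rather than surfacing later as failed or mis-validated tokens.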


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 027573c and 88dcf5e.

📒 Files selected for processing (1)
  • Makefile (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: MegaLinter
  • GitHub Check: Build and Test
