
Add JWT token validation with user context extraction for file uploads #29

Draft
Copilot wants to merge 3 commits into master from copilot/add-jwt-token-validation

Conversation


Copilot AI commented Jan 15, 2026

External services need to authenticate and track user context (user ID, space ID, file type) when uploading files. Previously only service tokens were supported, which lacked user attribution.

Changes

Authentication

  • Added JWTAuthMiddleware validating sub (GUID), type (string), and optional spaceId (GUID) claims
  • Implemented CombinedAuthMiddleware accepting either x-api-token or Authorization: Bearer headers
  • Updated upload endpoint to use combined authentication

Data Model

  • Extended File model with nullable UserSub, SpaceId, FileType fields
  • Updated Postgres and Scylla repositories to persist/retrieve JWT claims
  • Modified UpdateFile, GetFileByID, GetFileByName, ListFiles queries

Migrations

  • Postgres: Added user_sub, space_id, file_type columns
  • Scylla: Separated into three migrations due to single-column ALTER restriction

Configuration

  • Added jwt_secret parameter (flag/env/config file)

Usage

```go
// External service generates JWT
spaceId := "660e8400-e29b-41d4-a716-446655440001" // optional; Go cannot take the address of a string literal
claims := JWTClaims{
    Sub:     "550e8400-e29b-41d4-a716-446655440000",
    SpaceId: &spaceId,
    Type:    "avatar",
}

// Upload with JWT
req.Header.Set("Authorization", "Bearer "+signedToken)
// File record now includes user_sub, space_id, file_type
```

Service token authentication remains unchanged for backward compatibility.

Warning


I tried to connect to the following addresses, but was blocked by firewall rules:


Original prompt

The service has user tokens; you need to add additional functionality so that external services can generate JWT tokens to replace user tokens and the KineticaFS service can validate their token, so that it would be possible to log and store information about users in KineticaFS. The fields that need to be extracted from the JWT token are sub (GUID), spaceId (GUID, nullable, i.e. optional) and type (string); it's just a "scope" indicating which type of file is uploaded: avatar, profileHeader, stickers, etc.
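The claim rules listed under Changes above (sub must be a GUID, type is required, spaceId is optional but must be a GUID when present), worked through as an added example that is not code from this PR or from the KineticaFS project. It verifies an HS256 token using only the Go standard library instead of golang-jwt/jwt; the JWTClaims shape, the hdrHS256 constant and the guidRe pattern are assumptions, and the secret stands in for the PR's jwt_secret setting.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"regexp"
	"strings"
)

type JWTClaims struct { // hypothetical stand-in for the PR's claims type; its real definition is not on the page
	Sub     string  `json:"sub"`
	SpaceId *string `json:"spaceId,omitempty"`
	Type    string  `json:"type"`
}

var (
	enc      = base64.RawURLEncoding
	hdrHS256 = enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) // the only header accepted
	guidRe   = regexp.MustCompile(`^(?i)[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$`)
)

// ValidateJWT is the middleware side: pin the header (so alg=none or RS256 never reaches the MAC
// check), verify the MAC before trusting any claim, then apply the PR's rules for sub, spaceId, type.
func ValidateJWT(token string, secret []byte) (*JWTClaims, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 || p[0] != hdrHS256 {
		return nil, errors.New("malformed token or unsupported alg")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(p[0] + "." + p[1]))
	if sig, err := enc.DecodeString(p[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature") // constant-time compare; no claim has been read yet
	}
	var c JWTClaims
	if pb, err := enc.DecodeString(p[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	switch {
	case !guidRe.MatchString(c.Sub):
		return nil, errors.New("sub must be a GUID")
	case c.SpaceId != nil && !guidRe.MatchString(*c.SpaceId):
		return nil, errors.New("spaceId must be a GUID when present")
	case c.Type == "":
		return nil, errors.New("type is required")
	}
	return &c, nil
}
```

A wrong secret, an alg=none header, a non-GUID sub or a malformed spaceId all fail here, before anything reaches the user_sub, space_id and file_type columns.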


- Added golang-jwt/jwt library dependency
- Created JWT middleware with validation for sub, spaceId, and type claims
- Extended File model with UserSub, SpaceId, and FileType fields
- Created database migrations for new File columns (Scylla and Postgres)
- Updated file upload handler to extract and store JWT claims
- Implemented CombinedAuthMiddleware to support both service tokens and JWT
- Added JWT configuration support (jwt_secret)
- Created test suite for JWT functionality
- Fixed test helper to create actual S3 buckets in MinIO

WIP: Debugging JWT claims storage in file records

Co-authored-by: 0xF6 <13326808+0xF6@users.noreply.github.com>

coderabbitai Bot commented Jan 15, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

- Updated PostgreSQL repository to read/write new JWT fields (user_sub, space_id, file_type)
- Updated Scylla repository to read/write new JWT fields
- Fixed GetFileByID, GetFileByName, UpdateFile, and ListFiles functions
- All JWT tests now passing successfully

Co-authored-by: 0xF6 <13326808+0xF6@users.noreply.github.com>
Copilot AI changed the title [WIP] Add functionality for external services to generate JWT tokens Add JWT token validation with user context extraction for file uploads Jan 15, 2026
Copilot AI requested a review from 0xF6 January 15, 2026 05:36
@0xF6 0xF6 requested a review from urumo January 15, 2026 07:01