backend.ai/src/ai/backend/common/jwt/config.py at e2fca20c136144a067991aec18a6006bb91fe995 · lablup/backend.ai · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
"""JWT authentication configuration for GraphQL Federation."""

from __future__ import annotations

from datetime import timedelta

from pydantic import Field

from ai.backend.common.config import BaseConfigSchema


class JWTConfig(BaseConfigSchema):
    """
    Configuration for JWT-based authentication in GraphQL Federation.

    This configuration must be consistent between webserver (which generates tokens)
    and manager (which validates tokens). The secret_key must be kept secure and
    should be the same on both sides.

    Attributes:
        enabled: Whether JWT authentication is enabled
        secret_key: Secret key for HS256 signing and verification
        algorithm: JWT signing algorithm (must be HS256)
        token_expiration_seconds: Token validity duration in seconds
        issuer: JWT issuer claim value for validation
        header_name: HTTP header name for JWT token transmission
    """

    enabled: bool = Field(
        default=True,
        description="Enable JWT authentication for GraphQL Federation requests",
    )

    secret_key: str = Field(
        description="Secret key for HS256 signing and verification. "
        "MUST be the same between webserver and manager. "
        "Should be at least 32 bytes of random data.",
    )

    algorithm: str = Field(
        default="HS256",
        description="JWT signing algorithm (only HS256 is supported)",
    )

    token_expiration_seconds: int = Field(
        default=900,  # 15 minutes
        description="JWT token expiration time in seconds (default: 900 = 15 minutes)",
    )

    issuer: str = Field(
        default="backend.ai-webserver",
        description="JWT issuer claim value for GraphQL Federation tokens",
    )

    header_name: str = Field(
        default="X-BackendAI-Token",
        description="Custom HTTP header name for JWT token transmission",
    )

    @property
    def token_expiration(self) -> timedelta:
        """
        Get token expiration as a timedelta object.

        Returns:
            Token expiration duration as timedelta
        """
        return timedelta(seconds=self.token_expiration_seconds)