fix: merge tenant jwks with new jwks table content (#669)

Author: itslenny

src/http/routes/admin/tenants.ts

@@ -17,7 +17,7 @@ import {
   resetMigration,
   runMigrationsOnTenant,
 } from '@internal/database/migrations'
-import { getConfig } from '../../../config'
+import { getConfig, JwksConfigKey } from '../../../config'
 
 const patchSchema = {
   body: {
@@ -27,6 +27,7 @@ const patchSchema = {
       databaseUrl: { type: 'string' },
       databasePoolUrl: { type: 'string', nullable: true },
       maxConnections: { type: 'number' },
+      jwks: { type: 'object', nullable: true },
       fileSizeLimit: { type: 'number' },
       jwtSecret: { type: 'string' },
       serviceKey: { type: 'string' },
@@ -89,6 +90,7 @@ interface tenantDBInterface {
   database_pool_url?: string
   max_connections?: number
   jwt_secret: string
+  jwks: { keys?: JwksConfigKey[] } | null
   service_key: string
   file_size_limit?: number
   feature_s3_protocol?: boolean
@@ -113,6 +115,7 @@ export default async function routes(fastify: FastifyInstance) {
         max_connections,
         file_size_limit,
         jwt_secret,
+        jwks,
         service_key,
         feature_purge_cache,
         feature_image_transformation,
@@ -130,6 +133,7 @@ export default async function routes(fastify: FastifyInstance) {
         maxConnections: max_connections ? Number(max_connections) : undefined,
         fileSizeLimit: Number(file_size_limit),
         jwtSecret: decrypt(jwt_secret),
+        jwks,
         serviceKey: decrypt(service_key),
         migrationVersion: migrations_version,
         migrationStatus: migrations_status,
@@ -163,7 +167,7 @@ export default async function routes(fastify: FastifyInstance) {
       max_connections,
       file_size_limit,
       jwt_secret,
-
+      jwks,
       service_key,
       feature_purge_cache,
       feature_s3_protocol,
@@ -187,7 +191,7 @@ export default async function routes(fastify: FastifyInstance) {
       maxConnections: max_connections ? Number(max_connections) : undefined,
       fileSizeLimit: Number(file_size_limit),
       jwtSecret: decrypt(jwt_secret),
-
+      jwks,
       serviceKey: decrypt(service_key),
       features: {
         imageTransformation: {
@@ -215,6 +219,7 @@ export default async function routes(fastify: FastifyInstance) {
       databaseUrl,
       fileSizeLimit,
       jwtSecret,
+      jwks,
       serviceKey,
       features,
       databasePoolUrl,
@@ -231,6 +236,7 @@ export default async function routes(fastify: FastifyInstance) {
         max_connections: maxConnections ? Number(maxConnections) : undefined,
         file_size_limit: fileSizeLimit,
         jwt_secret: encrypt(jwtSecret),
+        jwks,
         service_key: encrypt(serviceKey),
         feature_image_transformation: features?.imageTransformation?.enabled ?? false,
         feature_purge_cache: features?.purgeCache?.enabled ?? false,
@@ -270,6 +276,7 @@ export default async function routes(fastify: FastifyInstance) {
         databaseUrl,
         fileSizeLimit,
         jwtSecret,
+        jwks,
         serviceKey,
         features,
         databasePoolUrl,
@@ -291,6 +298,7 @@ export default async function routes(fastify: FastifyInstance) {
           max_connections: maxConnections ? Number(maxConnections) : undefined,
           file_size_limit: fileSizeLimit,
           jwt_secret: jwtSecret !== undefined ? encrypt(jwtSecret) : undefined,
+          jwks,
           service_key: serviceKey !== undefined ? encrypt(serviceKey) : undefined,
           feature_image_transformation: features?.imageTransformation?.enabled,
           feature_purge_cache: features?.purgeCache?.enabled,
@@ -335,6 +343,7 @@ export default async function routes(fastify: FastifyInstance) {
       databaseUrl,
       fileSizeLimit,
       jwtSecret,
+      jwks,
       serviceKey,
       features,
       databasePoolUrl,
@@ -350,6 +359,7 @@ export default async function routes(fastify: FastifyInstance) {
       anon_key: encrypt(anonKey),
       database_url: encrypt(databaseUrl),
       jwt_secret: encrypt(jwtSecret),
+      jwks: jwks || null,
       service_key: encrypt(serviceKey),
     }
 

src/internal/database/tenant.ts

@@ -1,5 +1,5 @@
 import crypto from 'node:crypto'
-import { getConfig, JwksConfig, JwksConfigKeyOCT } from '../../config'
+import { getConfig, JwksConfig, JwksConfigKey, JwksConfigKeyOCT } from '../../config'
 import { decrypt, encrypt, verifyJWT } from '../auth'
 import { multitenantKnex } from './multitenant-db'
 import { JwtPayload } from 'jsonwebtoken'
@@ -20,6 +20,7 @@ interface TenantConfig {
   fileSizeLimit: number
   features: Features
   jwtSecret: string
+  jwks?: { keys: JwksConfigKey[] } | null
   serviceKey: string
   serviceKeyPayload: {
     role: string
@@ -215,10 +216,12 @@ export async function getJwtSecret(
   let jwks = jwtJWKS || { keys: [] }
 
   if (isMultitenant) {
-    const [config, tenantJwks] = await Promise.all([
-      getTenantConfig(tenantId),
-      jwksManager.getJwksTenantConfig(tenantId),
-    ])
+    const config = await getTenantConfig(tenantId)
+    const tenantJwks = await jwksManager.getJwksTenantConfig(tenantId)
+    if (config.jwks?.keys) {
+      // merge jwks from legacy jwks column if they exist
+      tenantJwks.keys = [...tenantJwks.keys, ...config.jwks.keys]
+    }
     secret = config.jwtSecret
     jwks = tenantJwks
   }

src/test/tenant-jwks.test.ts

@@ -178,6 +178,24 @@ describe('Tenant jwks configs', () => {
       }
     })
 
+    test(`Add ${type} jwk via tenant patch (legacy)`, async () => {
+      const patchResponse = await adminApp.inject({
+        method: 'PATCH',
+        url: `/tenants/${tenantId}`,
+        payload: {
+          jwks: { keys: [jwk] },
+        },
+        headers: {
+          apikey: process.env.ADMIN_API_KEYS,
+        },
+      })
+      expect(patchResponse.statusCode).toBe(204)
+
+      const { jwks } = await getJwtSecret(tenantId)
+      expect(jwks.keys.length).toBe(2)
+      expect(jwks.keys[1]).toEqual(jwk)
+    })
+
     test(`Add ${type} jwk with missing data`, async () => {
       const response = await adminApp.inject({
         method: 'POST',

src/test/tenant.test.ts

@@ -18,6 +18,7 @@ const payload = {
   fileSizeLimit: 1,
   jwtSecret: 'c',
   serviceKey: 'd',
+  jwks: { keys: [] },
   migrationStatus: 'COMPLETED',
   migrationVersion: 'optimise-existing-functions',
   tracingMode: 'basic',
@@ -44,6 +45,7 @@ const payload2 = {
   fileSizeLimit: 2,
   jwtSecret: 'g',
   serviceKey: 'h',
+  jwks: null,
   migrationStatus: 'COMPLETED',
   migrationVersion: 'optimise-existing-functions',
   tracingMode: 'basic',