core/auth/config.py at master

aly.codes / atbbs

fork atom

Retro Bulletin Board Systems on atproto. Web app and TUI. atbbs.xyz

python tui atproto bbs

fork atom

atbbs / core / auth / config.py

at master 35 lines 973 B view raw

wrap content

Aly Raffauf core/auth: lock down secrets 2d ago

6b2d1aaf

 1"""Client key generation and persistence."""
 2
 3import json
 4import os
 5import time
 6from pathlib import Path
 7
 8from authlib.jose import JsonWebKey
 9
10
11def _generate_secret_key() -> str:
12    return os.urandom(32).hex()
13
14
15def _generate_client_jwk() -> str:
16    key = JsonWebKey.generate_key("EC", "P-256", is_private=True)
17    key_dict = json.loads(key.as_json(is_private=True))
18    key_dict["kid"] = f"atbbs-{int(time.time())}"
19    return json.dumps(key_dict)
20
21
22def load_secrets(data_dir: str = ".") -> dict:
23    """Load or generate secrets. Returns dict with secret_key and client_secret_jwk."""
24    secrets_path = Path(data_dir) / "secrets.json"
25
26    if secrets_path.exists():
27        return json.loads(secrets_path.read_text())
28
29    secrets = {
30        "secret_key": _generate_secret_key(),
31        "client_secret_jwk": _generate_client_jwk(),
32    }
33    secrets_path.touch(mode=0o600, exist_ok=True)
34    secrets_path.write_text(json.dumps(secrets, indent=2))
35    return secrets