From 95daba5c8a6c4dac09a1d3ef9335588c79b3e813 Mon Sep 17 00:00:00 2001
From: Gabriel Carneiro
Date: Thu, 5 Oct 2023 12:07:31 -0300
Subject: [PATCH] use es256 for key

---
 .gitignore | 2 +-
 src/stream_auth/keys/generate_keys.sh | 7 +++++++
 src/stream_auth/middlewares/jwt.py | 21 ++++++++++++++++++---
 src/stream_auth/routes/stream.py | 9 +++++----
 src/stream_auth/settings.py | 5 ++++-
 5 files changed, 35 insertions(+), 9 deletions(-)
 create mode 100755 src/stream_auth/keys/generate_keys.sh

diff --git a/.gitignore b/.gitignore
index 3d9bfe7..a2237dc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,7 +5,7 @@ teste.py
 old
 link.sh
 *.key*
-dbs/*
+dbs/
 
 # Created by https://www.toptal.com/developers/gitignore/api/python,pycharm+all
 # Edit at https://www.toptal.com/developers/gitignore?templates=python,pycharm+all
diff --git a/src/stream_auth/keys/generate_keys.sh b/src/stream_auth/keys/generate_keys.sh
new file mode 100755
index 0000000..e138e64
--- /dev/null
+++ b/src/stream_auth/keys/generate_keys.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+ssh-keygen -t rsa -b 4096 -m PEM -f jwtRS256.key
+openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub
+
+openssl ec -in streamkeyEC256.key -pubout -outform PEM -out streamkeyEC256.key.pub
+ssh-keygen -t ecdsa -b 256 -m PEM -f streamkeyEC256.key
diff --git a/src/stream_auth/middlewares/jwt.py b/src/stream_auth/middlewares/jwt.py
index 156d7d6..6e34207 100644
--- a/src/stream_auth/middlewares/jwt.py
+++ b/src/stream_auth/middlewares/jwt.py
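Review bot: The last two lines of generate_keys.sh are in the wrong order: `openssl ec -in streamkeyEC256.key ...` runs before the `ssh-keygen -t ecdsa -b 256 -m PEM -f streamkeyEC256.key` that creates that file, so on a fresh checkout the public-key export fails and streamkeyEC256.key.pub, which settings.py expects, is never written. Swap the two lines so ssh-keygen runs first, and add `set -e` after the shebang so a failed step stops the script instead of leaving half of the key set in place. The RSA pair above is generated in the correct order. Both pairs are written to the current directory, so the script has to be run from the keys/ directory that settings.KEY_DIR points at, and the resulting private-key files deserve restrictive permissions since jwt.py reads them at import time.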
@@ -11,11 +11,26 @@ def read_key(path):
 
 JWT_PRIV_KEY = read_key(settings.JWT_PRIV_PATH)
 JWT_PUB_KEY = read_key(settings.JWT_PUB_PATH)
+STREAM_KEY_PRIV_KEY = read_key(settings.STREAM_KEY_PRIV_PATH)
+STREAM_KEY_PUB_KEY = read_key(settings.STREAM_KEY_PRIV_PATH)
 
 
 def create_stream_key(username: str):
     payload = {'username': username}
-    return jwtlib.encode(payload, JWT_PRIV_KEY, algorithm="RS256")
+    return jwtlib.encode(payload, STREAM_KEY_PRIV_KEY, algorithm="ES256")
+
+
+def verify_stream_key(stream_key: str):
+    try:
+        jwtlib.decode(stream_key, STREAM_KEY_PUB_KEY, algorithms=["ES256"])
+    except (jwtlib.exceptions.ExpiredSignatureError, jwtlib.InvalidTokenError):
+        return False
+
+    return True
+
+
+def decode_stream_key(stream_key: str):
+    return jwtlib.decode(stream_key, STREAM_KEY_PUB_KEY, algorithms=["RS256"])
 
 
 def create_token(username: str, stream_key: str, exp: int = settings.JWT_EXP_TIME):
@@ -24,11 +39,11 @@ def create_token(username: str, stream_key: str, exp: int = settings.JWT_EXP_TIM
     return jwtlib.encode(payload, JWT_PRIV_KEY, algorithm="RS256")
 
 
-def verify(token: str):
+def verify_token(token: str):
     # return jwtlib.decode(token, JWT_PUB_KEY, algorithms=["RS256"])
     try:
         jwtlib.decode(token, JWT_PUB_KEY, algorithms=["RS256"])
-    except (jwtlib.exceptions.ExpiredSignatureError, jwt.InvalidTokenError):
+    except (jwtlib.exceptions.ExpiredSignatureError, jwtlib.InvalidTokenError):
         return False
 
     return True
diff --git a/src/stream_auth/routes/stream.py b/src/stream_auth/routes/stream.py
index 63ed2ae..e44b44c 100644
--- a/src/stream_auth/routes/stream.py
+++ b/src/stream_auth/routes/stream.py
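Review bot: `STREAM_KEY_PUB_KEY = read_key(settings.STREAM_KEY_PRIV_PATH)` loads the private key into the variable that verify_stream_key and decode_stream_key use for verification; settings.py adds STREAM_KEY_PUB_PATH for exactly this, so the line should be `STREAM_KEY_PUB_KEY = read_key(settings.STREAM_KEY_PUB_PATH)`. Whether verification even succeeds when handed a private-key PEM depends on the jwt library's key handling, and either way any process that only needs to verify stream keys ends up holding signing material. In the same hunk, decode_stream_key passes `algorithms=["RS256"]` although create_stream_key two functions above now signs with ES256, so every call raises an invalid-algorithm error; it should read `algorithms=["ES256"]` like verify_stream_key. The payload written by create_stream_key carries no `exp` claim, so a stream key stays valid until the EC key pair is rotated; if that is intended it is worth a one-line comment on the function.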
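Review bot: The except tuple in `verify_token`, and the identical one in `verify_stream_key` in the previous hunk, lists ExpiredSignatureError next to InvalidTokenError; assuming jwtlib is PyJWT, ExpiredSignatureError is a subclass of InvalidTokenError, so `except jwtlib.InvalidTokenError:` covers both and states the intent more plainly. The fix from `jwt.InvalidTokenError` to `jwtlib.InvalidTokenError` is correct, since the old name would have raised NameError on the first invalid token instead of returning False. The commented-out `# return jwtlib.decode(...)` line above the try is dead code and can go now that the function is being renamed; any caller of the old `verify` name outside this diff will break on the rename, so it is worth checking for uses beyond stream.py.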
@@ -22,18 +22,19 @@ def create_stream():
     StreamModel(username, title, description)
 
 
-@stream.route('/publish_check')
+@stream.route('/publish_check', methods=['POST'])
 def publish_check():
     # TODO: check if user created stream
 
     # get user
-    stream_key = request.args.get('stream_key')
+    stream_key = request.form.get('stream_key')
     username = request.form.get('name')
+    print(username, stream_key)
 
     try:
         stream_user = user.search_user(username)[0]
 
-        if username != stream_user['username'] or not jwt.verify(stream_key):
+        if username != stream_user['username'] or not jwt.verify_stream_key(stream_key):
             raise ValueError('Invalid Token')
 
     except (IndexError, ValueError):
@@ -46,7 +47,7 @@ def publish_check():
 def test():
     stream_key = request.args.get('stream_key')
 
-    if jwt.verify(stream_key):
+    if jwt.verify_token(stream_key):
         return Response('OK', 200)
 
     return Response('Invalid Stream Key', 401)
diff --git a/src/stream_auth/settings.py b/src/stream_auth/settings.py
index ffb2471..36bbf51 100644
--- a/src/stream_auth/settings.py
+++ b/src/stream_auth/settings.py
@@ -11,10 +11,13 @@ KEY_DIR = os.path.join(APP_DIR, 'keys')
 
 JWT_PRIV_PATH = os.path.join(KEY_DIR, 'jwtRS256.key')
 JWT_PUB_PATH = os.path.join(KEY_DIR, 'jwtRS256.key.pub')
+STREAM_KEY_PRIV_PATH = os.path.join(KEY_DIR, 'streamkeyEC256.key')
+STREAM_KEY_PUB_PATH = os.path.join(KEY_DIR, 'streamkeyEC256.key.pub')
 JWT_EXP_TIME = 2592000
+
 DBS_PATH = os.path.join(APP_DIR, 'dbs')
-os.path.join(DBS_PATH, 'x.json')
 USER_DATABASE = os.path.join(DBS_PATH, 'users.json')
 STREAM_DATABASE = os.path.join(DBS_PATH, 'streams.json')
 LIVE_STREAM_DATABASE = os.path.join(DBS_PATH, 'live_streams.json')
+
 STREAM_KEY_LENGTH = 32
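Review bot: `print(username, stream_key)` writes the stream key, the credential that authorizes publishing, to stdout where it ends up in process logs; remove it before merging. The check below it also never ties the key to the account: verify_stream_key only validates the signature, and the `{'username': ...}` claim that create_stream_key embeds is never compared with the `name` form field, so a valid key issued to one account passes publish_check for any other account whose name is sent alongside it. Keep the existing check and add, inside the same try, `if jwt.decode_stream_key(stream_key).get('username') != username:` followed by `raise ValueError('Invalid Token')`, which works once decode_stream_key's algorithm list matches the ES256 keys it is given. The except branch of publish_check continues past the hunk, and the `# TODO: check if user created stream` above is still open.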
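Review bot: STREAM_KEY_PRIV_PATH and STREAM_KEY_PUB_PATH, like the RS256 paths above them, are fixed to a keys/ directory inside the application tree, so the private signing keys live next to the source and are loaded unconditionally at import time by jwt.py. Consider letting deployments point elsewhere with an environment override on KEY_DIR, which is defined just above this hunk, e.g. `KEY_DIR = os.environ.get('STREAM_AUTH_KEY_DIR', os.path.join(APP_DIR, 'keys'))` (variable name chosen for illustration), so key material can be kept outside the checkout and the `*.key*` gitignore rule is not the only thing standing between the keys and the repository.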