From 90831bb607b2b92b1c10cff75da2ac9a31b83467 Mon Sep 17 00:00:00 2001
From: Kang Ming
Date: Mon, 29 Jul 2024 14:05:50 -0700
Subject: [PATCH] fix: maintain backward compatibility for asymmetric JWTs (#1690)
## What kind of change does this PR introduce?
* Use the original value of `GOTRUE_JWT_SECRET` - no need to check for base64 decoding.
* Don't include the kid claim if the kid is an empty string
## What is the current behavior? Please link any relevant issues here.
## What is the new behavior? Feel free to include screenshots if it includes visual changes.
## Additional context Add any other context or screenshots.
---
 internal/api/token.go | 5 +++--
 internal/conf/configuration.go | 6 +-----
 2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/internal/api/token.go b/internal/api/token.go
index 0cee6c277..f65ec9a67 100644
--- a/internal/api/token.go
+++ b/internal/api/token.go
@@ -379,8 +379,9 @@ func (a *API) generateAccessToken(r *http.Request, tx *storage.Connection, user
 }
 if _, ok := token.Header["kid"]; !ok {
- kid := signingJwk.KeyID()
- token.Header["kid"] = kid
+ if kid := signingJwk.KeyID(); kid != "" {
+ token.Header["kid"] = kid
+ }
 }
 // this serializes the aud claim to a string
diff --git a/internal/conf/configuration.go b/internal/conf/configuration.go
index 2b50606ac..9ead9b37c 100644
--- a/internal/conf/configuration.go
+++ b/internal/conf/configuration.go
@@ -743,11 +743,7 @@ func (config *GlobalConfiguration) ApplyDefaults() error {
 if config.JWT.Keys == nil || len(config.JWT.Keys) == 0 {
 // transform the secret into a JWK for consistency
- bytes, err := base64.StdEncoding.DecodeString(config.JWT.Secret)
- if err != nil {
- bytes = []byte(config.JWT.Secret)
- }
- privKey, err := jwk.FromRaw(bytes)
+ privKey, err := jwk.FromRaw([]byte(config.JWT.Secret))
 if err != nil {
 return err
 }
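Review bot: Tokens signed with a key whose `KeyID()` is empty now carry no `kid` header at all, so whatever verifies them has to pick the key without that hint. The verification path is not part of this hunk, so it is worth confirming that it takes the key and algorithm from configuration rather than from the token's own `alg` header when `kid` is absent. A comment on the new branch would record the reason, for example `// key derived from GOTRUE_JWT_SECRET has no key ID: omit "kid" so the header matches tokens issued before JWK support` (assuming that is where the empty ID comes from). generateAccessToken starts and ends outside the hunk.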
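Review bot: No test pins the behaviour restored at `jwk.FromRaw([]byte(config.JWT.Secret))`. The diffstat lists only token.go and configuration.go, so nothing stops the base64 decode from being reintroduced later and silently changing the signing key for any secret that happens to be valid base64. A configuration test that sets a base64-shaped secret and checks the derived key equals its raw bytes would cover this, and a comment such as `// use the secret verbatim; decoding it would change the key for existing deployments` above the call would record why. Nothing visible here rejects an empty or very short `config.JWT.Secret` before it becomes the symmetric signing key; if that is not validated elsewhere, it should be. ApplyDefaults continues outside the hunk.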