Do not set mongoose_config when ejabberd_auth is started

This was used only by ejabberd_auth_jwt to store the secret.
This secret can be stored in a persistent term as it remains constant
for the whole runtime.

Also: do not convert the algorithm from binary to list and back

src/auth/ejabberd_auth.erl

@@ -29,7 +29,6 @@
 -export([start/0,
          start/1,
          stop/1,
-         set_opts/2,
          get_opt/3,
          get_opt/2,
          authorize/1,
@@ -121,16 +120,6 @@ hooks(HostType) ->
      {remove_domain, HostType, ?MODULE, remove_domain, 10}
     ].
 
--spec set_opts(HostType :: mongooseim:host_type(),
-               KVs :: [tuple()]) -> ok.
-set_opts(HostType, KVs) ->
-    OldOpts = mongoose_config:get_opt({auth_opts, HostType}),
-    AccFunc = fun({K, V}, Acc) ->
-                  lists:keystore(K, 1, Acc, {K, V})
-              end,
-    NewOpts = lists:foldl(AccFunc, OldOpts, KVs),
-    mongoose_config:set_opt({auth_opts, HostType}, NewOpts).
-
 -spec get_opt(HostType :: mongooseim:host_type(),
               Opt :: atom(),
               Default :: ejabberd:value()) -> undefined | ejabberd:value().

src/auth/ejabberd_auth_jwt.erl

@@ -48,18 +48,13 @@
 
 -spec start(HostType :: mongooseim:host_type()) -> ok.
 start(HostType) ->
-    UsernameKey = ejabberd_auth:get_opt(HostType, jwt_username_key),
-    true = is_atom(UsernameKey) andalso UsernameKey /= undefined,
-
     JWTSecret = get_jwt_secret(HostType),
-    JWTAlgorithm = ejabberd_auth:get_opt(HostType, jwt_algorithm),
-    ejabberd_auth:set_opts(HostType,
-                           [{jwt_secret, JWTSecret},
-                            {jwt_algorithm, list_to_binary(JWTAlgorithm)}]),
+    persistent_term:put({?MODULE, HostType, jwt_secret}, JWTSecret),
     ok.
 
 -spec stop(HostType :: mongooseim:host_type()) -> ok.
 stop(_HostType) ->
+    persistent_term:erase(jwt_secret),
     ok.
 
 -spec supports_sasl_module(binary(), cyrsasl:sasl_module()) -> boolean().
@@ -75,7 +70,7 @@ authorize(Creds) ->
                      LServer :: jid:lserver(),
                      Password :: binary()) -> boolean().
 check_password(HostType, LUser, LServer, Password) ->
-    Key = case ejabberd_auth:get_opt(HostType, jwt_secret) of
+    Key = case persistent_term:get({?MODULE, HostType, jwt_secret}) of
               Key1 when is_binary(Key1) -> Key1;
               {env, Var} -> list_to_binary(os:getenv(Var))
           end,

src/config/mongoose_config_spec.erl

@@ -540,10 +540,11 @@ auth_http() ->
 auth_jwt() ->
     #section{
        items = #{<<"secret">> => auth_jwt_secret(),
-                 <<"algorithm">> => #option{type = string,
-                                            validate = {enum, ["HS256", "RS256", "ES256",
-                                                               "HS386", "RS386", "ES386",
-                                                               "HS512", "RS512", "ES512"]},
+                 <<"algorithm">> => #option{type = binary,
+                                            validate = {enum,
+                                                        [<<"HS256">>, <<"RS256">>, <<"ES256">>,
+                                                         <<"HS386">>, <<"RS386">>, <<"ES386">>,
+                                                         <<"HS512">>, <<"RS512">>, <<"ES512">>]},
                                             format = {kv, jwt_algorithm}},
                  <<"username_key">> => #option{type = atom,
                                                validate = non_empty,

test/config_parser_SUITE.erl

@@ -993,18 +993,18 @@ auth_jwt(_Config) ->
              <<"algorithm">> => <<"HS512">>,
              <<"username_key">> => <<"user">>}, % tested together as all options are required
     eq_host_config([#local_config{key = {auth_opts, ?HOST},
-                                  value = [{jwt_algorithm, "HS512"},
+                                  value = [{jwt_algorithm, <<"HS512">>},
                                            {jwt_secret, "secret123"},
                                            {jwt_username_key, user}]}],
                    auth_config(<<"jwt">>, Opts)),
     FileOpts = Opts#{<<"secret">> := #{<<"file">> => <<"/home/user/jwt_secret">>}},
     eq_host_config([#local_config{key = {auth_opts, ?HOST},
-                                  value = [{jwt_algorithm, "HS512"},
+                                  value = [{jwt_algorithm, <<"HS512">>},
                                            {jwt_secret_source, "/home/user/jwt_secret"},
                                            {jwt_username_key, user}]}],
                    auth_config(<<"jwt">>, FileOpts)),
     eq_host_config([#local_config{key = {auth_opts, ?HOST},
-                                  value = [{jwt_algorithm, "HS512"},
+                                  value = [{jwt_algorithm, <<"HS512">>},
                                            {jwt_secret_source, {env, "SECRET"}},
                                            {jwt_username_key, user}]}],
                    auth_config(<<"jwt">>, Opts#{<<"secret">> := #{<<"env">> => <<"SECRET">>}})),

test/config_parser_SUITE_data/miscellaneous.options

@@ -31,7 +31,7 @@
 {local_config,{auth_opts,<<"anonymous.localhost">>},
               [{extauth_program,"/usr/bin/authenticator"},
                {basic_auth,"admin:admin"},
-               {jwt_algorithm,"RS256"},
+               {jwt_algorithm,<<"RS256">>},
                {jwt_secret,"secret123"},
                {jwt_username_key,user},
                {ldap_base,"ou=Users,dc=esl,dc=com"},
@@ -47,7 +47,7 @@
 {local_config,{auth_opts,<<"localhost">>},
               [{extauth_program,"/usr/bin/authenticator"},
                {basic_auth,"admin:admin"},
-               {jwt_algorithm,"RS256"},
+               {jwt_algorithm,<<"RS256">>},
                {jwt_secret,"secret123"},
                {jwt_username_key,user},
                {ldap_base,"ou=Users,dc=esl,dc=com"},