0
Fork 0
mirror of https://github.com/logto-io/logto.git synced 2024-12-16 20:26:19 -05:00

feat(cli): trim keys

This commit is contained in:
Gao Sun 2022-11-07 19:26:56 +08:00
parent 3ff2e90cd3
commit 3585a77de9
No known key found for this signature in database
GPG key ID: 13EBE123E4773688
2 changed files with 66 additions and 3 deletions

View file

@ -6,8 +6,18 @@
### Rotate your private or secret key ### Rotate your private or secret key
Add a new command `db config rotate <key>` to support key rotation via CLI. We add a new command `db config rotate <key>` to support key rotation via CLI.
When rotating, the CLI will generate a new key and prepend to the corresponding key array. Thus the old key is still valid and the serivce will use the new key for signing. When rotating, the CLI will generate a new key and prepend to the corresponding key array. Thus the old key is still valid and the service will use the new key for signing.
Run `logto db config rotate help` for detailed usage. Run `logto db config rotate help` for detailed usage.
### Trim the private or secret key you don't need
If you want to trim one or more out-dated private or secret key(s) from the config, use the command `db config trim <key>`. It will remove the last item (private or secret key) in the array.
You may remove the old key after a certain period (such as half a year) to allow most of your users have time to touch the new key.
If you want to remove multiple keys at once, just append a number to the command. E.g. `logto db config trim oidc.cookieKeys 3`.
Run `logto db config trim help` for detailed usage.

View file

@ -154,11 +154,64 @@ const rotateConfig: CommandModule<unknown, { key: string }> = {
}, },
}; };
const trimConfig: CommandModule<unknown, { key: string; length: number }> = {
command: 'trim <key> [length]',
describe: 'Remove the last [length] number of private or secret keys for the given config key',
builder: (yargs) =>
yargs
.positional('key', {
describe: `The config key to trim, one of ${chalk.green(validRotateKeys.join(', '))}`,
type: 'string',
demandOption: true,
})
.positional('length', {
describe: 'Number of private or secret keys to trim',
type: 'number',
default: 1,
demandOption: true,
}),
handler: async ({ key, length }) => {
validateRotateKey(key);
if (length < 1) {
log.error('Invalid length provided');
}
const pool = await createPoolFromConfig();
const { rows } = await getRowsByKeys(pool, [key]);
if (!rows[0]) {
log.warn('No key found, create a new one');
}
const getValue = async () => {
const value = logtoConfigGuards[key].parse(rows[0]?.value);
if (value.length - length < 1) {
await pool.end();
log.error(`You should keep at least one key in the array, current length=${value.length}`);
}
return value.slice(0, -length);
};
const trimmed = await getValue();
await updateValueByKey(pool, key, trimmed);
await pool.end();
log.info(`Trim ${chalk.green(key)} succeeded, now it has ${trimmed.length} keys`);
},
};
const config: CommandModule = { const config: CommandModule = {
command: ['config', 'configs'], command: ['config', 'configs'],
describe: 'Commands for Logto database config', describe: 'Commands for Logto database config',
builder: (yargs) => builder: (yargs) =>
yargs.command(getConfig).command(setConfig).command(rotateConfig).demandCommand(1), yargs
.command(getConfig)
.command(setConfig)
.command(rotateConfig)
.command(trimConfig)
.demandCommand(1),
handler: noop, handler: noop,
}; };