[CVAT][Exchange Oracle] Changed JWT algo from HS256 to ES256 (#2617)

* fix: changed JWT algo from HS256 to ES256

* Update tests and config to use ES256 algorithm

* Add comment clarifying source of jwt_public_key

---------

Co-authored-by: Arseny Boykov <[email protected]>

Author: Dzeranov

packages/examples/cvat/exchange-oracle/src/core/config.py

@@ -244,7 +244,12 @@ class CoreConfig:
 
 
 class HumanAppConfig:
-    jwt_key = os.environ.get("HUMAN_APP_JWT_KEY", "sample")
+    # jwt_public_key is obtained from the Human App.
+    # To generate a key pair for testing purposes:
+    # openssl ecparam -name prime256v1 -genkey -noout -out ec_private.pem
+    # openssl ec -in ec_private.pem -pubout -out ec_public.pem
+    # HUMAN_APP_JWT_KEY=$(cat ec_public.pem)
+    jwt_public_key = os.environ.get("HUMAN_APP_JWT_KEY")
 
 
 class ApiConfig:

packages/examples/cvat/exchange-oracle/src/endpoints/authentication.py

@@ -68,7 +68,7 @@ async def authenticate_token(
 
         try:
             payload = jwt.decode(
-                token.credentials, Config.human_app_config.jwt_key, algorithms=["HS256"]
+                token.credentials, Config.human_app_config.jwt_public_key, algorithms=["ES256"]
             )
             return self._auth_data_class.model_validate(payload)
         except (jwt.PyJWTError, pydantic.ValidationError) as e:

packages/examples/cvat/exchange-oracle/tests/api/test_exchange_api.py

@@ -6,6 +6,8 @@
 from unittest.mock import patch
 
 import jwt
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import ec
 from fastapi.responses import Response
 from fastapi.testclient import TestClient
 from sqlalchemy.orm import Session
@@ -31,6 +33,25 @@
 cvat_email = "[email protected]"
 
 
+def generate_ecdsa_keys() -> tuple[str, str]:
+    private_key = ec.generate_private_key(ec.SECP256R1())
+    pem_private = private_key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.PKCS8,
+        encryption_algorithm=serialization.NoEncryption(),
+    )
+    pem_public = private_key.public_key().public_bytes(
+        encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo
+    )
+    return pem_private.decode(), pem_public.decode()
+
+
+PRIVATE_KEY, PUBLIC_KEY = generate_ecdsa_keys()
+
+# Exchange Oracle doesn't have access to the private key
+Config.human_app_config.jwt_public_key = PUBLIC_KEY
+
+
 def generate_jwt_token(
     *,
     wallet_address: str | None = user_address,
@@ -41,7 +62,8 @@ def generate_jwt_token(
             **({"wallet_address": wallet_address} if wallet_address else {"role": "HUMAN_APP"}),
             "email": email,
         },
-        Config.human_app_config.jwt_key,
+        PRIVATE_KEY,
+        algorithm="ES256",
     )