RSA Public/Private keys

[Alexays]

What kind of change does this PR introduce?

Feature

What is the current behavior?

Using JWT secret only

What is the new behavior?

Can use JWT secret or RSA pub/priv keys

Additional context

I wanted to know if I was going in the right direction to implement this feature before continuing.
Fixes #171

[kangmingtay]

Hey @Alexays, thanks for taking the initiative to help out with this! Just wanted to let you know that we are not planning to add this for the time being. We definitely plan to support both HS256 (symmetric) and RS256 (asymmetric) encryptions of JWT sometime in the future. It's a good start but the current changes you've made will need some work because we need to ensure that any updates made are backward compatible for the rest of the community using gotrue.

In the meantime, I can share with you some thoughts I have at the top of my head regarding how this should be designed / refactored:

1. Existing functions that make use of the JWT secret should instead check the alg claim to see what kind of encryption the JWT is using.
2. Based on the alg in (1), using the corresponding encryption / decryption method on the JWT
3. This feature would also be useful for improving gotrue's capabilities as an idP. We will need to expose the public keys via an endpoint (e.g. localhost:9999/.well-known/openid-configuration)

We leave this PR open and discuss any design considerations / security implications to take note of.

[Alexays]

Hey @kangmingtay thanks for your response!
As I need this feature, I will implement it and push the changes in this PR, we will see later for the design, but in any case there will be no breaking changes.
I made some changes to make the code simpler with just a notion of signing key and validate key.

[Alexays]

Just a little message to say that it works perfectly, let me know when you want to implement it on master @kangmingtay
I'll have to write some tests too

[kangmingtay]

Hey @Alexays, this looks awesome! Could you do me a favor and update your branch with the latest version on master? We just fixed the test suite and it should help in checking if there are any breaking changes.

[Alexays]

Done @kangmingtay! :)

[Alexays]

Any news @kangmingtay ?

[kangmingtay]

Hey @Alexays, I haven't had the time to test this out yet and play around with it. I've been pretty busy with increasing our test coverage & refactoring parts of gotrue. Will plan to look into this around mid - end October!

[hf]

Hey this PR has been outdated for a long while now. I'll close it, but if you still wish to contribute please re-open it or submit a new one!

On asymmetric JWTs, we are unable to support an implementation at this time as Supabase's platform relies heavily on symmetric JWTs. We have been discussing some changes to this, but they will be significant and we'll introduce proper support then.