#!/bin/bash

# 生成 JWKS JSON 文件的脚本
# 用于 Envoy JWT 验证

set -e

# 参数
JWT_SECRET_KEY="${1:-your-secret-key-change-this-in-production}"
OUTPUT_FILE="${2:-jwks.json}"
KEY_ID="${3:-default-key-id}"

echo "生成 JWKS JSON..."
echo "- Secret Key: ${JWT_SECRET_KEY:0:10}..."
echo "- Key ID: $KEY_ID"
echo "- Output: $OUTPUT_FILE"

# 对密钥进行 base64 编码（URL-safe 无填充）
ENCODED_KEY=$(echo -n "$JWT_SECRET_KEY" | base64 | tr '+/' '-_' | sed 's/=//g')

# 生成 JWKS JSON
cat > "$OUTPUT_FILE" <<EOF
{
  "keys": [
    {
      "kty": "oct",
      "use": "sig",
      "kid": "$KEY_ID",
      "k": "$ENCODED_KEY",
      "alg": "HS256"
    }
  ]
}
EOF

echo "✓ JWKS 文件已生成: $OUTPUT_FILE"
echo ""
echo "内容预览:"
cat "$OUTPUT_FILE"
echo ""
echo ""
echo "配置说明:"
echo "1. 在 user-rpc 的 .well-known/jwks.json 端点暴露此文件"
echo "2. 在 Envoy 中配置远程 JWKS URI:"
echo "   remote_jwks:"
echo "     http_uri:"
echo "       uri: http://user-rpc-svc:9001/.well-known/jwks.json"
echo ""