gtsteffaniak · gtsteffaniak · Apr 19, 2026 · Apr 19, 2026 · Apr 19, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,13 @@
 
 All notable changes to this project will be documented in this file. For commit guidelines, please refer to [Standard Version](https://github.com/conventional-changelog/standard-version).
 
+## v1.3.6
+
+ **BugFixes**:
+ - file watcher not working for files (#2314)
+ - "source" type link shows up multiple times when adding sidebar links if user has multiple sources.
+ - JWT ES256 results in error (#2188)
+
 ## v1.3.5
 
  **Notes**:

diff --git a/backend/auth/jwt.go b/backend/auth/jwt.go
@@ -1,7 +1,12 @@
 package auth
 
 import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rsa"
+	"crypto/x509"
 	"encoding/json"
+	"encoding/pem"
 	"fmt"
 	"net/http"
 
@@ -47,14 +52,12 @@ func VerifyExternalJWT(tokenString string, secret string, algorithm string, user
 		if expectedMethod == nil {
 			return nil, fmt.Errorf("unsupported signing algorithm: %s", algorithm)
 		}
-		
+
 		if token.Method.Alg() != expectedMethod.Alg() {
 			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
 		}
-
-		// Return the secret key for HMAC algorithms
-		// For RSA/ECDSA, this would need to be a public key
-		return []byte(secret), nil
+
+		return jwtVerificationKey(secret, token.Method, algorithm)
 	})
 
 	if err != nil {
@@ -100,10 +103,102 @@ func VerifyExternalJWT(tokenString string, secret string, algorithm string, user
 	return username, claimsMap, nil
 }
 
+func jwtVerificationKey(secret string, method jwt.SigningMethod, algorithm string) (interface{}, error) {
+	switch method.(type) {
+	case *jwt.SigningMethodHMAC:
+		return []byte(secret), nil
+	case *jwt.SigningMethodRSA:
+		key, err := parsePublicKeyFromPEM(secret)
+		if err != nil {
+			return nil, err
+		}
+		rsaKey, ok := key.(*rsa.PublicKey)
+		if !ok {
+			return nil, fmt.Errorf("JWT secret must contain an RSA public key in PEM format for algorithm %s", algorithm)
+		}
+		return rsaKey, nil
+	case *jwt.SigningMethodECDSA:
+		key, err := parsePublicKeyFromPEM(secret)
+		if err != nil {
+			return nil, err
+		}
+		ecKey, ok := key.(*ecdsa.PublicKey)
+		if !ok {
+			return nil, fmt.Errorf("JWT secret must contain an ECDSA public key in PEM format for algorithm %s", algorithm)
+		}
+		if err := ecdsaCurveMatchesAlgorithm(algorithm, ecKey); err != nil {
+			return nil, err
+		}
+		return ecKey, nil
+	default:
+		return nil, fmt.Errorf("unsupported JWT signing method: %s", method.Alg())
+	}
+}
+
+func ecdsaCurveMatchesAlgorithm(algorithm string, pub *ecdsa.PublicKey) error {
+	var want elliptic.Curve
+	switch algorithm {
+	case "ES256":
+		want = elliptic.P256()
+	case "ES384":
+		want = elliptic.P384()
+	case "ES512":
+		want = elliptic.P521()
+	default:
+		return nil
+	}
+	if pub.Curve != want {
+		return fmt.Errorf("ECDSA public key curve does not match algorithm %s", algorithm)
+	}
+	return nil
+}
+
+func parsePublicKeyFromPEM(pemData string) (interface{}, error) {
+	rest := []byte(pemData)
+	var lastErr error
+	for len(rest) > 0 {
+		block, rem := pem.Decode(rest)
+		if block == nil {
+			break
+		}
+		rest = rem
+
+		var key interface{}
+		var err error
+		switch block.Type {
+		case "CERTIFICATE":
+			var cert *x509.Certificate
+			cert, err = x509.ParseCertificate(block.Bytes)
+			if err == nil {
+				key = cert.PublicKey
+			}
+		case "PUBLIC KEY":
+			key, err = x509.ParsePKIXPublicKey(block.Bytes)
+		case "RSA PUBLIC KEY":
+			key, err = x509.ParsePKCS1PublicKey(block.Bytes)
+		case "EC PUBLIC KEY":
+			key, err = x509.ParsePKIXPublicKey(block.Bytes)
+		default:
+			continue
+		}
+		if err != nil {
+			lastErr = err
+			continue
+		}
+		if key != nil {
+			return key, nil
+		}
+	}
+	if lastErr != nil {
+		return nil, fmt.Errorf("failed to parse JWT public key from PEM: %w", lastErr)
+	}
+	return nil, fmt.Errorf("no public key found in JWT secret (expected PEM: CERTIFICATE, PUBLIC KEY, RSA PUBLIC KEY, or EC PUBLIC KEY)")
+}
+
 // ExtractGroupsFromClaims extracts groups from JWT claims based on the configured groups claim field
 func ExtractGroupsFromClaims(claims map[string]interface{}, groupsClaimField string) []string {
 	var groups []string
-	
+
 	if groupsVal, ok := claims[groupsClaimField]; ok {
 		switch v := groupsVal.(type) {
 		case []interface{}:
@@ -129,6 +224,6 @@ func ExtractGroupsFromClaims(claims map[string]interface{}, groupsClaimField str
 			}
 		}
 	}
-	
+
 	return groups
 }
diff --git a/backend/auth/jwt_test.go b/backend/auth/jwt_test.go
@@ -1,6 +1,14 @@
 package auth_test
 
 import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
 	"testing"
 	"time"
 
@@ -144,6 +152,140 @@ func TestVerifyExternalJWT_CustomUserIdentifier(t *testing.T) {
 	}
 }
 
+func TestVerifyExternalJWT_ES256_PublicKeyPEM(t *testing.T) {
+	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatalf("GenerateKey: %v", err)
+	}
+	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
+	if err != nil {
+		t.Fatalf("MarshalPKIXPublicKey: %v", err)
+	}
+	pubPEM := string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER}))
+
+	username := "ec-user"
+	claims := jwt.MapClaims{
+		"sub": username,
+		"exp": time.Now().Add(time.Hour).Unix(),
+		"iat": time.Now().Unix(),
+	}
+	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)
+	tokenString, err := token.SignedString(priv)
+	if err != nil {
+		t.Fatalf("SignedString: %v", err)
+	}
+
+	got, _, err := auth.VerifyExternalJWT(tokenString, pubPEM, "ES256", "sub")
+	if err != nil {
+		t.Fatalf("VerifyExternalJWT: %v", err)
+	}
+	if got != username {
+		t.Errorf("username: got %q want %q", got, username)
+	}
+}
+
+func TestVerifyExternalJWT_RS256_PublicKeyPEM(t *testing.T) {
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Fatalf("GenerateKey: %v", err)
+	}
+	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
+	if err != nil {
+		t.Fatalf("MarshalPKIXPublicKey: %v", err)
+	}
+	pubPEM := string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER}))
+
+	username := "rsa-user"
+	claims := jwt.MapClaims{
+		"sub": username,
+		"exp": time.Now().Add(time.Hour).Unix(),
+		"iat": time.Now().Unix(),
+	}
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+	tokenString, err := token.SignedString(priv)
+	if err != nil {
+		t.Fatalf("SignedString: %v", err)
+	}
+
+	got, _, err := auth.VerifyExternalJWT(tokenString, pubPEM, "RS256", "sub")
+	if err != nil {
+		t.Fatalf("VerifyExternalJWT: %v", err)
+	}
+	if got != username {
+		t.Errorf("username: got %q want %q", got, username)
+	}
+}
+
+func TestVerifyExternalJWT_ES256_WrongCurveRejected(t *testing.T) {
+	p256Priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatalf("GenerateKey: %v", err)
+	}
+	p384Priv, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+	if err != nil {
+		t.Fatalf("GenerateKey: %v", err)
+	}
+	verifyDER, err := x509.MarshalPKIXPublicKey(&p384Priv.PublicKey)
+	if err != nil {
+		t.Fatalf("MarshalPKIXPublicKey: %v", err)
+	}
+	verifyPEM := string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: verifyDER}))
+
+	claims := jwt.MapClaims{
+		"sub": "u",
+		"exp": time.Now().Add(time.Hour).Unix(),
+		"iat": time.Now().Unix(),
+	}
+	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)
+	tokenString, err := token.SignedString(p256Priv)
+	if err != nil {
+		t.Fatalf("SignedString: %v", err)
+	}
+
+	_, _, err = auth.VerifyExternalJWT(tokenString, verifyPEM, "ES256", "sub")
+	if err == nil {
+		t.Fatal("expected error when PEM public key curve does not match algorithm")
+	}
+}
+
+func TestVerifyExternalJWT_CertificatePEM(t *testing.T) {
+	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatalf("GenerateKey: %v", err)
+	}
+	tpl := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject:      pkix.Name{CommonName: "jwt-test"},
+		NotBefore:    time.Now().Add(-time.Hour),
+		NotAfter:     time.Now().Add(24 * time.Hour),
+	}
+	certDER, err := x509.CreateCertificate(rand.Reader, tpl, tpl, &priv.PublicKey, priv)
+	if err != nil {
+		t.Fatalf("CreateCertificate: %v", err)
+	}
+	certPEM := string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}))
+
+	username := "cert-user"
+	claims := jwt.MapClaims{
+		"sub": username,
+		"exp": time.Now().Add(time.Hour).Unix(),
+		"iat": time.Now().Unix(),
+	}
+	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)
+	tokenString, err := token.SignedString(priv)
+	if err != nil {
+		t.Fatalf("SignedString: %v", err)
+	}
+
+	got, _, err := auth.VerifyExternalJWT(tokenString, certPEM, "ES256", "sub")
+	if err != nil {
+		t.Fatalf("VerifyExternalJWT: %v", err)
+	}
+	if got != username {
+		t.Errorf("username: got %q want %q", got, username)
+	}
+}
+
 func TestExtractGroupsFromClaims_ArrayOfStrings(t *testing.T) {
 	claims := map[string]interface{}{
 		"groups": []string{"admin", "users"},

diff --git a/backend/common/settings/auth.go b/backend/common/settings/auth.go
@@ -106,12 +106,12 @@ type LdapConfig struct {
 }
 
 // JwtAuthConfig configures external JWT token authentication
-// Similar to Grafana's JWT auth: accepts external JWT tokens signed with a shared secret
+// Similar to Grafana's JWT auth: verifies HS* tokens with a shared secret, or RS*/ES* with a PEM public key (or certificate)
 // The query parameter is hardcoded to "jwt" (e.g. ?jwt=<token>)
 type JwtAuthConfig struct {
 	AuthCommon `json:",inline"`
 	Header     string `json:"header"`    // HTTP header to look for JWT token (e.g. X-JWT-Assertion). Default is "X-JWT-Assertion"
-	Secret     string `json:"secret"`    // secret: shared secret key for verifying JWT token signatures (required)
+	Secret     string `json:"secret"`    // Shared secret key/bytes for verifying JWT token signatures (required, eg PUBLIC KEY, RSA PUBLIC KEY, EC PUBLIC KEY, or CERTIFICATE)
 	Algorithm  string `json:"algorithm"` // JWT signing algorithm (HS256, HS384, HS512, RS256, ES256). Default is "HS256"
 }
 

diff --git a/backend/http/fileWatcher.go b/backend/http/fileWatcher.go
@@ -219,6 +219,7 @@ func fileWatchHandler(w http.ResponseWriter, r *http.Request, d *requestContext)
 			return http.StatusInternalServerError, fmt.Errorf("error checking file type: %v", err)
 		}
 		if isText {
+			response.IsText = true
 			// Read the last N lines for text files only
 			content, err := readLastNLines(realPath, lines)
 			if err != nil {

diff --git a/backend/swagger/docs/docs.go b/backend/swagger/docs/docs.go
@@ -5252,7 +5252,7 @@ const docTemplate = `{
                     "type": "string"
                 },
                 "secret": {
-                    "description": "secret: shared secret key for verifying JWT token signatures (required)",
+                    "description": "Shared secret key/bytes for verifying JWT token signatures (required, eg PUBLIC KEY, RSA PUBLIC KEY, EC PUBLIC KEY, or CERTIFICATE)",
                     "type": "string"
                 },
                 "userGroups": {

diff --git a/backend/swagger/docs/swagger.json b/backend/swagger/docs/swagger.json
@@ -5241,7 +5241,7 @@
                     "type": "string"
                 },
                 "secret": {
-                    "description": "secret: shared secret key for verifying JWT token signatures (required)",
+                    "description": "Shared secret key/bytes for verifying JWT token signatures (required, eg PUBLIC KEY, RSA PUBLIC KEY, EC PUBLIC KEY, or CERTIFICATE)",
                     "type": "string"
                 },
                 "userGroups": {

diff --git a/backend/swagger/docs/swagger.yaml b/backend/swagger/docs/swagger.yaml
@@ -801,8 +801,8 @@ definitions:
           to logout url. Custom logout query params are respected.
         type: string
       secret:
-        description: 'secret: shared secret key for verifying JWT token signatures
-          (required)'
+        description: Shared secret key/bytes for verifying JWT token signatures (required,
+          eg PUBLIC KEY, RSA PUBLIC KEY, EC PUBLIC KEY, or CERTIFICATE)
         type: string
       userGroups:
         description: if set, only users in these groups are allowed to log in. Blocks

diff --git a/frontend/public/config.generated.yaml b/frontend/public/config.generated.yaml
@@ -115,7 +115,7 @@ auth:
       disableVerifyTLS: false             # disable TLS verification (insecure, for testing only)
       logoutRedirectUrl: ""               # if provider logout url is provided, filebrowser will also redirect to logout url. Custom logout query params are respected.
       header: ""                          # HTTP header to look for JWT token (e.g. X-JWT-Assertion). Default is "X-JWT-Assertion"
-      secret: ""                          # secret: shared secret key for verifying JWT token signatures (required)
+      secret: ""                          # Shared secret key/bytes for verifying JWT token signatures (required, eg PUBLIC KEY, RSA PUBLIC KEY, EC PUBLIC KEY, or CERTIFICATE)
       algorithm: ""                       # JWT signing algorithm (HS256, HS384, HS512, RS256, ES256). Default is "HS256"
   key: ""                                 # secret: the key used to sign the JWT tokens. If not set, a random key will be generated.
   adminUsername: "admin"                  # secret: the username of the admin user. If not set, the default is "admin".