Document encryption key

Makefile

@@ -7,6 +7,7 @@ IMGFLOAT_DB_PATH ?= ./imgfloat.db
 IMGFLOAT_GITHUB_CLIENT_OWNER ?= imgfloat
 IMGFLOAT_GITHUB_CLIENT_REPO ?= client
 IMGFLOAT_GITHUB_CLIENT_VERSION ?= 1.0.0
+IMGFLOAT_TOKEN_ENCRYPTION_KEY ?= x5A8tS8Lk4q2qY0xRkz8r9bq2bx0R4A9a0m0k5Y8mCk=
 IMGFLOAT_ASSETS_PATH ?= ./assets
 IMGFLOAT_PREVIEWS_PATH ?= ./previews
 IMGFLOAT_COMMIT_URL_PREFIX ?= https://github.com/imgfloat/server/commit/
@@ -21,7 +22,8 @@ RUNTIME_ENV = IMGFLOAT_ASSETS_PATH=$(IMGFLOAT_ASSETS_PATH) \
 			  IMGFLOAT_COMMIT_URL_PREFIX=$(IMGFLOAT_COMMIT_URL_PREFIX) \
 			  IMGFLOAT_DB_PATH=$(IMGFLOAT_DB_PATH) \
 			  SPRING_SERVLET_MULTIPART_MAX_FILE_SIZE=$(SPRING_SERVLET_MULTIPART_MAX_FILE_SIZE) \
-			  SPRING_SERVLET_MULTIPART_MAX_REQUEST_SIZE=$(SPRING_SERVLET_MULTIPART_MAX_REQUEST_SIZE)
+			  SPRING_SERVLET_MULTIPART_MAX_REQUEST_SIZE=$(SPRING_SERVLET_MULTIPART_MAX_REQUEST_SIZE) \
+			  IMGFLOAT_TOKEN_ENCRYPTION_KEY=$(IMGFLOAT_TOKEN_ENCRYPTION_KEY)
 
 .PHONY: build
 build:

README.md

@@ -17,7 +17,7 @@ Define the following required environment variables:
 | `IMGFLOAT_GITHUB_CLIENT_OWNER` | GitHub user or org which has the client repository | imgfloat |
 | `IMGFLOAT_GITHUB_CLIENT_REPO` | Client repository name | client |
 | `IMGFLOAT_GITHUB_CLIENT_VERSION` | Client release version used for download links | 1.2.3 |
-| `IMGFLOAT_TOKEN_ENCRYPTION_KEY` | Base64-encoded 256-bit (32 byte) key used to encrypt OAuth tokens at rest (store in a secret manager or KMS) | x5A8tS8Lk4q2qY0xRkz8r9bq2bx0R4A9a0m0k5Y8mCk= |
+| `IMGFLOAT_TOKEN_ENCRYPTION_KEY` | Base64/Base64URL-encoded 256-bit (32 byte) key used to encrypt OAuth tokens at rest (store in a secret manager or KMS) | x5A8tS8Lk4q2qY0xRkz8r9bq2bx0R4A9a0m0k5Y8mCk= |
 | `SPRING_SERVLET_MULTIPART_MAX_FILE_SIZE` | Maximum upload file size | 10MB |
 | `SPRING_SERVLET_MULTIPART_MAX_REQUEST_SIZE` | Maximum upload request size | 10MB |
 | `TWITCH_CLIENT_ID` | Oauth2 client id | i1bjnh4whieht5kzn307nvu3rn5pqi |

src/main/java/dev/kruhlmann/imgfloat/config/OAuthTokenCipher.java

@@ -126,7 +126,7 @@ public class OAuthTokenCipher {
     }
 
     private static SecretKey decodeKey(String base64Key, String source) {
-        byte[] decoded = Base64.getDecoder().decode(base64Key);
+        byte[] decoded = decodeBase64(base64Key, source);
         if (decoded.length != 32) {
             throw new IllegalArgumentException(
                 source + " must be a base64-encoded 256-bit (32 byte) key"
@@ -134,4 +134,20 @@ public class OAuthTokenCipher {
         }
         return new SecretKeySpec(decoded, "AES");
     }
+
+    private static byte[] decodeBase64(String base64Key, String source) {
+        try {
+            return Base64.getDecoder().decode(base64Key);
+        } catch (IllegalArgumentException ex) {
+            try {
+                return Base64.getUrlDecoder().decode(base64Key);
+            } catch (IllegalArgumentException urlEx) {
+                ex.addSuppressed(urlEx);
+                throw new IllegalArgumentException(
+                    source + " must be a base64-encoded 256-bit (32 byte) key",
+                    ex
+                );
+            }
+        }
+    }
 }