feat(rocie-server/cli): Make the secret key for identity handling persist-able

1 files changed, 22 insertions, 0 deletions

diff --git a/crates/rocie-server/src/cli.rs b/crates/rocie-server/src/cli.rs
index 01c4199..b198510 100644
--- a/crates/rocie-server/src/cli.rs
+++ b/crates/rocie-server/src/cli.rs
@@ -18,6 +18,24 @@ pub(crate) enum Command {
         #[arg(short, long)]
         port: Option<u16>,
 
+        /// File containing the secret key,
+        /// used to sign the JWT cookies handed out to clients (as hex).
+        ///
+        /// Leave empty to generate a random one.
+        /// Note that every client will be signed out, when this value changes (because the
+        /// rocie-server will not be able to verify the signatures made with the previous key
+        /// anymore).
+        ///
+        /// As there are some requirements that this key needs to fulfill, you can use the
+        /// `generate-key` sub-command to generate a compliant key.
+        /// E.g.
+        /// ```sh
+        /// rocie-server generate-key > ./key.hex
+        /// rocie-server serve --secret-key-file ./key.hex ..
+        /// ```
+        #[arg(short, long, verbatim_doc_comment)]
+        secret_key_file: Option<PathBuf>,
+
         /// Print the used port as single u16 to stdout when started.
         ///
         /// This can be used to determine the used port, when the `port` was left at `None`.
@@ -35,4 +53,8 @@ pub(crate) enum Command {
 
     /// Print the `OpenAPI` API documentation to stdout.
     OpenApi,
+
+    /// Generate (and print to stdout) a compliant secret key for use in the `serve --secret-key`
+    /// argument.
+    GenerateKey,
 }