Remove remaining usage of "pub", render roles on sync

src/Cli/Cli.csproj

@@ -1,23 +1,27 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <AssemblyName>sl</AssemblyName>
+    <AssemblyName>sponsorlink</AssemblyName>
     <OutputType>Exe</OutputType>
     <TargetFramework>net8.0</TargetFramework>
-    <PackageId>dotnet-sl</PackageId>
-    <ToolCommandName>sl</ToolCommandName>
+    <PackageId>dotnet-sponsorlink</PackageId>
+    <ToolCommandName>sponsorlink</ToolCommandName>
+    <RollForward>Major</RollForward>
     <PackAsTool>true</PackAsTool>
+    <PackContent>false</PackContent>
     <Description>SponsorLink CLI</Description>
+    <PackageTags>dotnet dotnet-tool tools</PackageTags>
   </PropertyGroup>
 
   <ItemGroup>
     <PackageReference Include="NuGetizer" Version="1.2.1" PrivateAssets="all"/>
     <PackageReference Include="Spectre.Console.Cli" Version="0.49.1" />
+    <PackageReference Include="Devlooped.JQ" Version="1.7.1.1" />
   </ItemGroup>
 
   <ItemGroup>
-    <ProjectReference Include="..\Commands\Commands.csproj" />
-    <ProjectReference Include="..\Core\Core.csproj" />
+    <ProjectReference Include="..\Commands\Commands.csproj" Pack="false" />
+    <ProjectReference Include="..\Core\Core.csproj" Pack="false" />
   </ItemGroup>
 
 </Project>

src/Commands/Properties/Resources.resx

@@ -225,7 +225,7 @@ Code for the backend and this app are [link=https://www.devlooped.com/SponsorLin
     <value>Requesting manifest signing ...</value>
   </data>
   <data name="Sync_Thanks" xml:space="preserve">
-    <value>:check_mark_button: [lime]{sponsorable}[/]: thanks for sponsoring 💟</value>
+    <value>:check_mark_button: [lime]{sponsorable}[/]: thanks for sponsoring 💟 [dim](roles: {roles})[/]</value>
   </data>
   <data name="Sync_AutoSync" xml:space="preserve">
     <value>[lime]?[/] Do you want to enable [link=https://www.devlooped.com/SponsorLink/github.html#auto-sync][blue]auto sync[/][/] of expired manifests?</value>
@@ -263,6 +263,9 @@ Code for the backend and this app are [link=https://www.devlooped.com/SponsorLin
   <data name="Validate_InvalidExpired" xml:space="preserve">
     <value>:cross_mark: [lime]{sponsorable}[/]: manifest expired {date}. Run [yellow]gh sponsors sync[/] to generate a new one.</value>
   </data>
+  <data name="Validate_InvalidPublicKey" xml:space="preserve">
+    <value>:cross_mark: [lime]{sponsorable}[/]: invalid public key (JWK) provided by issuer</value>
+  </data>
   <data name="Validate_InvalidSignature" xml:space="preserve">
     <value>:cross_mark: [lime]{sponsorable}[/]: manifest signature is invalid. Run [yellow]gh sponsors sync[/] to generate a new one</value>
   </data>

src/Commands/SyncCommand.cs

@@ -1,5 +1,6 @@
 using System.ComponentModel;
 using System.Diagnostics;
+using System.IdentityModel.Tokens.Jwt;
 using System.Text;
 using DotNetConfig;
 using Spectre.Console;
@@ -195,7 +196,12 @@ await Status().StartAsync(Sync.FetchingManifests(sponsorables.Count), async ctx
             if (status == SponsorManifest.Status.Success)
             {
                 File.WriteAllText(Path.Combine(ghDir, manifest.Sponsorable + ".jwt"), jwt, Encoding.UTF8);
-                MarkupLine(Sync.Thanks(manifest.Sponsorable.PadRight(maxlength)));
+                var roles = new JwtSecurityTokenHandler()
+                {
+                    MapInboundClaims = false
+                }.ReadJwtToken(jwt).Claims.Where(c => c.Type == "roles").Select(c => c.Value).ToHashSet();
+
+                MarkupLine(Sync.Thanks(manifest.Sponsorable.PadRight(maxlength), string.Join(", ", roles)));
             }
             else
             {
@@ -229,7 +235,12 @@ await Status().StartAsync(Sync.Synchronizing(manifest.Sponsorable), async ctx =>
                     else if (status == SponsorManifest.Status.Success)
                     {
                         File.WriteAllText(Path.Combine(ghDir, manifest.Sponsorable + ".jwt"), jwt);
-                        MarkupLine(Sync.Thanks(manifest.Sponsorable.PadRight(maxlength)));
+                        var roles = new JwtSecurityTokenHandler()
+                        {
+                            MapInboundClaims = false
+                        }.ReadJwtToken(jwt).Claims.Where(c => c.Type == "roles").Select(c => c.Value).ToHashSet();
+
+                        MarkupLine(Sync.Thanks(manifest.Sponsorable.PadRight(maxlength), string.Join(", ", roles)));
                     }
                     else
                     {

src/Commands/ViewCommand.cs

@@ -57,7 +57,7 @@ await Status().StartAsync(Strings.Validate.Validating, async ctx =>
                 }
 
                 var sponsorable = new JwtSecurityTokenHandler().ReadJwtToken(await response.Content.ReadAsStringAsync());
-                var pub = sponsorable.Claims.FirstOrDefault(x => x.Type == "pub")?.Value;
+                var pub = sponsorable.Claims.FirstOrDefault(x => x.Type == "sub_jwk")?.Value;
 
                 if (pub is null)
                 {
@@ -66,16 +66,24 @@ await Status().StartAsync(Strings.Validate.Validating, async ctx =>
                 }
 
                 var aud = sponsorable.Claims.Where(x => x.Type == "aud").Select(x => x.Value.TrimEnd('/')).ToArray();
+                SecurityKey key;
 
-                var key = RSA.Create();
-                key.ImportRSAPublicKey(Convert.FromBase64String(pub), out _);
+                try
+                {
+                    key = JsonWebKey.Create(pub);
+                }
+                catch (ArgumentException)
+                {
+                    MarkupLine(Strings.Validate.InvalidPublicKey(account));
+                    continue;
+                }
 
                 var validation = new TokenValidationParameters
                 {
                     RequireExpirationTime = true,
                     AudienceValidator = (audiences, token, parameters) => audiences.All(audience => aud.Any(uri => uri == audience.TrimEnd('/'))),
                     ValidIssuer = sponsorable.Issuer,
-                    IssuerSigningKey = new RsaSecurityKey(key),
+                    IssuerSigningKey = key,
                     RoleClaimType = "roles",
                     NameClaimType = "sub",
                 };

src/Commands/WelcomeCommand.cs

@@ -6,7 +6,7 @@
 namespace Devlooped.Sponsors;
 
 [Description("Executes the first-run experience")]
-public class WelcomeCommand(ICommandApp app, Config config) : Command<WelcomeCommand.WelcomeSettings>
+public class WelcomeCommand(Config config) : Command<WelcomeCommand.WelcomeSettings>
 {
     public class WelcomeSettings : ToSSettings
     {

src/Tests/Signing.cs

@@ -128,7 +128,6 @@ public void JwtSponsorableManifest()
             new("iss", "https://sponsorlink.devlooped.com/"),
             new("aud", "https://github.com/devlooped"),
             new("client_id", "a82350fb2bae407b3021"),
-            new("pub", File.ReadAllText(@"../../../signing.txt", Encoding.UTF8)),
             new("sub_jwk", JsonSerializer.Serialize(pubJwk, JsonOptions.JsonWebKey), JsonClaimValueTypes.Json),
         };
 

src/Tests/Tests.csproj

@@ -12,7 +12,7 @@
 
   <ItemGroup>
     <PackageReference Include="Azure.Extensions.AspNetCore.Configuration.Secrets" Version="1.3.1" />
-    <PackageReference Include="Azure.Identity" Version="1.11.3" />
+    <PackageReference Include="Azure.Identity" Version="1.11.4" />
     <PackageReference Include="chromium" Version="2024.4.16" />
     <PackageReference Include="chromium.linux-x64" Version="2024.4.16" />
     <PackageReference Include="CliWrap" Version="3.6.6" />

src/Web/Web.csproj

@@ -7,7 +7,7 @@
   </PropertyGroup>
   <ItemGroup>
     <FrameworkReference Include="Microsoft.AspNetCore.App" />
-    <PackageReference Include="Azure.Identity" Version="1.11.3" />
+    <PackageReference Include="Azure.Identity" Version="1.11.4" />
     <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.22.0" />
     <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http" Version="3.2.0" />
     <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http.AspNetCore" Version="1.3.0" />