🐛 Fix JWKS key length to meet RS512 requirements #28208

Open

tcoatswo wants to merge 1 commit into TryGhost:main from tcoatswo:fix-jwks-key-size

Conversation

@tcoatswo

The RS512 algorithm specification requires an RSA key modulus length of 2048 bits or larger. The member token service generates its JWTs using RS512 but the fallback auto-generated keys (used for token signing and exposed at `/members/.well-known/jwks.json`) were using a 1024-bit key length.

This updates the dynamically generated RSA keys for members to 2048 bits to comply with the standard and resolve validation errors when external libraries try to parse the member token keys.

Fixes #24831

@coderabbitai

coderabbitai Bot commented May 27, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 2753f9a and 26e8173.

📒 Files selected for processing (2)
  • ghost/core/core/server/models/settings.js
  • ghost/core/core/server/services/members/members-config-provider.js

Walkthrough

This pull request upgrades RSA keypair generation from 1024-bit to 2048-bit keys across the member authentication system. The changes affect two locations: the lazy-initialized keypair generators for Members and Ghost keys in the settings model, and the fallback keypair generation in the Members configuration provider when API keys are missing. Both changes apply the same bit-size upgrade to ensure RSA keys meet the RS512 JWT specification requirement of 2048-bit minimum key length.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly describes the main change: updating JWKS key length from 1024 to 2048 bits to meet RS512 requirements. |
| Description check | ✅ Passed | The description clearly explains the issue, the solution, and references the linked issue #24831, directly related to the changeset. |
| Linked Issues check | ✅ Passed | The PR updates RSA key generation from 1024 bits to 2048 bits in both settings.js and members-config-provider.js, directly addressing issue #24831's requirement that JWKS keys be 2048 bits or larger for RS512 compliance. |
| Out of Scope Changes check | ✅ Passed | All changes are limited to updating RSA key bit lengths from 1024 to 2048 in two files, directly addressing the linked issue's requirements without introducing unrelated modifications. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

Development

Successfully merging this pull request may close these issues.

JWKS exposed under /members/.well-known/jwks.json provides invalid key length for Member JWTs