Why bother checking the audience claim

This commit is contained in:
Melon 2023-11-20 07:37:25 +00:00
parent 0fdb91d224
commit 906f693ea3
Signed by: melon
GPG Key ID: 6C9D970C50D26A25
2 changed files with 2 additions and 21 deletions


@ -10,10 +10,7 @@ import (
"net/http" "net/http"
) )
var ( var ErrInvalidToken = errors.New("invalid token")
ErrInvalidToken = errors.New("invalid token")
ErrInvalidAudClaim = errors.New("invalid audience claim")
)
type AuthClaims mjwt.BaseTypeClaims[auth.AccessTokenClaims] type AuthClaims mjwt.BaseTypeClaims[auth.AccessTokenClaims]
@ -41,9 +38,6 @@ func (a *AuthChecker) Middleware(cb AuthCallback) httprouter.Handle {
case errors.Is(err, ErrInvalidToken): case errors.Is(err, ErrInvalidToken):
apiError(rw, http.StatusForbidden, "Invalid token") apiError(rw, http.StatusForbidden, "Invalid token")
return return
case errors.Is(err, ErrInvalidAudClaim):
apiError(rw, http.StatusForbidden, "Invalid audience claim")
return
case err != nil: case err != nil:
apiError(rw, http.StatusForbidden, "Unknown error") apiError(rw, http.StatusForbidden, "Unknown error")
return return
@ -53,8 +47,7 @@ func (a *AuthChecker) Middleware(cb AuthCallback) httprouter.Handle {
} }
} }
// Check takes a token and validates whether it is verified and contains the // Check takes a token and validates whether it is verified
// correct audience claim
func (a *AuthChecker) Check(token string) (AuthClaims, error) { func (a *AuthChecker) Check(token string) (AuthClaims, error) {
// Read claims from mjwt // Read claims from mjwt
_, b, err := mjwt.ExtractClaims[auth.AccessTokenClaims](a.Verify, token) _, b, err := mjwt.ExtractClaims[auth.AccessTokenClaims](a.Verify, token)
@ -62,16 +55,5 @@ func (a *AuthChecker) Check(token string) (AuthClaims, error) {
return AuthClaims{}, ErrInvalidToken return AuthClaims{}, ErrInvalidToken
} }
// Check aud value
var validAud bool
for _, i := range b.Audience {
if subtle.ConstantTimeCompare([]byte(i), []byte(a.Aud)) == 1 {
validAud = true
}
}
if !validAud {
return AuthClaims{}, ErrInvalidAudClaim
}
return AuthClaims(b), nil return AuthClaims(b), nil
} }
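Review bot: With the audience loop removed from the end of Check, any token that passes a.Verify is now accepted regardless of its aud claim, so a token the same issuer minted for a different recipient would be accepted here as well if the signing key is shared across services (the key setup is not visible in this diff). Signature verification only proves who issued the token; the aud claim is what binds it to this service, which is the answer to the title's question. I would keep the comparison against the configured audience (`if !validAud { return AuthClaims{}, ErrInvalidAudClaim }` together with the loop that sets validAud), along with the ErrInvalidAudClaim branch in Middleware and the `Audience` field dropped from Conf in the second file; if the check is intentionally moving elsewhere, the Check comment should say so, e.g. `// Check does not validate the audience claim; callers must enforce it`. Check begins in an earlier hunk, and the removed loop was its last statement before the return.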


@ -7,7 +7,6 @@ import (
type Conf struct { type Conf struct {
Listen string `yaml:"listen"` Listen string `yaml:"listen"`
Audience string `yaml:"audience"`
SendMail sendmail.SendMail `yaml:"sendmail"` SendMail sendmail.SendMail `yaml:"sendmail"`
Imap imap.Imap `yaml:"imap"` Imap imap.Imap `yaml:"imap"`
} }