mirror of
https://github.com/1f349/lotus.git
synced 2024-12-22 16:14:07 +00:00
Why bother checking the audience claim
This commit is contained in:
parent
0fdb91d224
commit
906f693ea3
22
api/auth.go
22
api/auth.go
@ -10,10 +10,7 @@ import (
|
|||||||
"net/http"
|
"net/http"
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var ErrInvalidToken = errors.New("invalid token")
|
||||||
ErrInvalidToken = errors.New("invalid token")
|
|
||||||
ErrInvalidAudClaim = errors.New("invalid audience claim")
|
|
||||||
)
|
|
||||||
|
|
||||||
type AuthClaims mjwt.BaseTypeClaims[auth.AccessTokenClaims]
|
type AuthClaims mjwt.BaseTypeClaims[auth.AccessTokenClaims]
|
||||||
|
|
||||||
@ -41,9 +38,6 @@ func (a *AuthChecker) Middleware(cb AuthCallback) httprouter.Handle {
|
|||||||
case errors.Is(err, ErrInvalidToken):
|
case errors.Is(err, ErrInvalidToken):
|
||||||
apiError(rw, http.StatusForbidden, "Invalid token")
|
apiError(rw, http.StatusForbidden, "Invalid token")
|
||||||
return
|
return
|
||||||
case errors.Is(err, ErrInvalidAudClaim):
|
|
||||||
apiError(rw, http.StatusForbidden, "Invalid audience claim")
|
|
||||||
return
|
|
||||||
case err != nil:
|
case err != nil:
|
||||||
apiError(rw, http.StatusForbidden, "Unknown error")
|
apiError(rw, http.StatusForbidden, "Unknown error")
|
||||||
return
|
return
|
||||||
@ -53,8 +47,7 @@ func (a *AuthChecker) Middleware(cb AuthCallback) httprouter.Handle {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check takes a token and validates whether it is verified and contains the
|
// Check takes a token and validates whether it is verified
|
||||||
// correct audience claim
|
|
||||||
func (a *AuthChecker) Check(token string) (AuthClaims, error) {
|
func (a *AuthChecker) Check(token string) (AuthClaims, error) {
|
||||||
// Read claims from mjwt
|
// Read claims from mjwt
|
||||||
_, b, err := mjwt.ExtractClaims[auth.AccessTokenClaims](a.Verify, token)
|
_, b, err := mjwt.ExtractClaims[auth.AccessTokenClaims](a.Verify, token)
|
||||||
@ -62,16 +55,5 @@ func (a *AuthChecker) Check(token string) (AuthClaims, error) {
|
|||||||
return AuthClaims{}, ErrInvalidToken
|
return AuthClaims{}, ErrInvalidToken
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check aud value
|
|
||||||
var validAud bool
|
|
||||||
for _, i := range b.Audience {
|
|
||||||
if subtle.ConstantTimeCompare([]byte(i), []byte(a.Aud)) == 1 {
|
|
||||||
validAud = true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if !validAud {
|
|
||||||
return AuthClaims{}, ErrInvalidAudClaim
|
|
||||||
}
|
|
||||||
|
|
||||||
return AuthClaims(b), nil
|
return AuthClaims(b), nil
|
||||||
}
|
}
|
||||||
|
@ -7,7 +7,6 @@ import (
|
|||||||
|
|
||||||
type Conf struct {
|
type Conf struct {
|
||||||
Listen string `yaml:"listen"`
|
Listen string `yaml:"listen"`
|
||||||
Audience string `yaml:"audience"`
|
|
||||||
SendMail sendmail.SendMail `yaml:"sendmail"`
|
SendMail sendmail.SendMail `yaml:"sendmail"`
|
||||||
Imap imap.Imap `yaml:"imap"`
|
Imap imap.Imap `yaml:"imap"`
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user