Validate issuer & allow unlogged routes

2025-05-24 02:02:36 -04:00 · 2025-03-27 12:03:58 +01:00 · 2025-03-27 12:03:58 +01:00 · 65a7f62fd1
commit 65a7f62fd1
parent d0d12cc5f6
4 changed files with 12 additions and 8 deletions
--- a/api/.env.example
+++ b/api/.env.example
@ -3,9 +3,12 @@

 KYOO_PREFIX=/api

+
 # either an hard-coded secret to decode jwts or empty to use keibi's public secret.
 # this should only be used in tests
 JWT_SECRET=
+# used to verify who's making the jwt
+JWT_ISSUER=$PUBLIC_URL
 # keibi's server to retrieve the public jwt secret
 AUHT_SERVER=http://auth:4568

--- a/api/src/auth.ts
+++ b/api/src/auth.ts
@ -34,10 +34,13 @@ export const auth = new Elysia({ name: "auth" })
 		permissions(perms: string[]) {
 			return {
 				resolve: async ({ headers: { authorization }, error }) => {
+					console.log(process.env.JWT_ISSUER);
 					const bearer = authorization?.slice(7);
 					if (!bearer) return { jwt: false };
 					// @ts-expect-error ts can't understand that there's two overload idk why
-					const { payload } = await jwtVerify(bearer, jwtSecret ?? jwks);
+					const { payload } = await jwtVerify(bearer, jwtSecret ?? jwks, {
+						issuer: process.env.JWT_ISSUER,
+					});
 					// TODO: use perms
 					return { jwt: validator.Decode<typeof Jwt>(payload) };
 				},
--- a/auth/jwt.go
+++ b/auth/jwt.go
@ -15,7 +15,7 @@ import (

 type Jwt struct {
 	// The jwt token you can use for all authorized call to either keibi or other services.
-	Token string `json:"token"`
+	Token *string `json:"token"`
 }

 // @Summary      Get JWT
@ -30,7 +30,7 @@ type Jwt struct {
 func (h *Handler) CreateJwt(c echo.Context) error {
 	auth := c.Request().Header.Get("Authorization")
 	if !strings.HasPrefix(auth, "Bearer ") {
-		return echo.NewHTTPError(http.StatusUnauthorized, "Missing session token")
+		return c.JSON(http.StatusOK, Jwt{Token: nil})
 	}
 	token := auth[len("Bearer "):]

@ -65,7 +65,7 @@ func (h *Handler) CreateJwt(c echo.Context) error {
 	}
 	c.Response().Header().Add("Authorization", fmt.Sprintf("Bearer %s", t))
 	return c.JSON(http.StatusOK, Jwt{
-		Token: t,
+		Token: &t,
 	})
 }

--- a/docker-compose.dev-v5.yml
+++ b/docker-compose.dev-v5.yml
@ -77,18 +77,16 @@ services:
      - "3567:3567"
    environment:
      - KYOO_PREFIX=/api
+      - JWT_ISSUER=${PUBLIC_URL}
    env_file:
      - ./.env
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.api.rule=PathPrefix(`/api/`)"
+      - "traefik.http.routers.api.rule=PathPrefix(`/api/`) || PathPrefix(`/swagger`)"
      - "traefik.http.routers.api.middlewares=phantom-token"
      - "traefik.http.middlewares.phantom-token.forwardauth.address=http://auth:4568/auth/jwt"
      - "traefik.http.middlewares.phantom-token.forwardauth.authRequestHeaders=Authorization,X-Api-Key"
      - "traefik.http.middlewares.phantom-token.forwardauth.authResponseHeaders=Authorization"
-      - "traefik.http.routers.swagger.rule=PathPrefix(`/swagger`)"
-      - "traefik.http.routers.swagger.service=api"
-      - "traefik.http.services.api.loadbalancer.server.port=3567"

  # scanner:
  #   build: ./scanner