From 65a7f62fd105c1d0e5a00b22e5a7f910232c925a Mon Sep 17 00:00:00 2001 From: Zoe Roux Date: Thu, 27 Mar 2025 12:03:58 +0100 Subject: [PATCH] Validate issuer & allow unlogged routes --- api/.env.example | 3 +++ api/src/auth.ts | 5 ++++- auth/jwt.go | 6 +++--- docker-compose.dev-v5.yml | 6 ++---- 4 files changed, 12 insertions(+), 8 deletions(-) diff --git a/api/.env.example b/api/.env.example index f7bf9c67..3f5257dc 100644 --- a/api/.env.example +++ b/api/.env.example @@ -3,9 +3,12 @@ KYOO_PREFIX=/api + # either an hard-coded secret to decode jwts or empty to use keibi's public secret. # this should only be used in tests JWT_SECRET= +# used to verify who's making the jwt +JWT_ISSUER=$PUBLIC_URL # keibi's server to retrieve the public jwt secret AUHT_SERVER=http://auth:4568 diff --git a/api/src/auth.ts b/api/src/auth.ts index 398fd1f9..abae1100 100644 --- a/api/src/auth.ts +++ b/api/src/auth.ts @@ -34,10 +34,13 @@ export const auth = new Elysia({ name: "auth" }) permissions(perms: string[]) { return { resolve: async ({ headers: { authorization }, error }) => { + console.log(process.env.JWT_ISSUER); const bearer = authorization?.slice(7); if (!bearer) return { jwt: false }; // @ts-expect-error ts can't understand that there's two overload idk why - const { payload } = await jwtVerify(bearer, jwtSecret ?? jwks); + const { payload } = await jwtVerify(bearer, jwtSecret ?? jwks, { + issuer: process.env.JWT_ISSUER, + }); // TODO: use perms return { jwt: validator.Decode(payload) }; }, diff --git a/auth/jwt.go b/auth/jwt.go index 21edaa63..00dc2211 100644 --- a/auth/jwt.go +++ b/auth/jwt.go @@ -15,7 +15,7 @@ import ( type Jwt struct { // The jwt token you can use for all authorized call to either keibi or other services. - Token string `json:"token"` + Token *string `json:"token"` } // @Summary Get JWT 
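Review bot: Passing `issuer: process.env.JWT_ISSUER` straight into `jwtVerify` makes the new issuer check optional rather than mandatory: as far as I recall jose only compares the `iss` claim when the option is truthy, so an unset or empty `JWT_ISSUER` silently falls back to the previous issuer-less verification instead of failing. If the intent is that every deployment validates the issuer, read it once at module load and refuse to start without it, e.g. `const jwtIssuer = process.env.JWT_ISSUER; if (!jwtIssuer) throw new Error("JWT_ISSUER must be set");`, then pass `issuer: jwtIssuer`. The same gap is reachable from the `docker-compose.dev-v5.yml` hunk, where `${PUBLIC_URL}` expands to an empty string when `PUBLIC_URL` is missing (`${PUBLIC_URL:?PUBLIC_URL must be set}` would make Compose refuse to start instead). The `console.log(process.env.JWT_ISSUER)` added at the top of `resolve` runs on every authenticated request and looks like leftover debugging; it should be removed. The `permissions` block continues past the end of the hunk.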
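Review bot: `Token` becoming `*string` changes the JSON contract — `token` can now be `null` — but the field comment still describes it unconditionally as the token to use for authorized calls. I'd extend the comment to `// The jwt token you can use for all authorized call to either keibi or other services, or null when the request carried no session token.` so consumers reading the generated docs know to handle the nil case. Keeping the tag without `omitempty` seems right here, since an explicit `null` is clearer to clients than a missing key; worth confirming that is deliberate.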
@@ -30,7 +30,7 @@ type Jwt struct {
 func (h *Handler) CreateJwt(c echo.Context) error {
 auth := c.Request().Header.Get("Authorization")
 if !strings.HasPrefix(auth, "Bearer ") {
- return echo.NewHTTPError(http.StatusUnauthorized, "Missing session token")
+ return c.JSON(http.StatusOK, Jwt{Token: nil})
 }
 token := auth[len("Bearer "):]
@@ -65,7 +65,7 @@ func (h *Handler) CreateJwt(c echo.Context) error {
 }
 c.Response().Header().Add("Authorization", fmt.Sprintf("Bearer %s", t))
 return c.JSON(http.StatusOK, Jwt{
- Token: t,
+ Token: &t,
 })
 }
diff --git a/docker-compose.dev-v5.yml b/docker-compose.dev-v5.yml
index 9a84a21f..f1d8a1eb 100644
--- a/docker-compose.dev-v5.yml
+++ b/docker-compose.dev-v5.yml
@@ -77,18 +77,16 @@ services:
 - "3567:3567"
 environment:
 - KYOO_PREFIX=/api
+ - JWT_ISSUER=${PUBLIC_URL}
 env_file:
 - ./.env
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.api.rule=PathPrefix(`/api/`)"
+ - "traefik.http.routers.api.rule=PathPrefix(`/api/`) || PathPrefix(`/swagger`)"
 - "traefik.http.routers.api.middlewares=phantom-token"
 - "traefik.http.middlewares.phantom-token.forwardauth.address=http://auth:4568/auth/jwt"
 - "traefik.http.middlewares.phantom-token.forwardauth.authRequestHeaders=Authorization,X-Api-Key"
 - "traefik.http.middlewares.phantom-token.forwardauth.authResponseHeaders=Authorization"
- - "traefik.http.routers.swagger.rule=PathPrefix(`/swagger`)"
- - "traefik.http.routers.swagger.service=api"
- - "traefik.http.services.api.loadbalancer.server.port=3567"
 # scanner:
 # build: ./scanner
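Review bot: The early return in `CreateJwt` now answers 200 with `{"token": null}` whenever the `Authorization` header does not start with `Bearer `, and because this endpoint is the Traefik forwardauth target (per the compose labels in this same patch) a 2xx lets the request through to the api as anonymous. That is the stated intent for absent credentials, but the same branch also swallows a present-but-malformed header (another scheme, a bare `Bearer` with no space), which becomes indistinguishable from "no session"; if that should remain a 401, test `auth == ""` for the anonymous case and keep the `HasPrefix` check as an error. The token-validation path between this hunk and the `-65` hunk is outside this view, so it is worth confirming that an invalid or expired token still returns 401 and only missing credentials fall through. The swagger annotations above the handler (also outside the hunk) presumably still advertise a 401 for the missing-token case and should be updated. Minor: `Jwt{Token: nil}` is just `Jwt{}`.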
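Review bot: Merging `/swagger` into the `api` router means swagger traffic now passes through the `phantom-token` forwardauth middleware, which only works because `CreateJwt` in this same patch started returning 200 for sessionless requests; a short comment on the rule line, e.g. `# /swagger is served anonymously: the forwardauth endpoint returns 200 with a null token when no session is present`, would save the next reader that cross-reference. Removing `traefik.http.services.api.loadbalancer.server.port=3567` leaves Traefik to auto-detect the backend port; that presumably works because the container exposes a single port, but it is unrelated to the commit subject and worth calling out in the description. Requiring `PUBLIC_URL` for the new `JWT_ISSUER` line is discussed on the `api/src/auth.ts` hunk.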