Validate issuer & allow unlogged routes

api/.env.example

@@ -3,9 +3,12 @@
 
 KYOO_PREFIX=/api
 
+
 # either an hard-coded secret to decode jwts or empty to use keibi's public secret.
 # this should only be used in tests
 JWT_SECRET=
+# used to verify who's making the jwt
+JWT_ISSUER=$PUBLIC_URL
 # keibi's server to retrieve the public jwt secret
 AUHT_SERVER=http://auth:4568
 

api/src/auth.ts

@@ -34,10 +34,13 @@ export const auth = new Elysia({ name: "auth" })
 		permissions(perms: string[]) {
 			return {
 				resolve: async ({ headers: { authorization }, error }) => {
+					console.log(process.env.JWT_ISSUER);
 					const bearer = authorization?.slice(7);
 					if (!bearer) return { jwt: false };
 					// @ts-expect-error ts can't understand that there's two overload idk why
-					const { payload } = await jwtVerify(bearer, jwtSecret ?? jwks);
+					const { payload } = await jwtVerify(bearer, jwtSecret ?? jwks, {
+						issuer: process.env.JWT_ISSUER,
+					});
 					// TODO: use perms
 					return { jwt: validator.Decode<typeof Jwt>(payload) };
 				},

auth/jwt.go

@@ -15,7 +15,7 @@ import (
 
 type Jwt struct {
 	// The jwt token you can use for all authorized call to either keibi or other services.
-	Token string `json:"token"`
+	Token *string `json:"token"`
 }
 
 // @Summary      Get JWT
@@ -30,7 +30,7 @@ type Jwt struct {
 func (h *Handler) CreateJwt(c echo.Context) error {
 	auth := c.Request().Header.Get("Authorization")
 	if !strings.HasPrefix(auth, "Bearer ") {
-		return echo.NewHTTPError(http.StatusUnauthorized, "Missing session token")
+		return c.JSON(http.StatusOK, Jwt{Token: nil})
 	}
 	token := auth[len("Bearer "):]
 
@@ -65,7 +65,7 @@ func (h *Handler) CreateJwt(c echo.Context) error {
 	}
 	c.Response().Header().Add("Authorization", fmt.Sprintf("Bearer %s", t))
 	return c.JSON(http.StatusOK, Jwt{
-		Token: t,
+		Token: &t,
 	})
 }
 

docker-compose.dev-v5.yml

@@ -77,18 +77,16 @@ services:
       - "3567:3567"
     environment:
       - KYOO_PREFIX=/api
+      - JWT_ISSUER=${PUBLIC_URL}
     env_file:
       - ./.env
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.api.rule=PathPrefix(`/api/`)"
+      - "traefik.http.routers.api.rule=PathPrefix(`/api/`) || PathPrefix(`/swagger`)"
       - "traefik.http.routers.api.middlewares=phantom-token"
       - "traefik.http.middlewares.phantom-token.forwardauth.address=http://auth:4568/auth/jwt"
       - "traefik.http.middlewares.phantom-token.forwardauth.authRequestHeaders=Authorization,X-Api-Key"
       - "traefik.http.middlewares.phantom-token.forwardauth.authResponseHeaders=Authorization"
-      - "traefik.http.routers.swagger.rule=PathPrefix(`/swagger`)"
-      - "traefik.http.routers.swagger.service=api"
-      - "traefik.http.services.api.loadbalancer.server.port=3567"
 
   # scanner:
   #   build: ./scanner