annika/jwtauth
1
0
Fork 0
mirror of https://forgejo.merr.is/annika/jwtauth.git synced 2025-12-11 16:02:16 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #6 from sogko/sogko/master

Browse source 
Fixed panic error when `token.Method != ja.signer`
This commit is contained in:
Peter Kieltyka 2016-02-03 12:55:49 -05:00
commit cf1ac5a102
2 changed files with 43 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

9
jwtauth.go
View file

@ -106,7 +106,7 @@ func (ja *JwtAuth) Verify(paramAliases ...string) func(chi.Handler) chi.Handler
// Verify the token
token, err := ja.Decode(tokenStr)
if err != nil || !token.Valid || token.Method != ja.signer {
if err != nil {
switch err.Error() {
case "token is expired":
err = ErrExpired
@ -117,6 +117,13 @@ func (ja *JwtAuth) Verify(paramAliases ...string) func(chi.Handler) chi.Handler
return
}
if token == nil || !token.Valid || token.Method != ja.signer {
err = ErrUnauthorized
ctx = ja.SetContext(ctx, token, err)
next.ServeHTTPC(ctx, w, r)
return
}
// Check expiry via "exp" claim
if ja.IsExpired(token) {
err = ErrExpired

35
jwtauth_test.go
View file

@ -54,6 +54,16 @@ func TestSimple(t *testing.T) {
if status, resp := testRequest(t, ts, "GET", "/", h, nil); status != 401 && resp != "Unauthorized\n" {
t.Fatalf(resp)
}
// wrong token secret and wrong alg
h.Set("Authorization", "BEARER "+newJwt512Token([]byte("wrong"), map[string]interface{}{}))
if status, resp := testRequest(t, ts, "GET", "/", h, nil); status != 401 && resp != "Unauthorized\n" {
t.Fatalf(resp)
}
// correct token secret but wrong alg
h.Set("Authorization", "BEARER "+newJwt512Token(TokenSecret, map[string]interface{}{}))
if status, resp := testRequest(t, ts, "GET", "/", h, nil); status != 401 && resp != "Unauthorized\n" {
t.Fatalf(resp)
}
// sending authorized requests
if status, resp := testRequest(t, ts, "GET", "/", newAuthHeader(), nil); status != 200 && resp != "welcome" {
@ -127,6 +137,16 @@ func TestMore(t *testing.T) {
if status, resp := testRequest(t, ts, "GET", "/admin", h, nil); status != 401 && resp != "Unauthorized\n" {
t.Fatalf(resp)
}
// wrong token secret and wrong alg
h.Set("Authorization", "BEARER "+newJwt512Token([]byte("wrong"), map[string]interface{}{}))
if status, resp := testRequest(t, ts, "GET", "/admin", h, nil); status != 401 && resp != "Unauthorized\n" {
t.Fatalf(resp)
}
// correct token secret but wrong alg
h.Set("Authorization", "BEARER "+newJwt512Token(TokenSecret, map[string]interface{}{}))
if status, resp := testRequest(t, ts, "GET", "/admin", h, nil); status != 401 && resp != "Unauthorized\n" {
t.Fatalf(resp)
}
h = newAuthHeader((jwtauth.Claims{}).Set("exp", jwtauth.EpochNow()-1000))
if status, resp := testRequest(t, ts, "GET", "/admin", h, nil); status != 401 && resp != "expired\n" {
@ -191,6 +211,21 @@ func newJwtToken(secret []byte, claims ...jwtauth.Claims) string {
return tokenStr
}
func newJwt512Token(secret []byte, claims ...jwtauth.Claims) string {
// use-case: when token is signed with a different alg than expected
token := jwt.New(jwt.GetSigningMethod("HS512"))
if len(claims) > 0 {
for k, v := range claims[0] {
token.Claims[k] = v
}
}
tokenStr, err := token.SignedString(secret)
if err != nil {
log.Fatal(err)
}
return tokenStr
}
func newAuthHeader(claims ...jwtauth.Claims) http.Header {
h := http.Header{}
h.Set("Authorization", "BEARER "+newJwtToken(TokenSecret, claims...))