Mirrors/sftpgo
1
0
Fork 0
mirror of https://github.com/drakkan/sftpgo.git synced 2025-12-06 14:20:55 +03:00
Code Issues Packages Projects Releases Wiki Activity

JWT: replace jwtauth/jwx with lightweight wrapper around go-jose

Browse Source 
We replaced the jwtauth and jwx libraries with a minimal custom wrapper
around go-jose because we don’t need the full feature set provided by jwx.
Implementing our own wrapper simplifies the codebase and improves
maintainability.

Moreover, go-jose depends only on the standard library, resulting in a
leaner dependency that still meets all our requirements.

This change also reduces the SFTPGo binary size by approximately 1MB

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
Nicola Murino
2025-10-08 18:10:39 +02:00
parent 9ca35c3555
commit 0ae2354fed
31 changed files with 1222 additions and 967 deletions
Download Patch File Download Diff File Expand all files Collapse all files

85
internal/dataprovider/node.go
View File

@@ -28,11 +28,10 @@ import (
"strings"
"time"
"github.com/lestrrat-go/jwx/v2/jwa"
"github.com/lestrrat-go/jwx/v2/jwt"
"github.com/rs/xid"
"github.com/go-jose/go-jose/v4"
"github.com/drakkan/sftpgo/v2/internal/httpclient"
"github.com/drakkan/sftpgo/v2/internal/jwt"
"github.com/drakkan/sftpgo/v2/internal/kms"
"github.com/drakkan/sftpgo/v2/internal/logger"
"github.com/drakkan/sftpgo/v2/internal/util"
@@ -46,7 +45,8 @@ const (
const (
// NodeTokenHeader defines the header to use for the node auth token
NodeTokenHeader = "X-SFTPGO-Node"
NodeTokenHeader = "X-SFTPGO-Node"
nodeTokenAudience = "node"
)
var (
@@ -132,35 +132,26 @@ func (n *Node) validate() error {
return n.Data.validate()
}
func (n *Node) authenticate(token string) (string, string, []string, error) {
func (n *Node) authenticate(token string) (*jwt.Claims, error) {
if err := n.Data.Key.TryDecrypt(); err != nil {
providerLog(logger.LevelError, "unable to decrypt node key: %v", err)
return "", "", nil, err
return nil, err
}
if token == "" {
return "", "", nil, ErrInvalidCredentials
return nil, ErrInvalidCredentials
}
t, err := jwt.Parse([]byte(token), jwt.WithKey(jwa.HS256, []byte(n.Data.Key.GetPayload())), jwt.WithValidate(true))
claims, err := jwt.VerifyTokenWithKey(token, []jose.SignatureAlgorithm{jose.HS256}, []byte(n.Data.Key.GetPayload()))
if err != nil {
return "", "", nil, fmt.Errorf("unable to parse and validate token: %v", err)
return nil, fmt.Errorf("unable to parse and validate token: %v", err)
}
var adminUsername, role string
if admin, ok := t.Get("admin"); ok {
if val, ok := admin.(string); ok && val != "" {
adminUsername = val
}
if claims.Username == "" {
return nil, errors.New("no admin username associated with node token")
}
if adminUsername == "" {
return "", "", nil, errors.New("no admin username associated with node token")
if !claims.Audience.Contains(nodeTokenAudience) {
return nil, errors.New("invalid node token audience")
}
if r, ok := t.Get("role"); ok {
if val, ok := r.(string); ok && val != "" {
role = val
}
}
perms := getPermsFromToken(t)
return adminUsername, role, perms, nil
return claims, nil
}
// getBaseURL returns the base URL for this node
@@ -181,22 +172,22 @@ func (n *Node) generateAuthToken(username, role string, permissions []string) (s
if err := n.Data.Key.TryDecrypt(); err != nil {
return "", fmt.Errorf("unable to decrypt node key: %w", err)
}
now := time.Now().UTC()
t := jwt.New()
t.Set("admin", username) //nolint:errcheck
t.Set("role", role) //nolint:errcheck
t.Set("perms", permissions) //nolint:errcheck
t.Set(jwt.IssuedAtKey, now) //nolint:errcheck
t.Set(jwt.JwtIDKey, xid.New().String()) //nolint:errcheck
t.Set(jwt.NotBeforeKey, now.Add(-30*time.Second)) //nolint:errcheck
t.Set(jwt.ExpirationKey, now.Add(1*time.Minute)) //nolint:errcheck
payload, err := jwt.Sign(t, jwt.WithKey(jwa.HS256, []byte(n.Data.Key.GetPayload())))
signer, err := jwt.NewSigner(jose.HS256, []byte(n.Data.Key.GetPayload()))
if err != nil {
return "", fmt.Errorf("unable to create signer: %w", err)
}
claims := &jwt.Claims{
Username: username,
Role: role,
Permissions: permissions,
}
claims.Audience = []string{nodeTokenAudience}
claims.SetExpiry(time.Now().Add(1 * time.Minute))
payload, err := signer.Sign(claims)
if err != nil {
return "", fmt.Errorf("unable to sign authentication token: %w", err)
}
return util.BytesToString(payload), nil
return payload, nil
}
func (n *Node) prepareRequest(ctx context.Context, username, role, relativeURL, method string,
@@ -273,9 +264,9 @@ func (n *Node) SendDeleteRequest(username, role, relativeURL string, permissions
}
// AuthenticateNodeToken check the validity of the provided token
func AuthenticateNodeToken(token string) (string, string, []string, error) {
func AuthenticateNodeToken(token string) (*jwt.Claims, error) {
if currentNode == nil {
return "", "", nil, errNoClusterNodes
return nil, errNoClusterNodes
}
return currentNode.authenticate(token)
}
@@ -287,21 +278,3 @@ func GetNodeName() string {
}
return currentNode.Name
}
func getPermsFromToken(t jwt.Token) []string {
var perms []string
if p, ok := t.Get("perms"); ok {
switch v := p.(type) {
case []any:
for _, elem := range v {
switch elemValue := elem.(type) {
case string:
perms = append(perms, elemValue)
}
}
case []string:
perms = v
}
}
return perms
}