Mirrors/sftpgo
1
0
Fork 0
mirror of https://github.com/drakkan/sftpgo.git synced 2025-12-08 07:10:56 +03:00
Code Issues Packages Projects Releases Wiki Activity

JWT: add token audience

Browse Source 
a token released for API audience cannot be used for web pages and
vice-versa
This commit is contained in:
Nicola Murino
2021-02-02 09:14:10 +01:00
parent 78bf808322
commit 4f609cfa30
6 changed files with 299 additions and 184 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
httpd/middleware.go
View File

@@ -8,6 +8,7 @@ import (
"github.com/lestrrat-go/jwx/jwt"
"github.com/drakkan/sftpgo/logger"
"github.com/drakkan/sftpgo/utils"
)
type ctxKeyConnAddr int
@@ -37,6 +38,11 @@ func jwtAuthenticator(next http.Handler) http.Handler {
sendAPIResponse(w, r, err, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
return
}
if !utils.IsStringInSlice(tokenAudienceAPI, token.Audience()) {
logger.Debug(logSender, "", "the token audience is not valid")
sendAPIResponse(w, r, nil, "Your token audience is not valid", http.StatusUnauthorized)
return
}
if isTokenInvalidated(r) {
logger.Debug(logSender, "", "the token has been invalidated")
sendAPIResponse(w, r, nil, "Your token is no longer valid", http.StatusUnauthorized)
@@ -64,6 +70,11 @@ func jwtAuthenticatorWeb(next http.Handler) http.Handler {
http.Redirect(w, r, webLoginPath, http.StatusFound)
return
}
if !utils.IsStringInSlice(tokenAudienceWeb, token.Audience()) {
logger.Debug(logSender, "", "the token audience is not valid")
http.Redirect(w, r, webLoginPath, http.StatusFound)
return
}
if isTokenInvalidated(r) {
logger.Debug(logSender, "", "the token has been invalidated")
http.Redirect(w, r, webLoginPath, http.StatusFound)