From 399d8451bdf1e55d59516ce539ed7ffca33eb840 Mon Sep 17 00:00:00 2001 From: Eric Guan Date: Wed, 8 Nov 2023 11:30:43 -0800 Subject: [PATCH 1/3] feat: make jwt optional --- container/nginx/conf.d/shared.conf | 6 +++++- container/nginx/njs/auth.js | 12 +++++++++++- scripts/integration_tests.sh | 2 +- 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/container/nginx/conf.d/shared.conf b/container/nginx/conf.d/shared.conf index 7c3cca08..1e39828c 100644 --- a/container/nginx/conf.d/shared.conf +++ b/container/nginx/conf.d/shared.conf @@ -10,7 +10,11 @@ location = / { } location / { - js_set $jwt auth.findJWT; + js_var $jwt; + js_content auth.routeRequest; +} + +location @auth_node_backend { js_content auth.isAllowedRequest; auth_jwt $jwt; diff --git a/container/nginx/njs/auth.js b/container/nginx/njs/auth.js index 58abf912..b00cd1ac 100644 --- a/container/nginx/njs/auth.js +++ b/container/nginx/njs/auth.js @@ -2,6 +2,16 @@ import crypto from "crypto"; const ipfsRegex = /^\/ipfs\/(\w+)(\/?.*)/; +function routeRequest(req) { + const jwt = findJWT(req); + if (jwt) { + req.variables.jwt = jwt; + return req.internalRedirect("@auth_node_backend"); + } else { + return req.internalRedirect("@node_backend"); + } +} + function isAllowedRequest(req) { const matches = req.uri.match(ipfsRegex); if (!matches) { @@ -75,4 +85,4 @@ function findJWT(req) { return jwtQuery || jwtHeader; } -export default { isAllowedRequest, findJWT }; +export default { routeRequest, isAllowedRequest, findJWT }; diff --git a/scripts/integration_tests.sh b/scripts/integration_tests.sh index 60f8ff07..cd9872e1 100644 --- a/scripts/integration_tests.sh +++ b/scripts/integration_tests.sh 
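Review bot: `location /` no longer carries `auth_jwt`, so whether a request is authenticated at all now rests on `auth.routeRequest` choosing `@auth_node_backend`; a request that omits the token skips both `auth_jwt` and the `auth.isAllowedRequest` allow-list check. A token with a restrictive allow_list therefore grants less than sending no token, which looks intended from the commit title but is not stated anywhere in the config. I would add a comment above the `js_content auth.routeRequest;` line, e.g. `# JWT is optional: requests without a token bypass auth_jwt and the allow_list check and go straight to @node_backend`. The `@node_backend` location and the rest of `@auth_node_backend` are outside the hunk, so confirm that any limits anonymous traffic needs (rate limiting, logging) are set on `@node_backend` itself.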
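Review bot: `routeRequest` treats any falsy result from `findJWT` as an anonymous request, so a client that presents credentials `findJWT` cannot extract is silently downgraded to `@node_backend` instead of being rejected. `findJWT` is defined outside this hunk, so which inputs fall into that case (an empty `jwt=` argument, a non-Bearer `Authorization` header) is inferred. If any do, failing closed is safer, e.g. `if (req.args.jwt !== undefined || req.headersIn.Authorization) return req.return(401);` placed before the anonymous redirect. The function also deserves a short doc comment saying that it sets `$jwt` for `auth_jwt` and that the no-token path is deliberately unauthenticated; the `else` after `return` can be dropped.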
@@ -65,7 +65,7 @@ authorization_err=403 # jwt doesn't allow request origin cid="bafybeifpz6onienrgwvb3mw5rg7piq5jh63ystjn7s5wk6ttezy2gy5xwu/Mexico.JPG" url="${base_url}/ipfs/${cid}?format=car" -# Requests fail without a jwt +# Requests succeed without a jwt code="$(curl -sw "%{http_code}\n" -o /dev/null "${url}")" test "$code" -eq "$authentication_err" || exit 1 From 8d8370710a7b3575445031df8c4afc901dbdce6d Mon Sep 17 00:00:00 2001 From: Eric Guan Date: Wed, 8 Nov 2023 11:36:51 -0800 Subject: [PATCH 2/3] tests: print test descriptions --- scripts/integration_tests.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/scripts/integration_tests.sh b/scripts/integration_tests.sh index cd9872e1..fecbbd40 100644 --- a/scripts/integration_tests.sh +++ b/scripts/integration_tests.sh 
@@ -65,30 +65,30 @@ authorization_err=403 # jwt doesn't allow request origin cid="bafybeifpz6onienrgwvb3mw5rg7piq5jh63ystjn7s5wk6ttezy2gy5xwu/Mexico.JPG" url="${base_url}/ipfs/${cid}?format=car" -# Requests succeed without a jwt +echo Requests succeed without a jwt code="$(curl -sw "%{http_code}\n" -o /dev/null "${url}")" test "$code" -eq "$authentication_err" || exit 1 -# Requests fail with explicit allow_list but without an origin header +echo Requests fail with explicit allow_list but without an origin header code="$(curl -sw "%{http_code}\n" -o /dev/null "${url}&jwt=${jwtAllowExplicit}")" test "$code" -eq "$authorization_err" || exit 1 -# Requests fail with explicit allow_list but not allowed origin +echo Requests fail with explicit allow_list but not allowed origin code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://abc.com" "${url}&jwt=${jwtAllowExplicit}")" test "$code" -eq "$authorization_err" || exit 1 -# Requests succeed with a jwt query param +echo Requests succeed with a jwt query param code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://abc.com" "${url}&jwt=${jwtAllowAll}")" test "$code" -eq 200 || exit 1 -# Requests succeed with a jwt auth header +echo Requests succeed with a jwt auth header code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://abc.com" -H "Authorization: Bearer ${jwtAllowAll}" "${url}")" test "$code" -eq 200 || exit 1 -# Requests succeed with explicit allow_list and allowed origin +echo Requests succeed with explicit allow_list and allowed origin code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://google.com" "${url}&jwt=${jwtAllowExplicit}")" test "$code" -eq 200 || exit 1 -# Requests succeed with allow_list == [*] and without an origin header +echo Requests succeed with allow_list == [*] and without an origin header code="$(curl -sw "%{http_code}\n" -o /dev/null "${url}&jwt=${jwtAllowAll}")" test "$code" -eq 200 || exit 1 
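Review bot: The new `echo` lines pass their descriptions unquoted, and the last one contains `[*]`, which the shell treats as a glob pattern and will expand if a file named `*` exists in the working directory. Quote the messages, e.g. `echo "Requests succeed with allow_list == [*] and without an origin header"`. Each failing check still ends in a bare `|| exit 1`, so printing the received `$code` on failure would make it clear in CI logs which status came back.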
From c352e3106b21687c1d292df0b6a9e087e584229b Mon Sep 17 00:00:00 2001 From: Eric Guan Date: Wed, 8 Nov 2023 11:37:13 -0800 Subject: [PATCH 3/3] tests: fix expected result --- scripts/integration_tests.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/integration_tests.sh b/scripts/integration_tests.sh index fecbbd40..83e1efa3 100644 --- a/scripts/integration_tests.sh +++ b/scripts/integration_tests.sh @@ -67,7 +67,7 @@ url="${base_url}/ipfs/${cid}?format=car" echo Requests succeed without a jwt code="$(curl -sw "%{http_code}\n" -o /dev/null "${url}")" -test "$code" -eq "$authentication_err" || exit 1 +test "$code" -eq 200 || exit 1 echo Requests fail with explicit allow_list but without an origin header code="$(curl -sw "%{http_code}\n" -o /dev/null "${url}&jwt=${jwtAllowExplicit}")"
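Review bot: With the no-token case now expecting 200, none of the cases visible in this series still assert `$authentication_err`, so nothing checks that a request carrying a bad token is rejected rather than served as anonymous. I would add a negative case next to this one, e.g. `code="$(curl -sw "%{http_code}\n" -o /dev/null "${url}&jwt=not-a-valid-token")"` followed by `test "$code" -eq "$authentication_err" || exit 1` (the token value is a constructed placeholder). `authentication_err` is defined above the hunk and the script continues past it, so such a case may already exist outside what is shown.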