feat: make jwt optional #513

Merged
merged 3 commits into from
Nov 8, 2023
6 changes: 5 additions & 1 deletion container/nginx/conf.d/shared.conf
Expand Up @@ -10,7 +10,11 @@ location = / {
}

location / {
js_set $jwt auth.findJWT;
js_var $jwt;
js_content auth.routeRequest;
}

location @auth_node_backend {
js_content auth.isAllowedRequest;

auth_jwt $jwt;
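Review bot: With `js_content auth.routeRequest;` in `location /`, whether `auth_jwt $jwt;` runs is now decided by the client: a request that carries no token is redirected to `@node_backend` and skips both token validation and the origin allow-list, so those checks only constrain callers who choose to send a token (the same applies to `routeRequest` in auth.js). That appears to be the intent of the PR, but it should be stated in the config so nobody later treats the allow-list as access control. I would add `# JWT is optional: requests without a token go to @node_backend unauthenticated; auth_jwt and the allow_list apply only when a token is sent.` above the `js_content` line. `@node_backend` is defined outside this hunk, so confirm it does not depend on anything authentication used to guarantee; the `@auth_node_backend` block also continues past the hunk.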
12 changes: 11 additions & 1 deletion container/nginx/njs/auth.js
Expand Up @@ -2,6 +2,16 @@ import crypto from "crypto";

const ipfsRegex = /^\/ipfs\/(\w+)(\/?.*)/;

function routeRequest(req) {
const jwt = findJWT(req);
if (jwt) {
req.variables.jwt = jwt;
return req.internalRedirect("@auth_node_backend");
} else {
return req.internalRedirect("@node_backend");
}
}

function isAllowedRequest(req) {
const matches = req.uri.match(ipfsRegex);
if (!matches) {
Expand Down Expand Up @@ -75,4 +85,4 @@ function findJWT(req) {
return jwtQuery || jwtHeader;
}

export default { isAllowedRequest, findJWT };
export default { routeRequest, isAllowedRequest, findJWT };
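Review bot: `routeRequest` branches on the truthiness of `findJWT(req)`, and the visible tail of `findJWT` is `return jwtQuery || jwtHeader;`, so an empty `jwt=` parameter with no header would presumably count as "no token" and be served anonymously instead of being rejected. The rest of `findJWT` is outside the hunk, so this needs confirming. The function also has no doc comment; I would add `/** Redirects to @auth_node_backend when a JWT is present in the query or Authorization header, otherwise to @node_backend with no authentication. */`. As a style point, the `else` after `return` is redundant and can be dropped.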
16 changes: 8 additions & 8 deletions scripts/integration_tests.sh
Expand Up @@ -65,30 +65,30 @@ authorization_err=403 # jwt doesn't allow request origin
cid="bafybeifpz6onienrgwvb3mw5rg7piq5jh63ystjn7s5wk6ttezy2gy5xwu/Mexico.JPG"
url="${base_url}/ipfs/${cid}?format=car"

# Requests fail without a jwt
echo Requests succeed without a jwt
code="$(curl -sw "%{http_code}\n" -o /dev/null "${url}")"
test "$code" -eq "$authentication_err" || exit 1
test "$code" -eq 200 || exit 1

# Requests fail with explicit allow_list but without an origin header
echo Requests fail with explicit allow_list but without an origin header
code="$(curl -sw "%{http_code}\n" -o /dev/null "${url}&jwt=${jwtAllowExplicit}")"
test "$code" -eq "$authorization_err" || exit 1

# Requests fail with explicit allow_list but not allowed origin
echo Requests fail with explicit allow_list but not allowed origin
code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://abc.com" "${url}&jwt=${jwtAllowExplicit}")"
test "$code" -eq "$authorization_err" || exit 1

# Requests succeed with a jwt query param
echo Requests succeed with a jwt query param
code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://abc.com" "${url}&jwt=${jwtAllowAll}")"
test "$code" -eq 200 || exit 1

# Requests succeed with a jwt auth header
echo Requests succeed with a jwt auth header
code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://abc.com" -H "Authorization: Bearer ${jwtAllowAll}" "${url}")"
test "$code" -eq 200 || exit 1

# Requests succeed with explicit allow_list and allowed origin
echo Requests succeed with explicit allow_list and allowed origin
code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://google.com" "${url}&jwt=${jwtAllowExplicit}")"
test "$code" -eq 200 || exit 1

# Requests succeed with allow_list == [*] and without an origin header
echo Requests succeed with allow_list == [*] and without an origin header
code="$(curl -sw "%{http_code}\n" -o /dev/null "${url}&jwt=${jwtAllowAll}")"
test "$code" -eq 200 || exit 1
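Review bot: After this change none of the visible cases asserts `$authentication_err`, so nothing shown here checks that a request with a present but invalid token is still rejected rather than falling through to the anonymous path. I would add a case such as `code="$(curl -sw "%{http_code}\n" -o /dev/null "${url}&jwt=invalid-sample-token")"` followed by `test "$code" -eq "$authentication_err" || exit 1` (the token value is a constructed sample). The script starts before this hunk, so such a case may already exist above line 65.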