| author | Alexander Yastrebov <yastrebov.alex@gmail.com> | 2025-03-21 20:47:22 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-03-21 15:47:22 -0400 |
| commit | ad432897caf468e3c2c76ffbc5b8942db1b78a21 (patch) | |
| tree | 1b14cb95258adf13e3f425b94607293e34200971 /cmd/anubis | |
| parent | 194e55088bfd90130f3044c4e3fb5b0f0b8ec2ed (diff) | |
| download | anubis-ad432897caf468e3c2c76ffbc5b8942db1b78a21.tar.xz anubis-ad432897caf468e3c2c76ffbc5b8942db1b78a21.zip | |
cmd/anubis: use golang-jwt to check expiry date (#56)
* cmd/anubis: use golang-jwt to check expiry date
Also:
* check parse error
* require strict base64 decoding
* ignore the always-nil sha256sum error to simplify the code flow
Signed-off-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
* cmd/anubis: handle unlikely case when token claims aren't the right go type
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Xe Iaso <me@xeiaso.net>
---------
Signed-off-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
Signed-off-by: Xe Iaso <me@xeiaso.net>
Co-authored-by: Xe Iaso <me@xeiaso.net>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Diffstat (limited to 'cmd/anubis')
| -rw-r--r-- | cmd/anubis/main.go | 30 |
1 files changed, 10 insertions, 20 deletions
diff --git a/cmd/anubis/main.go b/cmd/anubis/main.go
index 8c0327b..75d3038 100644
--- a/cmd/anubis/main.go
+++ b/cmd/anubis/main.go
@@ -469,39 +469,29 @@ func (s *Server) maybeReverseProxy(w http.ResponseWriter, r *http.Request) {
 token, err := jwt.ParseWithClaims(ckie.Value, jwt.MapClaims{}, func(token *jwt.Token) (interface{}, error) {
 return s.pub, nil
- })
+ }, jwt.WithExpirationRequired(), jwt.WithStrictDecoding())
- if !token.Valid {
- lg.Debug("invalid token", "path", r.URL.Path)
+ if err != nil || !token.Valid {
+ lg.Debug("invalid token", "path", r.URL.Path, "err", err)
 clearCookie(w)
 s.renderIndex(w, r)
 return
 }
- claims := token.Claims.(jwt.MapClaims)
-
- exp, ok := claims["exp"].(float64)
- if !ok {
- lg.Debug("exp is not int64", "ok", ok, "typeof(exp)", fmt.Sprintf("%T", exp))
- clearCookie(w)
- s.renderIndex(w, r)
+ if randomJitter() {
+ r.Header.Add("X-Anubis-Status", "PASS-BRIEF")
+ lg.Debug("cookie is not enrolled into secondary screening")
+ s.rp.ServeHTTP(w, r)
 return
 }
- if exp := time.Unix(int64(exp), 0); time.Now().After(exp) {
- lg.Debug("token has expired", "exp", exp.Format(time.RFC3339))
+ claims, ok := token.Claims.(jwt.MapClaims)
+ if !ok {
+ lg.Debug("invalid token claims type", "path", r.URL.Path)
 clearCookie(w)
 s.renderIndex(w, r)
 return
 }
-
- if token.Valid && randomJitter() {
- r.Header.Add("X-Anubis-Status", "PASS-BRIEF")
- lg.Debug("cookie is not enrolled into secondary screening")
- s.rp.ServeHTTP(w, r)
- return
- }
-
 challenge := s.challengeFor(r, rule.Challenge.Difficulty)
 if claims["challenge"] != challenge {
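Review bot: The key function still returns `s.pub` for every token without looking at `token.Method`, and the new parser options add `WithExpirationRequired` and `WithStrictDecoding` but do not pin the signature algorithm, so the accepted `alg` header is whatever golang-jwt can pair with the type of `s.pub`; the cost of pinning is one option next to the two just added, e.g. `jwt.WithValidMethods([]string{<the signing method's Alg() — confirm against the code that mints the cookie>})`, which makes a parse with any other `alg` fail before the key is consulted. The `err != nil || !token.Valid` ordering is right: golang-jwt can return a nil `token` together with an error on a malformed cookie, and the short-circuit keeps `token.Valid` from being read in that case, which is worth a one-line comment such as `// err != nil first: token may be nil on a malformed cookie`. Moving the `randomJitter()` pass-brief branch ahead of the claims type assertion means a request can be proxied without the claims ever being inspected, which matches the old behaviour only because the parser now enforces `exp` itself; a short comment on that branch stating that expiry and signature have already been checked by `ParseWithClaims` would spare the next reader the same reconstruction. maybeReverseProxy begins before and continues after this hunk.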
