From c669b47b570d222a9a902705adeff8fb26c989c4 Mon Sep 17 00:00:00 2001 From: Xe Iaso Date: Fri, 25 Apr 2025 15:02:55 -0400 Subject: fix(lib): make Anubis less paranoid (#365) Previously Anubis would aggressively make sure that the client cookie matched exactly what it should. This has turned out to be too paranoid in practice and has caused problems with Happy Eyeballs et. al. This is a potential fix to #303 and #289. --- lib/anubis.go | 43 +------------------------------------------ 1 file changed, 1 insertion(+), 42 deletions(-) (limited to 'lib/anubis.go') diff --git a/lib/anubis.go b/lib/anubis.go index 70eb37e..026783e 100644 --- a/lib/anubis.go +++ b/lib/anubis.go @@ -353,48 +353,7 @@ func (s *Server) maybeReverseProxy(w http.ResponseWriter, r *http.Request, httpS return } - if randomJitter() { - r.Header.Add("X-Anubis-Status", "PASS-BRIEF") - lg.Debug("cookie is not enrolled into secondary screening") - s.ServeHTTPNext(w, r) - return - } - - claims, ok := token.Claims.(jwt.MapClaims) - if !ok { - lg.Debug("invalid token claims type", "path", r.URL.Path) - s.ClearCookie(w) - s.RenderIndex(w, r, rule, httpStatusOnly) - return - } - challenge := s.challengeFor(r, rule.Challenge.Difficulty) - - if claims["challenge"] != challenge { - lg.Debug("invalid challenge", "path", r.URL.Path) - s.ClearCookie(w) - s.RenderIndex(w, r, rule, httpStatusOnly) - return - } - - var nonce int - - if v, ok := claims["nonce"].(float64); ok { - nonce = int(v) - } - - calcString := fmt.Sprintf("%s%d", challenge, nonce) - calculated := internal.SHA256sum(calcString) - - if subtle.ConstantTimeCompare([]byte(claims["response"].(string)), []byte(calculated)) != 1 { - lg.Debug("invalid response", "path", r.URL.Path) - failedValidations.Inc() - s.ClearCookie(w) - s.RenderIndex(w, r, rule, httpStatusOnly) - return - } - - slog.Debug("all checks passed") - r.Header.Add("X-Anubis-Status", "PASS-FULL") + r.Header.Add("X-Anubis-Status", "PASS") s.ServeHTTPNext(w, r) } -- cgit v1.2.3