From 2d57e4cfe844c641eb08ce535c55acf04cd1c05f Mon Sep 17 00:00:00 2001
From: Lou Knauer
Date: Mon, 25 Jul 2022 09:03:48 +0200
Subject: [PATCH] Change to HS256 as login token alg

---
 internal/auth/auth_test.go | 1 +
 internal/auth/jwt.go | 25 +++++++++++++++----------
 2 files changed, 16 insertions(+), 10 deletions(-)
 create mode 100644 internal/auth/auth_test.go

diff --git a/internal/auth/auth_test.go b/internal/auth/auth_test.go
new file mode 100644
index 0000000..8832b06
--- /dev/null
+++ b/internal/auth/auth_test.go
@@ -0,0 +1 @@
+package auth
diff --git a/internal/auth/jwt.go b/internal/auth/jwt.go
index 5fab54b..b37de42 100644
--- a/internal/auth/jwt.go
+++ b/internal/auth/jwt.go
@@ -4,6 +4,7 @@ import (
 "crypto/ed25519"
 "encoding/base64"
 "errors"
+ "fmt"
 "net/http"
 "os"
 "strings"
@@ -20,10 +21,12 @@ type JWTAuthConfig struct {
 }
 
 type JWTAuthenticator struct {
- auth *Authentication
- publicKey ed25519.PublicKey
- loginPublicKey ed25519.PublicKey
- privateKey ed25519.PrivateKey
+ auth *Authentication
+
+ publicKey ed25519.PublicKey
+ privateKey ed25519.PrivateKey
+
+ loginTokenKey []byte // HS256 key
 
 config *JWTAuthConfig
 }
@@ -43,7 +46,6 @@ func (ja *JWTAuthenticator) Init(auth *Authentication, conf interface{}) error {
 return err
 }
 ja.publicKey = ed25519.PublicKey(bytes)
- ja.loginPublicKey = ja.publicKey
 bytes, err = base64.StdEncoding.DecodeString(privKey)
 if err != nil {
 return err
@@ -51,12 +53,12 @@ func (ja *JWTAuthenticator) Init(auth *Authentication, conf interface{}) error {
 ja.privateKey = ed25519.PrivateKey(bytes)
 }
 
- if pubKey = os.Getenv("CROSS_LOGIN_JWT_PUBLIC_KEY"); pubKey != "" {
+ if pubKey = os.Getenv("CROSS_LOGIN_JWT_HS512_KEY"); pubKey != "" {
 bytes, err := base64.StdEncoding.DecodeString(pubKey)
 if err != nil {
 return err
 }
- ja.loginPublicKey = bytes
+ ja.loginTokenKey = bytes
 }
 
 return nil
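Review bot: The `// HS256 key` comment on the new loginTokenKey field in the struct hunk disagrees with the rest of the commit: the value is loaded from an env var named CROSS_LOGIN_JWT_HS512_KEY and Login's key callback hands it to both HS256 and HS512, so a reader cannot tell which algorithm is intended. Suggest `loginTokenKey []byte // shared HMAC secret for cross-login tokens (HS256 or HS512); Init leaves it nil unless CROSS_LOGIN_JWT_HS512_KEY is set`. The same HS256/HS512 mismatch shows between the patch subject and the env var name, so settling on one name for the variable would avoid the confusion at the deployment side as well.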
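Review bot: On the changed line in the `@@ -51,12 +53,12 @@` hunk the variable `pubKey` now holds a base64-encoded symmetric HMAC secret rather than a public key, so the name misleads anyone reading Init after this change; since `pubKey` is declared earlier in the function, outside the hunk, a scoped declaration keeps the rename local: `if loginKey := os.Getenv("CROSS_LOGIN_JWT_HS512_KEY"); loginKey != "" {` and `bytes, err := base64.StdEncoding.DecodeString(loginKey)`. The decoded secret is also stored without any length check; RFC 7518 requires an HMAC key at least as long as the hash output (32 bytes for HS256, 64 for HS512), so rejecting shorter keys here with a clear error would catch weak or truncated configuration at startup instead of at login time. Init's body begins before this hunk.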
@@ -74,10 +76,13 @@ func (ja *JWTAuthenticator) Login(user *User, rw http.ResponseWriter, r *http.Re
 }
 
 token, err := jwt.Parse(rawtoken, func(t *jwt.Token) (interface{}, error) {
- if t.Method != jwt.SigningMethodEdDSA {
- return nil, errors.New("only Ed25519/EdDSA supported")
+ if t.Method == jwt.SigningMethodEdDSA {
+ return ja.publicKey, nil
 }
- return ja.publicKey, nil
+ if t.Method == jwt.SigningMethodHS256 || t.Method == jwt.SigningMethodHS512 {
+ return ja.loginTokenKey, nil
+ }
+ return nil, fmt.Errorf("unkown signing method for login token: %s (known: HS256, HS512, EdDSA)", t.Method.Alg())
 })
 if err != nil {
 return nil, err
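Review bot: The new HS256/HS512 branch returns `ja.loginTokenKey` even when it was never configured: Init assigns it only when CROSS_LOGIN_JWT_HS512_KEY is present and this commit removed the earlier fallback to the Ed25519 public key, so a nil `[]byte` reaches the HMAC verifier, and with jwt-go's SigningMethodHMAC.Verify (assuming that is the library behind the `jwt` import) a nil slice passes the `key.([]byte)` assertion and is used as an empty HMAC key rather than rejected. Guard the branch before handing the key back: `if len(ja.loginTokenKey) == 0 { return nil, errors.New("cross-login tokens (HS256/HS512) are not configured") }`, so an unconfigured deployment fails closed. The error string on the last added line also misspells "unknown" as `unkown`. The enclosing Login function starts before this hunk.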