jwt: Handle obfuscated JSON Web tokens #1189

5 changes: 5 additions & 0 deletions jwt/config.go
@@ -60,6 +60,11 @@ type Config struct {
// - "cookie:<name>"
TokenLookup string

// TokenDeobfuscatorFunc defines a function to deobfuscate the founded token with [TokenLookup].
// This help to implement a Token obfuscation algoritm to prevent information disclosure.
// Optional. Default: nil
TokenDeobfuscatorFunc func(obfuscatedToken string) (string, error)
💡 Codebase verification

Implement Handling and Validation for TokenDeobfuscatorFunc in makeCfg

The makeCfg function does not currently handle or validate the TokenDeobfuscatorFunc field. To ensure proper integration and avoid potential runtime issues:

  1. Update makeCfg to Handle TokenDeobfuscatorFunc:

    • Add validation to check if TokenDeobfuscatorFunc is provided and is not nil if required.
    • Set default behavior if no deobfuscation function is supplied.
  2. Integrate TokenDeobfuscatorFunc in Middleware Logic:

    • Ensure that the middleware utilizes the TokenDeobfuscatorFunc appropriately during JWT verification.
  3. Add Documentation and Examples:

    • Provide usage examples in the package documentation to guide developers on implementing and using the TokenDeobfuscatorFunc.
🔗 Analysis chain

Update makeCfg function and clarify usage of TokenDeobfuscatorFunc

While the addition of TokenDeobfuscatorFunc is valuable, there are a few points to consider for its integration:

  1. The makeCfg function should be updated to handle the new field. Consider adding a basic validation check to ensure that if a deobfuscation function is provided, it's not nil.

  2. It's unclear from this file where and how the deobfuscation function will be used in the middleware logic. Please provide information on how this function will be integrated into the JWT verification process.

  3. Consider adding a usage example in the package documentation to guide developers on how to properly implement and use the deobfuscation function.

To verify the integration of the new field, please run the following script:

This script will help identify where the TokenDeobfuscatorFunc is being used and if the middleware implementation has been updated accordingly.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for the usage of TokenDeobfuscatorFunc in the middleware logic

# Test: Search for TokenDeobfuscatorFunc usage
rg --type go 'TokenDeobfuscatorFunc' .

# Test: Check for updates in middleware implementation
rg --type go 'func New' .

Length of output: 1736


Script:

#!/bin/bash
# Description: Verify that makeCfg handles TokenDeobfuscatorFunc correctly

# Check if makeCfg function exists in jwt/config.go
rg -A 5 'func makeCfg' ./jwt/config.go

# Within makeCfg, verify handling of TokenDeobfuscatorFunc
rg -A 10 'TokenDeobfuscatorFunc' ./jwt/config.go

Length of output: 1046


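The review comment above asks for a usage example of the hook. What follows is an added example, not code from this PR or from the gofiber/contrib project, showing what a TokenDeobfuscatorFunc-compatible hook looks like when it is meant to actually conceal the token rather than re-encode it: an AES-GCM wrapper whose Deobfuscate method has the PR's `func(string) (string, error)` signature, placed next to the hex decoder the PR's test uses so the difference is visible. The key, the TokenObfuscator type, ErrBadToken and the sample JWT are all constructed for this example and are not part of the project.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrBadToken is the only error the hook returns to the middleware, so that
// decoder internals never reach the client through ErrorHandler.
// Hypothetical name; the project defines no such error.
var ErrBadToken = errors.New("jwtware: malformed obfuscated token")

// SampleKey is a constructed 32-byte key (AES-256) for this example only.
// A real deployment loads the key from a secret store, never from source.
var SampleKey = []byte("0123456789abcdef0123456789abcdef")

// TokenObfuscator wraps an AES-GCM AEAD. Hypothetical type, not a project type.
type TokenObfuscator struct {
	aead cipher.AEAD
}

// NewTokenObfuscator accepts a 16, 24 or 32 byte AES key.
func NewTokenObfuscator(key []byte) (*TokenObfuscator, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenObfuscator{aead: aead}, nil
}

// Obfuscate seals the JWT under a fresh random nonce and returns
// base64url(nonce || ciphertext || tag), which fits in an Authorization header.
func (o *TokenObfuscator) Obfuscate(token string) (string, error) {
	nonce := make([]byte, o.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := o.aead.Seal(nonce, nonce, []byte(token), nil)
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Deobfuscate has the TokenDeobfuscatorFunc signature from the PR. It fails
// closed: bad encoding, a short value, a failed tag check or an empty result
// all yield the same ErrBadToken.
func (o *TokenObfuscator) Deobfuscate(obfuscatedToken string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(obfuscatedToken)
	if err != nil {
		return "", ErrBadToken
	}
	ns := o.aead.NonceSize()
	if len(raw) < ns+o.aead.Overhead() {
		return "", ErrBadToken
	}
	plain, err := o.aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil || len(plain) == 0 {
		return "", ErrBadToken
	}
	return string(plain), nil
}

// HexDeobfuscate is the transformation used by the PR's test. It round-trips,
// but anyone who can read the header can reverse it, so it conceals nothing.
func HexDeobfuscate(obfuscatedToken string) (string, error) {
	b, err := hex.DecodeString(obfuscatedToken)
	if err != nil {
		return "", ErrBadToken
	}
	return string(b), nil
}

// tamper changes the first character of s (part of the nonce) to show that the
// authentication tag rejects a modified header value.
func tamper(s string) string {
	if s[0] == 'A' {
		return "B" + s[1:]
	}
	return "A" + s[1:]
}

func main() {
	obf, err := NewTokenObfuscator(SampleKey)
	if err != nil {
		panic(err)
	}
	// Constructed sample JWT; the middleware would still verify its signature afterwards.
	const jwt = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sig"
	header, _ := obf.Obfuscate(jwt)
	back, err := obf.Deobfuscate(header)
	fmt.Printf("Authorization: Bearer %s\nrecovered=%q err=%v\n", header, back, err)
	_, err = obf.Deobfuscate(tamper(header))
	fmt.Println("tampered:", err)
}
```

Wired as `TokenDeobfuscatorFunc: obf.Deobfuscate`, every failure path returns the same ErrBadToken, so ErrorHandler never echoes decoder internals, and a header value modified in transit is rejected by the tag check before the JWT parser sees it. The hex variant round-trips just as well but offers no confidentiality, which is the point the field's doc comment should make clear.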
// AuthScheme to be used in the Authorization header.
// Optional. Default: "Bearer".
AuthScheme string
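Review bot: the doc comment on the new field (lines +63 to +65) has typos and overstates what the hook provides. "founded" should be "found", "algoritm" should be "algorithm" and "This help" should be "This helps"; more importantly, "to prevent information disclosure" should be qualified, because a deobfuscation step that needs no secret (the test in this PR uses plain hex) hides nothing from anyone who can read the header, and the signature is still only checked after the hook returns. Suggest stating the contract instead, e.g. `// TokenDeobfuscatorFunc is applied to the token found via TokenLookup before it is parsed.` followed by a line saying that a non-nil error is passed to ErrorHandler, which is what jwt.go in this PR does.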

8 changes: 8 additions & 0 deletions jwt/jwt.go
@@ -40,6 +40,14 @@ func New(config ...Config) fiber.Handler {
if err != nil {
return cfg.ErrorHandler(c, err)
}

if cfg.TokenDeobfuscatorFunc != nil {
auth, err = cfg.TokenDeobfuscatorFunc(auth)
if err != nil {
return cfg.ErrorHandler(c, err)
}
}

var token *jwt.Token

if _, ok := cfg.Claims.(jwt.MapClaims); ok {
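Review bot: the error returned by the user-supplied hook is forwarded to cfg.ErrorHandler unchanged (`return cfg.ErrorHandler(c, err)` inside the new `if cfg.TokenDeobfuscatorFunc != nil` block), so decoder internals such as hex.DecodeString's error text reach whatever the ErrorHandler renders; consider wrapping it in a fixed middleware error before forwarding. The block also accepts whatever string the hook returns, including an empty one, and hands it to the parser below; an explicit check that `auth` is non-empty after deobfuscation would give a clearer failure than the parser's generic error.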

42 changes: 42 additions & 0 deletions jwt/jwt_test.go
@@ -1,6 +1,7 @@
package jwtware_test

import (
"encoding/hex"
"fmt"
"net/http"
"net/http/httptest"
@@ -104,6 +105,47 @@ const (
`
)

func TestJwtDeobfuscation(t *testing.T) {
t.Parallel()

defer func() {
// Assert
if err := recover(); err != nil {
t.Fatalf("Middleware should not panic")
}
}()

for _, test := range hamac {
// Arrange
app := fiber.New()

app.Use(jwtware.New(jwtware.Config{
SigningKey: jwtware.SigningKey{
JWTAlg: test.SigningMethod,
Key: []byte(defaultSigningKey),
},
TokenDeobfuscatorFunc: func(obfuscatedToken string) (string, error) {
token, err := hex.DecodeString(obfuscatedToken)
return string(token), err
},
}))

app.Get("/ok", func(c *fiber.Ctx) error {
return c.SendString("OK")
})

req := httptest.NewRequest("GET", "/ok", nil)
req.Header.Add("Authorization", "Bearer "+hex.EncodeToString([]byte(test.Token)))

// Act
resp, err := app.Test(req)

// Assert
utils.AssertEqual(t, nil, err)
utils.AssertEqual(t, 200, resp.StatusCode)
}
}

func TestJwtFromHeader(t *testing.T) {
t.Parallel()

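Review bot: TestJwtDeobfuscation only exercises the success path. Add a case where TokenDeobfuscatorFunc returns an error (for example an Authorization value that is not valid hex, so `hex.DecodeString` fails) and assert that the request is rejected through ErrorHandler with a non-200 status, and a case where the hook returns an empty string, so the behaviour added in jwt.go is covered rather than only the round trip. Since each iteration builds its own app, the cases could also be `t.Run` subtests named after `test.SigningMethod` to make a failure attributable.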