fix(nginx): token validation in managers region
Improve documentation and the performance of the IF directives
alimd committed Jan 12, 2024
1 parent 7c3ece8 commit f5f54fb
Showing 1 changed file with 38 additions and 26 deletions.
64 changes: 38 additions & 26 deletions packages/nginx/etc/nginx/templates/location.d/91-json.conf.template
Expand Up @@ -26,30 +26,30 @@
# Define main routes
# ------------------

# Store file location that can be accessed by anyone.
# Public region: Store file location that can be accessed by anyone.
location ~ ^$storeApiPrefix/$storeRegionPublic/(?<storePath>.*)$ {
try_files /$storeRegionPublic/$storePath =404;
}

# Store file location that can be accessed by authenticated users.
# Authenticated region: Store file location that can be accessed by authenticated users.
location ~ ^$storeApiPrefix/$storeRegionAuthenticated/(?<storePath>.*)$ {
if ($user_id_location = "") {
if ($user_id_location = '') {
return 401;
}

if ($http_user_token = "") {
if ($http_user_token = '') {
return 401;
}

if ($http_user_id ~ "/") {
if ($http_user_id ~ '/') {
return 400;
}

if ($http_user_token ~ "/") {
if ($http_user_token ~ '/') {
return 400;
}

if (!-f $document_root/$user_id_location/$http_user_token.asn) {
if (!-f $document_root/$user_id_location/.token/$http_user_token.asn) {
return 403;
}

Expand All @@ -62,87 +62,99 @@ location ~ ^$storeApiPrefix/$storeRegionManagers/(?<storePath>.*)$ {
return 401;
}

if ($http_user_token = "") {
if ($http_user_token = '') {
return 401;
}

if ($http_user_id ~ "/") {
if ($http_user_id ~ '/') {
return 400;
}

if ($http_user_token ~ "/") {
if ($http_user_token ~ '/') {
return 400;
}

if (!-f $document_root/$user_id_location/is-super-admin.asn) {
if (!-f $document_root/$user_id_location/.token/$http_user_token.asn) {
return 403;
}

if (!-f $document_root/$user_id_location/.auth/manager.asn) {
return 403;
}

try_files /$storeRegionManagers/$storePath =404;
}

# Store file location specific to each user id. Can be accessed using the user token.
# PerUser region: Store file location specific to each user id. Can be accessed using the user token.
location ~ ^$storeApiPrefix/$storeRegionPerUser/(?<storePath>.*)$ {
if ($user_id_location = "") {
if ($user_id_location = '') {
return 401;
}

if ($http_user_token = "") {
if ($http_user_token = '') {
return 401;
}

if ($http_user_id ~ "/") {
if ($http_user_id ~ '/') {
return 400;
}

if ($http_user_token ~ "/") {
if ($http_user_token ~ '/') {
return 400;
}

if (!-f $document_root/$user_id_location/$http_user_token.asn) {
if (!-f $document_root/$user_id_location/.token/$http_user_token.asn) {
return 403;
}

try_files /$user_id_location/$storePath =404;
}

# Store file location specific to each token.
# PerToken region: Store file location specific to each token.
location ~ ^$storeApiPrefix/$storeRegionPerToken/(?<storePath>.*)$ {
if ($user_token_location = "") {
if ($user_token_location = '') {
return 401;
}

if ($http_user_token ~ "/") {
if ($http_user_token ~ '/') {
return 400;
}

if (!-f /$user_token_location/token-info.doc.asj) {
return 403;
}

try_files /$user_token_location/$storePath =404;
}

# Store file location specific to each device id.
# PerDevice region: Store file location specific to each device id.
location ~ ^$storeApiPrefix/$storeRegionPerDevice/(?<storePath>.*)$ {
if ($device_id_location = "") {
if ($device_id_location = '') {
return 400;
}

if ($http_device_id ~ "/") {
if ($http_device_id ~ '/') {
return 400;
}

if (!-f /$user_token_location/device-info.doc.asj) {
return 403;
}

try_files /$device_id_location/$storePath =404;
}

# Deny secret locations
# Secret region: Deny secret locations
location ~ ^/$storeRegionSecret/ {
return 403;
}
location ~ ^$storeApiPrefix/$storeRegionSecret/ {
return 403;
}

location = /debug-info-007 {
location = /debug-info-110 {
default_type application/json;
return 200 '{"storeApiPrefix": "$storeApiPrefix", "storeRegionPublic": "$storeRegionPublic", "storeRegionSecret": "$storeRegionSecret", "storeRegionAuthenticated": "$storeRegionAuthenticated", "storeRegionSuperAdmin": "$storeRegionSuperAdmin", "storeRegionPerUser": "$storeRegionPerUser", "storeRegionPerDevice": "$storeRegionPerDevice", "storeRegionPerToken": "$storeRegionPerToken", "user_id_location": "$user_id_location", "user_token_location": "$user_token_location", "device_id_location": "$device_id_location", "http_user_id": "$http_user_id", "http_user_token": "$http_user_token", "http_device_id": "$http_device_id", "document_root": "$document_root", "uri": "$uri", "request_uri": "$request_uri", "request_method": "$request_method", "args": "$args", "query_string": "$query_string", "request_body": "$request_body", "remote_addr": "$remote_addr", "remote_port": "$remote_port", "remote_user": "$remote_user", "http_referer": "$http_referer", "http_user_agent": "$http_user_agent", "http_x_forwarded_for": "$http_x_forwarded_for"}';
return 200 '{"storeApiPrefix": "$storeApiPrefix", "storeRegionPublic": "$storeRegionPublic", "storeRegionSecret": "$storeRegionSecret", "storeRegionAuthenticated": "$storeRegionAuthenticated", "storeRegionManagers": "$storeRegionManagers", "storeRegionPerUser": "$storeRegionPerUser", "storeRegionPerDevice": "$storeRegionPerDevice", "storeRegionPerToken": "$storeRegionPerToken", "user_id_location": "$user_id_location", "user_token_location": "$user_token_location", "device_id_location": "$device_id_location", "http_user_id": "$http_user_id", "http_user_token": "$http_user_token", "http_device_id": "$http_device_id", "document_root": "$document_root", "uri": "$uri", "request_uri": "$request_uri", "request_method": "$request_method", "args": "$args", "query_string": "$query_string", "request_body": "$request_body", "remote_addr": "$remote_addr", "remote_port": "$remote_port", "remote_user": "$remote_user", "http_referer": "$http_referer", "http_user_agent": "$http_user_agent", "http_x_forwarded_for": "$http_x_forwarded_for"}';
}

# Deny all unknown location
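Review bot: The `location = /debug-info-110` block on the new side is reachable by any unauthenticated client and returns the internal store layout — `$document_root`, the `user_id_location`/`user_token_location`/`device_id_location` paths and the name of the secret region via `storeRegionSecret` — so renaming the path from `-007` to `-110` only keeps it hidden for as long as the path stays unguessed. If the endpoint has to remain in the template, gate it rather than obscure it, e.g. add `allow 127.0.0.1;` and `deny all;` as the first lines of the block, or at least drop the `$document_root`, `*_location` and `storeRegionSecret` fields from the response. Separately, the PerDevice region's check `if (!-f /$user_token_location/device-info.doc.asj)` tests a variable that this region never guards against being empty (only `$device_id_location` and `$http_device_id` are checked), and, like the PerToken check `if (!-f /$user_token_location/token-info.doc.asj)`, it omits the `$document_root/` prefix every `.token/$http_user_token.asn` check uses, so `-f` is evaluated against the filesystem root. If those two checks are new rather than context, confirm whether `$user_token_location` is intended in the device region and whether both paths should be rooted at `$document_root/`. The two `$storeRegionSecret` deny blocks and the debug block are complete within the hunk; the trailing `# Deny all unknown location` block continues past it.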
