From f6f75f9a1c970b2c39bc48cb82aa6563375a1078 Mon Sep 17 00:00:00 2001
From: Marius van der Wijden
Date: Wed, 27 Jul 2022 10:49:37 +0200
Subject: [PATCH 1/2] node: set JWT expiry to 60 seconds

---
 node/jwt_handler.go | 6 ++++--
 node/rpcstack_test.go | 4 ++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/node/jwt_handler.go b/node/jwt_handler.go
index 28d5b87c60bc..be932f1feb7c 100644
--- a/node/jwt_handler.go
+++ b/node/jwt_handler.go
@@ -24,6 +24,8 @@ import (
 "github.com/golang-jwt/jwt/v4"
 )
 
+const expiryTime = 60 * time.Second
+
 type jwtHandler struct {
 keyFunc func(token *jwt.Token) (interface{}, error)
 next http.Handler
@@ -68,9 +70,9 @@ func (handler *jwtHandler) ServeHTTP(out http.ResponseWriter, r *http.Request) {
 http.Error(out, "token is expired", http.StatusForbidden)
 case claims.IssuedAt == nil:
 http.Error(out, "missing issued-at", http.StatusForbidden)
- case time.Since(claims.IssuedAt.Time) > 5*time.Second:
+ case time.Since(claims.IssuedAt.Time) > expiryTime:
 http.Error(out, "stale token", http.StatusForbidden)
- case time.Until(claims.IssuedAt.Time) > 5*time.Second:
+ case time.Until(claims.IssuedAt.Time) > expiryTime:
 http.Error(out, "future token", http.StatusForbidden)
 default:
 handler.next.ServeHTTP(out, r)
diff --git a/node/rpcstack_test.go b/node/rpcstack_test.go
index 58a02234025a..750e087f7ecc 100644
--- a/node/rpcstack_test.go
+++ b/node/rpcstack_test.go
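Review bot: The new `expiryTime` constant carries no doc comment, and its name suggests a token lifetime while the ServeHTTP hunk below uses it as a symmetric tolerance on the `iat` claim via `time.Since` and `time.Until`. A comment such as `// expiryTime is the maximum distance, in either direction, between a token's iat claim and this node's clock; it absorbs clock skew between issuer and node and also bounds how long an already-issued token remains acceptable.` would record why the value went from 5 s to 60 s. If the number follows an external authentication specification, naming it in the comment lets a later change be checked against its source rather than guessed at.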
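Review bot: The two changed `case` lines now accept an `iat` up to 60 s in the past or future where the removed lines allowed 5 s, and nothing else in this hunk bounds token freshness (no `jti` or nonce is consulted here), so the period during which a captured bearer token is still accepted grows twelve-fold. That is likely an intentional trade-off for clock-skew tolerance, but the hunk does not say so; a one-line comment above the stale check, `// Tolerate clock skew of up to expiryTime in either direction; this is also how long a disclosed token stays usable.`, would stop the next reader from tightening or loosening it blindly. ServeHTTP begins before this hunk, and whether `claims.ExpiresAt` is enforced rests on the `token is expired` case whose condition lies outside the visible lines.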
@@ -356,11 +356,11 @@ func TestJWT(t *testing.T) {
 expFail := []func() string{
 // future
 func() string {
- return fmt.Sprintf("Bearer %v", issueToken(secret, nil, testClaim{"iat": time.Now().Unix() + 6}))
+ return fmt.Sprintf("Bearer %v", issueToken(secret, nil, testClaim{"iat": time.Now().Unix() + int64(expiryTime.Seconds()) + 1}))
 },
 // stale
 func() string {
- return fmt.Sprintf("Bearer %v", issueToken(secret, nil, testClaim{"iat": time.Now().Unix() - 6}))
+ return fmt.Sprintf("Bearer %v", issueToken(secret, nil, testClaim{"iat": time.Now().Unix() - int64(expiryTime.Seconds()) - 1}))
 },
 // wrong algo
 func() string {

From ddfba47a50c6bc1dc467237f83547e4816b20d17 Mon Sep 17 00:00:00 2001
From: Marius van der Wijden
Date: Wed, 27 Jul 2022 10:52:48 +0200
Subject: [PATCH 2/2] node: rename var

---
 node/jwt_handler.go | 6 +++---
 node/rpcstack_test.go | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/node/jwt_handler.go b/node/jwt_handler.go
index be932f1feb7c..363f6b3aad47 100644
--- a/node/jwt_handler.go
+++ b/node/jwt_handler.go
@@ -24,7 +24,7 @@ import (
 "github.com/golang-jwt/jwt/v4"
 )
 
-const expiryTime = 60 * time.Second
+const jwtExpiryTimeout = 60 * time.Second
 
 type jwtHandler struct {
 keyFunc func(token *jwt.Token) (interface{}, error)
@@ -70,9 +70,9 @@ func (handler *jwtHandler) ServeHTTP(out http.ResponseWriter, r *http.Request) {
 http.Error(out, "token is expired", http.StatusForbidden)
 case claims.IssuedAt == nil:
 http.Error(out, "missing issued-at", http.StatusForbidden)
- case time.Since(claims.IssuedAt.Time) > expiryTime:
+ case time.Since(claims.IssuedAt.Time) > jwtExpiryTimeout:
 http.Error(out, "stale token", http.StatusForbidden)
- case time.Until(claims.IssuedAt.Time) > expiryTime:
+ case time.Until(claims.IssuedAt.Time) > jwtExpiryTimeout:
 http.Error(out, "future token", http.StatusForbidden)
 default:
 handler.next.ServeHTTP(out, r)
diff --git a/node/rpcstack_test.go b/node/rpcstack_test.go
index 750e087f7ecc..6fb16c504a9e 100644
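Review bot: The two failing cases now derive their offsets from `expiryTime`, but the hunk contains no accepting case just inside the window, so only one side of the boundary is pinned to the constant; if the passing tokens earlier in TestJWT (outside this hunk) still use a fixed offset, they should be derived the same way, e.g. `time.Now().Unix() + int64(expiryTime.Seconds()) - 1`, so that a future change to the constant cannot silently leave the accept side untested. Note also that `time.Now().Unix()` truncates to whole seconds, so the `+ 1` margin on the changed lines is effectively between one and two seconds at run time; that is adequate here but worth a short comment if the margin is ever shrunk. TestJWT begins before this hunk and its `expPass` list is not visible.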
--- a/node/rpcstack_test.go
+++ b/node/rpcstack_test.go
@@ -356,11 +356,11 @@ func TestJWT(t *testing.T) {
 expFail := []func() string{
 // future
 func() string {
- return fmt.Sprintf("Bearer %v", issueToken(secret, nil, testClaim{"iat": time.Now().Unix() + int64(expiryTime.Seconds()) + 1}))
+ return fmt.Sprintf("Bearer %v", issueToken(secret, nil, testClaim{"iat": time.Now().Unix() + int64(jwtExpiryTimeout.Seconds()) + 1}))
 },
 // stale
 func() string {
- return fmt.Sprintf("Bearer %v", issueToken(secret, nil, testClaim{"iat": time.Now().Unix() - int64(expiryTime.Seconds()) - 1}))
+ return fmt.Sprintf("Bearer %v", issueToken(secret, nil, testClaim{"iat": time.Now().Unix() - int64(jwtExpiryTimeout.Seconds()) - 1}))
 },
 // wrong algo
 func() string {