all repos — litestore @ 5b14818a5d2033a2269744a8b2478848a80279b9

A minimalist nosql document store.

Fixed JWT validation.
Cevasco, Fabio fabio.cevasco@siemens.com
Tue, 12 Nov 2019 14:46:52 +0100
commit

5b14818a5d2033a2269744a8b2478848a80279b9

parent

f31358f6ed48439386341b117e7756009837ded3

1 files changed, 15 insertions(+), 1 deletions(-)

jump to
M src/litestorepkg/lib/server.nimsrc/litestorepkg/lib/server.nim

@@ -9,6 +9,7 @@ cgi,

os, json, tables, + base64, jwt import types,

@@ -21,6 +22,16 @@

export api_v4 + +proc decodeUrlSafeAsString*(s: string): string = + var s = s.replace('-', '+').replace('_', '/') + while s.len mod 4 > 0: + s &= "=" + base64.decode(s) + +proc decodeUrlSafe*(s: string): seq[byte] = + cast[seq[byte]](decodeUrlSafeAsString(s)) + proc getReqInfo(req: LSRequest): string = var url = req.url.path if req.url.anchor != "":

@@ -44,8 +55,9 @@ let token = req.headers["Authorization"].replace(peg"^ 'Bearer '", "")

# Validate token try: let jwt = token.toJwt() + let parts = token.split(".") var sig = LS.auth["signature"].getStr - discard verify(jwt, sig) + discard verifySignature(parts[0] & "." & parts[1], decodeUrlSafe(parts[2]), sig) verifyTimeClaims(jwt) let scopes = cfg[reqMethod] # Validate scope

@@ -62,6 +74,8 @@ if authorized == "":

return resError(Http403, "Forbidden - You are not permitted to access this resource") LOG.debug("Authorization successful: " & authorized) except: + echo getCurrentExceptionMsg() + writeStackTrace() return resError(Http401, "Unauthorized - Invalid token") proc processApiUrl(req: LSRequest, LS: LiteStore, info: ResourceInfo): LSResponse =