Fixed JWT validation.
h3rald h3rald@h3rald.com
Tue, 12 Nov 2019 14:46:52 +0100
1 files changed,
15 insertions(+),
1 deletions(-)
src/litestorepkg/lib/server.nim
@@ -9,6 +9,7 @@ cgi,
   os, json, tables,
+  base64, jwt
 import types,
@@ -21,6 +22,16 @@
 export api_v4
+
+proc decodeUrlSafeAsString*(s: string): string =
+  var s = s.replace('-', '+').replace('_', '/')
+  while s.len mod 4 > 0:
+    s &= "="
+  base64.decode(s)
+
+proc decodeUrlSafe*(s: string): seq[byte] =
+  cast[seq[byte]](decodeUrlSafeAsString(s))
+
 proc getReqInfo(req: LSRequest): string =
   var url = req.url.path
   if req.url.anchor != "":
@@ -44,8 +55,9 @@ let token = req.headers["Authorization"].replace(peg"^ 'Bearer '", "")
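Review bot: decodeUrlSafeAsString and decodeUrlSafe are exported without doc comments; add `## Decodes a base64url string ('-'/'_' alphabet, padding optional) to a string.` on the first and `## Same as decodeUrlSafeAsString but returns the raw bytes.` on the second, since callers outside this module will see them. The `cast[seq[byte]]` on the decoded string relies on string and seq[byte] sharing a memory layout, which holds for the current runtime but is not a documented guarantee; a comment stating that assumption, or an explicit byte-by-byte copy, would make the dependency visible. The padding loop and the alphabet substitution look correct for RFC 4648 base64url input; note that base64.decode is left to raise on malformed input, which is presumably what the surrounding try/except in the token validation relies on.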
     # Validate token
     try:
       let jwt = token.toJwt()
+      let parts = token.split(".")
       var sig = LS.auth["signature"].getStr
-      discard verify(jwt, sig)
+      discard verifySignature(parts[0] & "." & parts[1], decodeUrlSafe(parts[2]), sig)
       verifyTimeClaims(jwt)
       let scopes = cfg[reqMethod]
       # Validate scope
@@ -62,6 +74,8 @@ if authorized == "":
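Review bot: The result of `verifySignature(...)` is discarded, so whatever it reports about the signature never influences the outcome; if it returns a bool (the `discard` implies a non-void result), a token whose signature does not match is rejected only if the call happens to raise. The line should read `if not verifySignature(parts[0] & "." & parts[1], decodeUrlSafe(parts[2]), sig): raise newException(ValueError, "Invalid signature")`, which the surrounding try/except then turns into the 401. `parts[2]` is also accessed without checking the split produced three segments, so a malformed token fails with an index error rather than a deliberate rejection; `if parts.len != 3: raise newException(ValueError, "Malformed token")` before the lookup keeps the failure explicit. The enclosing proc starts and ends outside the hunk.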
         return resError(Http403, "Forbidden - You are not permitted to access this resource")
       LOG.debug("Authorization successful: " & authorized)
     except:
+      echo getCurrentExceptionMsg()
+      writeStackTrace()
       return resError(Http401, "Unauthorized - Invalid token")
 proc processApiUrl(req: LSRequest, LS: LiteStore, info: ResourceInfo): LSResponse =
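Review bot: `echo getCurrentExceptionMsg()` and `writeStackTrace()` print the failure reason and a full stack trace to stdout for every rejected token, bypassing the logger that the `LOG.debug` call two lines above uses; on a server, every bad or expired Authorization header then produces a stack dump in the process output, which is both noisy and more internal detail than a rejected client should cause to be emitted. Prefer `LOG.debug("Token validation failed: " & getCurrentExceptionMsg())` and drop `writeStackTrace()`, or keep the trace behind an explicit debug setting. The bare `except:` this sits under catches everything, including the index error a malformed token would raise from the new `parts[2]` access in the previous hunk, so the 401 path masks programming errors as well as bad tokens; `except CatchableError:` with an explicit length check upstream would separate the two. The enclosing proc starts outside the hunk.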