| author | Chris Lu <chris.lu@gmail.com> | 2019-02-14 00:08:20 -0800 |
|---|---|---|
| committer | Chris Lu <chris.lu@gmail.com> | 2019-02-14 00:08:20 -0800 |
| commit | 215cd27b37d504aca255a54283e77c8cff6692ab (patch) | |
| tree | d6f0cdd10d75d1881fad924c94ef7ed3ed947241 /weed/security/jwt.go | |
| parent | 4ff4a147b258bb7787e492a74254f3993bb69d1a (diff) | |
add authorizing fileId write access
need to secure upload/update/delete for benchmark/filer/mount
need to add secure grpc
Diffstat (limited to 'weed/security/jwt.go')
| -rw-r--r-- | weed/security/jwt.go | 46 |
1 files changed, 19 insertions, 27 deletions
diff --git a/weed/security/jwt.go b/weed/security/jwt.go
index 844ffb77b..ba394c3bf 100644
--- a/weed/security/jwt.go
+++ b/weed/security/jwt.go
@@ -1,6 +1,7 @@
 package security
 import (
+ "fmt"
 "net/http"
 "strings"
@@ -11,21 +12,28 @@ import (
 )
 type EncodedJwt string
-type SigningKey string
+type SigningKey []byte
+
+type SeaweedFileIdClaims struct {
+ Fid string `json:"fid"`
+ jwt.StandardClaims
+}
 func GenJwt(signingKey SigningKey, fileId string) EncodedJwt {
- if signingKey == "" {
+ if len(signingKey) == 0 {
 return ""
 }
- t := jwt.New(jwt.GetSigningMethod("HS256"))
- t.Claims = &jwt.StandardClaims{
- ExpiresAt: time.Now().Add(time.Second * 10).Unix(),
- Subject: fileId,
+ claims := SeaweedFileIdClaims{
+ fileId,
+ jwt.StandardClaims{
+ ExpiresAt: time.Now().Add(time.Second * 10).Unix(),
+ },
 }
- encoded, e := t.SignedString(signingKey)
+ t := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+ encoded, e := t.SignedString([]byte(signingKey))
 if e != nil {
- glog.V(0).Infof("Failed to sign claims: %v", t.Claims)
+ glog.V(0).Infof("Failed to sign claims %+v: %v", t.Claims, e)
 return ""
 }
 return EncodedJwt(encoded)
@@ -44,31 +52,15 @@ func GetJwt(r *http.Request) EncodedJwt {
 }
 }
- // Get token from cookie
- if tokenStr == "" {
- cookie, err := r.Cookie("jwt")
- if err == nil {
- tokenStr = cookie.Value
- }
- }
-
 return EncodedJwt(tokenStr)
 }
-func EncodeJwt(signingKey SigningKey, claims *jwt.StandardClaims) (EncodedJwt, error) {
- if signingKey == "" {
- return "", nil
- }
-
- t := jwt.New(jwt.GetSigningMethod("HS256"))
- t.Claims = claims
- encoded, e := t.SignedString(signingKey)
- return EncodedJwt(encoded), e
-}
-
 func DecodeJwt(signingKey SigningKey, tokenString EncodedJwt) (token *jwt.Token, err error) {
 // check exp, nbf
 return jwt.Parse(string(tokenString), func(token *jwt.Token) (interface{}, error) {
+ if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+ return nil, fmt.Errorf("unknown token method")
+ }
 return signingKey, nil
 })
 } |
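Review bot: `SeaweedFileIdClaims` is exported without a doc comment, and nothing in this hunk states what a token carrying it is meant to authorize or how long it lives. Going by the commit title, I would add `// SeaweedFileIdClaims is the JWT payload that authorizes write access to the single file id in Fid; GenJwt issues it with a 10-second expiry.` above the type. The literal in GenJwt also reads more clearly with keyed fields, `Fid: fileId, StandardClaims: jwt.StandardClaims{...}`, so the claim that carries the file id is named at the point of construction. The file id moves from the standard `sub` claim to the custom `fid` claim here, so any verifier that still reads `Subject` (none is visible in this diff) would need the same update.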
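Review bot: The key function in DecodeJwt still returns `signingKey` as the named type `SigningKey`, while GenJwt in this same commit has to convert with `[]byte(signingKey)` before signing. If the jwt package's HMAC method type-asserts the key to `[]byte` (as dgrijalva/jwt-go does; the import path is not visible in this hunk), verification will reject every token with an invalid-key-type error, so the last line of the callback should be `return []byte(signingKey), nil`. Separately, `jwt.Parse` decodes into generic map claims rather than `SeaweedFileIdClaims`, so `fid` is not typed here and the comparison of `fid` against the requested file id has to happen in a caller that this diff does not show.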
