Update the JWT signing algo when the signing key is changed in the config
This commit is contained in:
parent
d3a3d4dbf5
commit
3bd48bbac1
|
@ -3,6 +3,7 @@ package config
|
|||
import (
|
||||
"fmt"
|
||||
"github.com/creasty/defaults"
|
||||
"github.com/gbrlsnchs/jwt/v3"
|
||||
"go.uber.org/zap"
|
||||
"gopkg.in/yaml.v2"
|
||||
"io/ioutil"
|
||||
|
@ -231,7 +232,9 @@ func ReadConfiguration(path string) (*Configuration, error) {
|
|||
}
|
||||
|
||||
var Mutex sync.RWMutex
|
||||
|
||||
var _config *Configuration
|
||||
var _jwtAlgo *jwt.HMACSHA
|
||||
var _debugViaFlag bool
|
||||
|
||||
// Set the global configuration instance. This is a blocking operation such that
|
||||
|
@ -239,6 +242,11 @@ var _debugViaFlag bool
|
|||
// will be paused until it is complete.
|
||||
func Set(c *Configuration) {
|
||||
Mutex.Lock()
|
||||
|
||||
if _config == nil || _config.AuthenticationToken != c.AuthenticationToken {
|
||||
_jwtAlgo = jwt.NewHS256([]byte(c.AuthenticationToken))
|
||||
}
|
||||
|
||||
_config = c
|
||||
Mutex.Unlock()
|
||||
}
|
||||
|
@ -256,6 +264,14 @@ func Get() *Configuration {
|
|||
return _config
|
||||
}
|
||||
|
||||
// Returns the in-memory JWT algorithm.
|
||||
func GetJwtAlgorithm() *jwt.HMACSHA {
|
||||
Mutex.RLock()
|
||||
defer Mutex.RUnlock()
|
||||
|
||||
return _jwtAlgo
|
||||
}
|
||||
|
||||
// Ensures that the Pterodactyl core user exists on the system. This user will be the
|
||||
// owner of all data in the root data directory and is used as the user within containers.
|
||||
//
|
||||
|
|
|
@ -6,8 +6,6 @@ import (
|
|||
"time"
|
||||
)
|
||||
|
||||
var alg *jwt.HMACSHA
|
||||
|
||||
type TokenData interface {
|
||||
GetPayload() *jwt.Payload
|
||||
}
|
||||
|
@ -18,16 +16,12 @@ type TokenData interface {
|
|||
//
|
||||
// This simply returns a parsed token.
|
||||
func ParseToken(token []byte, data TokenData) error {
|
||||
if alg == nil {
|
||||
alg = jwt.NewHS256([]byte(config.Get().AuthenticationToken))
|
||||
}
|
||||
|
||||
verifyOptions := jwt.ValidatePayload(
|
||||
data.GetPayload(),
|
||||
jwt.ExpirationTimeValidator(time.Now()),
|
||||
)
|
||||
|
||||
_, err := jwt.Verify(token, alg, &data, verifyOptions)
|
||||
_, err := jwt.Verify(token, config.GetJwtAlgorithm(), &data, verifyOptions)
|
||||
|
||||
return err
|
||||
}
|
||||
|
|
|
@ -7,8 +7,8 @@ import (
|
|||
)
|
||||
|
||||
type TokenStore struct {
|
||||
sync.Mutex
|
||||
cache *cache.Cache
|
||||
mutex *sync.Mutex
|
||||
}
|
||||
|
||||
var _tokens *TokenStore
|
||||
|
@ -20,16 +20,16 @@ func getTokenStore() *TokenStore {
|
|||
if _tokens == nil {
|
||||
_tokens = &TokenStore{
|
||||
cache: cache.New(time.Minute*60, time.Minute*5),
|
||||
mutex: &sync.Mutex{},
|
||||
}
|
||||
}
|
||||
|
||||
return _tokens
|
||||
}
|
||||
|
||||
// Checks if a token is valid or not.
|
||||
func (t *TokenStore) IsValidToken(token string) bool {
|
||||
t.mutex.Lock()
|
||||
defer t.mutex.Unlock()
|
||||
t.Lock()
|
||||
defer t.Unlock()
|
||||
|
||||
_, exists := t.cache.Get(token)
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user