From d3b21e5adc27cbb472e688b7c602e3bd721dec31 Mon Sep 17 00:00:00 2001
From: "kali kaneko (leap communications)"
Date: Fri, 24 Jan 2020 22:24:26 -0600
Subject: protect certificate handler

---
 pkg/auth/middleware.go | 38 ++++++++++++++++++++++++++++++++++----
 1 file changed, 34 insertions(+), 4 deletions(-)

(limited to 'pkg')

diff --git a/pkg/auth/middleware.go b/pkg/auth/middleware.go
index a3a955c..5fe0ab7 100644
--- a/pkg/auth/middleware.go
+++ b/pkg/auth/middleware.go
@@ -1,12 +1,42 @@
 package auth
 
-import ()
-
 import (
+ "0xacab.org/leap/vpnweb/pkg/web"
 "github.com/auth0/go-jwt-middleware"
 jwt "github.com/dgrijalva/jwt-go"
+ "log"
+ "net/http"
 )
 
-func getProtectedHandler() {
- jwtMiddleware.Handler(CertHandler)
+const anonAuth string = "anon"
+const sipAuth string = "sip"
+
+var jwtSecret = []byte("somethingverysecret")
+
+func getHandler(ch web.CertHandler) func(w http.ResponseWriter, r *http.Request) {
+ return ch.CertResponder
+}
+
+//func AuthMiddleware(auth string, ch web.CertHandler) func(w http.ResponseWriter, r *http.Request) {
+func AuthMiddleware(auth string, ch web.CertHandler) http.Handler {
+
+ jwtMiddleware := jwtmiddleware.New(jwtmiddleware.Options{
+ ValidationKeyGetter: func(token *jwt.Token) (interface{}, error) {
+ return jwtSecret, nil
+ },
+ // When set, the middleware verifies that tokens are signed with the specific signing algorithm
+ // If the signing method is not constant the ValidationKeyGetter callback can be used to implement additional checks
+ // Important to avoid security issues described here: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
+ SigningMethod: jwt.SigningMethodHS256,
+ })
+
+ switch auth {
+ case anonAuth:
+ return http.HandlerFunc(ch.CertResponder)
+ case sipAuth:
+ return jwtMiddleware.Handler(http.HandlerFunc(ch.CertResponder))
+ default:
+ log.Fatal("Unknown auth module: '", auth, "'. Should be one of: ", anonAuth, ", ", sipAuth, ".")
+ }
+ return nil
 }
-- 
cgit v1.2.3
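Review bot: `var jwtSecret = []byte("somethingverysecret")` hard-codes the HS256 verification key in source, so anyone who can read the repository or its history can mint tokens that pass the `sipAuth` branch, and the key cannot be rotated without a rebuild and redeploy. Take it from configuration instead — e.g. `func AuthMiddleware(auth string, jwtSecret []byte, ch web.CertHandler) http.Handler {` with `ValidationKeyGetter` returning that parameter — and refuse to build the middleware when the key is empty, since nothing in this hunk rejects a zero-length key. `getHandler` is not referenced anywhere in the hunk, and the `default:` branch's `log.Fatal` followed by `return nil` makes a misconfigured caller of this library package terminate the process; returning `(http.Handler, error)` would let the caller decide how to fail. Pinning `SigningMethod` to HS256 is the right call and the comment explaining why should stay; `"log"` and `"net/http"` belong in a separate stdlib group ahead of the third-party imports per goimports convention.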