middleware/jwt: add debug logs for JWT failures
This commit is contained in:
parent
dab03f52dc
commit
0d9a2309fc
1 changed files with 33 additions and 1 deletions
|
@ -155,28 +155,58 @@ func validateJWT(ih bittorrent.InfoHash, jwtBytes []byte, cfgIss, cfgAud string,
|
||||||
|
|
||||||
claims := parsedJWT.Claims()
|
claims := parsedJWT.Claims()
|
||||||
if iss, ok := claims.Issuer(); !ok || iss != cfgIss {
|
if iss, ok := claims.Issuer(); !ok || iss != cfgIss {
|
||||||
|
log.WithFields(log.Fields{
|
||||||
|
"exists": ok,
|
||||||
|
"claim": iss,
|
||||||
|
"config": cfgIss,
|
||||||
|
}).Debugln("unequal or missing issuer when validating JWT")
|
||||||
return jwt.ErrInvalidISSClaim
|
return jwt.ErrInvalidISSClaim
|
||||||
}
|
}
|
||||||
|
|
||||||
if aud, ok := claims.Audience(); !ok || !validAudience(aud, cfgAud) {
|
if aud, ok := claims.Audience(); !ok || !validAudience(aud, cfgAud) {
|
||||||
|
log.WithFields(log.Fields{
|
||||||
|
"exists": ok,
|
||||||
|
"claim": aud,
|
||||||
|
"config": cfgAud,
|
||||||
|
}).Debugln("unequal or missing audience when validating JWT")
|
||||||
return jwt.ErrInvalidAUDClaim
|
return jwt.ErrInvalidAUDClaim
|
||||||
}
|
}
|
||||||
|
|
||||||
if ihClaim, ok := claims.Get("infohash").(string); !ok || !validInfoHash(ihClaim, ih) {
|
if ihClaim, ok := claims.Get("infohash").(string); !ok || !validInfoHash(ihClaim, ih) {
|
||||||
|
log.WithFields(log.Fields{
|
||||||
|
"exists": ok,
|
||||||
|
"request": ih,
|
||||||
|
"claim": ihClaim,
|
||||||
|
}).Debugln("unequal or missing infohash when validating JWT")
|
||||||
return errors.New("claim \"infohash\" is invalid")
|
return errors.New("claim \"infohash\" is invalid")
|
||||||
}
|
}
|
||||||
|
|
||||||
parsedJWS := parsedJWT.(jws.JWS)
|
parsedJWS := parsedJWT.(jws.JWS)
|
||||||
kid, ok := parsedJWS.Protected().Get("kid").(string)
|
kid, ok := parsedJWS.Protected().Get("kid").(string)
|
||||||
if !ok {
|
if !ok {
|
||||||
|
log.WithFields(log.Fields{
|
||||||
|
"exists": ok,
|
||||||
|
"claim": kid,
|
||||||
|
}).Debugln("missing kid when validating JWT")
|
||||||
return errors.New("invalid kid")
|
return errors.New("invalid kid")
|
||||||
}
|
}
|
||||||
publicKey, ok := publicKeys[kid]
|
publicKey, ok := publicKeys[kid]
|
||||||
if !ok {
|
if !ok {
|
||||||
|
log.WithFields(log.Fields{
|
||||||
|
"kid": kid,
|
||||||
|
}).Debugln("missing public key for kid when validating JWT")
|
||||||
return errors.New("signed by unknown kid")
|
return errors.New("signed by unknown kid")
|
||||||
}
|
}
|
||||||
|
|
||||||
return parsedJWS.Verify(publicKey, jc.SigningMethodRS256)
|
err = parsedJWS.Verify(publicKey, jc.SigningMethodRS256)
|
||||||
|
if err != nil {
|
||||||
|
log.WithFields(log.Fields{
|
||||||
|
"err": err,
|
||||||
|
}).Debugln("failed to verify signature of JWT")
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func validAudience(aud []string, cfgAud string) bool {
|
func validAudience(aud []string, cfgAud string) bool {
|
||||||
|
@ -188,6 +218,8 @@ func validAudience(aud []string, cfgAud string) bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// validInfoHash attempts to match the claim for the Infohash field of a JWT by
|
||||||
|
// checking both the raw and unescaped forms of the contents of the field.
|
||||||
func validInfoHash(claim string, ih bittorrent.InfoHash) bool {
|
func validInfoHash(claim string, ih bittorrent.InfoHash) bool {
|
||||||
if len(claim) == 20 && bittorrent.InfoHashFromString(claim) == ih {
|
if len(claim) == 20 && bittorrent.InfoHashFromString(claim) == ih {
|
||||||
return true
|
return true
|
||||||
|
|
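Review bot: The new debug lines in the issuer, audience and infohash branches (the `log.WithFields` calls after each failed check) record claim values taken from a token whose signature has not yet been checked — `parsedJWS.Verify` only runs at the end of the function — so the `claim`, `exists` and `request` fields hold attacker-controlled strings and must be treated as untrusted input wherever these logs are consumed. That is acceptable at debug level, but a short comment above the first of them would keep a later change from promoting them to a higher level or feeding them to alerting unsanitized, e.g. `// claim values below come from an as-yet-unverified token; log-only, never trust or act on them`. In the `kid` branch the fields `"exists": ok` and `"claim": kid` are constant (`ok` is always false there and `kid` is the zero value after the failed type assertion), so they add no information; either drop them or log the raw header entry `parsedJWS.Protected().Get("kid")` instead. `err` is assigned with `=` rather than `:=`, so it must be declared earlier in validateJWT, whose body begins outside the hunk.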