37: Removed auth_jwt_redirect and auth_jwt_loginurl directives

Author: max-lt

.gitignore

@@ -0,0 +1 @@
+ngx_http_auth_jwt_module.so

README.md

@@ -11,16 +11,23 @@ This module requires several new nginx.conf directives, which can be specified i
 
 ```
 auth_jwt_key "00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF";
-auth_jwt_loginurl "https://yourdomain.com/loginpage";
 auth_jwt_enabled on;
 auth_jwt_algorithm HS256; # or RS256
 auth_jwt_validate_email on;  # or off
 ```
 
-So, a typical use would be to specify the key and loginurl on the main level and then only turn on the locations that you want to secure (not the login page).  Unauthorized requests are given 302 "Moved Temporarily" responses with a ___location of the specified loginurl.
+So, a typical use would be to specify the key on the main level and then only turn on the locations that you want to secure (not the login page).  Unauthorized requests are given 401 "Unauthorized" responses, you can redirect them with the nginx's `error_page` directive.
 
 ```
-auth_jwt_redirect            off;
+___location @login_redirect {
+  allow all;
+  return 302 https://yourdomain.com/loginpage;
+}
+
+___location /secure-___location/ {
+  auth_jwt_enabled   on;
+  error_page  401 = @login_redirect;
+}
 ```
 If you prefer to return 401 Unauthorized, you may turn `auth_jwt_redirect` off.
 

resources/test-jwt-nginx.conf

@@ -1,33 +1,38 @@
 server {
     auth_jwt_key                 "00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF";
-    auth_jwt_loginurl            "https://teslagov.com";
+    set $auth_jwt_login_url      "https://teslagov.com";
     auth_jwt_enabled             off;
-    auth_jwt_redirect            on;
 
     listen       8000;
     server_name  localhost;
 
+    root  /usr/share/nginx/html;
+    index  index.html index.htm;
+
+    ___location @login_redirect {
+      return 302 $auth_jwt_login_url?redirect=$request_uri&$args;
+    }
+
     ___location ~ ^/secure-no-redirect/ {
+        rewrite "" / break;
         auth_jwt_enabled   on;
-        auth_jwt_redirect  off;
-        root  /usr/share/nginx;
-        index  index.html index.htm;
     }
 
     ___location ~ ^/secure/ {
+        rewrite "" / break;
         auth_jwt_enabled   on;
         auth_jwt_validation_type COOKIE=rampartjwt;
-        root  /usr/share/nginx;
-        index  index.html index.htm;
+        error_page  401 = @login_redirect;
     }
 
     ___location ~ ^/secure-auth-header/ {
+        rewrite "" / break;
         auth_jwt_enabled on;
-        root  /usr/share/nginx;
-        index  index.html index.htm;
+        error_page  401 = @login_redirect;
     }
 
     ___location ~ ^/secure-rs256/ {
+        rewrite "" / break;
         auth_jwt_enabled on;
         auth_jwt_validation_type COOKIE=rampartjwt;
         auth_jwt_algorithm RS256;
@@ -40,13 +45,7 @@ ZQX0miOXXWdkQvWTZFXhmsFCmJLE67oQFSar4hzfAaCulaMD+b3Mcsjlh0yvSq7g
 K49NdYBvFP+hNVEoeZzJz5K/nd6C35IX0t2bN5CVXchUFmaUMYk2iPdhXdsC720t
 BwIDAQAB
 -----END PUBLIC KEY-----";
-        root  /usr/share/nginx;
-        index  index.html index.htm;
     }
 
-    ___location / {
-        root   /usr/share/nginx/html;
-        index  index.html index.htm;
-    }
+    ___location / {}
 }
-

src/ngx_http_auth_jwt_module.c

@@ -19,10 +19,8 @@
 #include "ngx_http_auth_jwt_string.h"
 
 typedef struct {
-	ngx_str_t    auth_jwt_loginurl;
 	ngx_str_t    auth_jwt_key;
 	ngx_flag_t   auth_jwt_enabled;
-	ngx_flag_t   auth_jwt_redirect;
 	ngx_str_t    auth_jwt_validation_type;
 	ngx_str_t    auth_jwt_algorithm;
 	ngx_flag_t   auth_jwt_validate_email;
@@ -37,13 +35,6 @@ static char * getJwt(ngx_http_request_t *r, ngx_str_t auth_jwt_validation_type);
 
 static ngx_command_t ngx_http_auth_jwt_commands[] = {
 
-	{ ngx_string("auth_jwt_loginurl"),
-		NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
-		ngx_conf_set_str_slot,
-		NGX_HTTP_LOC_CONF_OFFSET,
-		offsetof(ngx_http_auth_jwt_loc_conf_t, auth_jwt_loginurl),
-		NULL },
-
 	{ ngx_string("auth_jwt_key"),
 		NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
 		ngx_conf_set_str_slot,
@@ -58,13 +49,6 @@ static ngx_command_t ngx_http_auth_jwt_commands[] = {
 		offsetof(ngx_http_auth_jwt_loc_conf_t, auth_jwt_enabled),
 		NULL },
 
-	{ ngx_string("auth_jwt_redirect"),
-		NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
-		ngx_conf_set_flag_slot,
-		NGX_HTTP_LOC_CONF_OFFSET,
-		offsetof(ngx_http_auth_jwt_loc_conf_t, auth_jwt_redirect),
-		NULL },
-
 	{ ngx_string("auth_jwt_validation_type"),
 		NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
 		ngx_conf_set_str_slot,
@@ -126,7 +110,6 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 	ngx_str_t useridHeaderName = ngx_string("x-userid");
 	ngx_str_t emailHeaderName = ngx_string("x-email");
 	char* jwtCookieValChrPtr;
-	char* return_url;
 	ngx_http_auth_jwt_loc_conf_t *jwtcf;
 	u_char *keyBinary;
 	jwt_t *jwt = NULL;
@@ -140,21 +123,21 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 	time_t now;
 	ngx_str_t auth_jwt_algorithm;
 	int keylen;
-	
+
 	jwtcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_jwt_module);
-	
-	if (!jwtcf->auth_jwt_enabled) 
+
+	if (!jwtcf->auth_jwt_enabled)
 	{
 		return NGX_DECLINED;
 	}
-	
+
 	jwtCookieValChrPtr = getJwt(r, jwtcf->auth_jwt_validation_type);
 	if (jwtCookieValChrPtr == NULL)
 	{
 		ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "failed to find a jwt");
-		goto redirect;
+		return NGX_HTTP_UNAUTHORIZED;
 	}
-	
+
 	// convert key from hex to binary, if a symmetric key
 
 	auth_jwt_algorithm = jwtcf->auth_jwt_algorithm;
@@ -165,7 +148,7 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 		if (0 != hex_to_binary((char *)jwtcf->auth_jwt_key.data, keyBinary, jwtcf->auth_jwt_key.len))
 		{
 			ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "failed to turn hex key into binary");
-			goto redirect;
+		    return NGX_HTTP_UNAUTHORIZED;
 		}
 	}
 	else if ( auth_jwt_algorithm.len == sizeof("RS256") - 1 && ngx_strncmp(auth_jwt_algorithm.data, "RS256", sizeof("RS256") - 1) == 0 )
@@ -177,32 +160,32 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 	else
 	{
 		ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "unsupported algorithm");
-		goto redirect;
+		return NGX_HTTP_UNAUTHORIZED;
 	}
-	
+
 	// validate the jwt
 	jwtParseReturnCode = jwt_decode(&jwt, jwtCookieValChrPtr, keyBinary, keylen);
 	if (jwtParseReturnCode != 0)
 	{
 		ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "failed to parse jwt");
-		goto redirect;
+		return NGX_HTTP_UNAUTHORIZED;
 	}
-	
+
 	// validate the algorithm
 	alg = jwt_get_alg(jwt);
 	if (alg != JWT_ALG_HS256 && alg != JWT_ALG_RS256)
 	{
 		ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "invalid algorithm in jwt %d", alg);
-		goto redirect;
+		return NGX_HTTP_UNAUTHORIZED;
 	}
-	
+
 	// validate the exp date of the JWT
 	exp = (time_t)jwt_get_grant_int(jwt, "exp");
 	now = time(NULL);
 	if (exp < now)
 	{
 		ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "the jwt has expired");
-		goto redirect;
+		return NGX_HTTP_UNAUTHORIZED;
 	}
 
 	// extract the userid
@@ -234,103 +217,6 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 	jwt_free(jwt);
 
 	return NGX_OK;
-	
-	redirect:
-
-		if (jwt)
-		{
-			jwt_free(jwt);
-		}
-
-		r->headers_out.___location = ngx_list_push(&r->headers_out.headers);
-		
-		if (r->headers_out.___location == NULL) 
-		{
-			ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
-		}
-
-		r->headers_out.___location->hash = 1;
-		r->headers_out.___location->key.len = sizeof("Location") - 1;
-		r->headers_out.___location->key.data = (u_char *) "Location";
-
-		if (r->method == NGX_HTTP_GET)
-		{
-			int loginlen;
-			char * scheme;
-			ngx_str_t server;
-			ngx_str_t uri_variable_name = ngx_string("request_uri");
-			ngx_int_t uri_variable_hash;
-			ngx_http_variable_value_t * request_uri_var;
-			ngx_str_t uri;
-			ngx_str_t uri_escaped;
-			uintptr_t escaped_len;
-
-			loginlen = jwtcf->auth_jwt_loginurl.len;
-
-			scheme = (r->connection->ssl) ? "https" : "http";
-			server = r->headers_in.server;
-
-			// get the URI
-			uri_variable_hash = ngx_hash_key(uri_variable_name.data, uri_variable_name.len);
-			request_uri_var = ngx_http_get_variable(r, &uri_variable_name, uri_variable_hash);
-
-			// get the URI
-			if(request_uri_var && !request_uri_var->not_found && request_uri_var->valid)
-			{
-				// ideally we would like the uri with the querystring parameters
-				uri.data = ngx_palloc(r->pool, request_uri_var->len);
-				uri.len = request_uri_var->len;
-				ngx_memcpy(uri.data, request_uri_var->data, request_uri_var->len);
-
-				// ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "found uri with querystring %s", ngx_str_t_to_char_ptr(r->pool, uri));
-			}
-			else
-			{
-				// fallback to the querystring without params
-				uri = r->uri;
-
-				// ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "fallback to querystring without params");
-			}
-
-			// escape the URI
-			escaped_len = 2 * ngx_escape_uri(NULL, uri.data, uri.len, NGX_ESCAPE_ARGS) + uri.len;
-			uri_escaped.data = ngx_palloc(r->pool, escaped_len);
-			uri_escaped.len = escaped_len;
-			ngx_escape_uri(uri_escaped.data, uri.data, uri.len, NGX_ESCAPE_ARGS);
-
-			r->headers_out.___location->value.len = loginlen + sizeof("?return_url=") - 1 + strlen(scheme) + sizeof("://") - 1 + server.len + uri_escaped.len;
-			return_url = ngx_palloc(r->pool, r->headers_out.___location->value.len);
-			ngx_memcpy(return_url, jwtcf->auth_jwt_loginurl.data, jwtcf->auth_jwt_loginurl.len);
-			int return_url_idx = jwtcf->auth_jwt_loginurl.len;
-			ngx_memcpy(return_url+return_url_idx, "?return_url=", sizeof("?return_url=") - 1);
-			return_url_idx += sizeof("?return_url=") - 1;
-			ngx_memcpy(return_url+return_url_idx, scheme, strlen(scheme));
-			return_url_idx += strlen(scheme);
-			ngx_memcpy(return_url+return_url_idx, "://", sizeof("://") - 1);
-			return_url_idx += sizeof("://") - 1;
-			ngx_memcpy(return_url+return_url_idx, server.data, server.len);
-			return_url_idx += server.len;
-			ngx_memcpy(return_url+return_url_idx, uri_escaped.data, uri_escaped.len);
-			return_url_idx += uri_escaped.len;
-			r->headers_out.___location->value.data = (u_char *)return_url;
-
-			// ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "return_url: %s", ngx_str_t_to_char_ptr(r->pool, r->headers_out.___location->value));
-		}
-		else
-		{
-			// for non-get requests, redirect to the login page without a return URL
-			r->headers_out.___location->value.len = jwtcf->auth_jwt_loginurl.len;
-			r->headers_out.___location->value.data = jwtcf->auth_jwt_loginurl.data;
-		}
-
-		if (jwtcf->auth_jwt_redirect)
-		{
-			return NGX_HTTP_MOVED_TEMPORARILY;
-		}
-		else
-		{
-			return NGX_HTTP_UNAUTHORIZED;
-		}
 }
 
 
@@ -342,7 +228,7 @@ static ngx_int_t ngx_http_auth_jwt_init(ngx_conf_t *cf)
 	cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);
 
 	h = ngx_array_push(&cmcf->phases[NGX_HTTP_ACCESS_PHASE].handlers);
-	if (h == NULL) 
+	if (h == NULL)
 	{
 		return NGX_ERROR;
 	}
@@ -359,18 +245,17 @@ ngx_http_auth_jwt_create_loc_conf(ngx_conf_t *cf)
 	ngx_http_auth_jwt_loc_conf_t *conf;
 
 	conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_auth_jwt_loc_conf_t));
-	if (conf == NULL) 
+	if (conf == NULL)
 	{
 		return NULL;
 	}
-	
+
 	// set the flag to unset
 	conf->auth_jwt_enabled = (ngx_flag_t) -1;
-	conf->auth_jwt_redirect = (ngx_flag_t) -1;
 	conf->auth_jwt_validate_email = (ngx_flag_t) -1;
 
 	ngx_conf_log_error(NGX_LOG_DEBUG, cf, 0, "Created Location Configuration");
-	
+
 	return conf;
 }
 
@@ -381,20 +266,14 @@ ngx_http_auth_jwt_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
 	ngx_http_auth_jwt_loc_conf_t *prev = parent;
 	ngx_http_auth_jwt_loc_conf_t *conf = child;
 
-	ngx_conf_merge_str_value(conf->auth_jwt_loginurl, prev->auth_jwt_loginurl, "");
 	ngx_conf_merge_str_value(conf->auth_jwt_key, prev->auth_jwt_key, "");
 	ngx_conf_merge_str_value(conf->auth_jwt_validation_type, prev->auth_jwt_validation_type, "");
 	ngx_conf_merge_str_value(conf->auth_jwt_algorithm, prev->auth_jwt_algorithm, "HS256");
 	ngx_conf_merge_off_value(conf->auth_jwt_validate_email, prev->auth_jwt_validate_email, 1);
-	
-	if (conf->auth_jwt_enabled == ((ngx_flag_t) -1)) 
-	{
-		conf->auth_jwt_enabled = (prev->auth_jwt_enabled == ((ngx_flag_t) -1)) ? 0 : prev->auth_jwt_enabled;
-	}
 
-	if (conf->auth_jwt_redirect == ((ngx_flag_t) -1))
+	if (conf->auth_jwt_enabled == ((ngx_flag_t) -1))
 	{
-		conf->auth_jwt_redirect = (prev->auth_jwt_redirect == ((ngx_flag_t) -1)) ? 0 : prev->auth_jwt_redirect;
+		conf->auth_jwt_enabled = (prev->auth_jwt_enabled == ((ngx_flag_t) -1)) ? 0 : prev->auth_jwt_enabled;
 	}
 
 	return NGX_CONF_OK;
@@ -435,7 +314,7 @@ static char * getJwt(ngx_http_request_t *r, ngx_str_t auth_jwt_validation_type)
 		// get the cookie
 		// TODO: the cookie name could be passed in dynamicallly
 		n = ngx_http_parse_multi_header_lines(&r->headers_in.cookies, &auth_jwt_validation_type, &jwtCookieVal);
-		if (n != NGX_DECLINED) 
+		if (n != NGX_DECLINED)
 		{
 			jwtCookieValChrPtr = ngx_str_t_to_char_ptr(r->pool, jwtCookieVal);
 		}