
Commit 9aad8e0

Check length and content of strings and fixed test
1 parent dba2163 commit 9aad8e0


2 files changed

+29
-11
lines changed


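--- a/build.sh
+++ b/build.sh
@@ -32,7 +32,11 @@ else
 echo -e "${RED}Secure test with jwt fail ${TEST_SECURE_EXPECT_200}${NONE}";
 fi
 
-TEST_SECURE_EXPECT_200=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure/index.html -H 'cache-control: no-cache' --header "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzb21lLWxvbmctdXVpZCIsImZpcnN0TmFtZSI6ImhlbGxvIiwgImxhc3ROYW1lIjoid29ybGQiLCJlbWFpbEFkZHJlc3MiOiJoZWxsb3dvcmxkQGV4YW1wbGUuY29tIiwgInJvbGVzIjpbInRoaXMiLCJ0aGF0IiwidGhlb3RoZXIiXSwgImlzcyI6Imlzc3VlciIsInBlcnNvbklkIjoiNzViYjNjYzctYjkzMy00NGYwLTkzYzYtMTQ3YjA4MmZhZGI1IiwgImV4cCI6MTkwODgzNTIwMCwiaWF0IjoxNDg4ODE5NjAwLCJ1c2VybmFtZSI6ImhlbGxvLndvcmxkIn0.TvDD63ZOqFKgE-uxPDdP5aGIsbl5xPKz4fMul3Zlti4;PassportKey=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzb21lLWxvbmctdXVpZCIsImZpcnN0TmFtZSI6ImhlbGxvIiwgImxhc3ROYW1lIjoid29ybGQiLCJlbWFpbEFkZHJlc3MiOiJoZWxsb3dvcmxkQGV4YW1wbGUuY29tIiwgInJvbGVzIjpbInRoaXMiLCJ0aGF0IiwidGhlb3RoZXIiXSwgImlzcyI6Imlzc3VlciIsInBlcnNvbklkIjoiNzViYjNjYzctYjkzMy00NGYwLTkzYzYtMTQ3YjA4MmZhZGI1IiwgImV4cCI6MTkwODgzNTIwMCwiaWF0IjoxNDg4ODE5NjAwLCJ1c2VybmFtZSI6ImhlbGxvLndvcmxkIn0.TvDD63ZOqFKgE-uxPDdP5aGIsbl5xPKz4fMul3Zlti4"`
+TEST_SECURE_EXPECT_200=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure/index.html -H 'cache-control: no-cache' --header "Authorization: Bearer
+eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzb21lLWxvbmctdXVpZCIsImZpcnN0TmFtZSI6ImhlbGxvIiwgImxhc3ROYW1lIjoid29ybGQiLCJlbWFpbEFkZHJlc3MiOiJoZWxsb3dvcmxkQGV4YW1wbGUuY29tIiwgInJvbGVzIjpbInRoaXMiLCJ0aGF0IiwidGhlb3RoZXIiXSwgImlzcyI6Imlzc3VlciIsInBlcnNvbklkIjoiNzViYjNjYzctYjkzMy00NGYwLTkzYzYtMTQ3YjA4MmZhZGI1IiwgImV4cCI6MTkwODgzNTIwMCwiaWF0IjoxNDg4ODE5NjAwLCJ1c2VybmFtZSI6ImhlbGxvLndvcmxkIn0.TvDD63ZOqFKgE-uxPDdP5aGIsbl5xPKz4fMul3Zlti4"
+--cookie "rampartjwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.
+eyJzdWIiOiJzb21lLWxvbmctdXVpZCIsImZpcnN0TmFtZSI6ImhlbGxvIiwgImxhc3ROYW1lIjoid29ybGQiLCJlbWFpbEFkZHJlc3MiOiJoZWxsb3dvcmxkQGV4YW1wbGUuY29tIiwgInJvbGVzIjpbInRoaXMiLCJ0aGF0IiwidGhlb3RoZXIiXSwgImlzcyI6Imlzc3VlciIsInBlcnNvbklkIjoiNzViYjNjYzctYjkzMy00NGYwLTkzYzYtMTQ3YjA4MmZhZGI1IiwgImV4cCI6MTkwODgzNTIwMCwiaWF0IjoxNDg4ODE5NjAwLCJ1c2VybmFtZSI6ImhlbGxvLndvcmxkIn0.TvDD63ZOqFKgE-uxPDdP5aGIsbl5xPKz4fMul3Zlti4;PassportKey=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.
+eyJzdWIiOiJzb21lLWxvbmctdXVpZCIsImZpcnN0TmFtZSI6ImhlbGxvIiwgImxhc3ROYW1lIjoid29ybGQiLCJlbWFpbEFkZHJlc3MiOiJoZWxsb3dvcmxkQGV4YW1wbGUuY29tIiwgInJvbGVzIjpbInRoaXMiLCJ0aGF0IiwidGhlb3RoZXIiXSwgImlzcyI6Imlzc3VlciIsInBlcnNvbklkIjoiNzViYjNjYzctYjkzMy00NGYwLTkzYzYtMTQ3YjA4MmZhZGI1IiwgImV4cCI6MTkwODgzNTIwMCwiaWF0IjoxNDg4ODE5NjAwLCJ1c2VybmFtZSI6ImhlbGxvLndvcmxkIn0.TvDD63ZOqFKgE-uxPDdP5aGIsbl5xPKz4fMul3Zlti4"`
 if [ "$TEST_SECURE_EXPECT_200" -eq "200" ];then
 echo -e "${GREEN}Secure test with jwt pass ${TEST_SECURE_EXPECT_200}${NONE}";
 else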
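Review bot: New lines 35–39 break the double-quoted `--header` and `--cookie` values across physical lines, and inside double quotes a bare newline is kept literally, so the script sends `Authorization: Bearer<newline><token>` and a cookie value containing newlines rather than the intended strings; whether curl then rejects or mangles them depends on the curl version, so the 200 check may not be exercising the new header/cookie comparison at all. Assign the token once, e.g. `JWT=<token>` on its own line, and reference it as `--header "Authorization: Bearer ${JWT}" --cookie "rampartjwt=${JWT};PassportKey=${JWT}"`, which also removes the three verbatim copies of the token. If a multi-line layout is wanted, end each continued line with a backslash placed outside the quotes instead.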

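--- a/src/ngx_http_auth_jwt_module.c
+++ b/src/ngx_http_auth_jwt_module.c
@@ -98,6 +98,7 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 jwt_alg_t alg;
 time_t exp;
 time_t now;
+int BEARER_LEN = 7; // strlen("Bearer ");
 
 jwtcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_jwt_module);
 
@@ -110,16 +111,6 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 // jwtcf->auth_jwt_key.data,
 // jwtcf->auth_jwt_enabled);
 
-ngx_table_elt_t *h;
-ngx_str_t authorizationHeaderName = ngx_string("Authorization");
-h = search_headers_in(r, authorizationHeaderName.data, authorizationHeaderName.len);
-if (h != NULL)
-{
-char* authvalue = ngx_str_t_to_char_ptr(r->pool, h->value);
-ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "authorization header %s", authvalue);
-}
-
-
 
 // get the cookie
 // TODO: the cookie name could be passed in dynamicallly
@@ -175,6 +166,29 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 goto redirect;
 }
 
+// if an Authorization header exists, it must match the cookie
+ngx_table_elt_t *authorizationHeader;
+ngx_str_t authorizationHeaderName = ngx_string("Authorization");
+authorizationHeader = search_headers_in(r, authorizationHeaderName.data, authorizationHeaderName.len);
+if (authorizationHeader != NULL)
+{
+// compare lengths first
+if (authorizationHeader->value.len != jwtCookieVal.len + BEARER_LEN)
+{
+ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "Authorization and Cookie do not match lengths");
+goto redirect;
+}
+
+if (0 != strncmp(authorizationHeader->value.data + BEARER_LEN, jwtCookieVal.data))
+{
+ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "Authorization and Cookie do not match content");
+goto redirect;
+}
+
+char* authvalue = ngx_str_t_to_char_ptr(r->pool, authorizationHeader->value);
+ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "authorization header %s", authvalue);
+}
+
 return NGX_OK;
 
 redirect: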
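Review bot: The `strncmp` on new line 182 is called with only two arguments, so this cannot compile as written, and even once a length is supplied it skips the first BEARER_LEN bytes without ever checking that they actually read `Bearer `. nginx's own helpers fit here: `if (ngx_strncasecmp(authorizationHeader->value.data, (u_char *) "Bearer ", BEARER_LEN) != 0 || ngx_memcmp(authorizationHeader->value.data + BEARER_LEN, jwtCookieVal.data, jwtCookieVal.len) != 0)` replaces the single comparison, and the bounds are safe because the length check on line 176 already ran. Lines 188–189 then write the complete Authorization value, i.e. the bearer token, to the error log at NGX_LOG_ERR on every successful request, reintroducing the logging that the second hunk removes at old lines 118–119; dropping those two lines, or logging only that a header was present at NGX_LOG_DEBUG, keeps credentials out of the log. `int BEARER_LEN = 7` on line 101 is mixed into size_t arithmetic, so `static const size_t BEARER_LEN = sizeof("Bearer ") - 1;` avoids the sign conversion and the hand-counted constant. ngx_http_auth_jwt_handler and jwtCookieVal are declared outside these hunks.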
