validate_token_exp, private
This commit is contained in:
parent
af936cb46e
commit
4720b6f233
84
src/http.c
84
src/http.c
@ -116,12 +116,18 @@ http_process_headers(struct http_transaction *ta)
|
|||||||
ta->req_content_len = atoi(field_value);
|
ta->req_content_len = atoi(field_value);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ta->valid_token = false; // special case?
|
||||||
/* Handle other headers here. Both field_value and field_name
|
/* Handle other headers here. Both field_value and field_name
|
||||||
* are zero-terminated strings.
|
* are zero-terminated strings.
|
||||||
*/
|
*/
|
||||||
if (!strcasecmp(field_name, "Cookie")) {
|
if (!strcasecmp(field_name, "Cookie")) {
|
||||||
|
if (field_value == NULL)
|
||||||
|
return false;
|
||||||
|
ta->token = field_value + 11; // + 11 gets rid of "auth_token=" heading.
|
||||||
|
|
||||||
|
ta->valid_token = validate_token_exp(ta, ta->token);
|
||||||
|
|
||||||
ta->cookie = bufio_ptr2offset(ta->client->bufio, field_name);
|
ta->cookie = bufio_ptr2offset(ta->client->bufio, field_name);
|
||||||
ta->token = field_value; // fix this! needs to be just auth_token part
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -294,22 +300,31 @@ guess_mime_type(char *filename)
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Check a token is not expired. */
|
/* Check a token is not expired. */
|
||||||
static bool validate_token_exp(struct http_transaction *ta, char* grants) {
|
bool validate_token_exp(struct http_transaction *ta, char* token) {
|
||||||
|
jwt_t* cookie;
|
||||||
|
|
||||||
char *gs = calloc(strlen(grants) + 1, sizeof(char));
|
// Decode token.
|
||||||
memcpy(gs, grants, strlen(grants) + 1);
|
int rc = jwt_decode(&cookie, ta->token, (unsigned char *)NEVER_EMBED_A_SECRET_IN_CODE, strlen(NEVER_EMBED_A_SECRET_IN_CODE));
|
||||||
char *end;
|
if (rc)
|
||||||
char *expire = strtok_r(gs, "{\":, }", &end);
|
return send_error(ta, HTTP_OK, "{}");
|
||||||
while (expire != NULL) {
|
|
||||||
if (!strcasecmp(expire, "exp")) {
|
// Get claim (formatted grants).
|
||||||
int exp = atoi(strtok_r(NULL, "{\":, }", &end));
|
char* grants = jwt_get_grants_json(cookie, NULL);
|
||||||
if (time(NULL) >= exp) {
|
if (grants == NULL)
|
||||||
return false;
|
return send_error(ta, HTTP_OK, "{}");
|
||||||
}
|
|
||||||
break;
|
// Get expiration time.
|
||||||
}
|
json_error_t error;
|
||||||
}
|
json_t *jgrants = json_loadb(grants, strlen(grants), 0, &error);
|
||||||
return true;
|
json_int_t exp, iat;
|
||||||
|
const char *sub;
|
||||||
|
json_unpack(jgrants, "{s:I, s:I, s:s}", "exp", &exp, "iat", &iat, "sub", &sub);
|
||||||
|
|
||||||
|
// Check expiration time.
|
||||||
|
if (time(NULL) >= exp)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Handle HTTP transaction for static files. */
|
/* Handle HTTP transaction for static files. */
|
||||||
@ -340,6 +355,7 @@ handle_static_asset(struct http_transaction *ta, char *basedir)
|
|||||||
snprintf(fname, sizeof fname, "%s%s", server_root, "/index.html");
|
snprintf(fname, sizeof fname, "%s%s", server_root, "/index.html");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
if (access(fname, R_OK)) {
|
if (access(fname, R_OK)) {
|
||||||
if (errno == EACCES)
|
if (errno == EACCES)
|
||||||
return send_error(ta, HTTP_PERMISSION_DENIED, "Permission denied.");
|
return send_error(ta, HTTP_PERMISSION_DENIED, "Permission denied.");
|
||||||
@ -436,10 +452,12 @@ post_handle_login(struct http_transaction *ta)
|
|||||||
// Add Set-Cookie header.
|
// Add Set-Cookie header.
|
||||||
http_add_header(&ta->resp_headers, "Set-Cookie", "auth_token=%s; Path=%s; Max-Age=%d; HttpOnly", token, "/", max_age);
|
http_add_header(&ta->resp_headers, "Set-Cookie", "auth_token=%s; Path=%s; Max-Age=%d; HttpOnly", token, "/", max_age);
|
||||||
|
|
||||||
//
|
// Get claim (formatted grants).
|
||||||
char *grants = jwt_get_grants_json(cookie, NULL);
|
char *grants = jwt_get_grants_json(cookie, NULL);
|
||||||
buffer_appends(&ta->resp_body, grants);
|
buffer_appends(&ta->resp_body, grants);
|
||||||
buffer_appends(&ta->resp_body, CRLF);
|
buffer_appends(&ta->resp_body, CRLF);
|
||||||
|
|
||||||
|
// Send claim.
|
||||||
ta->resp_status = HTTP_OK;
|
ta->resp_status = HTTP_OK;
|
||||||
return send_response(ta);
|
return send_response(ta);
|
||||||
}
|
}
|
||||||
@ -451,29 +469,14 @@ post_handle_login(struct http_transaction *ta)
|
|||||||
static bool get_handle_login(struct http_transaction *ta) {
|
static bool get_handle_login(struct http_transaction *ta) {
|
||||||
http_add_header(&ta->resp_headers, "Content-Type", "application/json");
|
http_add_header(&ta->resp_headers, "Content-Type", "application/json");
|
||||||
|
|
||||||
if (ta->token == NULL) {
|
if (!ta->valid_token) {
|
||||||
return send_error(ta, HTTP_OK, "{}");
|
|
||||||
}
|
|
||||||
|
|
||||||
jwt_t *cookie;
|
|
||||||
int rc = jwt_decode(&cookie, ta->token, (unsigned char *) "key", 3);
|
|
||||||
if (rc) {
|
|
||||||
return send_error(ta, HTTP_OK, "{}\n");
|
|
||||||
}
|
|
||||||
/* Send claims */
|
|
||||||
char *grants = jwt_get_grants_json(cookie, NULL);
|
|
||||||
if (grants == NULL) {
|
|
||||||
return send_error(ta, HTTP_OK, "{}\n");
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!validate_token_exp(ta, grants)) {
|
|
||||||
return send_error(ta, HTTP_PERMISSION_DENIED,"Forbidden.\n");
|
return send_error(ta, HTTP_PERMISSION_DENIED,"Forbidden.\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
char *json = buffer_ensure_capacity(&ta->resp_body, MAX_HEADER_LEN);
|
//~ char *json = buffer_ensure_capacity(&ta->resp_body, MAX_HEADER_LEN);
|
||||||
int len = snprintf(json, strlen(grants) + 2, "%s\n", grants);
|
//~ int len = snprintf(json, strlen(grants) + 2, "%s\n", grants);
|
||||||
int length = len > MAX_HEADER_LEN ? MAX_HEADER_LEN - 1 : len;
|
//~ int length = len > MAX_HEADER_LEN ? MAX_HEADER_LEN - 1 : len;
|
||||||
ta->resp_body.len += length;
|
//~ ta->resp_body.len += length;
|
||||||
|
|
||||||
return send_response(ta);
|
return send_response(ta);
|
||||||
}
|
}
|
||||||
@ -595,7 +598,10 @@ http_setup_client(struct http_client *self, struct bufio *bufio)
|
|||||||
static bool
|
static bool
|
||||||
handle_private(struct http_transaction *ta)
|
handle_private(struct http_transaction *ta)
|
||||||
{
|
{
|
||||||
return false;
|
if (ta->valid_token) {
|
||||||
|
return handle_static_asset(ta, server_root);
|
||||||
|
}
|
||||||
|
return send_error(ta, HTTP_PERMISSION_DENIED,"Forbidden.\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Handle a single HTTP transaction. Returns true on success. */
|
/* Handle a single HTTP transaction. Returns true on success. */
|
||||||
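Review bot: In validate_token_exp the `return send_error(ta, HTTP_OK, "{}")` on jwt_decode failure and on a NULL grants string makes a decode/signature failure evaluate to whatever send_error returns — it writes a 200 response from inside header parsing, because http_process_headers now calls this function for the Cookie header, and if send_error reports success as true (its use as the handler's own return value in get_handle_login suggests it does) a token that failed to decode is recorded in ta->valid_token as valid and handle_private then serves the private asset. Both sites should be `return false;` and leave the response to the request handler. The json_loadb and json_unpack results are also unchecked, so a token with no `exp` claim compares time(NULL) against an uninitialized `exp`, and `cookie`, `grants` and `jgrants` are never released on any path, which leaks per request. The rewrite below checks each step, treats any failure as an invalid token and frees everything on one exit path; separately, `ta->token = field_value + 11` in http_process_headers should first confirm the value begins with the expected prefix, e.g. `if (strncmp(field_value, "auth_token=", 11) != 0) return false;`, since a shorter Cookie value moves the pointer past the end of the string.
```c
bool validate_token_exp(struct http_transaction *ta, char* token) {
    jwt_t *cookie = NULL;
    json_t *jgrants = NULL;
    char *grants = NULL;
    bool valid = false;

    if (token == NULL)
        return false;

    // A validator must not write a response; report failure to the caller.
    if (jwt_decode(&cookie, token, (unsigned char *)NEVER_EMBED_A_SECRET_IN_CODE,
                   strlen(NEVER_EMBED_A_SECRET_IN_CODE)) != 0)
        return false;

    grants = jwt_get_grants_json(cookie, NULL);
    if (grants == NULL)
        goto out;

    json_error_t error;
    jgrants = json_loadb(grants, strlen(grants), 0, &error);
    if (jgrants == NULL)
        goto out;

    json_int_t exp, iat;
    const char *sub;
    // A missing or ill-typed claim is an invalid token, not an uninitialized exp.
    if (json_unpack(jgrants, "{s:I, s:I, s:s}", "exp", &exp, "iat", &iat, "sub", &sub) != 0)
        goto out;

    valid = time(NULL) < exp;

out:
    json_decref(jgrants);
    free(grants);
    jwt_free(cookie);
    return valid;
}
```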
|
@ -42,6 +42,7 @@ struct http_transaction {
|
|||||||
|
|
||||||
size_t cookie; // offset to cookie header
|
size_t cookie; // offset to cookie header
|
||||||
char *token; // authentication token
|
char *token; // authentication token
|
||||||
|
bool valid_token;
|
||||||
|
|
||||||
/* response related fields */
|
/* response related fields */
|
||||||
enum http_response_status resp_status;
|
enum http_response_status resp_status;
|
||||||
@ -58,5 +59,6 @@ struct http_client {
|
|||||||
void http_setup_client(struct http_client *, struct bufio *bufio);
|
void http_setup_client(struct http_client *, struct bufio *bufio);
|
||||||
bool http_handle_transaction(struct http_client *);
|
bool http_handle_transaction(struct http_client *);
|
||||||
void http_add_header(buffer_t * resp, char* key, char* fmt, ...);
|
void http_add_header(buffer_t * resp, char* key, char* fmt, ...);
|
||||||
|
bool validate_token_exp(struct http_transaction *ta, char* token);
|
||||||
|
|
||||||
#endif /* _HTTP_H */
|
#endif /* _HTTP_H */
|
||||||
|