Commit ce48f82

Add a 5s leeway to JWT validation
1 parent a829cf4 commit ce48f82

2 files changed

+24
-11
lines changed


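--- a/router/router.go
+++ b/router/router.go
@@ -1,7 +1,6 @@
 package router
 
 import (
-	"context"
 	cryptoRand "crypto/rand"
 	"crypto/sha256"
 	"encoding/hex"
@@ -116,11 +115,17 @@ func RunRouter(
 		return c.Blob(http.StatusOK, echo.MIMEOctetStream, serializedResponse)
 
 	}, middleware.BodyLimit("2K"), echojwt.WithConfig(echojwt.Config{
-		KeyFunc: func(t *jwt.Token) (interface{}, error) {
-			return secrets.GetJWTSigningKey(context.TODO(), provider.SecretsManager, t)
-		},
-		NewClaimsFunc: func(_ echo.Context) jwt.Claims {
-			return &claims{}
+		ParseTokenFunc: func(c echo.Context, auth string) (interface{}, error) {
+			token, err := jwt.ParseWithClaims(auth, &claims{}, func(t *jwt.Token) (interface{}, error) {
+				return secrets.GetJWTSigningKey(c.Request().Context(), provider.SecretsManager, t)
+			}, jwt.WithLeeway(5*time.Second))
+			if err != nil {
+				return nil, &echojwt.TokenError{Token: token, Err: err}
+			}
+			if !token.Valid {
+				return nil, &echojwt.TokenError{Token: token, Err: errors.New("invalid token")}
+			}
+			return token, nil
 		},
 	}))
 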
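Review bot: Nothing in the new ParseTokenFunc pins the accepted signing algorithm: jwt.ParseWithClaims is now called directly with only jwt.WithLeeway, so which `alg` values are verified depends entirely on what secrets.GetJWTSigningKey does with t.Method, which is not visible in this hunk. If that key lookup does not already reject an unexpected method, adding `jwt.WithValidMethods([]string{...})` beside the leeway option, listing only the algorithm(s) the realm's signing keys are issued for, makes the parser enforce it independently of how the key lookup evolves. The leeway also applies to the nbf check, not just exp, which is fine for clock skew but worth stating, e.g. `// 5s leeway tolerates clock skew between token issuers and this realm (exp/nbf).` RunRouter begins and ends outside this hunk.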
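--- a/router/tenant_log.go
+++ b/router/tenant_log.go
@@ -3,9 +3,11 @@ package router
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
+	"time"
 
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/juicebox-systems/juicebox-software-realm/otel"
@@ -44,11 +46,17 @@ func NewTenantAPIServer(
 
 func AddTenantLogHandlers(e *echo.Echo, realmID types.RealmID, pubsub pubsub.PubSub, secretsManager secrets.SecretsManager, secretsPrefix string) {
 	jwtConfig := echojwt.Config{
-		KeyFunc: func(t *jwt.Token) (interface{}, error) {
-			return secrets.GetJWTSigningKeyWithPrefix(context.TODO(), secretsManager, secretsPrefix, t)
-		},
-		NewClaimsFunc: func(_ echo.Context) jwt.Claims {
-			return &claims{}
+		ParseTokenFunc: func(c echo.Context, auth string) (interface{}, error) {
+			token, err := jwt.ParseWithClaims(auth, &claims{}, func(t *jwt.Token) (interface{}, error) {
+				return secrets.GetJWTSigningKeyWithPrefix(c.Request().Context(), secretsManager, secretsPrefix, t)
+			}, jwt.WithLeeway(5*time.Second))
+			if err != nil {
+				return nil, &echojwt.TokenError{Token: token, Err: err}
+			}
+			if !token.Valid {
+				return nil, &echojwt.TokenError{Token: token, Err: errors.New("invalid token")}
+			}
+			return token, nil
 		},
 	}
 	e.POST("/tenant_log", func(c echo.Context) error {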
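Review bot: The ParseTokenFunc body in this hunk is a line-for-line copy of the one added to router/router.go in the same commit, differing only in the key lookup call; the 5-second leeway and the "invalid token" handling are now hard-coded in two places and will drift the next time one endpoint's validation is tightened. A package-level helper taking the jwt.Keyfunc, with the leeway as a named constant, keeps both endpoints on one parse path; the sketch below shows the helper and how this site would call it. Since both files are in package router, the helper can live in either file. AddTenantLogHandlers continues past the end of this hunk.

```go
// jwtLeeway is the clock-skew tolerance applied to the token's time claims.
const jwtLeeway = 5 * time.Second

// parseJWT parses and validates auth with keyFunc, wrapping any failure in an
// echojwt.TokenError so the middleware's error handling is unchanged.
func parseJWT(auth string, keyFunc jwt.Keyfunc) (*jwt.Token, error) {
	token, err := jwt.ParseWithClaims(auth, &claims{}, keyFunc, jwt.WithLeeway(jwtLeeway))
	if err != nil {
		return nil, &echojwt.TokenError{Token: token, Err: err}
	}
	if !token.Valid {
		return nil, &echojwt.TokenError{Token: token, Err: errors.New("invalid token")}
	}
	return token, nil
}

// … unchanged: AddTenantLogHandlers signature …
	jwtConfig := echojwt.Config{
		ParseTokenFunc: func(c echo.Context, auth string) (interface{}, error) {
			return parseJWT(auth, func(t *jwt.Token) (interface{}, error) {
				return secrets.GetJWTSigningKeyWithPrefix(c.Request().Context(), secretsManager, secretsPrefix, t)
			})
		},
	}
```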