From 5f33f6cb075c0a72bd624452c2181fc77918445b Mon Sep 17 00:00:00 2001 From: santeriok Date: Wed, 16 Aug 2023 17:30:13 +0300 Subject: [PATCH 01/10] Add functionality and tests for providing jwt-tokens in query-string --- config | 2 +- src/ngx_http_auth_jwt_args_processing.c | 73 +++++++++++++++++++++++++ src/ngx_http_auth_jwt_args_processing.h | 23 ++++++++ src/ngx_http_auth_jwt_module.c | 51 +++++++++++++++++ test/etc/nginx/conf.d/test.conf | 9 +++ test/test.sh | 36 ++++++++++++ 6 files changed, 193 insertions(+), 1 deletion(-) create mode 100644 src/ngx_http_auth_jwt_args_processing.c create mode 100644 src/ngx_http_auth_jwt_args_processing.h diff --git a/config b/config index 0271a79..b66bdd1 100644 --- a/config +++ b/config @@ -1,7 +1,7 @@ ngx_module_type=HTTP ngx_addon_name=ngx_http_auth_jwt_module ngx_module_name=$ngx_addon_name -ngx_module_srcs="${ngx_addon_dir}/src/arrays.c ${ngx_addon_dir}/src/ngx_http_auth_jwt_binary_converters.c ${ngx_addon_dir}/src/ngx_http_auth_jwt_header_processing.c ${ngx_addon_dir}/src/ngx_http_auth_jwt_string.c ${ngx_addon_dir}/src/ngx_http_auth_jwt_module.c" +ngx_module_srcs="${ngx_addon_dir}/src/arrays.c ${ngx_addon_dir}/src/ngx_http_auth_jwt_args_processing.c ${ngx_addon_dir}/src/ngx_http_auth_jwt_binary_converters.c ${ngx_addon_dir}/src/ngx_http_auth_jwt_header_processing.c ${ngx_addon_dir}/src/ngx_http_auth_jwt_string.c ${ngx_addon_dir}/src/ngx_http_auth_jwt_module.c" ngx_module_libs="-ljansson -ljwt -lm" . auto/module diff --git a/src/ngx_http_auth_jwt_args_processing.c b/src/ngx_http_auth_jwt_args_processing.c new file mode 100644 index 0000000..bf0a4ea --- /dev/null +++ b/src/ngx_http_auth_jwt_args_processing.c 
@@ -0,0 +1,73 @@
+#include "ngx_http_auth_jwt_args_processing.h"
+
+u_char *create_args_without_token(
+ ngx_pool_t *pool,
+ ngx_str_t *args,
+ size_t token_key_start,
+ size_t token_end,
+ size_t *write_args_len
+) {
+ /* Creates a new version of args without token present.
+ Writes length of new args to *write_args_len
+ */
+ *write_args_len = args->len - token_end + token_key_start;
+
+ u_char *args_ptr = ngx_palloc(pool, *write_args_len);
+
+ if (args_ptr == NULL) return NULL;
+
+ if (token_key_start > 0) {
+ ngx_memcpy(args_ptr, args->data, token_key_start);
+ }
+ if (token_end < (args->len - 1)) {
+ ngx_memcpy(
+ args_ptr + token_key_start,
+ args->data + token_end,
+ *write_args_len - token_key_start
+ );
+ }
+
+ return args_ptr;
+}
+
+bool search_token_from_args(
+ const ngx_str_t *jwt_location,
+ const ngx_str_t *args,
+ size_t *write_to_token_key_start,
+ size_t *write_to_token_value_start,
+ size_t *write_to_token_end
+) {
+ /* Tries to extract token from query string. Returns true if found, false otherwise.
+
+ Searches for the string contained in *jwt_location in *args. If it finds the token
+ in question it writes the location of the start of key to *write_to_token_key_start,
+ start of token itself to *write_to_token_value_start and end of token to *write_to_token_end.
+ */
+ size_t i = 0, j = 0;
+ size_t max_i = args->len > jwt_location->len ? args->len - jwt_location->len : 0;
+
+ while (i < max_i) {
+ j = 0;
+ if (i == 0 || *(args->data + i - 1) == '&') {
+ while (j < jwt_location->len && *(args->data + i + j) == *(jwt_location->data + j)) {
+ if (j == (jwt_location->len - 1)) {
+ *write_to_token_key_start = i;
+ i++;
+ if (i >= max_i || *(args->data + i + j) != '=') {
+ // key doesn't match
+ break;
+ }
+ *write_to_token_value_start = i + j + 1;
+ while (i < args->len && *(args->data + i) != '&') {
+ i++;
+ }
+ *write_to_token_end = i;
+ return true;
+ }
+ j++;
+ }
+ }
+ i++;
+ }
+ return false;
+}
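Review bot: `create_args_without_token` can return a buffer whose last byte is never written: `*write_args_len` counts every byte from `token_end` to the end of `args`, but the tail copy is skipped when `token_end < (args->len - 1)` is false, so for a query string ending in `&` (constructed example `a=b&token=X&`, where `token_end` is the index of the final `&`) the result is `a=b` plus one uninitialized pool byte that then becomes part of `r->args`. The length and the copy must agree: compute `size_t tail = args->len - token_end;` and copy it whenever `tail > 0` with `ngx_memcpy(args_ptr + token_key_start, args->data + token_end, tail);`, which also lets the `- 1` go. The same condition survives the restyle of this function in patch 05. In `search_token_from_args`, the scan for the terminating `&` starts at `i` (one past the key start) rather than at `*write_to_token_value_start`; it yields the same index only because the key itself contains no `&`, so either start from the value or add `// key and '=' contain no '&', so scanning from here finds the value's end`.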
diff --git a/src/ngx_http_auth_jwt_args_processing.h b/src/ngx_http_auth_jwt_args_processing.h new file mode 100644 index 0000000..f743479 --- /dev/null +++ b/src/ngx_http_auth_jwt_args_processing.h @@ -0,0 +1,23 @@ +#ifndef _NGX_HTTP_AUTH_JWT_ARGS_PROCESSING_H +#define _NGX_HTTP_AUTH_JWT_ARGS_PROCESSING_H + +#include +#include + +u_char *create_args_without_token( + ngx_pool_t *pool, + ngx_str_t *args, + size_t token_key_start, + size_t token_end, + size_t *write_mutated_args_len +); + +bool search_token_from_args( + const ngx_str_t *jwt_location, + const ngx_str_t *args, + size_t *write_to_token_key_start, + size_t *write_to_token_value_start, + size_t *write_to_token_end +); + +#endif /* _NGX_HTTP_AUTH_JWT_ARGS_PROCESSING_H */ \ No newline at end of file diff --git a/src/ngx_http_auth_jwt_module.c b/src/ngx_http_auth_jwt_module.c index 744b50d..ce7c32a 100644 --- a/src/ngx_http_auth_jwt_module.c +++ b/src/ngx_http_auth_jwt_module.c @@ -15,6 +15,7 @@ #include #include "arrays.h" +#include "ngx_http_auth_jwt_args_processing.h" #include "ngx_http_auth_jwt_header_processing.h" #include "ngx_http_auth_jwt_binary_converters.h" #include "ngx_http_auth_jwt_string.h" @@ -613,6 +614,7 @@ static char *get_jwt(ngx_http_request_t *r, ngx_str_t jwt_location) { static const char *HEADER_PREFIX = "HEADER="; static const char *COOKIE_PREFIX = "COOKIE="; + static const char QUERY_STRING_PREFIX[] = "QUERY_STRING="; char *jwtPtr = NULL; ngx_log_debug(NGX_LOG_DEBUG, r->connection->log, 0, "jwt_location.len %d", jwt_location.len); 
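Review bot: The last parameter of `create_args_without_token` is declared as `write_mutated_args_len` in this header but defined as `write_args_len` in the .c file; the prototype and the definition should use one name so the header documents the same contract as the code. The header is also missing a trailing newline (`\ No newline at end of file`). The two `#include` lines render empty in this patch, so which nginx headers provide `ngx_pool_t`, `ngx_str_t`, `u_char` and `bool` cannot be checked from here.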
@@ -670,6 +672,55 @@ static char *get_jwt(ngx_http_request_t *r, ngx_str_t jwt_location) jwtPtr = ngx_str_t_to_char_ptr(r->pool, jwtCookieVal); } } + else if (jwt_location.len > sizeof(QUERY_STRING_PREFIX) && ngx_strncmp(jwt_location.data, QUERY_STRING_PREFIX, sizeof(QUERY_STRING_PREFIX) - 1) == 0) { + jwt_location.data += sizeof(QUERY_STRING_PREFIX) - 1; + jwt_location.len -= sizeof(QUERY_STRING_PREFIX) - 1; + size_t token_key_start = 0, token_value_start = 0, token_end = 0; + + bool found_token = search_token_from_args( + &jwt_location, + &r->args, + &token_key_start, + &token_value_start, + &token_end + ); + + if (!found_token) return NULL; + + int token_len = token_end - token_value_start; + + jwtPtr = ngx_palloc(r->pool, token_len + 1); + if (jwtPtr != NULL) { + ngx_memcpy(jwtPtr, r->args.data + token_value_start, token_len); + *(jwtPtr + token_len) = '\0'; + } + + // strip first or last & from args + if (token_key_start > 0) { + token_key_start--; + } else if (token_end < (r->args.len - 1)) { + token_end++; + } + + size_t mutated_args_len = 0; + + // Strip key from args + u_char *args_ptr = create_args_without_token( + r->pool, + &r->args, + token_key_start, + token_end, + &mutated_args_len + ); + + if (args_ptr == NULL) return jwtPtr; + + int free_ok = ngx_pfree(r->pool, r->args.data); + if (free_ok == NGX_OK) { + r->args.data = args_ptr; + r->args.len = mutated_args_len; + } + } return jwtPtr; } diff --git a/test/etc/nginx/conf.d/test.conf b/test/etc/nginx/conf.d/test.conf index 00c990b..1c35308 100644 --- a/test/etc/nginx/conf.d/test.conf +++ b/test/etc/nginx/conf.d/test.conf @@ -165,6 +165,15 @@ BwIDAQAB try_files index.html =404; } + location /secure/auth-query-string/hs256 { + auth_jwt_enabled on; + auth_jwt_location QUERY_STRING=jwt-token; + auth_jwt_algorithm HS256; + + alias /usr/share/nginx/html/; + try_files index.html =404; + } + location /secure/extract-claim/request/sub { auth_jwt_enabled on; auth_jwt_redirect off; 
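Review bot: Replacing `r->args` does not remove the token from the request line nginx forwards or logs: `r->unparsed_uri` and `r->request_line` still hold the original query string, and, if I read the proxy module's request construction right, `proxy_pass` without a URI part sends `r->unparsed_uri` upstream whenever `r->valid_unparsed_uri` is set, so the README's "stripped from the outgoing request" only holds for some configurations, and `$request` in the access log keeps the token regardless. After assigning the new `r->args` the code should also clear `r->valid_unparsed_uri = 0;` so the proxy module rebuilds the URI from `r->uri` and `r->args`, and the documentation should state that `$request` still contains the parameter. Separately, the guard `jwt_location.len > sizeof(QUERY_STRING_PREFIX)` counts the terminating NUL, so a one-character parameter name is rejected; `jwt_location.len > sizeof(QUERY_STRING_PREFIX) - 1` matches the `- 1` used on the next two lines. `int token_len = token_end - token_value_start;` narrows a `size_t` difference and should be `size_t`, and the `token_end < (r->args.len - 1)` branch leaves a trailing `&` uncounted in the same way as the helper it calls. The `r->args`-only stripping persists through the rewrites in patches 06 and 10; `get_jwt`'s signature and the header/cookie branches are outside this hunk.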
diff --git a/test/test.sh b/test/test.sh index 29a0bf3..859a800 100755 --- a/test/test.sh +++ b/test/test.sh 
@@ -202,6 +202,42 @@ main() { -p '/secure/custom-header/hs256/' \ -c '200' \ -x '--header "Auth-Token: Bearer ${JWT_HS256_VALID}"' + + run_test -n 'when auth enabled with HS256 algorithm and valid JWT as query-string jwt-token, returns 200' \ + -p '/secure/auth-query-string/hs256/?jwt-token=${JWT_HS256_VALID}' \ + -c '200' + + run_test -n 'when auth enabled with HS256 algorithm and valid JWT as query-string something-jwt-token, returns 401' \ + -p '/secure/auth-query-string/hs256/?something-jwt-token=${JWT_HS256_VALID}' \ + -c '401' + + run_test -n 'when auth enabled with HS256 algorithm and non-valid JWT as query-string jwt-token, returns 401' \ + -p '/secure/auth-query-string/hs256/?jwt-token=ABBAKEY' \ + -c '401' + + run_test -n 'when auth enabled with HS256 algorithm and no query-string present, returns 401' \ + -p '/secure/auth-query-string/hs256/' \ + -c '401' + + run_test -n 'when auth enabled with HS256 algorithm and just random query-string present, returns 401' \ + -p '/secure/auth-query-string/hs256/?key1=abba' \ + -c '401' + + run_test -n 'when auth enabled with HS256 algorithm and valid JWT as query-string jwt-token after first query-string, returns 200' \ + -p '/secure/auth-query-string/hs256/?key1=abba\&jwt-token=${JWT_HS256_VALID}' \ + -c '200' + + run_test -n 'when auth enabled with HS256 algorithm and valid JWT as query-string jwt-token, second query-string after, returns 200' \ + -p '/secure/auth-query-string/hs256/?jwt-token=${JWT_HS256_VALID}\&key1=abba' \ + -c '200' + + run_test -n 'when auth enabled with HS256 algorithm and valid JWT as query-string jwt-token in middle, returns 200' \ + -p '/secure/auth-query-string/hs256/?key1=abba\&jwt-token=${JWT_HS256_VALID}\&key2=abba' \ + -c '200' + + run_test -n 'when auth enabled with HS256 algorithm and valid JWT as query-string jwt-token with overlapping query-string first, returns 200' \ + -p '/secure/auth-query-string/hs256/?jwt-token2=abba\&jwt-token=${JWT_HS256_VALID}' \ + -c '200' run_test -n 
'extracts single claim to request variable' \ -p '/secure/extract-claim/request/sub' \ From d21d40888d15624cb9c0f032345052ed47a7cd08 Mon Sep 17 00:00:00 2001 From: santeriok Date: Wed, 16 Aug 2023 17:33:15 +0300 Subject: [PATCH 02/10] Add description to readme --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 8c34d5c..8e55b7c 100644 --- a/README.md +++ b/README.md @@ -72,8 +72,11 @@ By default, the`Authorization` header is used to provide a JWT for validation. H ```nginx auth_jwt_location HEADER=auth-token; # get the JWT from the "auth-token" header auth_jwt_location COOKIE=auth-token; # get the JWT from the "auth-token" cookie +auth_jwt_location QUERY_STRING=jwt-token; # get the JWT from the "jwt-token" query-string ``` +Note: If you use the QUERY_STRING location, the given key is stripped from the outgoing request, if the request is to be forwarded. + ## `sub` Validation Optionally, the module can validate that a `sub` claim (e.g. the user's id) exists in the JWT. You may enable this feature as follows: From 8702e17118d356d54f3fa1a792616f3673d511c4 Mon Sep 17 00:00:00 2001 From: santerioksanen Date: Thu, 17 Aug 2023 09:49:40 +0300 Subject: [PATCH 03/10] Update README.md Co-authored-by: Josh McCullough --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8e55b7c..0d417e1 100644 --- a/README.md +++ b/README.md 
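Review bot: None of the new cases ends the query string with `&` or puts an empty value before another parameter, which are the boundary cases of the stripping code in `get_jwt`; `-p '/secure/auth-query-string/hs256/?token=${JWT_HS256_VALID}\&'` expecting 200 and `-p '/secure/auth-query-string/hs256/?token=\&key1=abba'` expecting 401 would cover them. Status codes alone cannot show whether `r->args` came out intact, so a location that proxies to a local endpoint echoing `$args` would be needed to verify that the parameter is actually removed and nothing else is lost. The enclosing `main()` starts before this hunk.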
@@ -72,7 +72,7 @@ By default, the`Authorization` header is used to provide a JWT for validation. H ```nginx auth_jwt_location HEADER=auth-token; # get the JWT from the "auth-token" header auth_jwt_location COOKIE=auth-token; # get the JWT from the "auth-token" cookie -auth_jwt_location QUERY_STRING=jwt-token; # get the JWT from the "jwt-token" query-string +auth_jwt_location QUERYSTRING=token; # get the JWT from the "token" querystring parameter ``` Note: If you use the QUERY_STRING location, the given key is stripped from the outgoing request, if the request is to be forwarded. From d00aa5bc65b969dcdc0bb469e16dfb0e0f1e364d Mon Sep 17 00:00:00 2001 From: santerioksanen Date: Thu, 17 Aug 2023 09:50:10 +0300 Subject: [PATCH 04/10] Update README with QUERYSTRING information Co-authored-by: Josh McCullough --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 0d417e1..2b62f97 100644 --- a/README.md +++ b/README.md @@ -75,7 +75,8 @@ auth_jwt_location COOKIE=auth-token; # get the JWT from the "auth-token" cookie auth_jwt_location QUERYSTRING=token; # get the JWT from the "token" querystring parameter ``` -Note: If you use the QUERY_STRING location, the given key is stripped from the outgoing request, if the request is to be forwarded. +### Querystring Location +If you use the `QUERYSTRING` location, the given querystring parameter is stripped from the outgoing request, if the request is to be forwarded. Please also note that including a JWT in the querystring may be a security risk as the JWT could be logged/viewed by intermediary devices/software. In most cases it is best to store the JWT in a header. ## `sub` Validation From affce53d725cacd3db017c8edaed5005fd25f525 Mon Sep 17 00:00:00 2001 
From: santerioksanen Date: Thu, 17 Aug 2023 09:51:12 +0300 Subject: [PATCH 05/10] Apply styling changes Co-authored-by: Josh McCullough --- src/ngx_http_auth_jwt_args_processing.c | 36 ++++++++++++++----------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/src/ngx_http_auth_jwt_args_processing.c b/src/ngx_http_auth_jwt_args_processing.c index bf0a4ea..f50b013 100644 --- a/src/ngx_http_auth_jwt_args_processing.c +++ b/src/ngx_http_auth_jwt_args_processing.c @@ -1,5 +1,8 @@ #include "ngx_http_auth_jwt_args_processing.h" +/* Creates a new version of args without token present. + * Writes length of new args to `*write_args_len`. + */ u_char *create_args_without_token( ngx_pool_t *pool, ngx_str_t *args, @@ -7,27 +10,28 @@ u_char *create_args_without_token( size_t token_end, size_t *write_args_len ) { - /* Creates a new version of args without token present. - Writes length of new args to *write_args_len - */ *write_args_len = args->len - token_end + token_key_start; - u_char *args_ptr = ngx_palloc(pool, *write_args_len); - if (args_ptr == NULL) return NULL; - - if (token_key_start > 0) { - ngx_memcpy(args_ptr, args->data, token_key_start); + if (args_ptr == NULL) + { + return NULL; } - if (token_end < (args->len - 1)) { - ngx_memcpy( - args_ptr + token_key_start, - args->data + token_end, - *write_args_len - token_key_start - ); + else + { + if (token_key_start > 0) { + ngx_memcpy(args_ptr, args->data, token_key_start); + } + if (token_end < (args->len - 1)) { + ngx_memcpy( + args_ptr + token_key_start, + args->data + token_end, + *write_args_len - token_key_start + ); + } + + return args_ptr; } - - return args_ptr; } bool search_token_from_args( From 7dd8b005b8e932175e7cef4f34c026eb1b9c6fdf Mon Sep 17 00:00:00 2001 
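Review bot: The `else` after `return NULL` is redundant and indents the whole remaining body by one level; patch 09 removes the equivalent `else` in `get_jwt` but this function keeps it. The new `if (args_ptr == NULL)` uses a brace on its own line while the two inner `if (token_key_start > 0) {` and `if (token_end < (args->len - 1)) {` checks stay brace-on-same-line, so one function now mixes both styles. Dropping the `else` and dedenting the copy block would leave a single style.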
From: santeriok Date: Thu, 17 Aug 2023 10:09:04 +0300 Subject: [PATCH 06/10] Apply styling changes per code-review --- src/ngx_http_auth_jwt_args_processing.c | 30 ++++++----- src/ngx_http_auth_jwt_module.c | 66 ++++++++++++++----------- test/etc/nginx/conf.d/test.conf | 2 +- 3 files changed, 56 insertions(+), 42 deletions(-) diff --git a/src/ngx_http_auth_jwt_args_processing.c b/src/ngx_http_auth_jwt_args_processing.c index f50b013..feb9e68 100644 --- a/src/ngx_http_auth_jwt_args_processing.c +++ b/src/ngx_http_auth_jwt_args_processing.c @@ -34,6 +34,12 @@ u_char *create_args_without_token( } } +/* Tries to extract token from query string. Returns true if found, false otherwise. + + Searches for the string contained in *jwt_location in *args. If it finds the token + in question it writes the location of the start of key to *write_to_token_key_start, + start of token itself to *write_to_token_value_start and end of token to *write_to_token_end. +*/ bool search_token_from_args( const ngx_str_t *jwt_location, const ngx_str_t *args, 
@@ -41,28 +47,28 @@ bool search_token_from_args( size_t *write_to_token_value_start, size_t *write_to_token_end ) { - /* Tries to extract token from query string. Returns true if found, false otherwise. - - Searches for the string contained in *jwt_location in *args. If it finds the token - in question it writes the location of the start of key to *write_to_token_key_start, - start of token itself to *write_to_token_value_start and end of token to *write_to_token_end. - */ size_t i = 0, j = 0; size_t max_i = args->len > jwt_location->len ? args->len - jwt_location->len : 0; - while (i < max_i) { + while (i < max_i) + { j = 0; - if (i == 0 || *(args->data + i - 1) == '&') { - while (j < jwt_location->len && *(args->data + i + j) == *(jwt_location->data + j)) { - if (j == (jwt_location->len - 1)) { + if (i == 0 || *(args->data + i - 1) == '&') + { + while (j < jwt_location->len && *(args->data + i + j) == *(jwt_location->data + j)) + { + if (j == (jwt_location->len - 1)) + { *write_to_token_key_start = i; i++; - if (i >= max_i || *(args->data + i + j) != '=') { + if (i >= max_i || *(args->data + i + j) != '=') + { // key doesn't match break; } *write_to_token_value_start = i + j + 1; - while (i < args->len && *(args->data + i) != '&') { + while (i < args->len && *(args->data + i) != '&') + { i++; } *write_to_token_end = i; diff --git a/src/ngx_http_auth_jwt_module.c b/src/ngx_http_auth_jwt_module.c index ce7c32a..34d71d5 100644 --- a/src/ngx_http_auth_jwt_module.c +++ b/src/ngx_http_auth_jwt_module.c @@ -614,7 +614,7 @@ static char *get_jwt(ngx_http_request_t *r, ngx_str_t jwt_location) { static const char *HEADER_PREFIX = "HEADER="; static const char *COOKIE_PREFIX = "COOKIE="; - static const char QUERY_STRING_PREFIX[] = "QUERY_STRING="; + static const char QUERY_STRING_PREFIX[] = "QUERYSTRING="; char *jwtPtr = NULL; ngx_log_debug(NGX_LOG_DEBUG, r->connection->log, 0, "jwt_location.len %d", jwt_location.len); 
@@ -686,40 +686,48 @@ static char *get_jwt(ngx_http_request_t *r, ngx_str_t jwt_location) &token_end ); - if (!found_token) return NULL; - - int token_len = token_end - token_value_start; - - jwtPtr = ngx_palloc(r->pool, token_len + 1); - if (jwtPtr != NULL) { - ngx_memcpy(jwtPtr, r->args.data + token_value_start, token_len); - *(jwtPtr + token_len) = '\0'; + if (!found_token){ + return NULL; } + else + { + int token_len = token_end - token_value_start; - // strip first or last & from args - if (token_key_start > 0) { - token_key_start--; - } else if (token_end < (r->args.len - 1)) { - token_end++; - } + jwtPtr = ngx_palloc(r->pool, token_len + 1); + if (jwtPtr != NULL) { + ngx_memcpy(jwtPtr, r->args.data + token_value_start, token_len); + *(jwtPtr + token_len) = '\0'; + } - size_t mutated_args_len = 0; + // strip first or last & from args + if (token_key_start > 0) + { + token_key_start--; + } + else if (token_end < (r->args.len - 1)) + { + token_end++; + } - // Strip key from args - u_char *args_ptr = create_args_without_token( - r->pool, - &r->args, - token_key_start, - token_end, - &mutated_args_len - ); + size_t mutated_args_len = 0; - if (args_ptr == NULL) return jwtPtr; + // Strip key from args + u_char *args_ptr = create_args_without_token( + r->pool, + &r->args, + token_key_start, + token_end, + &mutated_args_len + ); - int free_ok = ngx_pfree(r->pool, r->args.data); - if (free_ok == NGX_OK) { - r->args.data = args_ptr; - r->args.len = mutated_args_len; + if (args_ptr != NULL) + { + int free_ok = ngx_pfree(r->pool, r->args.data); + if (free_ok == NGX_OK) { + r->args.data = args_ptr; + r->args.len = mutated_args_len; + } + } } } return jwtPtr; diff --git a/test/etc/nginx/conf.d/test.conf b/test/etc/nginx/conf.d/test.conf index 1c35308..0315675 100644 --- a/test/etc/nginx/conf.d/test.conf +++ b/test/etc/nginx/conf.d/test.conf 
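Review bot: `if (jwtPtr != NULL) {` and `if (free_ok == NGX_OK) {` keep the brace on the same line while every other block this hunk touches moves it to its own line, so `get_jwt` ends up with both styles side by side. `if (!found_token){` is also missing the space before the brace (patch 09 rewrites that line anyway). `get_jwt`'s signature and the start of the query-string branch are outside this hunk.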
@@ -167,7 +167,7 @@ BwIDAQAB location /secure/auth-query-string/hs256 { auth_jwt_enabled on; - auth_jwt_location QUERY_STRING=jwt-token; + auth_jwt_location QUERYSTRING=token; auth_jwt_algorithm HS256; alias /usr/share/nginx/html/; From 6be00861b8750aa60f6bebb8fd038c6d3e9bad1e Mon Sep 17 00:00:00 2001 From: santeriok Date: Thu, 17 Aug 2023 10:09:37 +0300 Subject: [PATCH 07/10] Add test-cases, change tests to use token instead of jwt-token --- test/test.sh | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/test/test.sh b/test/test.sh index 859a800..f2ea0fe 100755 --- a/test/test.sh +++ b/test/test.sh @@ -204,7 +204,7 @@ main() { -x '--header "Auth-Token: Bearer ${JWT_HS256_VALID}"' run_test -n 'when auth enabled with HS256 algorithm and valid JWT as query-string jwt-token, returns 200' \ - -p '/secure/auth-query-string/hs256/?jwt-token=${JWT_HS256_VALID}' \ + -p '/secure/auth-query-string/hs256/?token=${JWT_HS256_VALID}' \ -c '200' run_test -n 'when auth enabled with HS256 algorithm and valid JWT as query-string something-jwt-token, returns 401' \ 
@@ -212,31 +212,39 @@ main() { -c '401' run_test -n 'when auth enabled with HS256 algorithm and non-valid JWT as query-string jwt-token, returns 401' \ - -p '/secure/auth-query-string/hs256/?jwt-token=ABBAKEY' \ + -p '/secure/auth-query-string/hs256/?token=ABBAKEY' \ -c '401' run_test -n 'when auth enabled with HS256 algorithm and no query-string present, returns 401' \ -p '/secure/auth-query-string/hs256/' \ -c '401' + run_test -n 'when auth enabled with HS256 algorithm and empty token present, returns 401' \ + -p '/secure/auth-query-string/hs256/?token' \ + -c '401' + + run_test -n 'when auth enabled with HS256 algorithm and empty token present, returns 401' \ + -p '/secure/auth-query-string/hs256/?token=' \ + -c '401' + run_test -n 'when auth enabled with HS256 algorithm and just random query-string present, returns 401' \ -p '/secure/auth-query-string/hs256/?key1=abba' \ -c '401' run_test -n 'when auth enabled with HS256 algorithm and valid JWT as query-string jwt-token after first query-string, returns 200' \ - -p '/secure/auth-query-string/hs256/?key1=abba\&jwt-token=${JWT_HS256_VALID}' \ + -p '/secure/auth-query-string/hs256/?key1=abba\&token=${JWT_HS256_VALID}' \ -c '200' run_test -n 'when auth enabled with HS256 algorithm and valid JWT as query-string jwt-token, second query-string after, returns 200' \ - -p '/secure/auth-query-string/hs256/?jwt-token=${JWT_HS256_VALID}\&key1=abba' \ + -p '/secure/auth-query-string/hs256/?token=${JWT_HS256_VALID}\&key1=abba' \ -c '200' run_test -n 'when auth enabled with HS256 algorithm and valid JWT as query-string jwt-token in middle, returns 200' \ - -p '/secure/auth-query-string/hs256/?key1=abba\&jwt-token=${JWT_HS256_VALID}\&key2=abba' \ + -p '/secure/auth-query-string/hs256/?key1=abba\&token=${JWT_HS256_VALID}\&key2=abba' \ -c '200' run_test -n 'when auth enabled with HS256 algorithm and valid JWT as query-string jwt-token with overlapping query-string first, returns 200' \ - -p 
'/secure/auth-query-string/hs256/?jwt-token2=abba\&jwt-token=${JWT_HS256_VALID}' \ + -p '/secure/auth-query-string/hs256/?jwt-token2=abba\&token=${JWT_HS256_VALID}' \ -c '200' run_test -n 'extracts single claim to request variable' \ From df039e21fa5ea8547e7cb8a8b03ea74d5228991e Mon Sep 17 00:00:00 2001 From: santeriok Date: Thu, 17 Aug 2023 10:12:06 +0300 Subject: [PATCH 08/10] Change prefix char pointers to char arrays --- src/ngx_http_auth_jwt_module.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/ngx_http_auth_jwt_module.c b/src/ngx_http_auth_jwt_module.c index 34d71d5..0704e48 100644 --- a/src/ngx_http_auth_jwt_module.c +++ b/src/ngx_http_auth_jwt_module.c @@ -612,8 +612,8 @@ static ngx_int_t load_public_key(ngx_conf_t *cf, auth_jwt_conf_t *conf) static char *get_jwt(ngx_http_request_t *r, ngx_str_t jwt_location) { - static const char *HEADER_PREFIX = "HEADER="; - static const char *COOKIE_PREFIX = "COOKIE="; + static const char HEADER_PREFIX[] = "HEADER="; + static const char COOKIE_PREFIX[] = "COOKIE="; static const char QUERY_STRING_PREFIX[] = "QUERYSTRING="; char *jwtPtr = NULL; From 17fbdc0c5bc5f587cefe710c5ce164d2c810d096 Mon Sep 17 00:00:00 2001 From: santeriok Date: Thu, 17 Aug 2023 10:14:41 +0300 Subject: [PATCH 09/10] Remove redundant else --- src/ngx_http_auth_jwt_module.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/ngx_http_auth_jwt_module.c b/src/ngx_http_auth_jwt_module.c index 0704e48..574dae5 100644 --- a/src/ngx_http_auth_jwt_module.c +++ b/src/ngx_http_auth_jwt_module.c @@ -686,10 +686,7 @@ static char *get_jwt(ngx_http_request_t *r, ngx_str_t jwt_location) &token_end ); - if (!found_token){ - return NULL; - } - else + if (found_token) { int token_len = token_end - token_value_start; From ed421fae7c122bcdadfb1639389790c935b4142a Mon Sep 17 00:00:00 2001 
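Review bot: The two new cases for `?token` and `?token=` carry the identical name `'when auth enabled with HS256 algorithm and empty token present, returns 401'`, so a failure report cannot say which one failed; name one `'... and token key without value present, returns 401'` and the other `'... and empty token value present, returns 401'`. The renamed cases still say `jwt-token` in their `-n` text while the path now uses `token`, which will mislead whoever reads the results. The enclosing `main()` starts before this hunk.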
From: santeriok
Date: Thu, 17 Aug 2023 11:11:11 +0300
Subject: [PATCH 10/10] Remove ngx_pfree for args
---
 src/ngx_http_auth_jwt_module.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/src/ngx_http_auth_jwt_module.c b/src/ngx_http_auth_jwt_module.c
index 574dae5..d392727 100644
--- a/src/ngx_http_auth_jwt_module.c
+++ b/src/ngx_http_auth_jwt_module.c
@@ -719,11 +719,8 @@ static char *get_jwt(ngx_http_request_t *r, ngx_str_t jwt_location)
 if (args_ptr != NULL)
 {
- int free_ok = ngx_pfree(r->pool, r->args.data);
- if (free_ok == NGX_OK) {
- r->args.data = args_ptr;
- r->args.len = mutated_args_len;
- }
+ r->args.data = args_ptr;
+ r->args.len = mutated_args_len;
 }
 }
 }