From 87420291095bc8285dd83a4bfb36dd7e8fd10652 Mon Sep 17 00:00:00 2001 From: Daniel Ponte Date: Sun, 4 Aug 2024 08:55:12 -0400 Subject: [PATCH] config --- config.yaml.sample | 8 +++++++- pkg/gordio/auth/auth.go | 10 ++++++---- pkg/gordio/auth/jwt.go | 8 ++++++-- pkg/gordio/config/config.go | 18 ++++++++++++------ pkg/gordio/server/server.go | 2 +- 5 files changed, 32 insertions(+), 14 deletions(-) diff --git a/config.yaml.sample b/config.yaml.sample index 3b39e8c..8e5741b 100644 --- a/config.yaml.sample +++ b/config.yaml.sample @@ -1,6 +1,12 @@ db: driver: pgx connect: 'postgres://postgres:password@localhost:5432/example' -jwtsecret: 'super secret string' +auth: + jwtsecret: 'super secret string' + # this is the JWT cookie domain + domain: example.com + # this allows the JWT cookie to be served over plain HTTP only for these Host: header values + allowInsecureFor: + "localhost:3050": true listen: ':3050' public: true diff --git a/pkg/gordio/auth/auth.go b/pkg/gordio/auth/auth.go index 858d07f..1f10e5c 100644 --- a/pkg/gordio/auth/auth.go +++ b/pkg/gordio/auth/auth.go @@ -4,6 +4,7 @@ import ( "errors" "net/http" + "dynatron.me/x/stillbox/pkg/gordio/config" "github.com/go-chi/jwtauth/v5" ) @@ -28,13 +29,14 @@ type Authenticator interface { type authenticator struct { domain string jwt *jwtauth.JWTAuth + cfg *config.Auth } -// NewAuthenticator creates a new Authenticator with the provided JWT secret and cookie domain. -func NewAuthenticator(jwtSecret string, domain string) Authenticator { +// NewAuthenticator creates a new Authenticator with the provided config. +func NewAuthenticator(cfg *config.Auth) Authenticator { return &authenticator{ - domain: domain, - jwt: jwtauth.New("HS256", []byte(jwtSecret), nil), + domain: cfg.Domain, + jwt: jwtauth.New("HS256", []byte(cfg.JWTSecret), nil), } } diff --git a/pkg/gordio/auth/jwt.go b/pkg/gordio/auth/jwt.go index 25c5ec1..cc45ba5 100644 --- a/pkg/gordio/auth/jwt.go +++ b/pkg/gordio/auth/jwt.go 
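Review bot: The new `cfg *config.Auth` field added to `authenticator` is never populated — the composite literal in `NewAuthenticator` sets only `domain` and `jwt`, so `a.cfg` stays nil and the `allowInsecureCookie` helper introduced in jwt.go (which reads `a.cfg.AllowInsecure`) will dereference a nil pointer on the first login request. Add `cfg: cfg,` to the literal. With the whole config stored on the struct, the separate `domain` field now duplicates `cfg.Domain`; either drop it and read `a.cfg.Domain` where it is used, or leave a comment saying why both are kept.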
@@ -3,7 +3,6 @@ package auth import ( "context" "net/http" - "strings" "time" "golang.org/x/crypto/bcrypt" @@ -94,6 +93,11 @@ func (a *authenticator) PublicRoutes(r chi.Router) { r.Post("/login", a.routeAuth) } +func (a *authenticator) allowInsecureCookie(r *http.Request) bool { + v, has := a.cfg.AllowInsecure[r.Host] + return has && v == true +} + func (a *authenticator) routeAuth(w http.ResponseWriter, r *http.Request) { err := r.ParseForm() if err != nil { @@ -115,7 +119,7 @@ func (a *authenticator) routeAuth(w http.ResponseWriter, r *http.Request) { Name: "jwt", Value: tok, HttpOnly: true, - Secure: !strings.HasPrefix(r.Host, "localhost:"), + Secure: a.allowInsecureCookie(r), Domain: a.domain, }) diff --git a/pkg/gordio/config/config.go b/pkg/gordio/config/config.go index 734ae92..573f230 100644 --- a/pkg/gordio/config/config.go +++ b/pkg/gordio/config/config.go @@ -1,22 +1,28 @@ package config import ( + "os" + "github.com/rs/zerolog/log" "github.com/spf13/cobra" "gopkg.in/yaml.v3" - "os" ) type Config struct { - DB DB `yaml:"db"` - JWTSecret string `yaml:"jwtsecret"` - Listen string `yaml:"listen"` - Public bool `yaml:"public"` - Domain string `yaml:"domain"` + DB DB `yaml:"db"` + Auth Auth `yaml:"auth"` + Listen string `yaml:"listen"` + Public bool `yaml:"public"` configPath string } +type Auth struct { + JWTSecret string `yaml:"jwtsecret"` + Domain string `yaml:"domain"` + AllowInsecure map[string]bool `yaml:"allowInsecureFor"` +} + type DB struct { Connect string `yaml:"connect"` Driver string `yaml:"driver"` diff --git a/pkg/gordio/server/server.go b/pkg/gordio/server/server.go index d36ec00..25e71d6 100644 --- a/pkg/gordio/server/server.go +++ b/pkg/gordio/server/server.go @@ -30,7 +30,7 @@ func New(cfg *config.Config) (*Server, error) { } r := chi.NewRouter() - authenticator := auth.NewAuthenticator(cfg.JWTSecret, cfg.Domain) + authenticator := auth.NewAuthenticator(&cfg.Auth) srv := &Server{ auth: authenticator, conf: cfg,
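Review bot: The `Secure` flag on the JWT cookie is inverted: `allowInsecureCookie` returns true exactly for the hosts listed in `allowInsecureFor`, so `Secure: a.allowInsecureCookie(r)` marks the cookie Secure only for those development hosts and strips the flag for every other Host value — the opposite of the replaced `!strings.HasPrefix(r.Host, "localhost:")`. It should read `Secure: !a.allowInsecureCookie(r),`. In the helper, `has && v == true` can be written as `return a.cfg.AllowInsecure[r.Host]`, since a missing key yields false (and this is also safe if the map is nil). Note that `r.Host` comes from the client-supplied Host header, so the map is only meaningful for hosts that legitimately serve plain HTTP; the enclosing `routeAuth` body continues outside this hunk.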
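Review bot: The new exported `Auth` type and its fields have no doc comments, and the meaning of `AllowInsecure` (keyed by the exact Host header value, port included, as the sample's `"localhost:3050"` shows) is only documented in config.yaml.sample. Add a comment starting with the type name, e.g. `// Auth holds the JWT cookie settings: the signing secret, the cookie Domain, and the Host header values for which the cookie may be issued without the Secure flag.`, and a one-line comment on `AllowInsecure` noting that keys must match `r.Host` exactly. The differing naming between the field (`AllowInsecure`) and the YAML key (`allowInsecureFor`) is also worth a word in that comment.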