z0x/anubis
Code Activity

cmd/anubis: use golang-jwt to check expiry date (#56)

Browse source 
* cmd/anubis: use golang-jwt to check expiry date

Also:
* check parse error
* require strict base64 decoding
* ignore always nil sha256sum error to simplify codeflow

Signed-off-by: Alexander Yastrebov <yastrebov.alex@gmail.com>

* cmd/anubis: handle unlikely case when token claims aren't the right go type

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Xe Iaso <me@xeiaso.net>

---------

Signed-off-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
Signed-off-by: Xe Iaso <me@xeiaso.net>
Co-authored-by: Xe Iaso <me@xeiaso.net>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This commit is contained in:
Alexander Yastrebov 2025-03-21 20:47:22 +01:00 committed by GitHub
parent 194e55088b
commit ad432897ca
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 11 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

32
cmd/anubis/main.go
View file

@ -469,39 +469,29 @@ func (s *Server) maybeReverseProxy(w http.ResponseWriter, r *http.Request) {
token, err := jwt.ParseWithClaims(ckie.Value, jwt.MapClaims{}, func(token *jwt.Token) (interface{}, error) {
return s.pub, nil
})
}, jwt.WithExpirationRequired(), jwt.WithStrictDecoding())
if !token.Valid {
lg.Debug("invalid token", "path", r.URL.Path)
if err != nil || !token.Valid {
lg.Debug("invalid token", "path", r.URL.Path, "err", err)
clearCookie(w)
s.renderIndex(w, r)
return
}
claims := token.Claims.(jwt.MapClaims)
exp, ok := claims["exp"].(float64)
if !ok {
lg.Debug("exp is not int64", "ok", ok, "typeof(exp)", fmt.Sprintf("%T", exp))
clearCookie(w)
s.renderIndex(w, r)
return
}
if exp := time.Unix(int64(exp), 0); time.Now().After(exp) {
lg.Debug("token has expired", "exp", exp.Format(time.RFC3339))
clearCookie(w)
s.renderIndex(w, r)
return
}
if token.Valid && randomJitter() {
if randomJitter() {
r.Header.Add("X-Anubis-Status", "PASS-BRIEF")
lg.Debug("cookie is not enrolled into secondary screening")
s.rp.ServeHTTP(w, r)
return
}
claims, ok := token.Claims.(jwt.MapClaims)
if !ok {
lg.Debug("invalid token claims type", "path", r.URL.Path)
clearCookie(w)
s.renderIndex(w, r)
return
}
challenge := s.challengeFor(r, rule.Challenge.Difficulty)
if claims["challenge"] != challenge {