Commit d3b21e5a authored by Kali Kaneko's avatar Kali Kaneko

protect certificate handler

parent d437b73a
build:
go build cmd/vpnweb/vpnweb.go
demo:
. config/CONFIG && ./vpnweb -notls
. config/CONFIG && ./vpnweb -notls -auth=sip
clean:
rm -f public/1/*
rm public/ca.crt
......@@ -5,6 +5,7 @@ import (
"net/http"
//"0xacab.org/leap/pkg/auth"
"0xacab.org/leap/vpnweb/pkg/auth"
"0xacab.org/leap/vpnweb/pkg/config"
"0xacab.org/leap/vpnweb/pkg/web"
)
......@@ -22,10 +23,9 @@ func main() {
/* TODO ----
http.HandleFunc("/3/auth", auth.AuthMiddleware(opts.Auth))
http.HandleFunc("/3/refresh-token", auth.RefreshAuthMiddleware(opts.Auth))
http.HandleFunc("/3/cert", jwtMiddleware.Handler(ch.certResponder))
*/
http.HandleFunc("/3/cert", ch.CertResponder)
http.Handle("/3/cert", auth.AuthMiddleware(opts.Auth, ch))
/* static files */
package auth
import ()
import (
"0xacab.org/leap/vpnweb/pkg/web"
"github.com/auth0/go-jwt-middleware"
jwt "github.com/dgrijalva/jwt-go"
"log"
"net/http"
)
func getProtectedHandler() {
jwtMiddleware.Handler(CertHandler)
const anonAuth string = "anon"
const sipAuth string = "sip"
var jwtSecret = []byte("somethingverysecret")
func getHandler(ch web.CertHandler) func(w http.ResponseWriter, r *http.Request) {
return ch.CertResponder
}
//func AuthMiddleware(auth string, ch web.CertHandler) func(w http.ResponseWriter, r *http.Request) {
func AuthMiddleware(auth string, ch web.CertHandler) http.Handler {
jwtMiddleware := jwtmiddleware.New(jwtmiddleware.Options{
ValidationKeyGetter: func(token *jwt.Token) (interface{}, error) {
return jwtSecret, nil
},
// When set, the middleware verifies that tokens are signed with the specific signing algorithm
// If the signing method is not constant the ValidationKeyGetter callback can be used to implement additional checks
// Important to avoid security issues described here: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
SigningMethod: jwt.SigningMethodHS256,
})
switch auth {
case anonAuth:
return http.HandlerFunc(ch.CertResponder)
case sipAuth:
return jwtMiddleware.Handler(http.HandlerFunc(ch.CertResponder))
default:
log.Fatal("Unknown auth module: '", auth, "'. Should be one of: ", anonAuth, ", ", sipAuth, ".")
}
return nil
}
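Review bot: The HS256 signing key is a hard-coded package-level literal, `var jwtSecret = []byte("somethingverysecret")`, so anyone with a checkout of this repository holds the key that `jwtMiddleware` trusts on the `sipAuth` path to the certificate handler; the key needs to come from deployment configuration, not source. A minimal change is to make it a parameter — `func AuthMiddleware(auth string, secret []byte, ch web.CertHandler) http.Handler` with the `ValidationKeyGetter` returning `secret` — and have `main` pass a value loaded from its config or environment next to `opts.Auth` (the `main` hunk shows `opts` but not where such a key would be read from, so that part is inferred). The middleware is also built before the `switch`, so the `anonAuth` case constructs a JWT validator it never uses; creating it inside the `sipAuth` case keeps the anonymous path from touching the key at all. Separately, `getHandler` is not referenced anywhere in this section, and the trailing `return nil` is unreachable because `log.Fatal` exits, so either drop `getHandler` or mark the tail with `// unreachable: log.Fatal exits above`.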