Allow bypassing of CSRF valdiation when needed.

buffoonery.nimble

@@ -1,6 +1,6 @@
 # Package
 
-version       = "0.4.0"
+version       = "0.4.6"
 author        = "Jonathan Bernard"
 description   = "Jonathan's opinionated extensions and auth layer for Jester."
 license       = "MIT"
@@ -15,7 +15,7 @@ requires "nim >= 1.6.2"
 requires @["bcrypt", "mummy", "uuids", "webby"]
 
 # from https://git.jdb-software.com/jdb/nim-packages
-requires @["jwt_full >= 0.2.0", "namespaced_logging >= 0.3.0"]
+requires @["jwt_full >= 0.2.0"]
 
 task unittest, "Runs the unit test suite.":
   exec "nim c -r test/runner"

src/buffoonery/apierror.nim

@@ -11,6 +11,9 @@ proc newApiError*(parent: ref Exception = nil, respCode: HttpCode, respMsg: stri
   result.respCode = respCode
   result.respMsg = respMsg
 
+  if not parent.isNil:
+    result.trace &= parent.trace
+
 
 proc raiseApiError*(respCode: HttpCode, respMsg: string, msg = "") =
   var apiError = newApiError(
@@ -22,7 +25,7 @@ proc raiseApiError*(respCode: HttpCode, respMsg: string, msg = "") =
   raise apiError
 
 
-proc raiseApiError*(parent: ref Exception, respCode: HttpCode, respMsg: string = "", msg = "") =
+proc raiseApiError*(respCode: HttpCode, parent: ref Exception, respMsg: string = "", msg = "") =
   var apiError = newApiError(
     parent = parent,
     respCode = respCode,

src/buffoonery/apiutils.nim

@@ -1,5 +1,5 @@
-import std/[json, jsonutils, logging, options, sequtils, strtabs, strutils]
-import mummy, namespaced_logging, webby
+import std/[json, jsonutils, options, sequtils, strtabs, strutils]
+import mummy, webby
 
 import std/httpcore except HttpHeaders
 
@@ -7,12 +7,6 @@ import ./apierror
 
 const CONTENT_TYPE_JSON* = "application/json"
 
-var logNs {.threadvar.}: LoggingNamespace
-
-template log(): untyped =
-  if logNs.isNil: logNs = getLoggerForNamespace("buffoonery/apiutils", lvlDebug)
-  logNs
-
 ## Response Utilities
 ## ------------------
 
@@ -65,11 +59,9 @@ proc makeCorsHeaders*(
       }
     else:
       if reqOrigin.isSome:
-        log().debug "Unrecognized Origin '" & reqOrigin.get & "', excluding CORS headers."
+        @{"X-Invalid-Origin-Details": "Unrecognized origin '" & reqOrigin.get & "'."}
       else:
-        log().debug "No Origin supplied, excluding CORS headers."
-      log().debug "Valid origins: " & allowedOrigins.join(", ")
-      @{:}
+        @{"X-Invalid-Origin-Details": "Missing Origin."}
 
 
 proc makeCorsHeaders*(

src/buffoonery/auth.nim

@@ -1,6 +1,5 @@
-import std/[cookies, json, logging, options, sequtils, strtabs,
-            strutils, tables, times]
-import mummy, namespaced_logging, uuids, webby
+import std/[cookies, json, options, sequtils, strtabs, strutils, tables, times]
+import mummy, uuids, webby
 import std/httpclient except HttpHeaders
 
 import jwt_full, jwt_full/encoding
@@ -28,12 +27,6 @@ type
 
     issuerKeys: TableRef[string, JwkSet]
 
-var logNs {.threadvar.}: LoggingNamespace
-
-template log(): untyped =
-  if logNs.isNil: logNs = getLoggerForNamespace("buffoonery/auth", lvlDebug)
-  logNs
-
 
 proc failAuth*(reason: string, parentException: ref Exception = nil) =
   ## Syntactic sugar to raise an AuthError. Reason will be the exception
@@ -74,20 +67,17 @@ proc fetchJWKs(openIdConfigUrl: string): JwkSet {.gcsafe.} =
     let http = newHttpClient()
 
     # Inspect the OAuth metadata via the well-known address.
-    log().debug "fetchJwks: Fetching metadata from " & openIdConfigUrl
     let metadata = parseJson(http.getContent(openIdConfigUrl))
 
     # Fetch the keys from the jwk_keys URI.
     let jwksKeysURI = metadata.getOrFail("jwks_uri").getStr
-    debug "fetchJwks: Fetching JWKs from " & jwksKeysURI
     let jwksKeys = parseJson(http.getContent(jwksKeysURI))
 
     # Parse and load the keys provided.
     return initJwkSet(jwksKeys)
 
   except:
-    log().error "unable to fetch issuer signing keys: " & getCurrentExceptionMsg()
-    failAuth "unable to fetch isser signing keys"
+    failAuth("unable to fetch isser signing keys", getCurrentException())
 
 
 proc addSigningKeys*(ctx: ApiAuthContext, issuer: string, keySet: JwkSet): void =
@@ -97,7 +87,6 @@ proc addSigningKeys*(ctx: ApiAuthContext, issuer: string, keySet: JwkSet): void
     if ctx.issuerKeys.isNil: ctx.issuerKeys = newTable[string, JwkSet]()
     ctx.issuerKeys[issuer] = keySet
   except:
-    log().error "unable to add a set of signing keys: " & getCurrentExceptionMsg()
     raise getCurrentException()
 
 
@@ -134,7 +123,6 @@ proc findSigningKey*(ctx: ApiAuthContext, jwt: JWT, allowFetch = true): JWK {.gc
     failAuth "unable to find JWT signing key"
 
   except:
-    log().error "unable to find JWT signing key: " & getCurrentExceptionMsg()
     failAuth("unable to find JWT signing key", getCurrentException())
 
 
@@ -142,7 +130,6 @@ proc validateJWT*(ctx: ApiAuthContext, jwt: JWT) =
   ## Given a JWT, validate that it is a well-formed JWT, validate the issuer's
   ## signature on the token, and validate all the claims that it preesnts.
   try:
-    log().debug "Validating JWT: " & $jwt
     if jwt.claims.iss.isNone: failAuth "Missing 'iss' claim."
     let jwtIssuer = jwt.claims.iss.get
 
@@ -156,11 +143,15 @@ proc validateJWT*(ctx: ApiAuthContext, jwt: JWT) =
     if jwt.claims.sub.isNone: failAuth "Missing 'sub' claim."
     if jwt.claims.exp.isNone: failAuth "Missing or invalid 'exp' claim."
 
-    if not ctx.validAudiences.contains(jwt.claims.aud.get):
-      log().debug(
-        "Valid audiences: $#\ttoken audience: $#" %
-        [$ctx.validAudiences, jwt.claims.aud.get])
-      failAuth "JWT is not for us (invalid audience)."
+    if jwt.claims["aud"].get.kind == JString:
+      # If the token is for a single audience, check that it is for us.
+      if not ctx.validAudiences.contains(jwt.claims.aud.get):
+        failAuth "JWT is not for us (invalid audience)."
+    elif jwt.claims["aud"].get.kind == JArray:
+      # If the token is for multiple audiences, check that at least one is for us.
+      let auds = jwt.claims["aud"].get.getElems
+      if not auds.anyIt(ctx.validAudiences.contains(it.getStr)):
+        failAuth "JWT is not for us (invalid audience)."
 
     let signingAlgorithm = jwt.header.alg.get
 
@@ -176,7 +167,7 @@ proc validateJWT*(ctx: ApiAuthContext, jwt: JWT) =
     failAuth(getCurrentExceptionMsg(), getCurrentException())
 
 
-proc extractValidJwt*(ctx: ApiAuthContext, req: Request): JWT =
+proc extractValidJwt*(ctx: ApiAuthContext, req: Request, validateCsrf = true): JWT =
   ## Extracts a valid JWT representing the user's authentication and
   ## authorization details, if present. If there are no valid credentials an
   ## exception is raised.
@@ -200,6 +191,12 @@ proc extractValidJwt*(ctx: ApiAuthContext, req: Request): JWT =
   ##
   ##   In the split-cookie mode we also check that the `csrfToken` claim in the
   ##   JWT payload matches the CSRF value passed via the `X-CSRF-TOKEN` header.
+  ##   This CSRF check can be disabled by setting `validateCsrf` to `false`.
+  ##   This option is proivded to support occasional use-cases where you want to
+  ##   be able to serve a request using cookie auth when the client can't set
+  ##   custom headers (e.g. a simple link from an <a> tag). Obviously, this is a
+  ##   security risk and should only be used with caution with a full
+  ##   understanding of the risk.
 
   try:
     if req.headers.contains("Authorization"):
@@ -223,12 +220,13 @@ proc extractValidJwt*(ctx: ApiAuthContext, req: Request): JWT =
 
       # Because this is a web session, check that the CSRF is present and
       # matches.
-      if not req.headers.contains("X-CSRF-TOKEN") or
-         not result.claims["csrfToken"].isSome:
-        failAuth "missing CSRF token"
+      if validateCsrf:
+        if not req.headers.contains("X-CSRF-TOKEN") or
+           not result.claims["csrfToken"].isSome:
+          failAuth "missing CSRF token"
 
-      if req.headers["X-CSRF-TOKEN"] != result.claims["csrfToken"].get.getStr(""):
-        failAuth "invalid CSRF token"
+        if req.headers["X-CSRF-TOKEN"] != result.claims["csrfToken"].get.getStr(""):
+          failAuth "invalid CSRF token"
 
     else: failAuth "no auth token, no Authorization or Cookie headers"