Allow bypassing of CSRF valdiation when needed.

Bugfix: guard NPE in ApiError creation.
ApiError appends parent stacktrace to its own.
2025-02-04 17:54:07 -06:00 · 2025-01-30 07:23:50 -06:00 · 2025-01-20 06:40:38 -06:00 · 2025-01-10 21:01:36 -06:00
3 changed files with 26 additions and 9 deletions
--- a/buffoonery.nimble
+++ b/buffoonery.nimble
@ -1,6 +1,6 @@
 # Package

-version       = "0.4.2"
+version       = "0.4.6"
 author        = "Jonathan Bernard"
 description   = "Jonathan's opinionated extensions and auth layer for Jester."
 license       = "MIT"
--- a/src/buffoonery/apierror.nim
+++ b/src/buffoonery/apierror.nim
@ -11,6 +11,9 @@ proc newApiError*(parent: ref Exception = nil, respCode: HttpCode, respMsg: stri
  result.respCode = respCode
  result.respMsg = respMsg

+  if not parent.isNil:
+    result.trace &= parent.trace
+

 proc raiseApiError*(respCode: HttpCode, respMsg: string, msg = "") =
  var apiError = newApiError(
--- a/src/buffoonery/auth.nim
+++ b/src/buffoonery/auth.nim
@ -143,8 +143,15 @@ proc validateJWT*(ctx: ApiAuthContext, jwt: JWT) =
    if jwt.claims.sub.isNone: failAuth "Missing 'sub' claim."
    if jwt.claims.exp.isNone: failAuth "Missing or invalid 'exp' claim."

+    if jwt.claims["aud"].get.kind == JString:
+      # If the token is for a single audience, check that it is for us.
      if not ctx.validAudiences.contains(jwt.claims.aud.get):
        failAuth "JWT is not for us (invalid audience)."
+    elif jwt.claims["aud"].get.kind == JArray:
+      # If the token is for multiple audiences, check that at least one is for us.
+      let auds = jwt.claims["aud"].get.getElems
+      if not auds.anyIt(ctx.validAudiences.contains(it.getStr)):
+        failAuth "JWT is not for us (invalid audience)."

    let signingAlgorithm = jwt.header.alg.get

@ -160,7 +167,7 @@ proc validateJWT*(ctx: ApiAuthContext, jwt: JWT) =
    failAuth(getCurrentExceptionMsg(), getCurrentException())


-proc extractValidJwt*(ctx: ApiAuthContext, req: Request): JWT =
+proc extractValidJwt*(ctx: ApiAuthContext, req: Request, validateCsrf = true): JWT =
  ## Extracts a valid JWT representing the user's authentication and
  ## authorization details, if present. If there are no valid credentials an
  ## exception is raised.
@ -184,6 +191,12 @@ proc extractValidJwt*(ctx: ApiAuthContext, req: Request): JWT =
  ##
  ##   In the split-cookie mode we also check that the `csrfToken` claim in the
  ##   JWT payload matches the CSRF value passed via the `X-CSRF-TOKEN` header.
+  ##   This CSRF check can be disabled by setting `validateCsrf` to `false`.
+  ##   This option is proivded to support occasional use-cases where you want to
+  ##   be able to serve a request using cookie auth when the client can't set
+  ##   custom headers (e.g. a simple link from an <a> tag). Obviously, this is a
+  ##   security risk and should only be used with caution with a full
+  ##   understanding of the risk.

  try:
    if req.headers.contains("Authorization"):
@ -207,6 +220,7 @@ proc extractValidJwt*(ctx: ApiAuthContext, req: Request): JWT =

      # Because this is a web session, check that the CSRF is present and
      # matches.
+      if validateCsrf:
        if not req.headers.contains("X-CSRF-TOKEN") or
           not result.claims["csrfToken"].isSome:
          failAuth "missing CSRF token"
Author	SHA1	Message	Date
Jonathan Bernard	7bc77ac7d7	Allow bypassing of CSRF valdiation when needed.	2025-02-04 17:54:07 -06:00
Jonathan Bernard	e4c7524d3d	Bugfix: guard NPE in ApiError creation.	2025-01-30 07:23:50 -06:00
Jonathan Bernard	c75c973350	ApiError appends parent stacktrace to its own.	2025-01-20 06:40:38 -06:00
Jonathan Bernard	3c3edacd7c	Support cases where the aud token is a list of valid audiences.	2025-01-10 21:01:36 -06:00