|
|
|
|
@ -167,7 +167,7 @@ proc validateJWT*(ctx: ApiAuthContext, jwt: JWT) =
|
|
|
|
|
failAuth(getCurrentExceptionMsg(), getCurrentException())
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
proc extractValidJwt*(ctx: ApiAuthContext, req: Request): JWT =
|
|
|
|
|
proc extractValidJwt*(ctx: ApiAuthContext, req: Request, validateCsrf = true): JWT =
|
|
|
|
|
## Extracts a valid JWT representing the user's authentication and
|
|
|
|
|
## authorization details, if present. If there are no valid credentials an
|
|
|
|
|
## exception is raised.
|
|
|
|
|
@ -191,6 +191,12 @@ proc extractValidJwt*(ctx: ApiAuthContext, req: Request): JWT =
|
|
|
|
|
##
|
|
|
|
|
## In the split-cookie mode we also check that the `csrfToken` claim in the
|
|
|
|
|
## JWT payload matches the CSRF value passed via the `X-CSRF-TOKEN` header.
|
|
|
|
|
## This CSRF check can be disabled by setting `validateCsrf` to `false`.
|
|
|
|
|
## This option is proivded to support occasional use-cases where you want to
|
|
|
|
|
## be able to serve a request using cookie auth when the client can't set
|
|
|
|
|
## custom headers (e.g. a simple link from an <a> tag). Obviously, this is a
|
|
|
|
|
## security risk and should only be used with caution with a full
|
|
|
|
|
## understanding of the risk.
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
if req.headers.contains("Authorization"):
|
|
|
|
|
@ -214,6 +220,7 @@ proc extractValidJwt*(ctx: ApiAuthContext, req: Request): JWT =
|
|
|
|
|
|
|
|
|
|
# Because this is a web session, check that the CSRF is present and
|
|
|
|
|
# matches.
|
|
|
|
|
if validateCsrf:
|
|
|
|
|
if not req.headers.contains("X-CSRF-TOKEN") or
|
|
|
|
|
not result.claims["csrfToken"].isSome:
|
|
|
|
|
failAuth "missing CSRF token"
|
|
|
|
|
|
