jdb/buffoonery
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: jdb:main
Branches Tags
jdb:main
jdb:0.4.7
jdb:0.4.6
jdb:0.4.5
jdb:0.4.4
jdb:0.4.3
jdb:0.4.2
jdb:0.4.1
jdb:0.4.0
jdb:0.3.0
jdb:0.2.3
jdb:0.2.2
jdb:0.2.1
jdb:0.2.0
jdb:0.1.1
jdb:0.1.0
..
compare: jdb:0.2.3
Branches Tags
jdb:main
jdb:0.4.7
jdb:0.4.6
jdb:0.4.5
jdb:0.4.4
jdb:0.4.3
jdb:0.4.2
jdb:0.4.1
jdb:0.4.0
jdb:0.3.0
jdb:0.2.3
jdb:0.2.2
jdb:0.2.1
jdb:0.2.0
jdb:0.1.1
jdb:0.1.0

No commits in common. "main" and "0.2.3" have entirely different histories.
main ... 0.2.3

7 changed files with 143 additions and 288 deletions
Show Stats Expand all files Collapse all files

36
README.md
View File

@ -1,36 +0,0 @@
# Buffoonery: Tools for the [Jester Web Framework][jester]
Buffoonery is primarily an opinionated implementation of JWT-based session
management
a collection of extensions and patterns built around Jester to
facilitate the types of API services I tend to write.
## Building
### JDB Software Packages
Buffoonery depends on a number of packages which are not yet available in he
official Nim repository. The easiest way to get access to these packages is to
add a new `PackageList` to your [nimble configuration] for the [JDB Software Nim
packages repository]. The url is
`https://git.jdb-software.com/jdb/nim-packages/raw/main/packages.json`
[nimble configuration]: https://github.com/nim-lang/nimble#configuration
[JDB Software Nim packages]: https://git.jdb-software.com/jdb/nim-packages
## License
Buffoonery is available under two licenses depending on usage.
For private use, non-commercial use, or use in small enterprise (defined as any
enterprise bringing in less than $1 million in annual gross profit), Buffoonery
is available under the [MIT License][mit-license].
For commercial use in larger enterprises (more than $1 million in annual
gross profit), Buffoonery is available under the [GNU Affero General Public
License v3.0][agpl3]
[jester]: https://github.com/dom96/jester/
[mit-license]: https://mit-license.org/
[agpl3]: https://www.gnu.org/licenses/agpl-3.0.en.html

6
buffoonery.nimble
View File

@ -1,6 +1,6 @@
# Package # Package
version = "0.4.7" version = "0.2.3"
author = "Jonathan Bernard" author = "Jonathan Bernard"
description = "Jonathan's opinionated extensions and auth layer for Jester." description = "Jonathan's opinionated extensions and auth layer for Jester."
license = "MIT" license = "MIT"
@ -12,10 +12,10 @@ srcDir = "src"
requires "nim >= 1.6.2" requires "nim >= 1.6.2"
# from standard nimble repo # from standard nimble repo
requires @["bcrypt", "mummy", "uuids", "webby"] requires @["bcrypt", "jester >= 0.5.0", "uuids"]
# from https://git.jdb-software.com/jdb/nim-packages # from https://git.jdb-software.com/jdb/nim-packages
requires @["jwt_full >= 0.2.0"] requires @["jwt_full >= 0.2.0", "namespaced_logging >= 0.3.0"]
task unittest, "Runs the unit test suite.": task unittest, "Runs the unit test suite.":
exec "nim c -r test/runner" exec "nim c -r test/runner"

5
src/buffoonery.nim
View File

@ -1,2 +1,5 @@
import buffoonery/[apierror, apiutils, auth, jsonutils] import buffoonery/apierror,
buffoonery/apiutils,
buffoonery/auth,
buffoonery/jsonutils
export apierror, apiutils, auth, jsonutils export apierror, apiutils, auth, jsonutils

14
src/buffoonery/apierror.nim
View File

@ -1,20 +1,15 @@
from strutils import isEmptyOrWhitespace from strutils import isEmptyOrWhitespace
from httpcore import HttpCode from httpclient import HttpCode
type ApiError* = object of CatchableError type ApiError* = object of CatchableError
respMsg*: string respMsg*: string
respCode*: HttpCode respCode*: HttpCode
proc newApiError*(parent: ref Exception = nil, respCode: HttpCode, respMsg: string, msg = ""): ref ApiError = proc newApiError*(parent: ref Exception = nil, respCode: HttpCode, respMsg: string, msg = ""): ref ApiError =
result = newException(ApiError, msg, parent) result = newException(ApiError, msg, parent)
result.respCode = respCode result.respCode = respCode
result.respMsg = respMsg result.respMsg = respMsg
if not parent.isNil:
result.trace &= parent.trace
proc raiseApiError*(respCode: HttpCode, respMsg: string, msg = "") = proc raiseApiError*(respCode: HttpCode, respMsg: string, msg = "") =
var apiError = newApiError( var apiError = newApiError(
parent = nil, parent = nil,
@ -24,13 +19,10 @@ proc raiseApiError*(respCode: HttpCode, respMsg: string, msg = "") =
else: msg) else: msg)
raise apiError raise apiError
proc raiseApiError*(parent: ref Exception, respCode: HttpCode, respMsg: string, msg = "") =
proc raiseApiError*(respCode: HttpCode, parent: ref Exception, respMsg: string = "", msg = "") =
var apiError = newApiError( var apiError = newApiError(
parent = parent, parent = parent,
respCode = respCode, respCode = respCode,
respMsg = respMsg = respMsg,
if respMsg.isEmptyOrWhitespace: parent.msg
else: respMsg,
msg = msg) msg = msg)
raise apiError raise apiError

182
src/buffoonery/apiutils.nim
View File

@ -1,123 +1,109 @@
import std/[json, jsonutils, options, sequtils, strtabs, strutils] import std/json, std/logging, std/options, std/strutils, std/sequtils
import mummy, webby import jester, namespaced_logging
import std/httpcore except HttpHeaders
import ./apierror import ./apierror
const CONTENT_TYPE_JSON* = "application/json" const CONTENT_TYPE_JSON* = "application/json"
var logNs {.threadvar.}: LoggingNamespace
template log(): untyped =
if logNs.isNil: logNs = getLoggerForNamespace("buffoonery/apiutils", lvlDebug)
logNs
## Response Utilities ## Response Utilities
## ------------------ template halt*(
code: HttpCode,
headers: RawHeaders,
content: string) =
## Immediately replies with the specified request. This means any further
## code will not be executed after calling this template in the current
## route.
bind TCActionSend, newHttpHeaders
result[0] = CallbackAction.TCActionSend
result[1] = code
result[2] = if isSome(result[2]): some(result[2].get & headers)
else: some(headers)
result[3] = content
result.matched = true
break allRoutes
type template sendJsonResp*(
ApiResponse*[T] = object body: JsonNode,
details*: Option[string] code: HttpCode = Http200,
data*: Option[T] knownOrigins: seq[string],
nextOffset*: Option[int] headersToSend: RawHeaders) =
totalItems*: Option[int] ## Immediately send a JSON response and stop processing the request.
nextLink*: Option[string] let reqOrigin =
prevLink*: Option[string] if headers(request).hasKey("Origin"): $(headers(request)["Origin"])
else: ""
let corsHeaders =
if knownOrigins.contains(reqOrigin):
@{
"Access-Control-Allow-Origin": reqOrigin,
"Access-Control-Allow-Credentials": "true",
"Access-Control-Allow-Methods": $(reqMethod(request)),
"Access-Control-Allow-Headers": "Authorization,X-CSRF-TOKEN"
}
else:
log().debug "Unrecognized Origin '" & reqOrigin & "', excluding CORS headers."
@{:}
func initApiResponse*[T]( halt(
details = none[string](), code,
data: Option[T] = none[T](), cast[RawHeaders](headersToSend) & corsHeaders & @{
"Content-Type": CONTENT_TYPE_JSON,
"Cache-Control": "no-cache"
},
$body
)
proc makeDataBody*(
data: JsonNode,
nextOffset = none[int](), nextOffset = none[int](),
totalItems = none[int](), totalItems = none[int](),
nextLink = none[string](), nextLink = none[string](),
prevLink = none[string]()): ApiResponse[T] = prevLink = none[string]()): JsonNode =
ApiResponse[T](details: details, data: data, nextOffset: nextOffset,
totalItems: totalItems, nextLink: nextLink, prevLink: prevLink)
result = %*{"details":"","data":data}
func `%`*(r: ApiResponse): JsonNode = if nextOffset.isSome: result["nextOffset"] = %nextOffset.get
result = newJObject() if totalItems.isSome: result["totalItems"] = %totalItems.get
if r.details.isSome: result["details"] = %r.details if nextLink.isSome: result["next"] = %nextLink.get
if r.data.isSome: result["data"] = %r.data if prevLink.isSome: result["prev"] = %prevLink.get
if r.nextOffset.isSome: result["nextOffset"] = %r.nextOffset
if r.totalItems.isSome: result["totalItems"] = %r.totalItems
if r.nextLink.isSome: result["nextLink"] = %r.nextLink
if r.prevLink.isSome: result["prevLink"] = %r.prevLink
proc makeStatusBody*(details: string): JsonNode = %*{"details":details}
func `$`*(r: ApiResponse): string = $(%r) template sendErrorResp*(err: ref ApiError, knownOrigins: seq[string]): void =
log().error err.respMsg & ( if err.msg.len > 0: ": " & err.msg else: "")
if not err.parent.isNil: log().error " original exception: " & err.parent.msg
sendJsonResp(makeStatusBody(err.respMsg), err.respCode, knownOrigins, @{:})
## CORS support
template sendOptionsResp*(
allowedMethods: seq[HttpMethod],
knownOrigins: seq[string]) =
proc makeCorsHeaders*( let reqOrigin =
allowedMethods: seq[string], if headers(request).hasKey("Origin"): $(headers(request)["Origin"])
allowedOrigins: seq[string], else: ""
reqOrigin = none[string]()): HttpHeaders =
result = let corsHeaders =
if reqOrigin.isSome and allowedOrigins.contains(reqOrigin.get): if knownOrigins.contains(reqOrigin):
@{ @{
"Access-Control-Allow-Origin": reqOrigin.get, "Access-Control-Allow-Origin": reqOrigin,
"Access-Control-Allow-Credentials": "true", "Access-Control-Allow-Credentials": "true",
"Access-Control-Allow-Methods": allowedMethods.join(", "), "Access-Control-Allow-Methods": allowedMethods.mapIt($it).join(", "),
"Access-Control-Allow-Headers": "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-CSRF-TOKEN" "Access-Control-Allow-Headers": "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-CSRF-TOKEN"
} }
else: else:
if reqOrigin.isSome: log().debug "Unrecognized Origin '" & reqOrigin & "', excluding CORS headers."
@{"X-Invalid-Origin-Details": "Unrecognized origin '" & reqOrigin.get & "'."} log().debug "Valid origins: " & knownOrigins.join(", ")
else: @{:}
@{"X-Invalid-Origin-Details": "Missing Origin."}
halt(
proc makeCorsHeaders*( Http200,
allowedMethods: seq[HttpMethod], corsHeaders,
allowedOrigins: seq[string], ""
reqOrigin = none[string]()): HttpHeaders = )
makeCorsHeaders(allowedMethods.mapIt($it), allowedOrigins, reqOrigin )
func origin*(req: Request): Option[string] =
if req.headers.contains("Origin"): some(req.headers["Origin"])
else: none[string]()
proc respondWithRawJson*(
req: Request,
body: JsonNode,
code = Http200,
allowedOrigins = newSeq[string](),
headersToSend: HttpHeaders = @{:}) =
## Immediately send a JSON response and stop processing the request.
var headers =
headersToSend &
makeCorsHeaders(@[req.httpMethod], allowedOrigins, req.origin) &
@[("Content-Type", CONTENT_TYPE_JSON),
("Cache-Control", "no-cache")]
req.respond(code.ord, headers, $body)
proc respond*[T](
req: Request,
resp: ApiResponse[T],
code = Http200,
allowedOrigins = newSeq[string](),
headersToSend: HttpHeaders = @{:}) =
req.respondWithRawJson(%resp, code, allowedOrigins, headersToSend)
proc respondWithData*[T](
req: Request,
data: T,
code = Http200,
allowedOrigins = newSeq[string](),
headersToSend: HttpHeaders = @{:}) =
req.respond(initApiResponse[T](data = some(data)),
code, allowedOrigins, headersToSend)
proc respondToOptions*(
req: Request,
allowedMethods: seq[HttpMethod],
allowedOrigins: seq[string]) =
req.respond(
Http200.ord,
makeCorsHeaders(allowedMethods, allowedOrigins, req.origin),
"")

177
src/buffoonery/auth.nim
View File

@ -1,20 +1,17 @@
import std/[cookies, json, options, sequtils, strtabs, strutils, tables, times] import std/httpclient, std/json, std/logging, std/options, std/sequtils,
import mummy, uuids, webby std/strutils, std/tables, std/times
import std/httpclient except HttpHeaders import jester, namespaced_logging
import jwt_full, jwt_full/encoding import jwt_full, jwt_full/encoding
import ./[apiutils,jsonutils] import ./jsonutils
const SUPPORTED_SIGNATURE_ALGORITHMS = @[ HS256, RS256 ] const SUPPORTED_SIGNATURE_ALGORITHMS = @[ HS256, RS256 ]
type type
AuthError* = object of CatchableError AuthError* = object of CatchableError
additionalInfo*: Option[TableRef[string, JsonNode]]
ApiAuthContext* = ref object ApiAuthContext* = ref object
appDomain*: string ## Application domain for session cookies
cookiePrefix*: string ## Prefix for the user and session cookies cookiePrefix*: string ## Prefix for the user and session cookies
validAudiences*: seq[string] ## Expected audience values for for `aud` JWT check validAudiences*: seq[string] ## Expected audience values for for `aud` JWT check
issuer*: string ## The JWT issuer for tokens created by this API issuer*: string ## The JWT issuer for tokens created by this API
@ -28,33 +25,20 @@ type
issuerKeys: TableRef[string, JwkSet] issuerKeys: TableRef[string, JwkSet]
var logNs {.threadvar.}: LoggingNamespace
proc failAuth*[T]( template log(): untyped =
reason: string, if logNs.isNil: logNs = getLoggerForNamespace("buffoonery/auth", lvlDebug)
additionalInfo: TableRef[string, T], logNs
parentException: ref Exception = nil) =
## Syntactic sugar to raise an AuthError. Reason will be the exception
## message and should be considered an internal message.
let err = newException(AuthError, reason, parentException)
err.additionalInfo = some(newTable[string, JsonNode]())
for key, val in additionalInfo.pairs:
err.additionalInfo.get[key] = %val
raise err
proc failAuth*(reason: string, parentException: ref Exception = nil) = proc failAuth*(reason: string, parentException: ref Exception = nil) =
## Syntactic sugar to raise an AuthError. Reason will be the exception
## message and should be considered an internal message.
raise newException(AuthError, reason, parentException) raise newException(AuthError, reason, parentException)
proc validateSigningKey(k: JWK): void = proc validateSigningKey(k: JWK): void =
if k.alg.isNone: failAuth "JWK is missing 'alg'" if k.alg.isNone: failAuth "JWK is missing 'alg'"
if k.kid.isNone: failAuth "JWK is missing 'kid'" if k.kid.isNone: failAuth "JWK is missing 'kid'"
proc initApiAuthContext*( proc initApiAuthContext*(
appDomain: string,
cookiePrefix: string, cookiePrefix: string,
validAudiences: seq[string], validAudiences: seq[string],
issuer: string, issuer: string,
@ -65,7 +49,6 @@ proc initApiAuthContext*(
for k in signingKeys: validateSigningKey(k) for k in signingKeys: validateSigningKey(k)
result = ApiAuthContext( result = ApiAuthContext(
appDomain: appDomain,
cookiePrefix: cookiePrefix, cookiePrefix: cookiePrefix,
validAudiences: validAudiences, validAudiences: validAudiences,
issuer: issuer, issuer: issuer,
@ -73,33 +56,27 @@ proc initApiAuthContext*(
signingKid: signingKid, signingKid: signingKid,
issuerKeys: newTable[string, JwkSet]([(issuer, signingKeys)])) issuerKeys: newTable[string, JwkSet]([(issuer, signingKeys)]))
proc fetchJWKs(openIdConfigUrl: string): JwkSet {.gcsafe.} = proc fetchJWKs(openIdConfigUrl: string): JwkSet {.gcsafe.} =
## Fetch signing keys for an OAuth issuer. `openIdConfigUrl` is expected to ## Fetch signing keys for an OAuth issuer. `openIdConfigUrl` is expected to
## be a well-known URL (ISSUER_BASE/.well-known/openid-configuration) ## be a well-known URL (ISSUER_BASE/.well-known/openid-configuration)
var jwksKeysURI: string
try: try:
let http = newHttpClient() let http = newHttpClient()
# Inspect the OAuth metadata via the well-known address. # Inspect the OAuth metadata via the well-known address.
log.debug "fetchJwks: Fetching metadata from " & openIdConfigUrl
let metadata = parseJson(http.getContent(openIdConfigUrl)) let metadata = parseJson(http.getContent(openIdConfigUrl))
# Fetch the keys from the jwk_keys URI. # Fetch the keys from the jwk_keys URI.
jwksKeysURI = metadata.getOrFail("jwks_uri").getStr let jwksKeysURI = metadata.getOrFail("jwks_uri").getStr
debug "fetchJwks: Fetching JWKs from " & jwksKeysURI
let jwksKeys = parseJson(http.getContent(jwksKeysURI)) let jwksKeys = parseJson(http.getContent(jwksKeysURI))
# Parse and load the keys provided. # Parse and load the keys provided.
return initJwkSet(jwksKeys) return initJwkSet(jwksKeys)
except Exception: except:
#failAuth "unable to fetch isser signing keys" log.error "unable to fetch issuer signing keys: " & getCurrentExceptionMsg()
failAuth( failAuth "unable to fetch isser signing keys"
reason = "unable to fetch isser signing keys",
additionalInfo = newTable[string, string]({
"openIdConfigUrl": openIdConfigUrl,
"jwksKeysURI": jwksKeysURI }),
parentException = getCurrentException())
proc addSigningKeys*(ctx: ApiAuthContext, issuer: string, keySet: JwkSet): void = proc addSigningKeys*(ctx: ApiAuthContext, issuer: string, keySet: JwkSet): void =
## Manually add a set of signing keys associated with a given issuer. ## Manually add a set of signing keys associated with a given issuer.
@ -108,9 +85,9 @@ proc addSigningKeys*(ctx: ApiAuthContext, issuer: string, keySet: JwkSet): void
if ctx.issuerKeys.isNil: ctx.issuerKeys = newTable[string, JwkSet]() if ctx.issuerKeys.isNil: ctx.issuerKeys = newTable[string, JwkSet]()
ctx.issuerKeys[issuer] = keySet ctx.issuerKeys[issuer] = keySet
except: except:
log.error "unable to add a set of signing keys: " & getCurrentExceptionMsg()
raise getCurrentException() raise getCurrentException()
proc findSigningKey*(ctx: ApiAuthContext, jwt: JWT, allowFetch = true): JWK {.gcsafe.} = proc findSigningKey*(ctx: ApiAuthContext, jwt: JWT, allowFetch = true): JWK {.gcsafe.} =
## Lookup the signing key for a given JWT. This method assumes that you trust ## Lookup the signing key for a given JWT. This method assumes that you trust
## the issuer named in the JWT. ## the issuer named in the JWT.
@ -121,8 +98,8 @@ proc findSigningKey*(ctx: ApiAuthContext, jwt: JWT, allowFetch = true): JWK {.gc
## [OpenID Connect standard discovery mechanism](https://openid.net/specs/openid-connect-discovery-1_0.html) ## [OpenID Connect standard discovery mechanism](https://openid.net/specs/openid-connect-discovery-1_0.html)
try: try:
if jwt.claims.iss.isNone: failAuth "JWT is missing 'iss' claim." if jwt.claims.iss.isNone: failAuth "Missing 'iss' claim."
if jwt.header.kid.isNone: failAuth "JWT is missing 'kid' header." if jwt.header.kid.isNone: failAuth "Missing 'kid' header."
if ctx.issuerKeys.isNil: ctx.issuerKeys = newTable[string, JwkSet]() if ctx.issuerKeys.isNil: ctx.issuerKeys = newTable[string, JwkSet]()
@ -141,45 +118,33 @@ proc findSigningKey*(ctx: ApiAuthContext, jwt: JWT, allowFetch = true): JWK {.gc
fetchJWKs(jwtIssuer & "/.well-known/openid-configuration") fetchJWKs(jwtIssuer & "/.well-known/openid-configuration")
return ctx.findSigningKey(jwt, false) return ctx.findSigningKey(jwt, false)
failAuth( failAuth "unable to find JWT signing key"
reason = "unable to find JWT signing key",
additionalInfo = newTable[string, string]({
"jwtIssuer": jwtIssuer,
"jwtKid": jwt.header.kid.get}))
except: except:
log.error "unable to find JWT signing key: " & getCurrentExceptionMsg()
failAuth("unable to find JWT signing key", getCurrentException()) failAuth("unable to find JWT signing key", getCurrentException())
proc validateJWT*(ctx: ApiAuthContext, jwt: JWT) = proc validateJWT*(ctx: ApiAuthContext, jwt: JWT) =
## Given a JWT, validate that it is a well-formed JWT, validate the issuer's ## Given a JWT, validate that it is a well-formed JWT, validate the issuer's
## signature on the token, and validate all the claims that it preesnts. ## signature on the token, and validate all the claims that it preesnts.
try: try:
if jwt.claims.iss.isNone: failAuth "JWT is missing 'iss' claim." log.debug "Validating JWT: " & $jwt
if jwt.claims.iss.isNone: failAuth "Missing 'iss' claim."
let jwtIssuer = jwt.claims.iss.get let jwtIssuer = jwt.claims.iss.get
if not ctx.trustedIssuers.contains(jwtIssuer): if not ctx.trustedIssuers.contains(jwtIssuer):
failAuth( failAuth "JWT is issued by $# but we only trust $#" %
reason = "We don't trust the JWT's issuer.", [jwtIssuer, $ctx.trustedIssuers]
additionalInfo = newTable[string, JsonNode]({
"issuer": %jwtIssuer,
"trustedIssuers": %ctx.trustedIssuers}))
if jwt.header.alg.isNone: failAuth "JWT is missing 'alg' header property." if jwt.header.alg.isNone: failAuth "Missing 'alg' header property."
if jwt.claims.aud.isNone: failAuth "JWT is missing 'aud' claim."
if jwt.claims.iss.isNone: failAuth "JWT is missing 'iss' claim."
if jwt.claims.sub.isNone: failAuth "JWT is missing 'sub' claim."
if jwt.claims.exp.isNone: failAuth "JWT is missing or invalid 'exp' claim."
if jwt.claims["aud"].get.kind == JString: if jwt.claims.aud.isNone: failAuth "Missing 'aud' claim."
# If the token is for a single audience, check that it is for us.
if not ctx.validAudiences.contains(jwt.claims.aud.get): if not ctx.validAudiences.contains(jwt.claims.aud.get):
failAuth "JWT is not for us (invalid audience)." log.debug(
elif jwt.claims["aud"].get.kind == JArray: "Valid audiences: $#\ttoken audience: $#" %
# If the token is for multiple audiences, check that at least one is for us. [$ctx.validAudiences, jwt.claims.aud.get])
let auds = jwt.claims["aud"].get.getElems failAuth "JWT is not for us (invalid audience)."
if not auds.anyIt(ctx.validAudiences.contains(it.getStr)):
failAuth "JWT is not for us (invalid audience)."
let signingAlgorithm = jwt.header.alg.get let signingAlgorithm = jwt.header.alg.get
@ -194,8 +159,7 @@ proc validateJWT*(ctx: ApiAuthContext, jwt: JWT) =
except: except:
failAuth(getCurrentExceptionMsg(), getCurrentException()) failAuth(getCurrentExceptionMsg(), getCurrentException())
proc extractValidJwt*(ctx: ApiAuthContext, req: Request): JWT =
proc extractValidJwt*(ctx: ApiAuthContext, req: Request, validateCsrf = true): JWT =
## Extracts a valid JWT representing the user's authentication and ## Extracts a valid JWT representing the user's authentication and
## authorization details, if present. If there are no valid credentials an ## authorization details, if present. If there are no valid credentials an
## exception is raised. ## exception is raised.
@ -209,7 +173,7 @@ proc extractValidJwt*(ctx: ApiAuthContext, req: Request, validateCsrf = true): J
## - Split JWT via two cookies: ## - Split JWT via two cookies:
## ##
## - `${cookiePrefix}-user`: Contains the JWT header and payload, but not the ## - `${cookiePrefix}-user`: Contains the JWT header and payload, but not the
## signature. This cookie should be set Secure. The JWT payload should ## signature. This cookie should be set Secure. The JWT payload should
## have a defined expiration date (matching the Max-Age of the cookie) ## have a defined expiration date (matching the Max-Age of the cookie)
## and a CSRF token. This cookie is accessible by the web application. ## and a CSRF token. This cookie is accessible by the web application.
## ##
@ -219,86 +183,39 @@ proc extractValidJwt*(ctx: ApiAuthContext, req: Request, validateCsrf = true): J
## ##
## In the split-cookie mode we also check that the `csrfToken` claim in the ## In the split-cookie mode we also check that the `csrfToken` claim in the
## JWT payload matches the CSRF value passed via the `X-CSRF-TOKEN` header. ## JWT payload matches the CSRF value passed via the `X-CSRF-TOKEN` header.
## This CSRF check can be disabled by setting `validateCsrf` to `false`.
## This option is proivded to support occasional use-cases where you want to
## be able to serve a request using cookie auth when the client can't set
## custom headers (e.g. a simple link from an <a> tag). Obviously, this is a
## security risk and should only be used with caution with a full
## understanding of the risk.
try: try:
if req.headers.contains("Authorization"): if headers(req).hasKey("Authorization"):
# Using a Bearer token. # Using a Bearer token.
result = toJWT(req.headers["Authorization"][7..^1]) result = toJWT(headers(req)["Authorization"][7..^1])
elif req.headers.contains("Cookie"): else:
# Using a user/session cookie pair # Using a user/session cookie pair
let userCookieName = ctx.cookiePrefix & "-user" let userCookieName = ctx.cookiePrefix & "-user"
let sessionCookieName = ctx.cookiePrefix & "-session" let sessionCookieName = ctx.cookiePrefix & "-session"
let cookies = parseCookies(req.headers["Cookie"]) if not cookies(req).hasKey(userCookieName):
if not cookies.contains(userCookieName):
failAuth "missing cookie '$#'" % userCookieName failAuth "missing cookie '$#'" % userCookieName
if not cookies.contains(sessionCookieName): if not cookies(req).hasKey(sessionCookieName):
failAuth "missing cookie '$#'" % sessionCookieName failAuth "missing cookie '$#'" % sessionCookieName
let userVal = cookies[userCookieName] let userVal = cookies(req)[userCookieName]
let sessionVal = cookies[sessionCookieName] let sessionVal = cookies(req)[sessionCookieName]
result = toJWT(userVal & "." & sessionVal) result = toJWT(userVal & "." & sessionVal)
# Because this is a web session, check that the CSRF is present and # Because this is a web session, check that the CSRF is present and
# matches. # matches.
if validateCsrf: if not headers(req).hasKey("X-CSRF-TOKEN") or
if not req.headers.contains("X-CSRF-TOKEN") or not result.claims["csrfToken"].isSome:
not result.claims["csrfToken"].isSome: failAuth "missing CSRF token"
failAuth "missing CSRF token"
if req.headers["X-CSRF-TOKEN"] != result.claims["csrfToken"].get.getStr(""): if headers(req)["X-CSRF-TOKEN"] != result.claims["csrfToken"].get.getStr(""):
failAuth( failAuth "invalid CSRF token"
reason = "invalid CSRF token",
additionalInfo = newTable[string, string]({
"header": req.headers["X-CSRF-TOKEN"],
"jwt": result.claims["csrfToken"].get.getStr("")}))
else: failAuth "no auth token, no Authorization or Cookie headers" ctx.validateJwt(result)
ctx.validateJWT(result)
except: except:
failAuth(getCurrentExceptionMsg(), getCurrentException()) failAuth(getCurrentExceptionMsg(), getCurrentException())
proc createSessionCookies*(ctx: ApiAuthContext, jwt: JWT): HttpHeaders =
# Split the token to get the user and session cookie values.
let strToken = $jwt
let splitToken = strToken.rsplit('.', 1)
# User cookie (accessible by the application)
let userCookie = setCookie(
key = ctx.cookiePrefix & "-user",
value = splitToken[0],
domain = ctx.appDomain,
expires = jwt.claims.exp.get.utc,
httpOnly = false,
path = "/",
sameSite = SameSite.Strict,
secure = true)
# Session cookie (used by the API)
let sessionCookie = setCookie(
key = ctx.cookiePrefix & "-session",
value = splitToken[1],
domain = ctx.appDomain,
httpOnly = true,
path = "/",
sameSite = SameSite.Strict,
secure = true)
for c in [userCookie, sessionCookie]:
let parts = c.split(": ")
result &= [(parts[0], parts[1])]
proc createSignedJWT*(ctx: ApiAuthContext, claims: JsonNode, kid: string): JWT = proc createSignedJWT*(ctx: ApiAuthContext, claims: JsonNode, kid: string): JWT =
## Given a set of claims, create a JWT using the given key for our issuer ## Given a set of claims, create a JWT using the given key for our issuer
## (as defined in the ApiAuthContext). This is an opinionated method that ## (as defined in the ApiAuthContext). This is an opinionated method that
@ -320,12 +237,10 @@ proc createSignedJWT*(ctx: ApiAuthContext, claims: JsonNode, kid: string): JWT =
initJwtClaims(claims), initJwtClaims(claims),
sigKey) sigKey)
proc newApiAccessToken*(ctx: ApiAuthContext, sub: string, duration = 1.hours): JWT = proc newApiAccessToken*(ctx: ApiAuthContext, sub: string, duration = 1.hours): JWT =
## Create a new JWT for API access. ## Create a new JWT for API access.
result = ctx.createSignedJWT( result = ctx.createSignedJWT(
%*{ %*{
"sid": $genUUID(),
"sub": sub, "sub": sub,
"iss": ctx.issuer, "iss": ctx.issuer,
"iat": now().utc.toTime.toUnix.int, "iat": now().utc.toTime.toUnix.int,

11
src/buffoonery/jsonutils.nim
View File

@ -3,26 +3,21 @@ import json, times, timeutils, uuids
const MONTH_FORMAT* = "YYYY-MM" const MONTH_FORMAT* = "YYYY-MM"
proc getOrFail*(n: JsonNode, key: string): JsonNode =
func getOrFail*(n: JsonNode, key: string): JsonNode =
## convenience method to get a key from a JObject or raise an exception ## convenience method to get a key from a JObject or raise an exception
if not n.hasKey(key): if not n.hasKey(key):
raise newException(ValueError, "missing key '" & key & "'") raise newException(ValueError, "missing key '" & key & "'")
return n[key] return n[key]
proc parseUUID*(n: JsonNode, key: string): UUID =
func parseUUID*(n: JsonNode, key: string): UUID =
return parseUUID(n.getOrFail(key).getStr) return parseUUID(n.getOrFail(key).getStr)
proc parseIso8601*(n: JsonNode, key: string): DateTime = proc parseIso8601*(n: JsonNode, key: string): DateTime =
return parseIso8601(n.getOrFail(key).getStr) return parseIso8601(n.getOrFail(key).getStr)
proc parseMonth*(n: JsonNode, key: string): DateTime = proc parseMonth*(n: JsonNode, key: string): DateTime =
return parse(n.getOrFail(key).getStr, MONTH_FORMAT) return parse(n.getOrFail(key).getStr, MONTH_FORMAT)
proc formatMonth*(dt: DateTime): string =
func formatMonth*(dt: DateTime): string =
return dt.format(MONTH_FORMAT) return dt.format(MONTH_FORMAT)