From 63a7ca1af07a546cca6f2d98cf1bd28bbcb19697 Mon Sep 17 00:00:00 2001
From: Bala FA
Date: Wed, 5 Oct 2016 10:18:55 -0700
Subject: [PATCH] web: fix jwt token expiry set to one day by default. (#2819)

Fixes #2818
---
 cmd/auth-rpc-client.go | 2 +-
 cmd/controller-handlers.go | 2 +-
 cmd/lock-rpc-server.go | 2 +-
 cmd/signature-jwt.go | 12 ++++++++----
 cmd/signature-jwt_test.go | 6 +++---
 cmd/storage-rpc-server.go | 2 +-
 cmd/web-handlers.go | 13 ++++--------
 7 files changed, 19 insertions(+), 20 deletions(-)

diff --git a/cmd/auth-rpc-client.go b/cmd/auth-rpc-client.go
index dbaaaee3e..cb956d701 100644
--- a/cmd/auth-rpc-client.go
+++ b/cmd/auth-rpc-client.go
@@ -59,7 +59,7 @@ type RPCLoginReply struct {
 
 // Validates if incoming token is valid.
 func isRPCTokenValid(tokenStr string) bool {
- jwt, err := newJWT(defaultTokenExpiry) // Expiry set to 100yrs.
+ jwt, err := newJWT(defaultInterNodeJWTExpiry)
 if err != nil {
 errorIf(err, "Unable to initialize JWT")
 return false
diff --git a/cmd/controller-handlers.go b/cmd/controller-handlers.go
index b20c1f2d5..75d819192 100644
--- a/cmd/controller-handlers.go
+++ b/cmd/controller-handlers.go
@@ -28,7 +28,7 @@ var errServerVersionMismatch = errors.New("Server versions do not match.")
 
 // Login - login handler.
 func (c *controllerAPIHandlers) LoginHandler(args *RPCLoginArgs, reply *RPCLoginReply) error {
- jwt, err := newJWT(defaultTokenExpiry)
+ jwt, err := newJWT(defaultInterNodeJWTExpiry)
 if err != nil {
 return err
 }
diff --git a/cmd/lock-rpc-server.go b/cmd/lock-rpc-server.go
index 837bc41ea..ea40429e3 100644
--- a/cmd/lock-rpc-server.go
+++ b/cmd/lock-rpc-server.go
@@ -141,7 +141,7 @@ func registerStorageLockers(mux *router.Router, lockServers []*lockServer) {
 
 // LoginHandler - handles LoginHandler RPC call.
 func (l *lockServer) LoginHandler(args *RPCLoginArgs, reply *RPCLoginReply) error {
- jwt, err := newJWT(defaultTokenExpiry)
+ jwt, err := newJWT(defaultInterNodeJWTExpiry)
 if err != nil {
 return err
 }
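Review bot: The expiry handed to newJWT at the top of isRPCTokenValid does not appear to take part in validation: the hunk only uses the object to check an incoming token, and what bounds acceptance is the `exp` claim already inside that token, fixed at generation time. Passing `defaultInterNodeJWTExpiry` here therefore reads as if it tightened or loosened the check, and the dropped `// Expiry set to 100yrs.` comment was the only hint it did not. If Authenticate (outside this hunk) really ignores the field, say so where the value is chosen, e.g. `// expiry is irrelevant when verifying; only the credential is used here.`, or give the verifying call sites a constructor that does not take an expiry at all. The body of isRPCTokenValid continues past the hunk.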
diff --git a/cmd/signature-jwt.go b/cmd/signature-jwt.go
index bcf99fc31..28da1d701 100644
--- a/cmd/signature-jwt.go
+++ b/cmd/signature-jwt.go
@@ -30,11 +30,15 @@ const jwtAlgorithm = "Bearer"
 // JWT - jwt auth backend
 type JWT struct {
 credential
+ expiry time.Duration
 }
 
-// Default each token expires in 100yrs.
 const (
- defaultTokenExpiry time.Duration = time.Hour * 876000 // 100yrs.
+ // Default JWT token for web handlers is one day.
+ defaultJWTExpiry time.Duration = time.Hour * 24
+
+ // Inter-node JWT token expiry is 100 years.
+ defaultInterNodeJWTExpiry time.Duration = time.Hour * 24 * 365 * 100
 )
 
 // newJWT - returns new JWT object.
@@ -52,7 +56,7 @@ func newJWT(expiry time.Duration) (*JWT, error) {
 return nil, errors.New("Invalid secret key")
 }
 
- return &JWT{cred}, nil
+ return &JWT{cred, expiry}, nil
 }
 
 // GenerateToken - generates a new Json Web Token based on the incoming access key.
@@ -67,7 +71,7 @@ func (jwt *JWT) GenerateToken(accessKey string) (string, error) {
 tUTCNow := time.Now().UTC()
 token := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims{
 // Token expires in 10hrs.
- "exp": tUTCNow.Add(defaultTokenExpiry).Unix(),
+ "exp": tUTCNow.Add(jwt.expiry).Unix(),
 "iat": tUTCNow.Unix(),
 "sub": accessKey,
 })
diff --git a/cmd/signature-jwt_test.go b/cmd/signature-jwt_test.go
index 0405f7435..0300ef389 100644
--- a/cmd/signature-jwt_test.go
+++ b/cmd/signature-jwt_test.go
@@ -108,7 +108,7 @@ func TestNewJWT(t *testing.T) {
 serverConfig.SetCredential(*testCase.cred)
 }
 
- _, err := newJWT(defaultWebTokenExpiry)
+ _, err := newJWT(defaultJWTExpiry)
 
 if testCase.expectedErr != nil {
 if err == nil {
@@ -132,7 +132,7 @@ func TestGenerateToken(t *testing.T) {
 }
 defer removeAll(testPath)
 
- jwt, err := newJWT(defaultWebTokenExpiry)
+ jwt, err := newJWT(defaultJWTExpiry)
 if err != nil {
 t.Fatalf("unable get new JWT, %s", err)
 }
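Review bot: `defaultInterNodeJWTExpiry` keeps inter-node tokens valid for 100 years, which in practice means they never expire and the only thing that can invalidate one is rotating the credential it was signed with; the doc comment should state that consequence rather than just repeat the number, e.g. `// Inter-node JWT token expiry is 100 years, i.e. effectively non-expiring; only a credential change invalidates such a token.` The new `expiry` field on JWT is also undocumented, and since it is the value GenerateToken now feeds into `exp`, a one-liner such as `// expiry bounds the "exp" claim of every token this JWT generates.` would tell a reader what changing it does. Neither comment changes behaviour.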
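Review bot: newJWT now accepts an `expiry` it never checks, so a zero or negative duration is silently stored and every token the object generates is already expired at issue time; the credential gets a validity check two lines above, the expiry should get one too, e.g. `if expiry <= 0 { return nil, errors.New("Invalid token expiry") }` placed beside the secret-key guard. The new literal `&JWT{cred, expiry}` would also be safer keyed, `return &JWT{credential: cred, expiry: expiry}, nil`, so a later reordering of the struct's fields cannot silently swap the two values. The start of newJWT lies outside the hunk.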
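Review bot: The comment `// Token expires in 10hrs.` above the `exp` claim was already wrong before the change and is now doubly misleading, because the lifetime is whatever the caller passed to newJWT (one day for the browser, 100 years between nodes). Replace it with `// "exp" is bounded by jwt.expiry, chosen by the caller of newJWT.` so the claim's provenance is clear at the point it is written. GenerateToken's body continues past the hunk.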
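Review bot: The test changes only rename the constant; nothing asserts the behaviour #2818 is about, namely that a token built from `defaultJWTExpiry` now carries an `exp` exactly one day after `iat`, so a regression back to a multi-year browser token would pass this suite unchanged. After the GenerateToken call in TestGenerateToken, parse the returned string back into its claims (the jwtgo parser is already a dependency of the package) and check `if claims["exp"].(float64)-claims["iat"].(float64) != defaultJWTExpiry.Seconds() { t.Fatalf("unexpected token lifetime") }`; if Authenticate enforces `exp`, a second case with a small expiry and a token whose `exp` has passed would pin rejection as well. TestGenerateToken's body continues outside the hunk.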
@@ -179,7 +179,7 @@ func TestAuthenticate(t *testing.T) {
 }
 defer removeAll(testPath)
 
- jwt, err := newJWT(defaultWebTokenExpiry)
+ jwt, err := newJWT(defaultJWTExpiry)
 if err != nil {
 t.Fatalf("unable get new JWT, %s", err)
 }
diff --git a/cmd/storage-rpc-server.go b/cmd/storage-rpc-server.go
index 6f347c2c0..99cc55a5a 100644
--- a/cmd/storage-rpc-server.go
+++ b/cmd/storage-rpc-server.go
@@ -40,7 +40,7 @@ type storageServer struct {
 
 // Login - login handler.
 func (s *storageServer) LoginHandler(args *RPCLoginArgs, reply *RPCLoginReply) error {
- jwt, err := newJWT(defaultTokenExpiry)
+ jwt, err := newJWT(defaultInterNodeJWTExpiry)
 if err != nil {
 return err
 }
diff --git a/cmd/web-handlers.go b/cmd/web-handlers.go
index 976c171be..afd458a48 100644
--- a/cmd/web-handlers.go
+++ b/cmd/web-handlers.go
@@ -42,7 +42,7 @@ import (
 // isJWTReqAuthenticated validates if any incoming request to be a
 // valid JWT authenticated request.
 func isJWTReqAuthenticated(req *http.Request) bool {
- jwt, err := newJWT(defaultWebTokenExpiry)
+ jwt, err := newJWT(defaultJWTExpiry)
 if err != nil {
 errorIf(err, "unable to initialize a new JWT")
 return false
@@ -290,14 +290,9 @@ type LoginRep struct {
 UIVersion string `json:"uiVersion"`
 }
 
-// Default JWT for minio browser expires in 24hrs.
-const (
- defaultWebTokenExpiry time.Duration = time.Hour * 24 // 24Hrs.
-)
-
 // Login - user login handler.
 func (web *webAPIHandlers) Login(r *http.Request, args *LoginArgs, reply *LoginRep) error {
- jwt, err := newJWT(defaultWebTokenExpiry)
+ jwt, err := newJWT(defaultJWTExpiry)
 if err != nil {
 return &json2.Error{Message: err.Error()}
 }
@@ -362,7 +357,7 @@ func (web *webAPIHandlers) SetAuth(r *http.Request, args *SetAuthArgs, reply *Se
 return &json2.Error{Message: err.Error()}
 }
 
- jwt, err := newJWT(defaultJWTExpiry) // JWT Expiry set to 24Hrs.
+ jwt, err := newJWT(defaultJWTExpiry) // JWT Expiry set to 24Hrs.
 if err != nil {
 return &json2.Error{Message: err.Error()}
 }
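Review bot: The trailing comment `// JWT Expiry set to 24Hrs.` kept on the new line in SetAuth restates the value of a constant that now lives in signature-jwt.go, and it will be wrong the moment defaultJWTExpiry changes without anyone touching this file; the identifier already carries the meaning, so the line should simply be `jwt, err := newJWT(defaultJWTExpiry)`. SetAuth starts outside the hunk.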
@@ -447,7 +442,7 @@ func (web *webAPIHandlers) Download(w http.ResponseWriter, r *http.Request) {
 object := vars["object"]
 tokenStr := r.URL.Query().Get("token")
 
- jwt, err := newJWT(defaultWebTokenExpiry) // Expiry set to 24Hrs.
+ jwt, err := newJWT(defaultJWTExpiry) // Expiry set to 24Hrs.
 if err != nil {
 errorIf(err, "error in getting new JWT")
 return
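Review bot: The same stale `// Expiry set to 24Hrs.` comment survives on the new line in Download and should go, leaving `jwt, err := newJWT(defaultJWTExpiry)`. More relevant to this handler, the token it goes on to verify arrives as `?token=` in the query string (the `tokenStr` line two above), so if that is the same token Login hands out, a credential now valid for a full day is copied into browser history, proxy and access logs wherever a download URL is shared; the commit does not change that, but it deserves a comment at the point the value is read, e.g. `// NOTE: the token travels in the URL and stays valid for defaultJWTExpiry; keep this in mind when sharing download links.` Download's body continues past the hunk.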