web: fix jwt token expiry set to one day by default. (#2819)
Fixes #2818
parent
95f544657a
commit
63a7ca1af0
@ -59,7 +59,7 @@ type RPCLoginReply struct {
|
|||||||
|
|
||||||
// Validates if incoming token is valid.
|
// Validates if incoming token is valid.
|
||||||
func isRPCTokenValid(tokenStr string) bool {
|
func isRPCTokenValid(tokenStr string) bool {
|
||||||
jwt, err := newJWT(defaultTokenExpiry) // Expiry set to 100yrs.
|
jwt, err := newJWT(defaultInterNodeJWTExpiry)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
errorIf(err, "Unable to initialize JWT")
|
errorIf(err, "Unable to initialize JWT")
|
||||||
return false
|
return false
|
||||||
|
@ -28,7 +28,7 @@ var errServerVersionMismatch = errors.New("Server versions do not match.")
|
|||||||
|
|
||||||
// Login - login handler.
|
// Login - login handler.
|
||||||
func (c *controllerAPIHandlers) LoginHandler(args *RPCLoginArgs, reply *RPCLoginReply) error {
|
func (c *controllerAPIHandlers) LoginHandler(args *RPCLoginArgs, reply *RPCLoginReply) error {
|
||||||
jwt, err := newJWT(defaultTokenExpiry)
|
jwt, err := newJWT(defaultInterNodeJWTExpiry)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -141,7 +141,7 @@ func registerStorageLockers(mux *router.Router, lockServers []*lockServer) {
|
|||||||
|
|
||||||
// LoginHandler - handles LoginHandler RPC call.
|
// LoginHandler - handles LoginHandler RPC call.
|
||||||
func (l *lockServer) LoginHandler(args *RPCLoginArgs, reply *RPCLoginReply) error {
|
func (l *lockServer) LoginHandler(args *RPCLoginArgs, reply *RPCLoginReply) error {
|
||||||
jwt, err := newJWT(defaultTokenExpiry)
|
jwt, err := newJWT(defaultInterNodeJWTExpiry)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -30,11 +30,15 @@ const jwtAlgorithm = "Bearer"
|
|||||||
// JWT - jwt auth backend
|
// JWT - jwt auth backend
|
||||||
type JWT struct {
|
type JWT struct {
|
||||||
credential
|
credential
|
||||||
|
expiry time.Duration
|
||||||
}
|
}
|
||||||
|
|
||||||
// Default each token expires in 100yrs.
|
|
||||||
const (
|
const (
|
||||||
defaultTokenExpiry time.Duration = time.Hour * 876000 // 100yrs.
|
// Default JWT token for web handlers is one day.
|
||||||
|
defaultJWTExpiry time.Duration = time.Hour * 24
|
||||||
|
|
||||||
|
// Inter-node JWT token expiry is 100 years.
|
||||||
|
defaultInterNodeJWTExpiry time.Duration = time.Hour * 24 * 365 * 100
|
||||||
)
|
)
|
||||||
|
|
||||||
// newJWT - returns new JWT object.
|
// newJWT - returns new JWT object.
|
||||||
@ -52,7 +56,7 @@ func newJWT(expiry time.Duration) (*JWT, error) {
|
|||||||
return nil, errors.New("Invalid secret key")
|
return nil, errors.New("Invalid secret key")
|
||||||
}
|
}
|
||||||
|
|
||||||
return &JWT{cred}, nil
|
return &JWT{cred, expiry}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// GenerateToken - generates a new Json Web Token based on the incoming access key.
|
// GenerateToken - generates a new Json Web Token based on the incoming access key.
|
||||||
@ -67,7 +71,7 @@ func (jwt *JWT) GenerateToken(accessKey string) (string, error) {
|
|||||||
tUTCNow := time.Now().UTC()
|
tUTCNow := time.Now().UTC()
|
||||||
token := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims{
|
token := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims{
|
||||||
// Token expires in 10hrs.
|
// Token expires in 10hrs.
|
||||||
"exp": tUTCNow.Add(defaultTokenExpiry).Unix(),
|
"exp": tUTCNow.Add(jwt.expiry).Unix(),
|
||||||
"iat": tUTCNow.Unix(),
|
"iat": tUTCNow.Unix(),
|
||||||
"sub": accessKey,
|
"sub": accessKey,
|
||||||
})
|
})
|
||||||
|
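Review bot: The `// Token expires in 10hrs.` comment above the `exp` claim in GenerateToken is wrong on the new side, since the lifetime now comes from `jwt.expiry` (24 hours for web callers, 100 years for inter-node callers); I would replace it with `// Token expires after the duration passed to newJWT.`. The constant `defaultInterNodeJWTExpiry` makes inter-node tokens effectively non-expiring, so its comment should say what actually invalidates one (presumably only a change of the secret key, though validation is not shown here). The visible tail of newJWT also stores `expiry` without checking it, so a zero or negative duration would yield tokens that are already expired when issued; `if expiry <= 0 { return nil, errors.New("Invalid expiry") }` before the return would catch that, but the start of newJWT lies outside the hunk, so confirm no such check exists already.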
@ -108,7 +108,7 @@ func TestNewJWT(t *testing.T) {
|
|||||||
serverConfig.SetCredential(*testCase.cred)
|
serverConfig.SetCredential(*testCase.cred)
|
||||||
}
|
}
|
||||||
|
|
||||||
_, err := newJWT(defaultWebTokenExpiry)
|
_, err := newJWT(defaultJWTExpiry)
|
||||||
|
|
||||||
if testCase.expectedErr != nil {
|
if testCase.expectedErr != nil {
|
||||||
if err == nil {
|
if err == nil {
|
||||||
@ -132,7 +132,7 @@ func TestGenerateToken(t *testing.T) {
|
|||||||
}
|
}
|
||||||
defer removeAll(testPath)
|
defer removeAll(testPath)
|
||||||
|
|
||||||
jwt, err := newJWT(defaultWebTokenExpiry)
|
jwt, err := newJWT(defaultJWTExpiry)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("unable get new JWT, %s", err)
|
t.Fatalf("unable get new JWT, %s", err)
|
||||||
}
|
}
|
||||||
@ -179,7 +179,7 @@ func TestAuthenticate(t *testing.T) {
|
|||||||
}
|
}
|
||||||
defer removeAll(testPath)
|
defer removeAll(testPath)
|
||||||
|
|
||||||
jwt, err := newJWT(defaultWebTokenExpiry)
|
jwt, err := newJWT(defaultJWTExpiry)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("unable get new JWT, %s", err)
|
t.Fatalf("unable get new JWT, %s", err)
|
||||||
}
|
}
|
||||||
|
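Review bot: None of the three test hunks shows an assertion on the `exp` claim, so the defect this commit fixes (GenerateToken ignoring the expiry given to newJWT) has no visible regression test. In TestGenerateToken, parse the generated token and check that `exp - iat` equals `int64(defaultJWTExpiry.Seconds())`, and repeat with `defaultInterNodeJWTExpiry` so both lifetimes are pinned. The test bodies run past the hunks, so this may already be covered in lines not shown.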
@ -40,7 +40,7 @@ type storageServer struct {
|
|||||||
|
|
||||||
// Login - login handler.
|
// Login - login handler.
|
||||||
func (s *storageServer) LoginHandler(args *RPCLoginArgs, reply *RPCLoginReply) error {
|
func (s *storageServer) LoginHandler(args *RPCLoginArgs, reply *RPCLoginReply) error {
|
||||||
jwt, err := newJWT(defaultTokenExpiry)
|
jwt, err := newJWT(defaultInterNodeJWTExpiry)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -42,7 +42,7 @@ import (
|
|||||||
// isJWTReqAuthenticated validates if any incoming request to be a
|
// isJWTReqAuthenticated validates if any incoming request to be a
|
||||||
// valid JWT authenticated request.
|
// valid JWT authenticated request.
|
||||||
func isJWTReqAuthenticated(req *http.Request) bool {
|
func isJWTReqAuthenticated(req *http.Request) bool {
|
||||||
jwt, err := newJWT(defaultWebTokenExpiry)
|
jwt, err := newJWT(defaultJWTExpiry)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
errorIf(err, "unable to initialize a new JWT")
|
errorIf(err, "unable to initialize a new JWT")
|
||||||
return false
|
return false
|
||||||
@ -290,14 +290,9 @@ type LoginRep struct {
|
|||||||
UIVersion string `json:"uiVersion"`
|
UIVersion string `json:"uiVersion"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// Default JWT for minio browser expires in 24hrs.
|
|
||||||
const (
|
|
||||||
defaultWebTokenExpiry time.Duration = time.Hour * 24 // 24Hrs.
|
|
||||||
)
|
|
||||||
|
|
||||||
// Login - user login handler.
|
// Login - user login handler.
|
||||||
func (web *webAPIHandlers) Login(r *http.Request, args *LoginArgs, reply *LoginRep) error {
|
func (web *webAPIHandlers) Login(r *http.Request, args *LoginArgs, reply *LoginRep) error {
|
||||||
jwt, err := newJWT(defaultWebTokenExpiry)
|
jwt, err := newJWT(defaultJWTExpiry)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return &json2.Error{Message: err.Error()}
|
return &json2.Error{Message: err.Error()}
|
||||||
}
|
}
|
||||||
@ -362,7 +357,7 @@ func (web *webAPIHandlers) SetAuth(r *http.Request, args *SetAuthArgs, reply *Se
|
|||||||
return &json2.Error{Message: err.Error()}
|
return &json2.Error{Message: err.Error()}
|
||||||
}
|
}
|
||||||
|
|
||||||
jwt, err := newJWT(defaultWebTokenExpiry) // JWT Expiry set to 24Hrs.
|
jwt, err := newJWT(defaultJWTExpiry) // JWT Expiry set to 24Hrs.
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return &json2.Error{Message: err.Error()}
|
return &json2.Error{Message: err.Error()}
|
||||||
}
|
}
|
||||||
@ -447,7 +442,7 @@ func (web *webAPIHandlers) Download(w http.ResponseWriter, r *http.Request) {
|
|||||||
object := vars["object"]
|
object := vars["object"]
|
||||||
tokenStr := r.URL.Query().Get("token")
|
tokenStr := r.URL.Query().Get("token")
|
||||||
|
|
||||||
jwt, err := newJWT(defaultWebTokenExpiry) // Expiry set to 24Hrs.
|
jwt, err := newJWT(defaultJWTExpiry) // Expiry set to 24Hrs.
|
||||||
if err != nil {
|
if err != nil {
|
||||||
errorIf(err, "error in getting new JWT")
|
errorIf(err, "error in getting new JWT")
|
||||||
return
|
return
|
||||||
|
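Review bot: In Download, `tokenStr` is read from the `token` query parameter, and a token carried in a URL can end up in access logs, proxy logs, browser history and Referer headers. With the 24-hour lifetime from `defaultJWTExpiry` now actually applied, a token exposed that way stays usable for up to a day if it is the same token Login issues (the issuing side is not visible here). Consider minting a separate token for download URLs with a much shorter expiry, and make sure request logging redacts the `token` parameter. The trailing comments `// JWT Expiry set to 24Hrs.` and `// Expiry set to 24Hrs.` restate the constant's value and will go stale if it changes; I would drop them. Download's body continues outside the hunk.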