jwt,browser: allow short-expiry tokens for GETs (#4684)

This commit fixes a potential security issue, whereby a full-access token to the server would be available in the GET URL of a download request. This fixes that issue by introducing short-expiry tokens, which are only valid for one minute, and are regenerated for every download request. This commit specifically introduces the short-lived tokens, adds tests for the tokens, adds an RPC call for generating a token given a full-access token, updates the browser to use the new tokens for requests where the token is passed as a GET parameter, and adds some tests with the new temporary tokens. Refs: https://github.com/minio/minio/pull/4673
2025-11-07 21:02:58 -05:00 · 2017-07-24 12:46:37 -07:00
parent 4785555d34
commit ec5293ce29
7 changed files with 131 additions and 6 deletions
--- a/browser/app/js/components/Browse.js
+++ b/browser/app/js/components/Browse.js
@@ -150,7 +150,16 @@ export default class Browse extends React.Component {
      if (prefix === currentPath) return
      browserHistory.push(utils.pathJoin(currentBucket, encPrefix))
    } else {
-      window.location = `${window.location.origin}/minio/download/${currentBucket}/${encPrefix}?token=${storage.getItem('token')}`
+      // Download the selected file.
+      web.CreateURLToken()
+        .then(res => {
+          let url = `${window.location.origin}/minio/download/${currentBucket}/${encPrefix}?token=${res.token}`
+          window.location = url
+        })
+        .catch(err => dispatch(actions.showAlert({
+          type: 'danger',
+          message: err.message
+        })))
    }
  }

@@ -406,16 +415,24 @@ export default class Browse extends React.Component {
  }

  downloadSelected() {
-    const {dispatch} = this.props
+    const {dispatch, web} = this.props
    let req = {
      bucketName: this.props.currentBucket,
      objects: this.props.checkedObjects,
      prefix: this.props.currentPath
    }
-    let requestUrl = location.origin + "/minio/zip?token=" + localStorage.token

-    this.xhr = new XMLHttpRequest()
-    dispatch(actions.downloadSelected(requestUrl, req, this.xhr))
+    web.CreateURLToken()
+      .then(res => {
+        let requestUrl = location.origin + "/minio/zip?token=" + res.token
+
+        this.xhr = new XMLHttpRequest()
+        dispatch(actions.downloadSelected(requestUrl, req, this.xhr))
+      })
+      .catch(err => dispatch(actions.showAlert({
+        type: 'danger',
+        message: err.message
+      })))
  }

  clearSelected() {
--- a/browser/app/js/web.js
+++ b/browser/app/js/web.js
@@ -112,6 +112,9 @@ export default class Web {
        return res
      })
  }
+  CreateURLToken() {
+    return this.makeCall('CreateURLToken')
+  }
  GetBucketPolicy(args) {
    return this.makeCall('GetBucketPolicy', args)
  }