[security] rpc: Do not transfer access/secret key. (#4857)

This is an improvement upon existing implementation by avoiding transfer of access and secret keys over the network. This change only exchanges JWT tokens generated by an rpc client. Even if the JWT can be traced over the network on a non-TLS connection, this change makes sure that we never really expose the secret key over the network.
2025-11-30 13:42:53 -05:00 · 2017-09-19 12:37:56 -07:00
parent f680b8482f
commit f8024cadbb
14 changed files with 184 additions and 141 deletions
--- a/cmd/auth-rpc-server.go
+++ b/cmd/auth-rpc-server.go
@@ -20,8 +20,7 @@ package cmd
 const loginMethodName = ".Login"

 // AuthRPCServer RPC server authenticates using JWT.
-type AuthRPCServer struct {
-}
+type AuthRPCServer struct{}

 // Login - Handles JWT based RPC login.
 func (b AuthRPCServer) Login(args *LoginRPCArgs, reply *LoginRPCReply) error {
@@ -30,14 +29,10 @@ func (b AuthRPCServer) Login(args *LoginRPCArgs, reply *LoginRPCReply) error {
 		return err
 	}

-	// Authenticate using JWT.
-	token, err := authenticateNode(args.Username, args.Password)
-	if err != nil {
-		return err
+	// Return an error if token is not valid.
+	if !isAuthTokenValid(args.AuthToken) {
+		return errAuthentication
 	}

-	// Return the token.
-	reply.AuthToken = token
-
 	return nil
 }