From 6140920cb83e29725f03f541b46e37154b5ce766 Mon Sep 17 00:00:00 2001
From: konrad
Date: Sun, 8 Sep 2019 19:11:42 +0000
Subject: [PATCH] Fixed rate limit panic when authenticatin with a link share auth token (#97)
---
 pkg/routes/api/v1/auth.go | 17 +++++++++++++++++
 pkg/routes/rate_limit.go | 8 ++++----
 pkg/routes/routes.go | 15 +--------------
 3 files changed, 22 insertions(+), 18 deletions(-)
diff --git a/pkg/routes/api/v1/auth.go b/pkg/routes/api/v1/auth.go
index d3f48aed7..1910f131b 100644
--- a/pkg/routes/api/v1/auth.go
+++ b/pkg/routes/api/v1/auth.go
@@ -19,7 +19,10 @@ package v1
 import (
 "code.vikunja.io/api/pkg/config"
 "code.vikunja.io/api/pkg/models"
+ "code.vikunja.io/web"
 "github.com/dgrijalva/jwt-go"
+ "github.com/labstack/echo/v4"
+ "net/http"
 "time"
 )
 
@@ -65,3 +68,17 @@ func NewLinkShareJWTAuthtoken(share *models.LinkSharing) (token string, err erro
 // Generate encoded token and send it as response.
 return t.SignedString([]byte(config.ServiceJWTSecret.GetString()))
 }
+
+// GetAuthFromClaims returns a web.Auth object from jwt claims
+func GetAuthFromClaims(c echo.Context) (a web.Auth, err error) {
+ jwtinf := c.Get("user").(*jwt.Token)
+ claims := jwtinf.Claims.(jwt.MapClaims)
+ typ := int(claims["type"].(float64))
+ if typ == AuthTypeLinkShare && config.ServiceEnableLinkSharing.GetBool() {
+ return models.GetLinkShareFromClaims(claims)
+ }
+ if typ == AuthTypeUser {
+ return models.GetUserFromClaims(claims)
+ }
+ return nil, echo.NewHTTPError(http.StatusBadRequest, models.Message{Message: "Invalid JWT token."})
+}
diff --git a/pkg/routes/rate_limit.go b/pkg/routes/rate_limit.go
index e3434d470..a9cb5bc26 100644
--- a/pkg/routes/rate_limit.go
+++ b/pkg/routes/rate_limit.go
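Review bot: The three type assertions at the top of GetAuthFromClaims (`c.Get("user").(*jwt.Token)`, `.Claims.(jwt.MapClaims)`, `claims["type"].(float64)`) are unchecked, so a request on which the JWT middleware did not set `user`, or a validly signed token whose `type` claim is missing or not numeric, still panics instead of being rejected — the same class of failure the commit title says it fixes. Use the comma-ok form and return the existing 400 error when any of them fails; the dispatch on `typ` below can stay as it is. Because this helper is now also called from the rate-limit middleware elsewhere in this commit, whether it only ever runs behind the JWT middleware depends on route wiring not visible in this hunk, which is what makes the guard worth having. The doc comment could also state the one non-obvious outcome: a link-share token is rejected with 400 when `ServiceEnableLinkSharing` is off.
```go
func GetAuthFromClaims(c echo.Context) (a web.Auth, err error) {
	invalid := echo.NewHTTPError(http.StatusBadRequest, models.Message{Message: "Invalid JWT token."})
	jwtinf, ok := c.Get("user").(*jwt.Token)
	if !ok || jwtinf == nil {
		// No token on the context (JWT middleware did not run or rejected it).
		return nil, invalid
	}
	claims, ok := jwtinf.Claims.(jwt.MapClaims)
	if !ok {
		return nil, invalid
	}
	rawTyp, ok := claims["type"].(float64)
	if !ok {
		// Signed token without a numeric "type" claim: reject rather than panic.
		return nil, invalid
	}
	typ := int(rawTyp)
	// … unchanged: dispatch on typ to GetLinkShareFromClaims / GetUserFromClaims, final return nil, invalid …
```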
@@ -20,8 +20,8 @@ package routes
 import (
 "code.vikunja.io/api/pkg/config"
 "code.vikunja.io/api/pkg/log"
- "code.vikunja.io/api/pkg/models"
 "code.vikunja.io/api/pkg/red"
+ apiv1 "code.vikunja.io/api/pkg/routes/api/v1"
 "github.com/labstack/echo/v4"
 "github.com/ulule/limiter/v3"
 "github.com/ulule/limiter/v3/drivers/store/memory"
@@ -40,11 +40,11 @@ func RateLimit(rateLimiter *limiter.Limiter) echo.MiddlewareFunc {
 case "ip":
 rateLimitKey = c.RealIP()
 case "user":
- user, err := models.GetCurrentUser(c)
+ auth, err := apiv1.GetAuthFromClaims(c)
 if err != nil {
- log.Errorf("Error while getting the current user for rate limiting: %s", err)
+ log.Errorf("Error getting auth from jwt claims: %v", err)
 }
- rateLimitKey = "user_" + strconv.FormatInt(user.ID, 10)
+ rateLimitKey = "user_" + strconv.FormatInt(auth.GetID(), 10)
 default:
 log.Errorf("Unknown rate limit kind configured: %s", config.RateLimitKind.GetString())
 }
diff --git a/pkg/routes/routes.go b/pkg/routes/routes.go
index a72168393..a37912dbd 100644
--- a/pkg/routes/routes.go
+++ b/pkg/routes/routes.go
@@ -48,11 +48,9 @@ import (
 "code.vikunja.io/web"
 "code.vikunja.io/web/handler"
 "github.com/asaskevich/govalidator"
- "github.com/dgrijalva/jwt-go"
 "github.com/labstack/echo/v4"
 "github.com/labstack/echo/v4/middleware"
 elog "github.com/labstack/gommon/log"
- "net/http"
 "strings"
 )
 
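Review bot: In the `case "user"` branch, `auth.GetID()` is still evaluated after `GetAuthFromClaims` returns an error, and on that path `auth` is nil (the helper returns `nil, err`), so the middleware panics with a nil-interface method call just as the old `user.ID` dereference did — the error is only logged and execution falls through to the next line. Limiting must not silently switch off on that path either, so key on the client IP instead of leaving `rateLimitKey` empty; if the JWT middleware is guaranteed to run before this one, returning the error and rejecting the request would be the stricter choice. Separately, link shares and users presumably have independent ID sequences, in which case `"user_" + id` lets a link share with ID n share a bucket with user n; including the auth kind in the key (if web.Auth exposes one) would keep them apart — worth confirming against the web.Auth interface. RateLimit's body begins and ends outside this hunk.
```go
	case "user":
		auth, err := apiv1.GetAuthFromClaims(c)
		if err != nil {
			log.Errorf("Error getting auth from jwt claims: %v", err)
			// auth is nil here; keep limiting by client IP instead of dereferencing it.
			rateLimitKey = c.RealIP()
		} else {
			rateLimitKey = "user_" + strconv.FormatInt(auth.GetID(), 10)
		}
```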
@@ -109,18 +107,7 @@ func NewEcho() *echo.Echo {
 // Handler config
 handler.SetAuthProvider(&web.Auths{
- AuthObject: func(c echo.Context) (web.Auth, error) {
- jwtinf := c.Get("user").(*jwt.Token)
- claims := jwtinf.Claims.(jwt.MapClaims)
- typ := int(claims["type"].(float64))
- if typ == apiv1.AuthTypeLinkShare && config.ServiceEnableLinkSharing.GetBool() {
- return models.GetLinkShareFromClaims(claims)
- }
- if typ == apiv1.AuthTypeUser {
- return models.GetUserFromClaims(claims)
- }
- return nil, echo.NewHTTPError(http.StatusBadRequest, models.Message{Message: "Invalid JWT token."})
- },
+ AuthObject: apiv1.GetAuthFromClaims,
 })
 handler.SetLoggingProvider(log.GetLogger())