From e6da8277c44d21e76af56a968a6b6aeec5c3b353 Mon Sep 17 00:00:00 2001
From: tigerbot
Date: Mon, 5 Jun 2017 11:20:15 -0600
Subject: [PATCH] added audience to the tokens we generate

---
 bin/stunnel.js | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/bin/stunnel.js b/bin/stunnel.js
index 66a9012..fc0c5b6 100755
--- a/bin/stunnel.js
+++ b/bin/stunnel.js
@@ -120,8 +120,8 @@ program
   })
   .option('-k --insecure', 'Allow TLS connections to stunneld without valid certs (rejectUnauthorized: false)')
   .option('--locals ', 'comma separated list of : to which matching incoming http and https should forward (reverse proxy). Ex: https:8443,smtps:8465', collectProxies, [ ]) // --reverse-proxies
-  .option('--domains ', 'comma separated list of domain names to set to the tunnel (to caputer a specific protocol to a specific local port use the format https:example.com:1337 instead). Ex: example.com,example.net', collectDomains, [ ])
-  .option('--device [HOSTNAME]', 'Tunnel all domains associated with this device instead of specific domainnames. Use with --locals :*:. Ex: macbook-pro.local (the output of `hostname`)')
+  .option('--domains ', 'comma separated list of domain names to set to the tunnel (to capture a specific protocol to a specific local port use the format https:example.com:1337 instead). Ex: example.com,example.net', collectDomains, [ ])
+  .option('--device [HOSTNAME]', 'Tunnel all domains associated with this device instead of specific domainnames. Use with --locals :. Ex: macbook-pro.local (the output of `hostname`)')
   .option('--stunneld ', 'the domain (or ip address) at which you are running stunneld.js (the proxy)') // --proxy
   .option('--secret ', 'the same secret used by stunneld (used for JWT authentication)')
   .option('--token ', 'a pre-generated token for use with stunneld (instead of generating one with --secret)')
@@ -181,21 +181,23 @@ function rawTunnel() {
     return;
   }
 
-  if (!program.token) {
-    var jwt = require('jsonwebtoken');
-    var tokenData = {
-      domains: Object.keys(domainsMap).filter(Boolean)
-    };
-
-    program.token = jwt.sign(tokenData, program.secret);
-  }
-
   var location = url.parse(program.stunneld);
   if (!location.protocol || /\./.test(location.protocol)) {
     program.stunneld = 'wss://' + program.stunneld;
     location = url.parse(program.stunneld);
   }
-  program.stunneld = location.protocol + '//' + location.hostname + (location.port ? ':' + location.port : '');
+  var aud = location.hostname + (location.port ? ':' + location.port : '');
+  program.stunneld = location.protocol + '//' + aud;
+
+  if (!program.token) {
+    var jwt = require('jsonwebtoken');
+    var tokenData = {
+      domains: Object.keys(domainsMap).filter(Boolean)
+    , aud: aud
+    };
+
+    program.token = jwt.sign(tokenData, program.secret);
+  }
 
   connectTunnel();
 }
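Review bot: The `aud` claim now pins the token to one stunneld host, but the moved `jwt.sign(tokenData, program.secret)` call still issues a token with no expiry, so a token that leaks from a log or shell history stays valid for that host indefinitely; passing a lifetime, e.g. `program.token = jwt.sign(tokenData, program.secret, { expiresIn: '1h' });`, would bound that window. The `aud` value only carries a port when `url.parse` reports one, so a URL on the default wss port yields a bare hostname while an explicit port yields `host:port` — the server side has to build its expected audience the same way, which is worth a comment above `var aud`, such as `// aud must match how stunneld derives its audience: hostname, plus ':port' only when one is explicit`. If `location.hostname` is null for a malformed `--stunneld` value the claim becomes the string "null", so a guard before signing would give a clearer failure than a rejected token. rawTunnel begins before this hunk.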