root
/
telebit
mirror of https://github.com/therootcompany/telebit.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

add token auth

This commit is contained in:
AJ ONeal 2020-05-26 03:05:39 -06:00
parent 10a9ed8e3a
commit 1f22f5f34f
3 changed files with 135 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -5,6 +5,7 @@ acme.d
xversion.go xversion.go
/mplexer/cmd/mgmt/mgmt /mplexer/cmd/mgmt/mgmt
/mplexer/cmd/signjwt/signjwt
/mplexer/cmd/telebit/telebit /mplexer/cmd/telebit/telebit
/telebit /telebit
/cmd/telebit/telebit /cmd/telebit/telebit

139
mplexer/cmd/mgmt/mgmt.go
View File

@ -3,13 +3,16 @@
package main package main
import ( import (
"context"
"encoding/json" "encoding/json"
"flag" "flag"
"fmt" "fmt"
"net/http" "net/http"
"os" "os"
"strings"
"time" "time"
jwt "github.com/dgrijalva/jwt-go"
"github.com/go-acme/lego/v3/challenge" "github.com/go-acme/lego/v3/challenge"
"github.com/go-acme/lego/v3/providers/dns/duckdns" "github.com/go-acme/lego/v3/providers/dns/duckdns"
"github.com/go-acme/lego/v3/providers/dns/godaddy" "github.com/go-acme/lego/v3/providers/dns/godaddy"
@ -27,6 +30,8 @@ var (
GitTimestamp = "0000-00-00T00:00:00+0000" GitTimestamp = "0000-00-00T00:00:00+0000"
) )
type MWKey string
func main() { func main() {
var err error var err error
var provider challenge.Provider = nil // TODO is this concurrency-safe? var provider challenge.Provider = nil // TODO is this concurrency-safe?
@ -35,12 +40,13 @@ func main() {
addr := flag.String("address", "", "IPv4 or IPv6 bind address") addr := flag.String("address", "", "IPv4 or IPv6 bind address")
port := flag.String("port", "3000", "port to listen to") port := flag.String("port", "3000", "port to listen to")
secret := flag.String("secret", "", "a >= 16-character random string for JWT key signing") // SECRET
flag.Parse() flag.Parse()
if "" != os.Getenv("GODADDY_API_KEY") { if "" != os.Getenv("GODADDY_API_KEY") {
id := os.Getenv("GODADDY_API_KEY") id := os.Getenv("GODADDY_API_KEY")
secret := os.Getenv("GODADDY_API_SECRET") apiSecret := os.Getenv("GODADDY_API_SECRET")
if provider, err = newGoDaddyDNSProvider(id, secret); nil != err { if provider, err = newGoDaddyDNSProvider(id, apiSecret); nil != err {
panic(err) panic(err)
} }
} else if "" != os.Getenv("DUCKDNS_TOKEN") { } else if "" != os.Getenv("DUCKDNS_TOKEN") {
@ -51,67 +57,102 @@ func main() {
panic("Must provide either DUCKDNS or GODADDY credentials") panic("Must provide either DUCKDNS or GODADDY credentials")
} }
if "" == *secret {
*secret = os.Getenv("SECRET")
}
if "" == *secret {
fmt.Fprintf(os.Stderr, "Usage: signjwt <secret>")
os.Exit(1)
return
}
r := chi.NewRouter() r := chi.NewRouter()
r.Use(middleware.Logger) r.Use(middleware.Logger)
r.Use(middleware.Timeout(15 * time.Second)) r.Use(middleware.Timeout(15 * time.Second))
r.Use(middleware.Recoverer) r.Use(middleware.Recoverer)
// TODO add authorization header and validation r.Route("/api/dns", func(r chi.Router) {
//r.Post("/api/dns/{domain:[a-z0-9\\.-]+}", func(w http.ResponseWriter, r *http.Request) { r.Use(func(next http.Handler) http.Handler {
//r.Post("/api/dns/*", func(w http.ResponseWriter, r *http.Request) { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
r.Post("/api/dns/{domain}", func(w http.ResponseWriter, r *http.Request) { var tokenString string
w.Header().Set("Content-Type", "application/json") if auth := strings.Split(r.Header.Get("Authorization"), " "); len(auth) > 1 {
// TODO handle Basic auth tokens as well
tokenString = auth[1]
}
if "" == tokenString {
tokenString = r.URL.Query().Get("access_token")
}
ch := Challenge{} // TODO check expiration and such
tok, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
return []byte(*secret), nil
})
if nil != err {
fmt.Println("validation error:", tokenString, err)
http.Error(w, "{\"error\":\"could not verify token\"}", http.StatusBadRequest)
return
}
// TODO prevent slow loris ctx := context.WithValue(r.Context(), MWKey("token"), tok)
decoder := json.NewDecoder(r.Body)
err := decoder.Decode(&ch)
if nil != err || "" == ch.Token || "" == ch.KeyAuth {
msg := `{"error":"expected json in the format {\"token\":\"xxx\",\"key_authorization\":\"yyy\"}"}`
http.Error(w, msg, http.StatusUnprocessableEntity)
return
}
domain := chi.URLParam(r, "domain") next.ServeHTTP(w, r.WithContext(ctx))
//domain := chi.URLParam(r, "*") })
ch.Domain = domain })
// TODO some additional error checking before the handoff r.Post("/{domain}", func(w http.ResponseWriter, r *http.Request) {
//ch.error = make(chan error, 1) w.Header().Set("Content-Type", "application/json")
ch.error = make(chan error)
presenters <- &ch
err = <-ch.error
if nil != err || "" == ch.Token || "" == ch.KeyAuth {
msg := `{"error":"expected json in the format {\"token\":\"xxx\",\"key_authorization\":\"yyy\"}"}`
http.Error(w, msg, http.StatusUnprocessableEntity)
return
}
w.Write([]byte("{\"success\":true}\n")) ch := Challenge{}
})
// TODO ugly Delete, but wahtever // TODO prevent slow loris
r.Delete("/api/dns/{domain}/{token}/{keyAuth}", func(w http.ResponseWriter, r *http.Request) { decoder := json.NewDecoder(r.Body)
w.Header().Set("Content-Type", "application/json") err := decoder.Decode(&ch)
if nil != err || "" == ch.Token || "" == ch.KeyAuth {
msg := `{"error":"expected json in the format {\"token\":\"xxx\",\"key_authorization\":\"yyy\"}"}`
http.Error(w, msg, http.StatusUnprocessableEntity)
return
}
ch := Challenge{ domain := chi.URLParam(r, "domain")
Domain: chi.URLParam(r, "domain"), //domain := chi.URLParam(r, "*")
Token: chi.URLParam(r, "token"), ch.Domain = domain
KeyAuth: chi.URLParam(r, "keyAuth"),
error: make(chan error),
//error: make(chan error, 1),
}
cleanups <- &ch // TODO some additional error checking before the handoff
err = <-ch.error //ch.error = make(chan error, 1)
if nil != err || "" == ch.Token || "" == ch.KeyAuth { ch.error = make(chan error)
msg := `{"error":"expected json in the format {\"token\":\"xxx\",\"key_authorization\":\"yyy\"}"}` presenters <- &ch
http.Error(w, msg, http.StatusUnprocessableEntity) err = <-ch.error
return if nil != err || "" == ch.Token || "" == ch.KeyAuth {
} msg := `{"error":"expected json in the format {\"token\":\"xxx\",\"key_authorization\":\"yyy\"}"}`
http.Error(w, msg, http.StatusUnprocessableEntity)
return
}
w.Write([]byte("{\"success\":true}\n")) w.Write([]byte("{\"success\":true}\n"))
})
// TODO ugly Delete, but whatever
r.Delete("/{domain}/{token}/{keyAuth}", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
ch := Challenge{
Domain: chi.URLParam(r, "domain"),
Token: chi.URLParam(r, "token"),
KeyAuth: chi.URLParam(r, "keyAuth"),
error: make(chan error),
//error: make(chan error, 1),
}
cleanups <- &ch
err = <-ch.error
if nil != err || "" == ch.Token || "" == ch.KeyAuth {
msg := `{"error":"expected json in the format {\"token\":\"xxx\",\"key_authorization\":\"yyy\"}"}`
http.Error(w, msg, http.StatusUnprocessableEntity)
return
}
w.Write([]byte("{\"success\":true}\n"))
})
}) })
r.Get("/", func(w http.ResponseWriter, r *http.Request) { r.Get("/", func(w http.ResponseWriter, r *http.Request) {

44
mplexer/cmd/signjwt/signjwt.go Normal file
View File

@ -0,0 +1,44 @@
package main
import (
"fmt"
"os"
jwt "github.com/dgrijalva/jwt-go"
_ "github.com/joho/godotenv/autoload"
)
func main() {
var secret string
if len(os.Args) == 2 {
secret = os.Args[1]
}
if "" == secret {
secret = os.Getenv("SECRET")
}
if "" == secret {
fmt.Fprintf(os.Stderr, "Usage: signjwt <secret>")
os.Exit(1)
return
}
tok, err := getToken(secret, []string{})
if nil != err {
fmt.Fprintf(os.Stderr, "signing error: %s", err)
os.Exit(1)
return
}
fmt.Println(tok)
}
func getToken(secret string, domains []string) (token string, err error) {
tokenData := jwt.MapClaims{"domains": domains}
jwtToken := jwt.NewWithClaims(jwt.SigningMethodHS256, tokenData)
if token, err = jwtToken.SignedString([]byte(secret)); err != nil {
return "", err
}
return token, nil
}