add tunnel domain to 'aud' of token

2020-07-21 21:56:46 -06:00 · 2020-07-21 21:56:46 -06:00 · ecbaf4dfd0
parent 44dce55364
commit ecbaf4dfd0
2 changed files with 15 additions and 11 deletions
--- a/cmd/mgmt/mgmt.go
+++ b/cmd/mgmt/mgmt.go
@ -31,11 +31,12 @@ type MWKey string

 var store authstore.Store
 var provider challenge.Provider = nil // TODO is this concurrency-safe?
-var secret *string
+var secret string
 var primaryDomain string
+var relayDomain string

 func help() {
-	fmt.Fprintf(os.Stderr, "Usage: mgmt --domain <example.com> --secret <128-bit secret>\n")
+	fmt.Fprintf(os.Stderr, "Usage: mgmt --domain <mgmt.example.com> --tunnel-domain <devices.example.com> --secret <128-bit secret>\n")
 }

 func main() {
@ -48,12 +49,12 @@ func main() {
 		"postgres://postgres:postgres@localhost/postgres",
 		"database (postgres) connection url",
 	)
-	secret = flag.String("secret", "", "a >= 16-character random string for JWT key signing")
-	domain := flag.String("domain", "", "the base domain to use for all clients")
+	flag.StringVar(&secret, "secret", "", "a >= 16-character random string for JWT key signing")
+	flag.StringVar(&primaryDomain, "domain", "", "the base domain to use for all clients")
+	flag.StringVar(&relayDomain, "tunnel-domain", "", "the domain name of the tunnel relay service")
 	flag.Parse()

-	primaryDomain = *domain
-	if "" == primaryDomain {
+	if "" == primaryDomain || "" == relayDomain {
 		help()
 		os.Exit(1)
 	}
@ -72,10 +73,10 @@ func main() {
 		panic("Must provide either DUCKDNS or GODADDY credentials")
 	}

-	if "" == *secret {
-		*secret = os.Getenv("SECRET")
+	if "" == secret {
+		secret = os.Getenv("SECRET")
 	}
-	if "" == *secret {
+	if "" == secret {
 		help()
 		os.Exit(1)
 		return
@ -95,7 +96,7 @@ func main() {
 		log.Fatal("connection error", err)
 		return
 	}
-	_ = store.SetMaster(*secret)
+	_ = store.SetMaster(secret)
 	defer store.Close()

 	bind := *addr + ":" + *port
--- a/cmd/mgmt/route.go
+++ b/cmd/mgmt/route.go
@ -96,7 +96,9 @@ func routeAll() chi.Router {
 						if "" != claims.Subject && auth.Slug != claims.Subject {
 							return nil, fmt.Errorf("invalid jwt payload 'sub' (mismatch)")
 						}
+						claims.Subject = claims.Slug
 						claims.Issuer = primaryDomain
+						claims.Audience = fmt.Sprintf("wss://%s/ws", relayDomain)

 						/*
 							// a little misdirection there
@ -146,8 +148,9 @@ func routeAll() chi.Router {
 			}

 			w.Write([]byte(fmt.Sprintf(
-				`{ "sub": "%s", "domains": [ "%s.%s" ], "ports": [] }`+"\n",
+				`{ "sub": "%s", "aud": "%s", "domains": [ "%s.%s" ], "ports": [] }`+"\n",
 				claims.Subject,
+				claims.Audience,
 				claims.Slug,
 				primaryDomain,
 			)))