add tunnel domain to 'aud' of token
parent
44dce55364
commit
ecbaf4dfd0
|
@ -31,11 +31,12 @@ type MWKey string
|
||||||
|
|
||||||
var store authstore.Store
|
var store authstore.Store
|
||||||
var provider challenge.Provider = nil // TODO is this concurrency-safe?
|
var provider challenge.Provider = nil // TODO is this concurrency-safe?
|
||||||
var secret *string
|
var secret string
|
||||||
var primaryDomain string
|
var primaryDomain string
|
||||||
|
var relayDomain string
|
||||||
|
|
||||||
func help() {
|
func help() {
|
||||||
fmt.Fprintf(os.Stderr, "Usage: mgmt --domain <example.com> --secret <128-bit secret>\n")
|
fmt.Fprintf(os.Stderr, "Usage: mgmt --domain <mgmt.example.com> --tunnel-domain <devices.example.com> --secret <128-bit secret>\n")
|
||||||
}
|
}
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
|
@ -48,12 +49,12 @@ func main() {
|
||||||
"postgres://postgres:postgres@localhost/postgres",
|
"postgres://postgres:postgres@localhost/postgres",
|
||||||
"database (postgres) connection url",
|
"database (postgres) connection url",
|
||||||
)
|
)
|
||||||
secret = flag.String("secret", "", "a >= 16-character random string for JWT key signing")
|
flag.StringVar(&secret, "secret", "", "a >= 16-character random string for JWT key signing")
|
||||||
domain := flag.String("domain", "", "the base domain to use for all clients")
|
flag.StringVar(&primaryDomain, "domain", "", "the base domain to use for all clients")
|
||||||
|
flag.StringVar(&relayDomain, "tunnel-domain", "", "the domain name of the tunnel relay service")
|
||||||
flag.Parse()
|
flag.Parse()
|
||||||
|
|
||||||
primaryDomain = *domain
|
if "" == primaryDomain || "" == relayDomain {
|
||||||
if "" == primaryDomain {
|
|
||||||
help()
|
help()
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
}
|
}
|
||||||
|
@ -72,10 +73,10 @@ func main() {
|
||||||
panic("Must provide either DUCKDNS or GODADDY credentials")
|
panic("Must provide either DUCKDNS or GODADDY credentials")
|
||||||
}
|
}
|
||||||
|
|
||||||
if "" == *secret {
|
if "" == secret {
|
||||||
*secret = os.Getenv("SECRET")
|
secret = os.Getenv("SECRET")
|
||||||
}
|
}
|
||||||
if "" == *secret {
|
if "" == secret {
|
||||||
help()
|
help()
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
return
|
return
|
||||||
|
@ -95,7 +96,7 @@ func main() {
|
||||||
log.Fatal("connection error", err)
|
log.Fatal("connection error", err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
_ = store.SetMaster(*secret)
|
_ = store.SetMaster(secret)
|
||||||
defer store.Close()
|
defer store.Close()
|
||||||
|
|
||||||
bind := *addr + ":" + *port
|
bind := *addr + ":" + *port
|
||||||
|
|
|
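Review bot: The new `--tunnel-domain` value is only checked for emptiness at the `if "" == primaryDomain || "" == relayDomain` guard, yet elsewhere in this commit it is interpolated straight into a `wss://%s/ws` audience URL, so a value carrying a scheme, path, port or userinfo silently produces a malformed `aud`. Rejecting anything that is not a bare host name right after `flag.Parse()` is cheap: `if strings.ContainsAny(relayDomain, "/:@?#") { help(); os.Exit(1) }` (add the `strings` import if the file does not already have it). The updated usage line still advertises a "128-bit secret" while the flag help asks for a >= 16-character random string, which is 128 bits of length rather than of entropy; aligning the two texts, e.g. `--secret <random string, 16+ chars>`, avoids over-promising. Both hunks sit inside `main`, which continues outside the shown lines.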
@ -96,7 +96,9 @@ func routeAll() chi.Router {
|
||||||
if "" != claims.Subject && auth.Slug != claims.Subject {
|
if "" != claims.Subject && auth.Slug != claims.Subject {
|
||||||
return nil, fmt.Errorf("invalid jwt payload 'sub' (mismatch)")
|
return nil, fmt.Errorf("invalid jwt payload 'sub' (mismatch)")
|
||||||
}
|
}
|
||||||
|
claims.Subject = claims.Slug
|
||||||
claims.Issuer = primaryDomain
|
claims.Issuer = primaryDomain
|
||||||
|
claims.Audience = fmt.Sprintf("wss://%s/ws", relayDomain)
|
||||||
|
|
||||||
/*
|
/*
|
||||||
// a little misdirection there
|
// a little misdirection there
|
||||||
|
@ -146,8 +148,9 @@ func routeAll() chi.Router {
|
||||||
}
|
}
|
||||||
|
|
||||||
w.Write([]byte(fmt.Sprintf(
|
w.Write([]byte(fmt.Sprintf(
|
||||||
`{ "sub": "%s", "domains": [ "%s.%s" ], "ports": [] }`+"\n",
|
`{ "sub": "%s", "aud": "%s", "domains": [ "%s.%s" ], "ports": [] }`+"\n",
|
||||||
claims.Subject,
|
claims.Subject,
|
||||||
|
claims.Audience,
|
||||||
claims.Slug,
|
claims.Slug,
|
||||||
primaryDomain,
|
primaryDomain,
|
||||||
)))
|
)))
|
||||||
|
|
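Review bot: The added `claims.Audience` is spliced into the response with `%s` inside a hand-built JSON literal, next to `claims.Subject` and `claims.Slug`, so any `"` or backslash in those values yields invalid JSON, and since `claims.Subject` is now copied from `claims.Slug` in the earlier hunk one bad slug corrupts two fields at once. Encoding a small struct with `encoding/json` (importing it if this file does not already) removes the quoting problem and keeps the trailing newline the current format appends. Whether the relay that receives this `aud` actually verifies it against `wss://<relay>/ws` cannot be seen here; if it does not, the claim documents intent but does not yet bind the token to the relay. `routeAll` continues outside the hunk.
```go
// … unchanged: claims lookup and error handling above …
resp := struct {
	Sub     string   `json:"sub"`
	Aud     string   `json:"aud"`
	Domains []string `json:"domains"`
	Ports   []int    `json:"ports"`
}{
	Sub:     claims.Subject,
	Aud:     claims.Audience,
	Domains: []string{claims.Slug + "." + primaryDomain},
	Ports:   []int{}, // element type is not visible here; use the real port type
}
// Encode appends the same trailing "\n" the Sprintf version emitted.
if err := json.NewEncoder(w).Encode(resp); err != nil {
	// headers are already sent; nothing further can be written
	return
}
```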