web: fix jwt token expiry set to one day by default. (#2819)

Fixes #2818
master
Bala FA 8 years ago committed by Harshavardhana
parent 95f544657a
commit 63a7ca1af0
  1. 2
      cmd/auth-rpc-client.go
  2. 2
      cmd/controller-handlers.go
  3. 2
      cmd/lock-rpc-server.go
  4. 12
      cmd/signature-jwt.go
  5. 6
      cmd/signature-jwt_test.go
  6. 2
      cmd/storage-rpc-server.go
  7. 13
      cmd/web-handlers.go

@ -59,7 +59,7 @@ type RPCLoginReply struct {
// Validates if incoming token is valid. // Validates if incoming token is valid.
func isRPCTokenValid(tokenStr string) bool { func isRPCTokenValid(tokenStr string) bool {
jwt, err := newJWT(defaultTokenExpiry) // Expiry set to 100yrs. jwt, err := newJWT(defaultInterNodeJWTExpiry)
if err != nil { if err != nil {
errorIf(err, "Unable to initialize JWT") errorIf(err, "Unable to initialize JWT")
return false return false

@ -28,7 +28,7 @@ var errServerVersionMismatch = errors.New("Server versions do not match.")
// Login - login handler. // Login - login handler.
func (c *controllerAPIHandlers) LoginHandler(args *RPCLoginArgs, reply *RPCLoginReply) error { func (c *controllerAPIHandlers) LoginHandler(args *RPCLoginArgs, reply *RPCLoginReply) error {
jwt, err := newJWT(defaultTokenExpiry) jwt, err := newJWT(defaultInterNodeJWTExpiry)
if err != nil { if err != nil {
return err return err
} }

@ -141,7 +141,7 @@ func registerStorageLockers(mux *router.Router, lockServers []*lockServer) {
// LoginHandler - handles LoginHandler RPC call. // LoginHandler - handles LoginHandler RPC call.
func (l *lockServer) LoginHandler(args *RPCLoginArgs, reply *RPCLoginReply) error { func (l *lockServer) LoginHandler(args *RPCLoginArgs, reply *RPCLoginReply) error {
jwt, err := newJWT(defaultTokenExpiry) jwt, err := newJWT(defaultInterNodeJWTExpiry)
if err != nil { if err != nil {
return err return err
} }

@ -30,11 +30,15 @@ const jwtAlgorithm = "Bearer"
// JWT - jwt auth backend // JWT - jwt auth backend
type JWT struct { type JWT struct {
credential credential
expiry time.Duration
} }
// Default each token expires in 100yrs.
const ( const (
defaultTokenExpiry time.Duration = time.Hour * 876000 // 100yrs. // Default JWT token for web handlers is one day.
defaultJWTExpiry time.Duration = time.Hour * 24
// Inter-node JWT token expiry is 100 years.
defaultInterNodeJWTExpiry time.Duration = time.Hour * 24 * 365 * 100
) )
// newJWT - returns new JWT object. // newJWT - returns new JWT object.
@ -52,7 +56,7 @@ func newJWT(expiry time.Duration) (*JWT, error) {
return nil, errors.New("Invalid secret key") return nil, errors.New("Invalid secret key")
} }
return &JWT{cred}, nil return &JWT{cred, expiry}, nil
} }
// GenerateToken - generates a new Json Web Token based on the incoming access key. // GenerateToken - generates a new Json Web Token based on the incoming access key.
@ -67,7 +71,7 @@ func (jwt *JWT) GenerateToken(accessKey string) (string, error) {
tUTCNow := time.Now().UTC() tUTCNow := time.Now().UTC()
token := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims{ token := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims{
// Token expires in 10hrs. // Token expires in 10hrs.
"exp": tUTCNow.Add(defaultTokenExpiry).Unix(), "exp": tUTCNow.Add(jwt.expiry).Unix(),
"iat": tUTCNow.Unix(), "iat": tUTCNow.Unix(),
"sub": accessKey, "sub": accessKey,
}) })

@ -108,7 +108,7 @@ func TestNewJWT(t *testing.T) {
serverConfig.SetCredential(*testCase.cred) serverConfig.SetCredential(*testCase.cred)
} }
_, err := newJWT(defaultWebTokenExpiry) _, err := newJWT(defaultJWTExpiry)
if testCase.expectedErr != nil { if testCase.expectedErr != nil {
if err == nil { if err == nil {
@ -132,7 +132,7 @@ func TestGenerateToken(t *testing.T) {
} }
defer removeAll(testPath) defer removeAll(testPath)
jwt, err := newJWT(defaultWebTokenExpiry) jwt, err := newJWT(defaultJWTExpiry)
if err != nil { if err != nil {
t.Fatalf("unable get new JWT, %s", err) t.Fatalf("unable get new JWT, %s", err)
} }
@ -179,7 +179,7 @@ func TestAuthenticate(t *testing.T) {
} }
defer removeAll(testPath) defer removeAll(testPath)
jwt, err := newJWT(defaultWebTokenExpiry) jwt, err := newJWT(defaultJWTExpiry)
if err != nil { if err != nil {
t.Fatalf("unable get new JWT, %s", err) t.Fatalf("unable get new JWT, %s", err)
} }

@ -40,7 +40,7 @@ type storageServer struct {
// Login - login handler. // Login - login handler.
func (s *storageServer) LoginHandler(args *RPCLoginArgs, reply *RPCLoginReply) error { func (s *storageServer) LoginHandler(args *RPCLoginArgs, reply *RPCLoginReply) error {
jwt, err := newJWT(defaultTokenExpiry) jwt, err := newJWT(defaultInterNodeJWTExpiry)
if err != nil { if err != nil {
return err return err
} }

@ -42,7 +42,7 @@ import (
// isJWTReqAuthenticated validates if any incoming request to be a // isJWTReqAuthenticated validates if any incoming request to be a
// valid JWT authenticated request. // valid JWT authenticated request.
func isJWTReqAuthenticated(req *http.Request) bool { func isJWTReqAuthenticated(req *http.Request) bool {
jwt, err := newJWT(defaultWebTokenExpiry) jwt, err := newJWT(defaultJWTExpiry)
if err != nil { if err != nil {
errorIf(err, "unable to initialize a new JWT") errorIf(err, "unable to initialize a new JWT")
return false return false
@ -290,14 +290,9 @@ type LoginRep struct {
UIVersion string `json:"uiVersion"` UIVersion string `json:"uiVersion"`
} }
// Default JWT for minio browser expires in 24hrs.
const (
defaultWebTokenExpiry time.Duration = time.Hour * 24 // 24Hrs.
)
// Login - user login handler. // Login - user login handler.
func (web *webAPIHandlers) Login(r *http.Request, args *LoginArgs, reply *LoginRep) error { func (web *webAPIHandlers) Login(r *http.Request, args *LoginArgs, reply *LoginRep) error {
jwt, err := newJWT(defaultWebTokenExpiry) jwt, err := newJWT(defaultJWTExpiry)
if err != nil { if err != nil {
return &json2.Error{Message: err.Error()} return &json2.Error{Message: err.Error()}
} }
@ -362,7 +357,7 @@ func (web *webAPIHandlers) SetAuth(r *http.Request, args *SetAuthArgs, reply *Se
return &json2.Error{Message: err.Error()} return &json2.Error{Message: err.Error()}
} }
jwt, err := newJWT(defaultWebTokenExpiry) // JWT Expiry set to 24Hrs. jwt, err := newJWT(defaultJWTExpiry) // JWT Expiry set to 24Hrs.
if err != nil { if err != nil {
return &json2.Error{Message: err.Error()} return &json2.Error{Message: err.Error()}
} }
@ -447,7 +442,7 @@ func (web *webAPIHandlers) Download(w http.ResponseWriter, r *http.Request) {
object := vars["object"] object := vars["object"]
tokenStr := r.URL.Query().Get("token") tokenStr := r.URL.Query().Get("token")
jwt, err := newJWT(defaultWebTokenExpiry) // Expiry set to 24Hrs. jwt, err := newJWT(defaultJWTExpiry) // Expiry set to 24Hrs.
if err != nil { if err != nil {
errorIf(err, "error in getting new JWT") errorIf(err, "error in getting new JWT")
return return

Loading…
Cancel
Save