Remove requirement for issued at JWT claims (#5364)

Remove the requirement for IssuedAt claims from JWT for now, since we do not currently have a way to provide a leeway window for validating the claims. Expiry does the same checks as IssuedAt with an expiry window. We do not need it right now since we have clock skew check in our RPC layer to handle this correctly. rpc-common.go ``` func isRequestTimeAllowed(requestTime time.Time) bool { // Check whether request time is within acceptable skew time. utcNow := UTCNow() return !(requestTime.Sub(utcNow) > rpcSkewTimeAllowed || utcNow.Sub(requestTime) > rpcSkewTimeAllowed) } ``` Once the PR upstream is merged https://github.com/dgrijalva/jwt-go/pull/139 We can bring in support for leeway later. Fixes #5237
7 years ago · b526cd7e55
parent 3f8379d07d
commit b526cd7e55
1 changed files with 4 additions and 7 deletions
--- a/cmd/jwt.go
+++ b/cmd/jwt.go
@ -63,14 +63,11 @@ func authenticateJWT(accessKey, secretKey string, expiry time.Duration) (string,
 		return "", errAuthentication
 	}

-	utcNow := UTCNow()
-	token := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.StandardClaims{
-		ExpiresAt: utcNow.Add(expiry).Unix(),
-		IssuedAt:  utcNow.Unix(),
+	jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.StandardClaims{
+		ExpiresAt: UTCNow().Add(expiry).Unix(),
 		Subject:   accessKey,
 	})
-
-	return token.SignedString([]byte(serverCred.SecretKey))
+	return jwt.SignedString([]byte(serverCred.SecretKey))
 }

 func authenticateNode(accessKey, secretKey string) (string, error) {
@ -127,7 +124,7 @@ func webRequestAuthenticate(req *http.Request) error {
 		return errAuthentication
 	}
 	if err = claims.Valid(); err != nil {
-		return err
+		return errAuthentication
 	}
 	if claims.Subject != globalServerConfig.GetCredential().AccessKey {
 		return errInvalidAccessKeyID