From 6b602a60271b40481a742565e42dbc9b47971714 Mon Sep 17 00:00:00 2001 From: mahdizadsar Date: Fri, 20 Sep 2024 18:52:29 +0330 Subject: [PATCH 1/2] Update README.md ACL in MySQL local mode configuration had some problems, added some explanation for using ACL using MySQL database in local mode. --- README.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 4f1dbe6..f023206 100644 --- a/README.md +++ b/README.md @@ -1000,11 +1000,14 @@ auth_opt_jwt_userquery select count(*) from test_user where username = $1 limit Thus, the following specific JWT local options are supported: -| Option | default | Mandatory | Meaning | -| ----------------------- | --------- | :-------: | -------------------------------------------------------- | -| auth_opt_jwt_db | postgres | N | The DB backend to be used, either `postgres` or `mysql` | -| auth_opt_jwt_userquery | | Y | SQL query for users | - +| Option | default | Mandatory | Meaning | +| ----------------------------- | --------- | :-------: | -------------------------------------------------------- | +| auth_opt_jwt_db | postgres | N | The DB backend to be used, either `postgres` or `mysql` | +| auth_opt_jwt_userquery | | Y | SQL query for users | +| auth_opt_jwt_mysql_dbname | | Y/N | must set if auth_opt_jwt_db set is `mysql` | +| auth_opt_jwt_mysql_user | | Y/N | must set if auth_opt_jwt_db set is `mysql` | +| auth_opt_jwt_mysql_password | | Y/N | must set if auth_opt_jwt_db set is `mysql` | +| auth_opt_jwt_mysql_aclquery | | Y/N | ACL query must set if auth_opt_jwt_db set is `mysql` | Notice that general `jwt_secret` is mandatory when using this mode. `jwt_userfield` is still optional and serves as a mean to extract the username from either the claim's `Subject` (`sub` field), 
@@ -1022,7 +1025,7 @@ auth_opt_jwt_userquery select count(*) from "user" where username = $1 and is_ac For mysql: ```
-auth_opt_jwt_userquery select count(*) from "user" where username = ? and is_active = true limit 1
+auth_opt_jwt_mysql_aclquery select count(*) from "user" where username = ? and is_active = true limit 1
 ``` *Important note:*
From 245a01a2cdb9bf5d757c846fb9f82e4131058f73 Mon Sep 17 00:00:00 2001
From: mahdizadsar
Date: Fri, 20 Sep 2024 19:01:54 +0330
Subject: [PATCH 2/2] Update jwt.go
issue: When `auth_opt_jwt_skip_user_expiration` is enabled in config file and the wrong JWT token is sent by client to server (with a few or completely wrong segments), the code crashes. Workaround: modify the code structure by moving the checking of token expiration conditions
---
 backends/jwt.go | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/backends/jwt.go b/backends/jwt.go
index e3a0e31..5e0fc96 100644
--- a/backends/jwt.go
+++ b/backends/jwt.go
@@ -132,15 +132,19 @@ func getJWTClaims(secret string, tokenStr string, skipExpiration bool) (*jwtGo.M
 })
 expirationError := false
- if err != nil {
- if !skipExpiration {
- log.Debugf("jwt parse error: %s", err)
- return nil, err
- }
-
+ if err != nil {
 if v, ok := err.(*jwtGo.ValidationError); ok && v.Errors == jwtGo.ValidationErrorExpired {
- expirationError = true
- }
+ log.Debugf("token expired: %s", err)
+ if skipExpiration {
+ expirationError = true
+ }else{
+ log.Debugf("jwt parse error: %s", err)
+ return nil, err
+ }
+ }else{
+ log.Debugf("jwt parse error: %s", err)
+ return nil, err
+ }
 }
 if !jwtToken.Valid && !expirationError {
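Review bot: The `v.Errors == jwtGo.ValidationErrorExpired` test that now gates the skip-expiration path is the only thing keeping a token with a bad signature from being accepted once `auth_opt_jwt_skip_user_expiration` is on, and it carries no comment saying that the exact match is deliberate; presumably the parser ORs flags such as signature-invalid or nbf/iat into `Errors` (the library is not visible here), so a future "fix" to a bitmask test would silently widen acceptance. I would add `// exact match on purpose: an expired token with any other flag set (bad signature, nbf/iat) must still be rejected` above that line. The two `}else{` branches are also not gofmt-clean and duplicate the `log.Debugf("jwt parse error: %s", err)` / `return nil, err` pair, which hides that there is a single decision here; folding the type assertion and both conditions into one guard clause keeps the happy path left-aligned and removes the copy. Note that getJWTClaims starts before and continues after this hunk, so the `jwtToken.Valid` check at the bottom is where a malformed token previously reached a nil `jwtToken`.
```go
	if err != nil {
		// Tolerate an expired token only when the operator opted in, and only when
		// expiry is the sole failure: the parser is expected to OR other flags
		// (bad signature, nbf/iat) into Errors, and any of those must still reject.
		v, ok := err.(*jwtGo.ValidationError)
		if !ok || !skipExpiration || v.Errors != jwtGo.ValidationErrorExpired {
			log.Debugf("jwt parse error: %s", err)
			return nil, err
		}
		log.Debugf("token expired: %s", err)
		expirationError = true
	}
	// … unchanged: jwtToken.Valid check …
```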