Improve provider name handling #213
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
golangci-lint fixes are in #214 |
Pull Request Test Coverage Report for Build 12588015969Details
💛 - Coveralls |
paskal
approved these changes
Dec 29, 2024
Add provider name into JWT token claims to allow provider names with multiple underscore "_" symbols. Forbid provider names containing URL reserved symbols.
paskal
force-pushed
the
fix-providers-names
branch
from
5a80324 to
3157345
Compare
|
Rebased on top of master, without altering anything. @umputun could you please take a look? |
umputun
reviewed
Jan 3, 2025
|
|
||
| path, err := url.PathUnescape(name) | ||
| if err != nil || path != name { | ||
| formatForbidden(name) |
There was a problem hiding this comment.
small thing: in debug mode, this function's redirect for logging will lose the source line information. I'd suggest creating an error message instead and logging it directly.
umputun
reviewed
Jan 3, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The problem occurs when the provider name contains underscore characters
_.If provider name is like
provider_prodand fullclaims.User.IDin the JWT token looks likeprovider_prod_user1,then Authenticator.isProviderAllowed() check fails and provider with such name cannot be used.
This was initially discovered in #201 (comment).
It might be better to add an explicit provider name into the JWT token claims,
and avoid parsing already serialized string back to tokens.
Provider name passed into
Service.AddProvider()also becomes a part ofhttps://host:port/auth/provider_prod/loginURL, and therefore it requires special handling.One solution is to url-encode it, but then it will be still possible to use names containing spaces or special characters (by accident or with purpose).
Another solution is to forbid all provider names which require url-encoding.
It might be better to forbid empty names as well.
_underscore has been mentioned in the README examples for some time now, i am not sure about it.But those names may be even more strict and contain only ASCII alphanumeric symbols.
What do you think?
It is not possible to return errors from
Service.AddProvider(), therefore invalid providers are just ignored andERRORlevel message is logged.