cmd/geth, node, rpc: implement jwt tokens (#24364)

* rpc, node: refactor request validation and add jwt validation * node, rpc: fix error message, ignore engine api in RegisterAPIs * node: make authenticated port configurable * eth/catalyst: enable unauthenticated version of engine api * node: rework obtainjwtsecret (backport later) * cmd/geth: added auth port flag * node: happy lint, happy life * node: refactor authenticated api Modifies the authentication mechanism to use default values * node: trim spaces and newline away from secret Co-authored-by: Marius van der Wijden <m.vanderwijden@live.de>
2022-03-07 08:30:27 +01:00
parent 37f9d25ba0
commit 4860e50e05
21 changed files with 422 additions and 62 deletions
--- a/node/jwt_handler.go
+++ b/node/jwt_handler.go
@ -0,0 +1,78 @@
+// Copyright 2022 The go-ethereum Authors
+// This file is part of the go-ethereum library.
+//
+// The go-ethereum library is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Lesser General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// The go-ethereum library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Lesser General Public License for more details.
+//
+// You should have received a copy of the GNU Lesser General Public License
+// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
+
+package node
+
+import (
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/golang-jwt/jwt/v4"
+)
+
+type jwtHandler struct {
+	keyFunc func(token *jwt.Token) (interface{}, error)
+	next    http.Handler
+}
+
+// newJWTHandler creates a http.Handler with jwt authentication support.
+func newJWTHandler(secret []byte, next http.Handler) http.Handler {
+	return &jwtHandler{
+		keyFunc: func(token *jwt.Token) (interface{}, error) {
+			return secret, nil
+		},
+		next: next,
+	}
+}
+
+// ServeHTTP implements http.Handler
+func (handler *jwtHandler) ServeHTTP(out http.ResponseWriter, r *http.Request) {
+	var (
+		strToken string
+		claims   jwt.RegisteredClaims
+	)
+	if auth := r.Header.Get("Authorization"); strings.HasPrefix(auth, "Bearer ") {
+		strToken = strings.TrimPrefix(auth, "Bearer ")
+	}
+	if len(strToken) == 0 {
+		http.Error(out, "missing token", http.StatusForbidden)
+		return
+	}
+	// We explicitly set only HS256 allowed, and also disables the
+	// claim-check: the RegisteredClaims internally requires 'iat' to
+	// be no later than 'now', but we allow for a bit of drift.
+	token, err := jwt.ParseWithClaims(strToken, &claims, handler.keyFunc,
+		jwt.WithValidMethods([]string{"HS256"}),
+		jwt.WithoutClaimsValidation())
+
+	switch {
+	case err != nil:
+		http.Error(out, err.Error(), http.StatusForbidden)
+	case !token.Valid:
+		http.Error(out, "invalid token", http.StatusForbidden)
+	case !claims.VerifyExpiresAt(time.Now(), false): // optional
+		http.Error(out, "token is expired", http.StatusForbidden)
+	case claims.IssuedAt == nil:
+		http.Error(out, "missing issued-at", http.StatusForbidden)
+	case time.Since(claims.IssuedAt.Time) > 5*time.Second:
+		http.Error(out, "stale token", http.StatusForbidden)
+	case time.Until(claims.IssuedAt.Time) > 5*time.Second:
+		http.Error(out, "future token", http.StatusForbidden)
+	default:
+		handler.next.ServeHTTP(out, r)
+	}
+}