JWT, KeyAuth, CSRF multivalue extractors #2060

Merged
merged 4 commits into from Jan 24, 2022

aldas (Contributor) commented Jan 4, 2022

  • Adds to JWT, KeyAuth, CSRF support for multivalue extractor - This is mostly useful with headers but this PR adds it to the other variants also. Use case - You are using JWT middleware and expect Authentication header with value Bearer xxxx but your infrastructure has an upstream proxy that adds Basic authentication also. Now even if you fill in basic auth in the browser and your application sends requests with a JWT token you would be in trouble, as previously the JWT middleware knew only how to extract the first Authentication header value - which could be the JWT token but could also be Basic Auth. This change allows the extractor to return all those header values and run JWT token checks or validation for KeyAuth on them.
  • Add flag NoErrorContinuesExecution to JWT and KeyAuth middleware to allow continuing execution next(c) when the error handler decides to swallow the error (returns nil). Use case: This is useful in cases when a portion of your site/api is publicly accessible and has extra features for authorized users. In that case you can use ErrorHandlerWithContext to set a default public JWT token value on the request and continue with the handler chain. Note: this is similar to Allow JWT middleware to gracefully fail #2048

p.s. there are ugly error handling parts just to preserve similar/same errors that those middlewares previously returned. Unfortunately all these 3 are quite inconsistent in how they do error handling - JWT has 2 generic types. KeyAuth has specific error values.
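
An added example, not code from this PR or from Echo: a standard-library Go illustration of the multivalue idea described in the comment above, assuming the standard `Authorization` header and a caller-supplied validator. The function names and the sample header values are hypothetical and constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// errNoCredential is a hypothetical error for "no candidate validated".
var errNoCredential = errors.New("no usable credential")

// valuesWithPrefix returns every value of the named header that starts with
// prefix (scheme compared case-insensitively), with the prefix stripped.
func valuesWithPrefix(h http.Header, name, prefix string) []string {
	var out []string
	for _, v := range h.Values(name) {
		if len(v) > len(prefix) && strings.EqualFold(v[:len(prefix)], prefix) {
			out = append(out, v[len(prefix):])
		}
	}
	return out
}

// authenticate tries each Bearer candidate in order and accepts the first one
// the validator approves; it fails closed when none validates.
func authenticate(h http.Header, validate func(string) bool) (string, error) {
	for _, tok := range valuesWithPrefix(h, "Authorization", "Bearer ") {
		if validate(tok) {
			return tok, nil
		}
	}
	return "", errNoCredential
}

// proxiedRequestHeaders builds constructed sample input: a proxy-added Basic
// credential placed ahead of the application's Bearer token.
func proxiedRequestHeaders() http.Header {
	h := http.Header{}
	h.Add("Authorization", "Basic dXNlcjpwYXNz") // constructed value
	h.Add("Authorization", "Bearer constructed-token")
	return h
}

func main() {
	h := proxiedRequestHeaders()
	// A single-value lookup sees only the proxy's Basic credential.
	fmt.Println("first value only:", h.Get("Authorization"))
	tok, err := authenticate(h, func(t string) bool { return t == "constructed-token" })
	fmt.Println("multivalue result:", tok, err)
}
```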

codecov bot commented Jan 4, 2022

Codecov Report

Merging #2060 (c3edf89) into master (6f6befe) will increase coverage by 0.44%.
The diff coverage is 94.76%.


@@            Coverage Diff             @@
##           master    #2060      +/-   ##
==========================================
+ Coverage   91.57%   92.02%   +0.44%     
==========================================
  Files          33       34       +1     
  Lines        2921     2972      +51     
==========================================
+ Hits         2675     2735      +60     
+ Misses        157      149       -8     
+ Partials       89       88       -1     

| Impacted Files | Coverage Δ |
| --- | --- |
| echo.go | 94.20% <ø> (ø) |
| middleware/middleware.go | 94.44% <ø> (ø) |
| middleware/csrf.go | 88.88% <87.09%> (+8.60%) ⬆️ |
| middleware/key_auth.go | 94.91% <92.85%> (-2.01%) ⬇️ |
| middleware/jwt.go | 92.77% <93.75%> (+2.50%) ⬆️ |
| middleware/extractor.go | 98.83% <98.83%> (ø) |

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@aldas aldas requested review from lammel and pafuent January 4, 2022 17:48
@aldas aldas requested a review from lammel January 5, 2022 09:58
aldas (Contributor Author) commented Jan 5, 2022

@lammel if you have time could you review. I'd like to include it in the next release.

lammel (Contributor) commented Jan 7, 2022

> @lammel if you have time could you review. I'd like to include it in the next release.

Will look into it today.

lammel (Contributor) left a comment

Looks good.
When comments from the review are resolved we should merge.

Review threads:
  • middleware/jwt.go (outdated, resolved)
  • middleware/jwt.go (outdated, resolved)
  • middleware/csrf_test.go (resolved)

@aldas aldas requested a review from lammel January 10, 2022 19:41

lammel (Contributor) left a comment

Guess that looks pretty good now. Cool stuff @aldas

@aldas aldas merged commit 4a1ccdf into labstack:master Jan 24, 2022
@aldas aldas deleted the multivalue_extractors branch July 12, 2022 19:04