From d1355109718a0644c053fcb4da7d8c01e9e05e66 Mon Sep 17 00:00:00 2001
From: Patryk Kalinowski
Date: Mon, 26 Feb 2024 14:16:27 +0100
Subject: [PATCH] rpc: require JWT nonce to be present
---
 rpc/identity.go | 7 +++----
 rpc/sessions_test.go | 20 +++++++++++++++++---
 2 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/rpc/identity.go b/rpc/identity.go
index d8873a51..8e259f68 100644
--- a/rpc/identity.go
+++ b/rpc/identity.go
@@ -28,15 +28,14 @@ func withIssuer(expectedIss string) jwt.ValidatorFunc {
 func withSessionHash(expectedSessionHash string) jwt.ValidatorFunc {
 return func(ctx context.Context, tok jwt.Token) jwt.ValidationError {
- sessAddrClaim, ok := tok.Get("sequence:session_hash")
- if ok && sessAddrClaim == expectedSessionHash {
+ sessHashClaim, ok := tok.Get("sequence:session_hash")
+ if ok && sessHashClaim == expectedSessionHash {
 return nil
 }
 nonceClaim, ok := tok.Get("nonce")
 if !ok {
- // TODO: we might always want to require nonce to be present
- return nil
+ return jwt.NewValidationError(fmt.Errorf("nonce not satisfied"))
 }
 nonceVal, _ := nonceClaim.(string)
diff --git a/rpc/sessions_test.go b/rpc/sessions_test.go
index e8e0ad3b..72442292 100644
--- a/rpc/sessions_test.go
+++ b/rpc/sessions_test.go
@@ -46,6 +46,9 @@ func TestRPC_RegisterSession(t *testing.T) {
 intentBuilderFn func(t *testing.T, data intents.IntentDataOpenSession) *proto.Intent
 }{
 "Basic": {
+ tokBuilderFn: func(b *jwt.Builder, url string) {
+ b.Claim("sequence:session_hash", sessHash)
+ },
 assertFn: func(t *testing.T, sess *proto.Session, err error, p assertionParams) {
 require.NoError(t, err)
 require.NotNil(t, sess)
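Review bot: The new `!ok` branch reuses the wording `nonce not satisfied`, which sessions_test.go also asserts for the existing case just above WithMissingNonce (presumably the mismatch case), so a validation log line no longer tells a token that omitted the nonce claim from one that sent a wrong value. A distinct message such as `return jwt.NewValidationError(errors.New("nonce claim missing"))` keeps the two rejections separable for triage and replaces the argument-less fmt.Errorf with errors.New (the WithMissingNonce assertion would change with it; whether errors is already imported in identity.go is not visible here). Separately, the `sessHashClaim == expectedSessionHash` early return above is unchanged, so a token carrying a matching sequence:session_hash still skips the nonce requirement entirely; a one-line comment there, e.g. `// a matching session_hash claim satisfies the check without a nonce`, would make that intended bypass explicit. withSessionHash's body continues past the hunk, so the nonce comparison that produces the other error is not visible here.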
@@ -83,6 +86,12 @@ func TestRPC_RegisterSession(t *testing.T) {
 require.ErrorContains(t, err, "JWT validation: nonce not satisfied")
 },
 },
+ "WithMissingNonce": {
+ assertFn: func(t *testing.T, sess *proto.Session, err error, p assertionParams) {
+ require.Nil(t, sess)
+ require.ErrorContains(t, err, "JWT validation: nonce not satisfied")
+ },
+ },
 "WithInvalidNonceButValidSessionAddressClaim": {
 tokBuilderFn: func(b *jwt.Builder, url string) {
 b.Claim("nonce", "0x1234567890abcdef").
@@ -97,7 +106,9 @@ func TestRPC_RegisterSession(t *testing.T) {
 },
 "WithVerifiedEmail": {
 tokBuilderFn: func(b *jwt.Builder, url string) {
- b.Claim("email", "user@example.com").Claim("email_verified", "true")
+ b.Claim("email", "user@example.com").
+ Claim("email_verified", "true").
+ Claim("sequence:session_hash", sessHash)
 },
 assertFn: func(t *testing.T, sess *proto.Session, err error, p assertionParams) {
 require.NoError(t, err)
@@ -108,7 +119,9 @@ func TestRPC_RegisterSession(t *testing.T) {
 },
 "WithUnverifiedEmail": {
 tokBuilderFn: func(b *jwt.Builder, url string) {
- b.Claim("email", "user@example.com").Claim("email_verified", "false")
+ b.Claim("email", "user@example.com").
+ Claim("email_verified", "false").
+ Claim("sequence:session_hash", sessHash)
 },
 assertFn: func(t *testing.T, sess *proto.Session, err error, p assertionParams) {
 require.NoError(t, err)
@@ -134,7 +147,8 @@ func TestRPC_RegisterSession(t *testing.T) {
 },
 "IssuerMissingScheme": {
 tokBuilderFn: func(b *jwt.Builder, url string) {
- b.Issuer(strings.TrimPrefix(url, "http://"))
+ b.Issuer(strings.TrimPrefix(url, "http://")).
+ Claim("sequence:session_hash", sessHash)
 },
 assertFn: func(t *testing.T, sess *proto.Session, err error, p assertionParams) {
 require.NoError(t, err)
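Review bot: With `Claim("sequence:session_hash", sessHash)` added to Basic, WithVerifiedEmail, WithUnverifiedEmail and IssuerMissingScheme, every success case visible here now passes withSessionHash via the session_hash early return rather than through nonce validation, so unless a case outside these hunks presents a valid nonce without that claim, the accepting side of the nonce check has no positive test. Worth keeping at least one success case that sets only a correct nonce, and a short comment on Basic such as `// session_hash satisfies withSessionHash without a nonce` so readers do not take it for a nonce-path test. TestRPC_RegisterSession's table starts and ends outside these hunks.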