From 69a28faccf46339e9e56b807a1c3b172a78363e9 Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Sat, 11 May 2019 22:03:02 -0600 Subject: [PATCH] use jwt or jws for all requests --- bin/telebitd.js | 4 ++++ lib/admin/js/app.js | 36 +++++++++++++++++++++++------------- lib/admin/js/telebit.js | 35 +++++++++++++++++++++++++++++++---- 3 files changed, 58 insertions(+), 17 deletions(-) diff --git a/bin/telebitd.js b/bin/telebitd.js index 6bbbdfd..fe5c70e 100755 --- a/bin/telebitd.js +++ b/bin/telebitd.js @@ -587,6 +587,10 @@ function jwtEggspress(req, res, next) { } catch(e) { // ignore } + if (!req.jwk.kid) { + res.send({ error: { message: "JWT must include a SHA thumbprint as the 'kid' (key id)" } }); + return; + } // TODO verify if possible console.warn("[warn] JWT is not verified yet"); diff --git a/lib/admin/js/app.js b/lib/admin/js/app.js index 1a06d3e..82705d4 100644 --- a/lib/admin/js/app.js +++ b/lib/admin/js/app.js @@ -25,8 +25,9 @@ function safeFetch(url, opts) { api.config = function apiConfig() { return Telebit.reqLocalAsync({ - url: "/api/config" - , method: "GET" + method: "GET" + , url: "/api/config" + , key: api._key }).then(function (resp) { var json = resp.body; appData.config = json; @@ -34,17 +35,22 @@ api.config = function apiConfig() { }); }; api.status = function apiStatus() { - return Telebit.reqLocalAsync({ url: "/api/status", method: "GET" }).then(function (resp) { + return Telebit.reqLocalAsync({ + method: "GET" + , url: "/api/status" + , key: api._key + }).then(function (resp) { var json = resp.body; return json; }); }; api.http = function apiHttp(o) { var opts = { - url: "/api/http" - , method: "POST" + method: "POST" + , url: "/api/http" , headers: { 'Content-Type': 'application/json' } , json: { name: o.name, handler: o.handler, indexes: o.indexes } + , key: api._key }; return Telebit.reqLocalAsync(opts).then(function (resp) { var json = resp.body; @@ -56,10 +62,11 @@ api.http = function apiHttp(o) { }; api.ssh = function apiSsh(port) { var opts = { - url: "/api/ssh" - , method: "POST" + method: "POST" + , url: "/api/ssh" , headers: { 'Content-Type': 'application/json' } , json: { port: port } + , key: api._key }; return Telebit.reqLocalAsync(opts).then(function (resp) { var json = resp.body; @@ -71,9 +78,10 @@ api.ssh = function apiSsh(port) { }; api.enable = function apiEnable() { var opts = { - url: "/api/enable" - , method: "POST" + method: "POST" + , url: "/api/enable" //, headers: { 'Content-Type': 'application/json' } + , key: api._key }; return Telebit.reqLocalAsync(opts).then(function (resp) { var json = resp.body; @@ -85,9 +93,10 @@ api.enable = function apiEnable() { }; api.disable = function apiDisable() { var opts = { - url: "/api/disable" - , method: "POST" + method: "POST" + , url: "/api/disable" //, headers: { 'Content-Type': 'application/json' } + , key: api._key }; return Telebit.reqLocalAsync(opts).then(function (resp) { var json = resp.body; @@ -465,8 +474,9 @@ new Vue({ }); function run(key) { - // 1. Get ACME directory - // 2. Fetch ACME account + api._key = key; + // 😁 1. Get ACME directory + // 😁 2. Fetch ACME account // 3. Test if account has access // 4. Show command line auth instructions to auth // 5. Sign requests / use JWT diff --git a/lib/admin/js/telebit.js b/lib/admin/js/telebit.js index f4379df..4908f46 100644 --- a/lib/admin/js/telebit.js +++ b/lib/admin/js/telebit.js @@ -1,6 +1,7 @@ ;(function (exports) { 'use strict'; +var Keypairs = window.Keypairs; var common = exports.TELEBIT = {}; common.debug = true; @@ -14,7 +15,7 @@ if ('undefined' !== typeof Promise) { /*globals AbortController*/ if ('undefined' !== typeof fetch) { - common.requestAsync = function (opts) { + common._requestAsync = function (opts) { // funnel requests through the local server // (avoid CORS, for now) var relayOpts = { @@ -44,7 +45,7 @@ if ('undefined' !== typeof fetch) { }); }); }; - common.reqLocalAsync = function (opts) { + common._reqLocalAsync = function (opts) { if (!opts) { opts = {}; } if (opts.json && true !== opts.json) { opts.body = opts.json; @@ -78,9 +79,35 @@ if ('undefined' !== typeof fetch) { }); }; } else { - common.requestAsync = require('util').promisify(require('@root/request')); - common.reqLocalAsync = require('util').promisify(require('@root/request')); + common._requestAsync = require('util').promisify(require('@root/request')); + common._reqLocalAsync = require('util').promisify(require('@root/request')); } +common._sign = function (opts) { + var p; + if ('POST' === opts.method || opts.json) { + p = Keypairs.signJws({ jwk: opts.key, payload: opts.json || {} }).then(function (jws) { + opts.json = jws; + }); + } else { + p = Keypairs.signJwt({ jwk: opts.key , claims: { iss: false, exp: '60s' } }).then(function (jwt) { + if (!opts.headers) { opts.headers = {}; } + opts.headers.Authorization = 'Bearer ' + jwt; + }); + } + return p.then(function () { + return opts; + }); +}; +common.requestAsync = function (opts) { + return common._sign(opts).then(function (opts) { + return common._requestAsync(opts); + }); +}; +common.reqLocalAsync = function (opts) { + return common._sign(opts).then(function (opts) { + return common._reqLocalAsync(opts); + }); +}; common.parseUrl = function (hostname) { // add scheme, if missing