From 32206d9f0b7f9f7820a87ccd22385def4222a89a Mon Sep 17 00:00:00 2001
From: devMls
Date: Fri, 20 Jan 2017 18:17:18 +0100
Subject: [PATCH 1/3] Update nginx-jwt.lua
---
 nginx-jwt.lua | 37 ++++++++++++++++++++++++++++---------
 1 file changed, 28 insertions(+), 9 deletions(-)
diff --git a/nginx-jwt.lua b/nginx-jwt.lua
index 482765a..2ce8c17 100644
--- a/nginx-jwt.lua
+++ b/nginx-jwt.lua
@@ -26,21 +26,40 @@ function M.auth(claim_specs)
 -- require Authorization request header
 local auth_header = ngx.var.http_Authorization
- if auth_header == nil then
- ngx.log(ngx.WARN, "No Authorization header")
- ngx.exit(ngx.HTTP_UNAUTHORIZED)
+ token_site = os.getenv("NGINX_JWT_TOKEN_SITE")
+
+ if token_site == nil then
+ ngx.log(ngx.WARN, "No token site found, use default: HEADER")
+ token_site = "HEADER"
 end
+
+ if token_site == "HEADER" then
+ if auth_header == nil then
+ ngx.log(ngx.WARN, "No Authorization header")
+ ngx.exit(ngx.HTTP_UNAUTHORIZED)
+ end
- ngx.log(ngx.INFO, "Authorization: " .. auth_header)
+ ngx.log(ngx.INFO, "Authorization: " .. auth_header)
 -- require Bearer token
- local _, _, token = string.find(auth_header, "Bearer%s+(.+)")
+ local _, _, token = string.find(auth_header, "Bearer%s+(.+)")
- if token == nil then
- ngx.log(ngx.WARN, "Missing token")
- ngx.exit(ngx.HTTP_UNAUTHORIZED)
 end
-
+
+ if token_site == "COOKIE" then
+ token = ngx.var.cookie_bearer
+ end
+
+ if token_site == "REQUEST" then
+ token = ngx.var.arg_bearer
+ end
+
+ if token == nil then
+ ngx.log(ngx.WARN, "Missing token")
+ ngx.exit(ngx.HTTP_UNAUTHORIZED)
+ end
+
+
 ngx.log(ngx.INFO, "Token: " .. token)
 -- require valid JWT
From a2bc61c675f1bff3e67112dd3b4d6851b05f0768 Mon Sep 17 00:00:00 2001
From: devMls
Date: Fri, 20 Jan 2017 18:22:30 +0100
Subject: [PATCH 2/3] Update README.md
add explanation about how to use coockie or request token
---
 README.md | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index a0ffc96..317f353 100644
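Review bot: `local _, _, token = string.find(auth_header, "Bearer%s+(.+)")` is now declared inside the `if token_site == "HEADER" then` block, so that local goes out of scope at the block's `end`; the `if token == nil then` check and the `"Token: "` log line below it read a global `token` instead, which in HEADER mode (the default) is never assigned, so every request in that mode would be rejected with "Missing token". Declare the variable before the branches and assign into it — `local token_site = os.getenv("NGINX_JWT_TOKEN_SITE")`, `local token`, and inside the HEADER branch `_, _, token = string.find(auth_header, "Bearer%s+(.+)")` — which also removes the accidental globals `token_site` and `token`; in ngx_lua a global written by module code persists in the worker across requests when code caching is on, so a token assigned as a global could in principle be observed by a later request. An unrecognised `NGINX_JWT_TOKEN_SITE` value (for example a lowercase spelling) falls through silently to the same "Missing token" exit; logging the rejected value at that point would make the misconfiguration visible. A comment next to `token = ngx.var.arg_bearer` should state that a token carried in the query string ends up in access logs, Referer headers and browser history, and the README hunk in the next patch should carry the same caveat (its new text also says "COOKIE or HEADER" where the code checks `"COOKIE"` and `"REQUEST"`). The enclosing function `M.auth` continues outside the hunk.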
--- a/README.md
+++ b/README.md
@@ -49,13 +49,23 @@ Install steps:
 env JWT_SECRET;
 ```
-1. If your JWT secret is Base64 (URL-safe) encoded, export the `JWT_SECRET_IS_BASE64_ENCODED` environment variable on the Nginx host, setting it equal to `true`. Then expose it to Nginx server:
+2. If your JWT secret is Base64 (URL-safe) encoded, export the `JWT_SECRET_IS_BASE64_ENCODED` environment variable on the Nginx host, setting it equal to `true`. Then expose it to Nginx server:
 ```lua
 # nginx.conf:
 env JWT_SECRET_IS_BASE64_ENCODED;
 ```
+3. If you want specify where this script should looking for the token, export the `NGINX_JWT_TOKEN_SITE` environment variable on the Nginx host, setting it equal to `HEADER`, `COOKIE` , `REQUEST`. Then expose it to Nginx server:
+ ```lua
+ # nginx.conf:
+
+ env NGINX_JWT_TOKEN_SITE;
+ ```
+ In case that you choose COOKIE or HEADER, this script try to found a "bearer" cookie or request parameter.
+
+
+
 ## Usage
 Now we can start using the script in reverse-proxy scenarios to secure our backing service. This is done by using the [access_by_lua](https://github.com/openresty/lua-nginx-module#access_by_lua) directive to call the `nginx-jwt` script's [`auth()`](#auth) function before executing any [proxy_* directives](http://nginx.org/en/docs/http/ngx_http_proxy_module.html):
From 4c1ee7e38f66252b06b323ebb837b3e94e0019a7 Mon Sep 17 00:00:00 2001
From: devMls
Date: Fri, 20 Jan 2017 18:23:54 +0100
Subject: [PATCH 3/3] Update README.md
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 317f353..731c944 100644
--- a/README.md
+++ b/README.md
@@ -20,6 +20,7 @@
 * Secure an existing HTTP service (ex: REST API) using Nginx reverse-proxy and this script
 * Authenticate an HTTP request with the verified identity contained with in a JWT
 * Optionally, authorize the same request using helper functions for asserting required JWT claims
+* Optionally, specify if the token is in the request param (bearer param) or in a cookie (bearer cookie).
 ## Install