This repository was archived by the owner on Feb 14, 2018. It is now read-only.

add the option to specify the token in a COOKIE or in a request param #67

Open
wants to merge 3 commits into
base: master
13 changes: 12 additions & 1 deletion README.md
@@ -20,6 +20,7 @@
* Secure an existing HTTP service (ex: REST API) using Nginx reverse-proxy and this script
* Authenticate an HTTP request with the verified identity contained with in a JWT
* Optionally, authorize the same request using helper functions for asserting required JWT claims
* Optionally, specify if the token is in the request param (bearer param) or in a cookie (bearer cookie).

## Install

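Review bot: the new bullet does not say how the location is chosen; it should name the `NGINX_JWT_TOKEN_SITE` variable and its values `HEADER`, `COOKIE` and `REQUEST` (with `HEADER` as the default), because "specify if the token is in the request param (bearer param) or in a cookie (bearer cookie)" leaves the reader to discover that in the Install section. A sentence on the trade-off also belongs here: a token carried in a query parameter is written to the Nginx access log and leaks through the Referer header, and a token carried in a cookie is sent automatically by the browser, so the proxied service then needs its own cross-site request protection.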
@@ -49,13 +50,23 @@ Install steps:

env JWT_SECRET;
```
1. If your JWT secret is Base64 (URL-safe) encoded, export the `JWT_SECRET_IS_BASE64_ENCODED` environment variable on the Nginx host, setting it equal to `true`. Then expose it to Nginx server:
2. If your JWT secret is Base64 (URL-safe) encoded, export the `JWT_SECRET_IS_BASE64_ENCODED` environment variable on the Nginx host, setting it equal to `true`. Then expose it to Nginx server:
```lua
# nginx.conf:

env JWT_SECRET_IS_BASE64_ENCODED;
```

3. If you want specify where this script should looking for the token, export the `NGINX_JWT_TOKEN_SITE` environment variable on the Nginx host, setting it equal to `HEADER`, `COOKIE` , `REQUEST`. Then expose it to Nginx server:
```lua
# nginx.conf:

env NGINX_JWT_TOKEN_SITE;
```
In case that you choose COOKIE or HEADER, this script try to found a "bearer" cookie or request parameter.



## Usage

Now we can start using the script in reverse-proxy scenarios to secure our backing service. This is done by using the [access_by_lua](https://github.com/openresty/lua-nginx-module#access_by_lua) directive to call the `nginx-jwt` script's [`auth()`](#auth) function before executing any [proxy_* directives](http://nginx.org/en/docs/http/ngx_http_proxy_module.html):
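Review bot: the sentence "In case that you choose COOKIE or HEADER, this script try to found a "bearer" cookie or request parameter" names the wrong pair of values: the `bearer` cookie and the `bearer` request parameter belong to `COOKIE` and `REQUEST`, while `HEADER` keeps reading the `Authorization: Bearer ...` header. Suggest: "If you choose `COOKIE` or `REQUEST`, the script looks for a cookie or request parameter named `bearer`." Step 3 also needs a grammar pass ("If you want to specify where this script should look for the token, export ... setting it equal to `HEADER`, `COOKIE` or `REQUEST`"), and the three blank lines before `## Usage` can go. Minor: the new `nginx.conf` fence is tagged `lua`, copying the one above it; `nginx` would give correct highlighting for both.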
37 changes: 28 additions & 9 deletions nginx-jwt.lua
@@ -26,21 +26,40 @@ function M.auth(claim_specs)
-- require Authorization request header
local auth_header = ngx.var.http_Authorization

if auth_header == nil then
ngx.log(ngx.WARN, "No Authorization header")
ngx.exit(ngx.HTTP_UNAUTHORIZED)
token_site = os.getenv("NGINX_JWT_TOKEN_SITE")

if token_site == nil then
ngx.log(ngx.WARN, "No token site found, use default: HEADER")
token_site = "HEADER"
end

if token_site == "HEADER" then
if auth_header == nil then
ngx.log(ngx.WARN, "No Authorization header")
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end

ngx.log(ngx.INFO, "Authorization: " .. auth_header)
ngx.log(ngx.INFO, "Authorization: " .. auth_header)

-- require Bearer token
local _, _, token = string.find(auth_header, "Bearer%s+(.+)")
local _, _, token = string.find(auth_header, "Bearer%s+(.+)")

if token == nil then
ngx.log(ngx.WARN, "Missing token")
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end


if token_site == "COOKIE" then
token = ngx.var.cookie_bearer
end

if token_site == "REQUEST" then
token = ngx.var.arg_bearer
end

if token == nil then
ngx.log(ngx.WARN, "Missing token")
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end


ngx.log(ngx.INFO, "Token: " .. token)

-- require valid JWT
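Review bot: `token` is declared with `local _, _, token = string.find(auth_header, "Bearer%s+(.+)")` inside the `if token_site == "HEADER" then` block; if that block is closed before the `COOKIE`/`REQUEST` branches, the `token` tested at the later `if token == nil then` is a different (global) variable and every header-based request will be rejected with "Missing token". Declare `local token` once before the branch and assign into it from all three sources. Related: `token_site = os.getenv("NGINX_JWT_TOKEN_SITE")` is also missing `local`, recent lua-nginx-module versions warn about writing a global at request time, and reading the variable once at module load into a module-level local avoids both the warning and a `getenv` on every request. Any value other than the three known ones silently falls through with `token` nil and a misleading "Missing token" warning; validating `token_site` up front and logging the unexpected value would make misconfiguration visible. Finally, `ngx.log(ngx.INFO, "Token: " .. token)` now prints credentials that may have arrived in the query string or a cookie; logging the token at all is worth reconsidering, and a query-string token will also land in the access log unless that log format drops the argument.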