only skip signature check

centrifugal · Sep 26, 2023 · ffa1926 · ffa1926
1 parent dbd7ab8
commit ffa1926
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 44 deletions.
diff --git a/internal/client/handler.go b/internal/client/handler.go
@@ -286,7 +286,7 @@ func (h *Handler) OnClientConnecting(
 	storage := map[string]any{}
 
 	if e.Token != "" {
-		token, err := h.tokenVerifier.VerifyConnectToken(e.Token, h.ruleContainer.Config().ClientInsecureSkipTokenVerify)
+		token, err := h.tokenVerifier.VerifyConnectToken(e.Token, h.ruleContainer.Config().ClientInsecureSkipTokenSignatureVerify)
 		if err != nil {
 			if err == jwtverify.ErrTokenExpired {
 				return centrifuge.ConnectReply{}, centrifuge.ErrorTokenExpired
@@ -473,7 +473,7 @@ func (h *Handler) OnRefresh(c Client, e centrifuge.RefreshEvent, refreshProxyHan
 		}
 		return r, RefreshExtra{}, err
 	}
-	token, err := h.tokenVerifier.VerifyConnectToken(e.Token, h.ruleContainer.Config().ClientInsecureSkipTokenVerify)
+	token, err := h.tokenVerifier.VerifyConnectToken(e.Token, h.ruleContainer.Config().ClientInsecureSkipTokenSignatureVerify)
 	if err != nil {
 		if err == jwtverify.ErrTokenExpired {
 			return centrifuge.RefreshReply{Expired: true}, RefreshExtra{}, nil
@@ -531,7 +531,7 @@ func (h *Handler) OnSubRefresh(c Client, subRefreshProxyHandler proxy.SubRefresh
 	if h.subTokenVerifier != nil {
 		tokenVerifier = h.subTokenVerifier
 	}
-	token, err := tokenVerifier.VerifySubscribeToken(e.Token, h.ruleContainer.Config().ClientInsecureSkipTokenVerify)
+	token, err := tokenVerifier.VerifySubscribeToken(e.Token, h.ruleContainer.Config().ClientInsecureSkipTokenSignatureVerify)
 	if err != nil {
 		if err == jwtverify.ErrTokenExpired {
 			return centrifuge.SubRefreshReply{Expired: true}, SubRefreshExtra{}, nil
@@ -648,7 +648,7 @@ func (h *Handler) OnSubscribe(c Client, e centrifuge.SubscribeEvent, subscribePr
 		if h.subTokenVerifier != nil {
 			tokenVerifier = h.subTokenVerifier
 		}
-		token, err := tokenVerifier.VerifySubscribeToken(e.Token, h.ruleContainer.Config().ClientInsecureSkipTokenVerify)
+		token, err := tokenVerifier.VerifySubscribeToken(e.Token, h.ruleContainer.Config().ClientInsecureSkipTokenSignatureVerify)
 		if err != nil {
 			if err == jwtverify.ErrTokenExpired {
 				return centrifuge.SubscribeReply{}, SubscribeExtra{}, centrifuge.ErrorTokenExpired

diff --git a/internal/jwtverify/token_verifier_jwt.go b/internal/jwtverify/token_verifier_jwt.go
@@ -436,11 +436,9 @@ func (verifier *VerifierJWT) VerifyConnectToken(t string, skipVerify bool) (Conn
 		return ConnectToken{}, ErrInvalidToken
 	}
 
-	if !skipVerify {
-		now := time.Now()
-		if !claims.IsValidExpiresAt(now) || !claims.IsValidNotBefore(now) {
-			return ConnectToken{}, ErrTokenExpired
-		}
+	now := time.Now()
+	if !claims.IsValidExpiresAt(now) || !claims.IsValidNotBefore(now) {
+		return ConnectToken{}, ErrTokenExpired
 	}
 
 	subs := map[string]centrifuge.SubscribeOptions{}
@@ -624,11 +622,9 @@ func (verifier *VerifierJWT) VerifySubscribeToken(t string, skipVerify bool) (Su
 		}
 	}
 
-	if !skipVerify {
-		now := time.Now()
-		if !claims.IsValidExpiresAt(now) || !claims.IsValidNotBefore(now) {
-			return SubscribeToken{}, ErrTokenExpired
-		}
+	now := time.Now()
+	if !claims.IsValidExpiresAt(now) || !claims.IsValidNotBefore(now) {
+		return SubscribeToken{}, ErrTokenExpired
 	}
 
 	if claims.Channel == "" {

diff --git a/internal/jwtverify/token_verifier_jwt_test.go b/internal/jwtverify/token_verifier_jwt_test.go
@@ -322,7 +322,18 @@ func Test_tokenVerifierJWT_InvalidSignature(t *testing.T) {
 	require.Error(t, err)
 
 	// Test that skipVerify results into accepted token.
-	ct, err := verifier.VerifyConnectToken(jwtInvalidSignature, true)
+	ct, err := verifier.VerifyConnectToken(jwtValid+"xxx", true)
+	require.NoError(t, err)
+	require.Equal(t, "2694", ct.UserID)
+}
+
+func Test_tokenVerifierJWT_InvalidSignature_SkipVerify(t *testing.T) {
+	ruleConfig := rule.DefaultConfig
+	ruleContainer, err := rule.NewContainer(ruleConfig)
+	require.NoError(t, err)
+	verifier, err := NewTokenVerifierJWT(VerifierConfig{"secret", nil, nil, "", "", "", "", ""}, ruleContainer)
+	require.NoError(t, err)
+	ct, err := verifier.VerifyConnectToken(jwtValid+"xxx", true)
 	require.NoError(t, err)
 	require.Equal(t, "2694", ct.UserID)
 }
@@ -336,10 +347,9 @@ func Test_tokenVerifierJWT_WithNotBefore(t *testing.T) {
 	_, err = verifier.VerifyConnectToken(jwtNotBefore, false)
 	require.Error(t, err)
 
-	// Test that skipVerify results into accepted token.
-	ct, err := verifier.VerifyConnectToken(jwtNotBefore, true)
-	require.NoError(t, err)
-	require.Equal(t, "2694", ct.UserID)
+	// Test that skipVerify still results into unaccepted token if it's expired.
+	_, err = verifier.VerifyConnectToken(jwtNotBefore, true)
+	require.Error(t, err)
 }
 
 func Test_tokenVerifierJWT_StringAudience(t *testing.T) {
@@ -610,23 +620,6 @@ func Test_tokenVerifierJWT_VerifySubscribeToken(t *testing.T) {
 			want:    SubscribeToken{},
 			wantErr: true,
 			expired: true,
-		}, {
-			name:     "Expired JWT but verify skipped",
-			verifier: verifierJWT,
-			args: args{
-				token: getRSASubscribeToken("channel1", "client1", _time.Add(-24*time.Hour).Unix(), nil),
-			},
-			want: SubscribeToken{
-				Client:  "client1",
-				Channel: "channel1",
-				Options: centrifuge.SubscribeOptions{
-					ExpireAt:    _time.Add(-24 * time.Hour).Unix(),
-					ChannelInfo: []byte("{}"),
-				},
-			},
-			wantErr:    false,
-			expired:    false,
-			skipVerify: true,
 		}, {
 			name:     "Valid JWT HS",
 			verifier: verifierJWT,

diff --git a/internal/rule/rule.go b/internal/rule/rule.go
@@ -55,10 +55,10 @@ type Config struct {
 	// anonymous access and publish allowed for all channels, no connection expire
 	// performed. This can be suitable for demonstration or personal usage.
 	ClientInsecure bool
-	// ClientInsecureSkipTokenVerify if on tells Centrifugo to ignore token verification
-	// errors - for both connection and subscription tokens. This is insecure and should
-	// only be used for development and testing purposes.
-	ClientInsecureSkipTokenVerify bool
+	// ClientInsecureSkipTokenSignatureVerify if on tells Centrifugo to ignore token
+	// signature verification errors - for both connection and subscription tokens.
+	// This is insecure and should only be used for development and testing purposes.
+	ClientInsecureSkipTokenSignatureVerify bool
 
 	// AnonymousConnectWithoutToken when set to true, allows connecting without specifying
 	// a connection token or setting Credentials in authentication middleware. The resulting

diff --git a/main.go b/main.go
@@ -100,9 +100,9 @@ var defaults = map[string]any{
 	"opentelemetry":     false,
 	"opentelemetry_api": false,
 
-	"client_insecure":                   false,
-	"client_insecure_skip_token_verify": false,
-	"api_insecure":                      false,
+	"client_insecure": false,
+	"client_insecure_skip_token_signature_verify": false,
+	"api_insecure": false,
 
 	"token_hmac_secret_key":      "",
 	"token_rsa_public_key":       "",
@@ -1624,7 +1624,7 @@ func ruleConfig() rule.Config {
 	cfg.UserPersonalSingleConnection = v.GetBool("user_personal_single_connection")
 	cfg.UserPersonalChannelNamespace = v.GetString("user_personal_channel_namespace")
 	cfg.ClientInsecure = v.GetBool("client_insecure")
-	cfg.ClientInsecureSkipTokenVerify = v.GetBool("client_insecure_skip_token_verify")
+	cfg.ClientInsecureSkipTokenSignatureVerify = v.GetBool("client_insecure_skip_token_signature_verify")
 	cfg.AnonymousConnectWithoutToken = v.GetBool("allow_anonymous_connect_without_token")
 	cfg.DisallowAnonymousConnectionTokens = v.GetBool("disallow_anonymous_connection_tokens")
 	cfg.ClientConcurrency = v.GetInt("client_concurrency")