dspo commented on code in PR #11597:
URL: https://github.com/apache/apisix/pull/11597#discussion_r1774665146


##########
apisix/plugins/jwt-auth.lua:
##########
@@ -387,52 +287,88 @@ function _M.rewrite(conf, ctx)
 end
 
 
-local function gen_token()
-    local args = core.request.get_uri_args()
-    if not args or not args.key then
-        return core.response.exit(400)
-    end
-
-    local key = args.key
-    local payload = args.payload
+local function get_real_payload(key, exp, payload)
+    local real_payload = {
+        key = key,
+        exp = ngx_time() + exp
+    }
     if payload then
-        payload = ngx.unescape_uri(payload)
+        local extra_payload = core.json.decode(payload)
+        core.table.merge(extra_payload, real_payload)
+        return extra_payload
     end
+    return real_payload
+end
 
-    local consumer_conf = consumer_mod.plugin(plugin_name)
-    if not consumer_conf then
-        return core.response.exit(404)
+local function sign_jwt_with_HS(key, auth_conf, payload)
+    local auth_secret, err = get_secret(auth_conf)
+    if not auth_secret then
+        core.log.error("failed to sign jwt, err: ", err)
+        return nil, "failed to sign jwt: failed to get auth_secret"
     end
-
-    local consumers = consumer_mod.consumers_kv(plugin_name, consumer_conf, 
"key")
-
-    core.log.info("consumers: ", core.json.delay_encode(consumers))
-    local consumer = consumers[key]
-    if not consumer then
-        return core.response.exit(404)
+    local ok, jwt_token = pcall(jwt.sign, _M,
+            auth_secret,
+            {
+                header = {
+                    typ = "JWT",
+                    alg = auth_conf.algorithm
+                },
+                payload = get_real_payload(key, auth_conf.exp, payload)
+            }
+    )
+    if not ok then
+        core.log.error("failed to sign jwt, err: ", jwt_token.reason)
+        return nil, "failed to sign jwt"
     end
+    return jwt_token
+end
 
-    core.log.info("consumer: ", core.json.delay_encode(consumer))
-
-    local sign_handler = algorithm_handler(consumer, true)
-    local jwt_token = sign_handler(key, consumer, payload)
-    if jwt_token then
-        return core.response.exit(200, jwt_token)
+local function sign_jwt_with_RS256_ES256(key, auth_conf, payload)
+    local ok, jwt_token = pcall(jwt.sign, _M,
+            auth_conf.private_key,
+            {
+                header = {
+                    typ = "JWT",
+                    alg = auth_conf.algorithm,
+                    x5c = {
+                        auth_conf.public_key,
+                    }
+                },
+                payload = get_real_payload(key, auth_conf.exp, payload)
+            }
+    )
+    if not ok then
+        core.log.warn("failed to sign jwt, err: ", jwt_token.reason)
+        return nil, "failed to sign jwt"
     end
-
-    return core.response.exit(404)
+    return jwt_token
 end
 
+local function get_sign_handler(algorithm)
+    if not algorithm or algorithm == "HS256" or algorithm == "HS512" then
+        return sign_jwt_with_HS
+    elseif algorithm == "RS256" or algorithm == "ES256" then
+        return sign_jwt_with_RS256_ES256
+    end
+end
 
-function _M.api()
-    return {
-        {
-            methods = {"GET"},
-            uri = "/apisix/plugin/jwt/sign",
-            handler = gen_token,
-        }
-    }
+local function gen_token(auth_conf, payload)
+    if not auth_conf.exp then
+        auth_conf.exp = 86400
+    end
+    if not auth_conf.lifetime_grace_period then
+        auth_conf.lifetime_grace_period = 0
+    end
+    if not auth_conf.algorithm then
+        auth_conf.algorithm = "HS256"
+    end
+    local sign_handler = get_sign_handler(auth_conf.algorithm)
+    local jwt_token, err = sign_handler(auth_conf.key, auth_conf, payload)
+    return jwt_token, err
 end
 
+-- only for test
+_M.gen_token = gen_token
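Review bot: `get_sign_handler` returns nil for any algorithm other than HS256/HS512/RS256/ES256, and `gen_token` calls the result unconditionally at `local jwt_token, err = sign_handler(auth_conf.key, auth_conf, payload)`, so an unsupported `auth_conf.algorithm` raises "attempt to call a nil value" instead of surfacing an error; add `if not sign_handler then return nil, "unsupported algorithm: " .. tostring(auth_conf.algorithm) end` before the call. The same gap exists in `get_real_payload`, where the result of `core.json.decode(payload)` goes straight into `core.table.merge` without checking for a nil or non-table result, so a malformed `payload` string presumably aborts signing with a runtime error rather than a reported failure. `gen_token` also writes its defaults for `exp`, `lifetime_grace_period` and `algorithm` back into the caller's `auth_conf` table, which is a side effect a test author should know about; the `-- only for test` line could say so, e.g. `-- only for test; note: fills in default exp/lifetime_grace_period/algorithm on the passed auth_conf`.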

Review Comment:
   `_M.gen_token` is only for tests. It is often necessary to generate JWT 
tokens for requests in tests, and `_M.gen_token` can be imported there (`local 
gen_token = require("apisix.plugins.jwt-auth").gen_token`). This function is 
completely separate from the gateway's JWT authentication.


