Fixed hashed msg by openssl in auth.sh, the JS client and the docs

2026-01-01 04:25:58 -08:00 · 2018-10-21 22:35:55 -04:00
parent 4f5ad9a01c
commit 2f3097f4fd
5 changed files with 106 additions and 54 deletions
--- a/api_auth_docker/README.md
+++ b/api_auth_docker/README.md
@@ -127,13 +127,13 @@ curl -v -H "Authorization: Bearer hhh.ppp.sss" localhost
 10 seconds request expiration:

 ```shell
-id="001";h64=$(echo "{\"alg\":\"HS256\",\"typ\":\"JWT\"}" | base64);p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+10))}" | base64);k="2df1eeea370eacdc5cf7e96c2d82140d1568079a5d4d87006ec8718a98883b36";s=$(echo "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1);token="$h64.$p64.$s";curl -v -H "Authorization: Bearer $token" -k https://localhost/getbestblockhash
+id="001";h64=$(echo "{\"alg\":\"HS256\",\"typ\":\"JWT\"}" | base64);p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+10))}" | base64);k="2df1eeea370eacdc5cf7e96c2d82140d1568079a5d4d87006ec8718a98883b36";s=$(echo -n "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1);token="$h64.$p64.$s";curl -v -H "Authorization: Bearer $token" -k https://localhost/getbestblockhash
 ```

 60 seconds request expiration:

 ```shell
-id="001";h64=$(echo "{\"alg\":\"HS256\",\"typ\":\"JWT\"}" | base64);p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+60))}" | base64);k="2df1eeea370eacdc5cf7e96c2d82140d1568079a5d4d87006ec8718a98883b36";s=$(echo "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1);token="$h64.$p64.$s";curl -v -H "Authorization: Bearer $token" -k https://localhost/getbestblockhash
+id="001";h64=$(echo "{\"alg\":\"HS256\",\"typ\":\"JWT\"}" | base64);p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+60))}" | base64);k="2df1eeea370eacdc5cf7e96c2d82140d1568079a5d4d87006ec8718a98883b36";s=$(echo -n "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1);token="$h64.$p64.$s";curl -v -H "Authorization: Bearer $token" -k https://localhost/getbestblockhash
 ```

 ## Technicalities
@@ -142,6 +142,6 @@ id="001";h64=$(echo "{\"alg\":\"HS256\",\"typ\":\"JWT\"}" | base64);p64=$(echo "
 h64=$(echo "{\"alg\":\"HS256\",\"typ\":\"JWT\"}" | base64)
 p64=$(echo "{\"id\":\"001\",\"exp\":$((`date +"%s"`+10))}" | base64)
 k="2df1eeea370eacdc5cf7e96c2d82140d1568079a5d4d87006ec8718a98883b36"
-s=$(echo "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1)
+s=$(echo -n "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1)
 token="$h64.$p64.$s"
 ```
--- a/api_auth_docker/auth.sh
+++ b/api_auth_docker/auth.sh
@@ -39,14 +39,14 @@ verify_sign()
  if [ ${exp} -gt ${current} ]; then
    trace "[verify_sign] Not expired, let's validate signature"
    local id=$(echo ${payload} | jq ".id" | tr -d '"')
-		trace "[verify_sign] id=${id}"
+  trace "[verify_sign] id=${id}"

-		# Check for code injection
-		# id will usually be an int, but can be alphanum... nothing else
-		case $id in (*[![:alnum:]]*|"")
-			trace "[verify_sign] Potential code injection, exiting"
-			return 1
-		esac
+  # Check for code injection
+  # id will usually be an int, but can be alphanum... nothing else
+  case $id in (*[![:alnum:]]*|"")
+  trace "[verify_sign] Potential code injection, exiting"
+  return 1
+  esac

    # It is so much faster to include the keys here instead of grep'ing the file for key.
    . ./keys.properties
@@ -54,8 +54,11 @@ verify_sign()
    local key
    eval key='$ukey_'$id
    trace "[verify_sign] key=${key}"
-    local comp_sign=$(echo "${header64}.${payload64}" | openssl dgst -hmac "${key}" -sha256 -r | cut -sd ' ' -f1)

+    local msg="${header64}.${payload64}"
+    trace "[verify_sign] msg=${msg}"
+
+    local comp_sign=$(echo -n "${msg}" | openssl dgst -hmac "${key}" -sha256 -r | cut -sd ' ' -f1)
    trace "[verify_sign] comp_sign=${comp_sign}"

    if [ "${comp_sign}" = "${signature}" ]; then
@@ -85,14 +88,14 @@ verify_group()

  local id=${1}
  local action=${REQUEST_URI:1}
-	trace "[verify_group] action=${action}"
+  trace "[verify_group] action=${action}"

-	# Check for code injection
-	# action can be alphanum... nothing else
-	case $action in (*[![:alnum:]]*|"")
-		trace "[verify_group] Potential code injection, exiting"
-		return 1
-	esac
+  # Check for code injection
+  # action can be alphanum... nothing else
+  case $action in (*[![:alnum:]]*|"")
+  trace "[verify_group] Potential code injection, exiting"
+  return 1
+  esac

  # It is so much faster to include the keys here instead of grep'ing the file for key.
  . ./api.properties