-
Notifications
You must be signed in to change notification settings - Fork 179
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
if auth_opt_jwt_skip_user_expiration
enabled, in case of receive bad token the code crashes. also README descriptions added.
#337
base: master
Are you sure you want to change the base?
Conversation
ACL in MySQL local mode configuration had some problems, added some explanation for using ACL using MySQL database in local mode.
issue: When `auth_opt_jwt_skip_user_expiration` is enabled in config file and the wrong JWT token is sent by client to server (with a few or completely wrong segments), the code crashes. Workaround: modify the code structure by moving the checking of token expiration conditions
README.md
Outdated
| Option | default | Mandatory | Meaning | | ||
| ----------------------------- | --------- | :-------: | -------------------------------------------------------- | | ||
| auth_opt_jwt_db | postgres | N | The DB backend to be used, either `postgres` or `mysql` | | ||
| auth_opt_jwt_userquery | | Y | SQL query for users | | ||
| auth_opt_jwt_mysql_dbname | | Y/N | must set if auth_opt_jwt_db set is `mysql` | | ||
| auth_opt_jwt_mysql_user | | Y/N | must set if auth_opt_jwt_db set is `mysql` | | ||
| auth_opt_jwt_mysql_password | | Y/N | must set if auth_opt_jwt_db set is `mysql` | | ||
| auth_opt_jwt_mysql_aclquery | | Y/N | ACL query must set if auth_opt_jwt_db set is `mysql` | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree the explanation could be a bit better, but it's all stated in https://github.com/iegomez/mosquitto-go-auth?tab=readme-ov-file#local-mode.
My nitpick here is that this table doesn't include all the rest of the options that are still valid, albeit not mandatory, but doing so for both PG and MySQL is a bit repetitive.
So maybe just change a bit the wording instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree, but I suggest that the tables should be completed in order to explicitly specify which items are mandatory for a particular situation. In this case, to use MySQL in JWT mode, the fields I wrote seem mandatory
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, I was just saying that besides the user query, which becomes irrelevant, all the options still follow the same mandatoriness that's spelled on PG and MySQL sections.
That said, I'm not really against being super clear, so if you want to throw in exhaustive tables for both DBs in the JWT case, all the better.
README.md
Outdated
@@ -1022,7 +1025,7 @@ auth_opt_jwt_userquery select count(*) from "user" where username = $1 and is_ac | |||
For mysql: | |||
|
|||
``` | |||
auth_opt_jwt_userquery select count(*) from "user" where username = ? and is_active = true limit 1 | |||
auth_opt_jwt_mysql_aclquery select count(*) from "user" where username = ? and is_active = true limit 1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's no need to remove the valid auth_opt_jwt_userquery
.
In fact, this is showing the difference between PG and MySQL params, i.e. $1
versus ?
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
right, but you wrote an example for PG in a few lines earlier. This line is an example for MySQL, however, this is similar to the previous topic.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I'm not against the addition but the replacement.
backends/jwt.go
Outdated
if err != nil { | ||
if v, ok := err.(*jwtGo.ValidationError); ok && v.Errors == jwtGo.ValidationErrorExpired { | ||
expirationError = true | ||
} | ||
log.Debugf("token expired: %s", err) | ||
if skipExpiration { | ||
expirationError = true | ||
}else{ | ||
log.Debugf("jwt parse error: %s", err) | ||
return nil, err | ||
} | ||
}else{ | ||
log.Debugf("jwt parse error: %s", err) | ||
return nil, err | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The format is a bit weird, Go's formatter should have caught missing spaces.
Also, I'd structure it like this instead to skip the inner else
clause by returning early on !skipExpiration
:
if err != nil {
if v, ok := err.(*jwtGo.ValidationError); ok && v.Errors == jwtGo.ValidationErrorExpired {
log.Debugf("jwt token expired: %s", err)
if !skipExpiration {
return nil, err
}
expirationError = true
} else {
log.Debugf("jwt parse error: %s", err)
return nil, err
}
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On another note, I'd also add a test with some wrong token that previously would crash and now doesn't.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
great good job
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mahdizadsar let me know if you plan on adding that test and addressing other concerns so we may merge.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Based on your intention, I changed a few things:
In the README.md file:
Changes in the local mode section in the JWT sub-set:
1- I linked the words Postgres and Mysql to their own section.
2- added an example for Mysql similar to Postgres.
3- reverted the options table to its previous state.
4- reverted the changes related to the userquery section to its previous state.
6- In the Important note section, I put the keywords in back ticks.
5- I added only one example for connecting to the Mysql database at the end.
In the jwt.go file:
I changed the file similar to what you wrote so that the "if else" condition becomes more readable as you said.
"If condition" format changed for better readability.
Example for local mode in JWT section added, some change reverted according to author intent.
Option table updated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@iegomez
I reviewed the changes and added an improvement to the README.md file.
Of course, if you agree with me.
issue 1: In README.md ACL in MySQL local mode configuration had some problems,
Workaround: I realized that it should be explained to the user what parts are required to use the mysql database in JWT mode. Also to use ACL In JWT mode,
auth_opt_jwt_mysql_aclquery
must be set with the correct query. this fields are:auth_opt_jwt_mysql_dbname
,auth_opt_jwt_mysql_user
,auth_opt_jwt_mysql_password
,auth_opt_jwt_mysql_aclquery
issue 2: When
auth_opt_jwt_skip_user_expiration
is enabled in config file and the wrong JWT token is sent by client to server (with a few or completely wrong segments), the code crashes.Workaround: modify the code structure by moving the checking of token expiration conditions.