feat: make jwt optional (#513)

* feat: make jwt optional * tests: print test descriptions * tests: fix expected result
filecoin-saturn · Nov 8, 2023 · e87d53c · e87d53c
1 parent 1c08018
commit e87d53c
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 10 deletions.
diff --git a/container/nginx/conf.d/shared.conf b/container/nginx/conf.d/shared.conf
@@ -10,7 +10,11 @@ location = / {
 }
 
 location / {
-    js_set        $jwt auth.findJWT;
+    js_var      $jwt;
+    js_content  auth.routeRequest;
+}
+
+location @auth_node_backend {
     js_content    auth.isAllowedRequest;
 
     auth_jwt      $jwt;

diff --git a/container/nginx/njs/auth.js b/container/nginx/njs/auth.js
@@ -2,6 +2,16 @@ import crypto from "crypto";
 
 const ipfsRegex = /^\/ipfs\/(\w+)(\/?.*)/;
 
+function routeRequest(req) {
+  const jwt = findJWT(req);
+  if (jwt) {
+    req.variables.jwt = jwt;
+    return req.internalRedirect("@auth_node_backend");
+  } else {
+    return req.internalRedirect("@node_backend");
+  }
+}
+
 function isAllowedRequest(req) {
   const matches = req.uri.match(ipfsRegex);
   if (!matches) {
@@ -75,4 +85,4 @@ function findJWT(req) {
   return jwtQuery || jwtHeader;
 }
 
-export default { isAllowedRequest, findJWT };
+export default { routeRequest, isAllowedRequest, findJWT };
diff --git a/scripts/integration_tests.sh b/scripts/integration_tests.sh
@@ -65,30 +65,30 @@ authorization_err=403 # jwt doesn't allow request origin
 cid="bafybeifpz6onienrgwvb3mw5rg7piq5jh63ystjn7s5wk6ttezy2gy5xwu/Mexico.JPG"
 url="${base_url}/ipfs/${cid}?format=car"
 
-# Requests fail without a jwt
+echo Requests succeed without a jwt
 code="$(curl -sw "%{http_code}\n" -o /dev/null "${url}")"
-test "$code" -eq "$authentication_err" || exit 1
+test "$code" -eq 200 || exit 1
 
-# Requests fail with explicit allow_list but without an origin header
+echo Requests fail with explicit allow_list but without an origin header
 code="$(curl -sw "%{http_code}\n" -o /dev/null "${url}&jwt=${jwtAllowExplicit}")"
 test "$code" -eq "$authorization_err" || exit 1
 
-# Requests fail with explicit allow_list but not allowed origin
+echo Requests fail with explicit allow_list but not allowed origin
 code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://abc.com" "${url}&jwt=${jwtAllowExplicit}")"
 test "$code" -eq "$authorization_err" || exit 1
 
-# Requests succeed with a jwt query param
+echo Requests succeed with a jwt query param
 code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://abc.com" "${url}&jwt=${jwtAllowAll}")"
 test "$code" -eq 200 || exit 1
 
-# Requests succeed with a jwt auth header
+echo Requests succeed with a jwt auth header
 code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://abc.com" -H "Authorization: Bearer ${jwtAllowAll}" "${url}")"
 test "$code" -eq 200 || exit 1
 
-# Requests succeed with explicit allow_list and allowed origin
+echo Requests succeed with explicit allow_list and allowed origin
 code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://google.com" "${url}&jwt=${jwtAllowExplicit}")"
 test "$code" -eq 200 || exit 1
 
-# Requests succeed with allow_list == [*] and without an origin header
+echo Requests succeed with allow_list == [*] and without an origin header
 code="$(curl -sw "%{http_code}\n" -o /dev/null "${url}&jwt=${jwtAllowAll}")"
 test "$code" -eq 200 || exit 1