fixed #2240 secondary ext-jwt processing would fail...

...if ext-jwt primary wasn't enabled. - fixes extra JWT processing on authentication endpoints (that would never pass) - updates error message for missing NamedIndexStore implementations - fixes ext-jwt store error stating that a named index is not present
openziti · Jul 16, 2024 · 54c9f82 · 54c9f82
1 parent fbc8b50
commit 54c9f82
Show file tree

Hide file tree

Showing 4 changed files with 223 additions and 168 deletions.
diff --git a/controller/db/external_jwt_signer_store.go b/controller/db/external_jwt_signer_store.go
@@ -74,6 +74,7 @@ func (entity *ExternalJwtSigner) GetEntityType() string {
 var _ ExternalJwtSignerStore = (*externalJwtSignerStoreImpl)(nil)
 
 type ExternalJwtSignerStore interface {
+	NameIndexed
 	Store[*ExternalJwtSigner]
 }
 
@@ -96,6 +97,10 @@ type externalJwtSignerStoreImpl struct {
 	issuerIndex        boltz.ReadIndex
 }
 
+func (store *externalJwtSignerStoreImpl) GetNameIndex() boltz.ReadIndex {
+	return store.indexName
+}
+
 func (store *externalJwtSignerStoreImpl) initializeLocal() {
 	store.AddExtEntitySymbols()
 	store.indexName = store.addUniqueNameField()

diff --git a/controller/env/appenv.go b/controller/env/appenv.go
@@ -573,6 +573,11 @@ func (ae *AppEnv) ProcessJwt(rc *response.RequestContext, token *jwt.Token) erro
 }
 
 func (ae *AppEnv) FillRequestContext(rc *response.RequestContext) error {
+	// do no process auth headers on authenticate request
+	if strings.HasSuffix(rc.Request.URL.Path, "/v1/authenticate") && !strings.HasSuffix(rc.Request.URL.Path, "/authenticate/mfa") {
+		return nil
+	}
+
 	ztSession := ae.getZtSessionFromRequest(rc.Request)
 
 	if ztSession != "" {