blackteay/open-im-server
1
0
Fork 0
mirror of https://github.com/openimsdk/open-im-server.git synced 2025-08-15 16:36:28 +08:00
Code Issues Packages Projects Releases Wiki Activity

Pr branch (#25)

Browse Source 
* fix update jwt-token version to avoid attackers to bypass intended access restrictions in situations with []string{} for m["aud"]

* del accountAddr
This commit is contained in:
Away 2021-10-22 21:20:31 +08:00 committed by GitHub
parent 0e6432f95a
commit d6ba0a803d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 8 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
go.mod
View File

@ -7,7 +7,6 @@ require (
github.com/Shopify/toxiproxy v2.1.4+incompatible // indirect github.com/Shopify/toxiproxy v2.1.4+incompatible // indirect
github.com/antonfisher/nested-logrus-formatter v1.3.0 github.com/antonfisher/nested-logrus-formatter v1.3.0
github.com/coreos/go-semver v0.3.0 // indirect github.com/coreos/go-semver v0.3.0 // indirect
github.com/dgrijalva/jwt-go v3.2.0+incompatible
github.com/dustin/go-humanize v1.0.0 // indirect github.com/dustin/go-humanize v1.0.0 // indirect
github.com/eapache/go-resiliency v1.2.0 // indirect github.com/eapache/go-resiliency v1.2.0 // indirect
github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21 // indirect github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21 // indirect
@ -16,6 +15,7 @@ require (
github.com/garyburd/redigo v1.6.2 github.com/garyburd/redigo v1.6.2
github.com/gin-gonic/gin v1.7.0 github.com/gin-gonic/gin v1.7.0
github.com/go-playground/validator/v10 v10.4.1 github.com/go-playground/validator/v10 v10.4.1
github.com/golang-jwt/jwt/v4 v4.1.0 // indirect
github.com/golang/protobuf v1.5.2 github.com/golang/protobuf v1.5.2
github.com/golang/snappy v0.0.3 // indirect github.com/golang/snappy v0.0.3 // indirect
github.com/gorilla/websocket v1.4.2 github.com/gorilla/websocket v1.4.2

2
go.sum
View File

@ -74,6 +74,8 @@ github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5x
github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE= github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE=
github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
github.com/golang-jwt/jwt/v4 v4.1.0 h1:XUgk2Ex5veyVFVeLm0xhusUTQybEbexJXrvPNOKkSY0=
github.com/golang-jwt/jwt/v4 v4.1.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY=
github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=

2
src/rpc/auth/auth/user_token.go
View File

@ -18,7 +18,7 @@ func (rpc *rpcAuth) UserToken(_ context.Context, pb *pbAuth.UserTokenReq) (*pbAu
} }
log.Info("", "", "rpc user_token call..., im_mysql_model.AppServerFindFromUserByUserID") log.Info("", "", "rpc user_token call..., im_mysql_model.AppServerFindFromUserByUserID")
tokens, expTime, err := utils.CreateToken(pb.UID, "", pb.Platform) tokens, expTime, err := utils.CreateToken(pb.UID, pb.Platform)
if err != nil { if err != nil {
log.Error("", "", "rpc user_token call..., utils.CreateToken fail [uid: %s] [err: %s]", pb.UID, err.Error()) log.Error("", "", "rpc user_token call..., utils.CreateToken fail [uid: %s] [err: %s]", pb.UID, err.Error())
return &pbAuth.UserTokenResp{ErrCode: 500, ErrMsg: err.Error()}, err return &pbAuth.UserTokenResp{ErrCode: 500, ErrMsg: err.Error()}, err

9
src/utils/jwt_token.go
View File

@ -4,9 +4,8 @@ import (
"Open_IM/src/common/config" "Open_IM/src/common/config"
"Open_IM/src/common/db" "Open_IM/src/common/db"
"errors" "errors"
"github.com/golang-jwt/jwt/v4"
"time" "time"
"github.com/dgrijalva/jwt-go"
) )
var ( var (
@ -23,7 +22,7 @@ type Claims struct {
jwt.StandardClaims jwt.StandardClaims
} }
func BuildClaims(uid, accountAddr, platform string, ttl int64) Claims { func BuildClaims(uid, platform string, ttl int64) Claims {
now := time.Now().Unix() now := time.Now().Unix()
//if ttl=-1 Permanent token //if ttl=-1 Permanent token
expiresAt := int64(-1) expiresAt := int64(-1)
@ -41,8 +40,8 @@ func BuildClaims(uid, accountAddr, platform string, ttl int64) Claims {
}} }}
} }
func CreateToken(userID, accountAddr string, platform int32) (string, int64, error) { func CreateToken(userID string, platform int32) (string, int64, error) {
claims := BuildClaims(userID, accountAddr, PlatformIDToName(platform), config.Config.TokenPolicy.AccessExpire) claims := BuildClaims(userID, PlatformIDToName(platform), config.Config.TokenPolicy.AccessExpire)
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
tokenString, err := token.SignedString([]byte(config.Config.TokenPolicy.AccessSecret)) tokenString, err := token.SignedString([]byte(config.Config.TokenPolicy.AccessSecret))