local jwt = require "resty.jwt"
--- Finish the current request with HTTP 401 and a JSON body.
-- The body is sent verbatim, so the caller is responsible for producing
-- well-formed JSON. ngx.exit ends request processing, so nothing after
-- the call in the caller is reached.
-- @tparam string response_body JSON document to send to the client
local function unauthorized(response_body)
  local status = ngx.HTTP_UNAUTHORIZED
  ngx.status = status
  ngx.header.content_type = "application/json; charset=utf-8"
  ngx.say(response_body)
  return ngx.exit(status)
end
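--- Escape a value for embedding inside a JSON string literal.
-- Backslash, double quote and control characters are escaped so that
-- library-produced text (e.g. a verification failure reason) cannot break
-- the JSON error body. A nil value becomes the empty string instead of
-- raising a concatenation error.
-- @param s any value; converted with tostring
-- @treturn string the escaped text
local function json_escape(s)
  if s == nil then
    s = ""
  end
  s = tostring(s)
  s = s:gsub('[%c"\\]', function(ch)
    if ch == '"' then
      return '\\"'
    elseif ch == "\\" then
      return "\\\\"
    end
    return string.format("\\u%04x", ch:byte())
  end)
  return s
end

-- Locate the JWT. Sources are tried in this order and the first hit wins:
--   1. query parameter        ?token=BLAH
--   2. cookie                 token=BLAH
--   3. Authorization header   Bearer BLAH
-- A token in the query string is visible in access logs, browser history and
-- Referer headers; the cookie or header forms do not have that exposure.
local token = ngx.var.arg_token
if token == nil then
  token = ngx.var.cookie_token
end
if token == nil then
  local auth_header = ngx.var.http_Authorization
  if auth_header then
    -- Anchored so the scheme must begin the header value (an unanchored
    -- "Bearer%s+(.+)" also matched inside an unrelated value) and the token
    -- is a single non-blank run, so trailing whitespace is not captured.
    token = string.match(auth_header, "^%s*Bearer%s+(%S+)%s*$")
  end
end

-- No token in any location: reject before touching the secret or the library.
if token == nil then
  return unauthorized("{\"error\": \"missing JWT token or Authorization header\"}")
end

-- Both variables only reach the worker if nginx.conf contains
--   env JWT_SECRET;
--   env JWT_ISS;
-- otherwise os.getenv returns nil here.
local jwt_secret = os.getenv("JWT_SECRET")
local jwt_iss = os.getenv("JWT_ISS")
if not jwt_secret or not jwt_iss then
  -- A missing secret is a deployment fault, not a client one; log it at ERR so
  -- it stands out from ordinary rejected tokens in the error log.
  ngx.log(ngx.ERR, "JWT_SECRET or JWT_ISS is not set; check the env directives in nginx.conf")
  return unauthorized("{\"error\": \"missing enviroment variables\"}")
end

-- Claim checks, see https://github.com/SkyLothar/lua-resty-jwt#jwt-validators
local validators = require "resty.jwt-validators"
-- Clock-skew tolerance in seconds for the exp/iat checks. This is a
-- module-level setting rather than a claim, so it is called on its own
-- instead of being placed as a positional entry inside claim_spec.
validators.set_system_leeway(15)
local claim_spec = {
  exp = validators.is_not_expired(),
  iat = validators.is_not_before(),
  iss = validators.equals(jwt_iss),
  sub = validators.required(),
  r = validators.required(), -- roles, ex: viewer,editor,owner,admin
}

-- NOTE(review): verification is done with a shared secret, so an HMAC alg is
-- what is expected here; if the installed lua-resty-jwt supports
-- jwt:set_alg_whitelist, pinning the accepted alg is worth doing - confirm
-- against the library version in use.
local jwt_obj = jwt:verify(jwt_secret, token, claim_spec)
if not jwt_obj.verified then
  -- The failure reason goes to the server log in full. It is also echoed to
  -- the client (escaped, so it cannot break the JSON); a deployment that does
  -- not want library-level detail visible to clients can substitute a
  -- generic message here.
  ngx.log(ngx.WARN, jwt_obj.reason)
  return unauthorized("{\"error\": \"" .. json_escape(jwt_obj.reason) .. "\"}")
end

-- Normalise how the verified token reaches the upstream: always forward it as
-- a Bearer header whatever the client used, so nginx.conf can do
--   proxy_set_header Authorization $http_authorization;
-- The query string itself is not rewritten, so a token supplied as ?token=
-- still reaches the upstream in the URL as well.
ngx.req.set_header("Authorization", "Bearer " .. token)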