pcall

parent e683af83
......@@ -3,44 +3,53 @@ ngx.req.read_body()
local args = ngx.req.get_post_args()
if not args then
ngx.log(ngx.WARN, "no post args")
return ngx.exit(ngx.HTTP_UNAUTHORIZED)
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
if args.error then
ngx.log(ngx.WARN, "error: " .. args.error)
return ngx.exit(ngx.HTTP_BAD_REQUEST)
ngx.exit(ngx.HTTP_BAD_REQUEST)
end
local id_token = args.id_token
if not id_token then
ngx.log(ngx.WARN, "missing id_token")
return ngx.exit(ngx.HTTP_UNAUTHORIZED)
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
local header_b64url, payload_b64url, signature_b64url = id_token:match("^([^.]+)%.([^.]+)%.([^.]+)$")
if not signature_b64url then
ngx.log(ngx.WARN, "id_token invalid")
return ngx.exit(ngx.HTTP_BAD_REQUEST)
ngx.exit(ngx.HTTP_BAD_REQUEST)
end
local valid, header, payload
valid, header = pcall(function() return json.decode(base64url_decode(header_b64url)) end)
if not valid then
ngx.log(ngx.WARN, "header not valid JSON")
ngx.exit(ngx.HTTP_BAD_REQUEST)
end
local header = json.decode(base64url_decode(header_b64url))
if header.alg ~= "RS256" then
ngx.log(ngx.WARN, "unsupported alg '" .. header.alg .. "'")
return ngx.exit(ngx.HTTP_BAD_REQUEST)
ngx.exit(ngx.HTTP_BAD_REQUEST)
end
local payload = json.decode(base64url_decode(payload_b64url))
valid, payload = pcall(function() return json.decode(base64url_decode(payload_b64url)) end)
if not valid then
ngx.log(ngx.WARN, "payload not valid JSON")
ngx.exit(ngx.HTTP_BAD_REQUEST)
end
if payload.iss ~= broker then
ngx.log(ngx.ERR, "payload iss mismatch, got '" .. payload.iss .. "', expected '" .. broker .. "'")
return ngx.exit(ngx.HTTP_BAD_REQUEST)
ngx.exit(ngx.HTTP_BAD_REQUEST)
end
local url = ngx.var.scheme .. "://" .. ngx.var.http_host
if payload.aud ~= url then
ngx.log(ngx.WARN, "incorrect aud, got '" .. payload.aud .. "', expected '" .. url .. "'")
return ngx.exit(ngx.HTTP_BAD_REQUEST)
ngx.exit(ngx.HTTP_BAD_REQUEST)
end
local now = ngx.time()
if now < payload.iat - 10 or now > payload.exp then
ngx.log(ngx.WARN, "expired")
return ngx.exit(ngx.HTTP_UNAUTHORIZED)
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
-- TODO check nonce matches (requires hmac in the verify postback url)
......@@ -49,19 +58,19 @@ local email = payload.sub
local valid = validemail.validemail(email)
if not valid then
ngx.log(ngx.WARN, "email not valid: " .. email)
return ngx.exit(ngx.HTTP_BAD_REQUEST)
ngx.exit(ngx.HTTP_BAD_REQUEST)
end
local conf_res = ngx.location.capture(proxy_url(broker .. "/.well-known/openid-configuration"))
if conf_res.status >= 400 or conf_res.truncated then
ngx.log(ngx.ERR, "failed to get /.well-known/openid-configuration")
return ngx.exit(ngx.HTTP_BAD_GATEWAY)
ngx.exit(ngx.HTTP_BAD_GATEWAY)
end
local openid_configuration = json.decode(conf_res.body)
local jwks_res = ngx.location.capture(proxy_url(openid_configuration.jwks_uri))
if jwks_res.status >= 400 or jwks_res.truncated then
ngx.log(ngx.ERR, "failed to get " .. openid_configuration.jwks_uri)
return ngx.exit(ngx.HTTP_BAD_GATEWAY)
ngx.exit(ngx.HTTP_BAD_GATEWAY)
end
local jwks = json.decode(jwks_res.body)
local key
......@@ -73,7 +82,7 @@ for i in pairs(jwks.keys) do
end
if not key then
ngx.log(ngx.ERR, "no matching kid for " .. header.kid)
return ngx.exit(ngx.HTTP_UNAUTHORIZED)
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
-- https://stackoverflow.com/a/27570866
......@@ -86,7 +95,7 @@ elseif n:len() == 512 then
top_header_b64 = "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA"
else
ngx.log(ngx.ERR, "unable to handle key length of " .. tostring(n:len() * 8))
return ngx.exit(ngx.HTTP_BAD_REQUEST)
ngx.exit(ngx.HTTP_BAD_REQUEST)
end
local top_header = ngx.decode_base64(top_header_b64)
local mid_header = "\x02\x03"
......@@ -96,7 +105,7 @@ data:update(header_b64url .. "." .. payload_b64url)
local verified = pub:verify(base64url_decode(signature_b64url), data)
if not verified then
ngx.log(ngx.WARN, "bad signature")
return ngx.exit(ngx.HTTP_UNAUTHORIZED)
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
local now = ngx.time()
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment