Skip to content
This repository has been archived by the owner on Feb 14, 2018. It is now read-only.

Added a convenience function to pull a desired claim value out of the token #28

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Added a convenience function to pull a desired claim value out of the token #28

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
d028a26
Added a convenience function to pull a desired claim value out of the…
ChrisWhiten May 29, 2015
147aaae
Merge branch 'master' of https://github.com/auth0/nginx-jwt
ChrisWhiten Dec 23, 2015
27520b7
Refactor out a function to pull the JWT out of the headers + add some…
ChrisWhiten Dec 24, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions hosts/proxy/default/nginx/conf/nginx.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,22 @@ http {
proxy_pass http://backend:5000/secure;
}

location /secure/secretUser {
access_by_lua '
-- this endpoint will only allow users whose jwt contains a claim
-- of "customerId" with a value of "customer1"
local jwt = require("nginx-jwt")
jwt.auth()

local customerId = jwt.get_claim("customerId")
if customerId == nil or customerId ~= "customer1" then
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
';

proxy_pass http://backend:5000/secure;
}

location /secure/admin {
access_by_lua '
local jwt = require("nginx-jwt")
Expand Down
17 changes: 14 additions & 3 deletions nginx-jwt.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,7 @@ if os.getenv("JWT_SECRET_IS_BASE64_ENCODED") == 'true' then
secret = basexx.from_base64(secret)
end

local M = {}

function M.auth(claim_specs)
function getJwt()
-- require Authorization request header
local auth_header = ngx.var.http_Authorization

Expand All @@ -35,6 +33,13 @@ function M.auth(claim_specs)

-- require Bearer token
local _, _, token = string.find(auth_header, "Bearer%s+(.+)")
return token
end

local M = {}

function M.auth(claim_specs)
local token = getJwt()

if token == nil then
ngx.log(ngx.WARN, "Missing token")
Expand Down Expand Up @@ -121,4 +126,10 @@ function M.table_contains(table, item)
return false
end

function M.get_claim(claim)
local jwt_obj = jwt:verify(secret, getJwt())

return jwt_obj.payload[claim]
end

return M
26 changes: 26 additions & 0 deletions test/test_integration.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,32 @@ describe('proxy', function () {
});
});

describe("GET /secure/secretUser", function() {
it("should return a 401 for a a user with the wrong customerId value", function() {
var token = jwt.sign(
{ customerId: 'customer2' },
secret);

return request(url)
.get('/secure/secretUser')
.headers({'Authorization': 'Bearer ' + token})
.expect(401)
.end();
});

it("should return a 200 for a user with the correct customerId value", function() {
var token = jwt.sign(
{ customerId: 'customer1' },
secret);

return request(url)
.get('/secure/secretUser')
.headers({'Authorization': 'Bearer ' + token})
.expect(200)
.end();
});
});

describe("GET /secure/admin", function () {
it("should return 401 when an authenticated user is missing a required claim", function () {
var token = jwt.sign(
Expand Down