gofiber / keyauth Goto Github PK

Hello, first of all nice work with the gofiber library and all of the middlewares. My issue is only a suggestions to better guide developers which may not be familiar with security issues. My suggestion is to update the examples to follow the best practices regarding security, because many developers may copy/paste the examples and not adjust the security sensitive aspects of it.

** Unsafe Example of URL Filtering**
Creates a map with the paths that should be verified and uses c.OriginalURL() to get the path from the request. However, this is not safe. By simple changing the case of the path or adding additional bars at the end of the uri, it can be bypassed. I'm not sure how to solve this one in Go.

** Unsafe URL passing**
Keys should not be passed through the URL as that may cause the token to be saved in the server logs. Simply use an authentication header.

** All examples vulnerable to timing attacks **
It may not be viable to perform in all scenarios, however there may be timing differences during the comparison of the submitted client token and the backend response, which may allow an attacker to recover the token from the backend.
This can be solved by first hashing with at least SHA256 the user entry and the apikey itself, and then comparing both of them using the subtle.ConstantTimeCompare function.

I am new to GO and gofiber, so please forgive me when this is trivial or wrong.

I am using keyauth to have authentication via an API key in the header but it seems that keyauth does not accept the key - even worse, it seems to accept all keys.

For example, when I want to secure the API with the key CORRECT-KEY, I would use the following

package main

import (
	"github.com/gofiber/fiber/v2"
	"github.com/gofiber/keyauth/v2"
)

func main() {
	app := fiber.New()
	app.Use(keyauth.New(keyauth.Config{
		KeyLookup:  "header:key",
		ContextKey: "CORRECT-KEY",
	}))

	app.Get("/ping", func(c *fiber.Ctx) error {
		return c.SendString("OK")
	})
	app.Listen(":3000")
}

When I run the following commands from curl, I get the following results

# expected result as no API Key was specified
❯ curl localhost:3000/ping
missing or malformed API Key

# expected result 2: API key was specified and is correct
❯ curl -H "key: CORRECT-KEY" localhost:3000/ping                                                                                                                                
OK

# This is the unexpected part: the wrong key is specified, yet the result is still returned.
❯ curl -H "key: CLEARLY A WRONG KEY" localhost:3000/ping                                                                                                                        
OK

Did I misunderstood the way keyauth is supposed to be used (ie I misconfigured it) or is this a bug?

The same thing happens when I use "cookie:access_token", it also accepts all tokens/keys.

Currently, if the key is missing, the ErrorHandler will be called.

In some cases, I want to apply this middleware globally, so with this behaviour, some public endpoint that does not need authentication will be failed.

I think it would be better if we can skip this middleware if the client does not submit the key (only call error handler if the key is malformed).

While preparing the tests for #90 , I found that the c.AllParams() or c.Params(param) do not return any values from within keyauth.

To replicate this issue, consider this example

package main

import (
  "fmt"

  "github.com/gofiber/fiber/v2"
  "github.com/gofiber/keyauth/v2"
)

var (
  APIKey = "password1"
)

func main() {
  app := fiber.New()

  app.Use(keyauth.New(keyauth.Config{
    KeyLookup:  "param:access_token",
    Validator:  func(c *fiber.Ctx, key string) (bool, error) {
      if key == APIKey {
        return true, nil
      }
      return false, keyauth.ErrMissingOrMalformedAPIKey
    },
  }))

  app.Get("/:access_token", func(c *fiber.Ctx) error {
    return c.SendString(fmt.Sprintf("Found Parameters: %+v\n", c.AllParams()))
  })

  app.Listen(":3000")
}

When accessing the app with curl http://localhost:3000/password1 it returns 200 - missing or malformed API Key (not expected as the access_token is given the correct key).

When I remove the keyauth part and query the API again with the above command, I receive Found Parameters: map[access_token:password1] (expected).

While debugging this, I injected the following print statement in func keyFromParam

fmt.Printf("Found Parameters: '%v'", c.AllParams())

and for the above request, it printed: Found Parameters: 'map[]', meaning there is no key found when extracting the password, hence this issue.

@Fenny Since the jwt middleware supports <source>:<name> ,how it is necessary to have a separate key auth middleware ?

or are you trying to replicate all the types of middleware that echo has