gofiber / keyauth Goto Github PK
View Code? Open in Web Editor NEW🧬 Key Authentication for Fiber
Home Page: https://github.com/gofiber/fiber
License: MIT License
🧬 Key Authentication for Fiber
Home Page: https://github.com/gofiber/fiber
License: MIT License
Hello, first of all nice work with the gofiber library and all of the middlewares. My issue is only a suggestions to better guide developers which may not be familiar with security issues. My suggestion is to update the examples to follow the best practices regarding security, because many developers may copy/paste the examples and not adjust the security sensitive aspects of it.
** Unsafe Example of URL Filtering**
Creates a map with the paths that should be verified and uses c.OriginalURL() to get the path from the request. However, this is not safe. By simple changing the case of the path or adding additional bars at the end of the uri, it can be bypassed. I'm not sure how to solve this one in Go.
** Unsafe URL passing**
Keys should not be passed through the URL as that may cause the token to be saved in the server logs. Simply use an authentication header.
** All examples vulnerable to timing attacks **
It may not be viable to perform in all scenarios, however there may be timing differences during the comparison of the submitted client token and the backend response, which may allow an attacker to recover the token from the backend.
This can be solved by first hashing with at least SHA256 the user entry and the apikey itself, and then comparing both of them using the subtle.ConstantTimeCompare function.
I am new to GO and gofiber, so please forgive me when this is trivial or wrong.
I am using keyauth to have authentication via an API key in the header but it seems that keyauth does not accept the key - even worse, it seems to accept all keys.
For example, when I want to secure the API with the key CORRECT-KEY
, I would use the following
package main
import (
"github.com/gofiber/fiber/v2"
"github.com/gofiber/keyauth/v2"
)
func main() {
app := fiber.New()
app.Use(keyauth.New(keyauth.Config{
KeyLookup: "header:key",
ContextKey: "CORRECT-KEY",
}))
app.Get("/ping", func(c *fiber.Ctx) error {
return c.SendString("OK")
})
app.Listen(":3000")
}
When I run the following commands from curl, I get the following results
# expected result as no API Key was specified
❯ curl localhost:3000/ping
missing or malformed API Key
# expected result 2: API key was specified and is correct
❯ curl -H "key: CORRECT-KEY" localhost:3000/ping
OK
# This is the unexpected part: the wrong key is specified, yet the result is still returned.
❯ curl -H "key: CLEARLY A WRONG KEY" localhost:3000/ping
OK
Did I misunderstood the way keyauth is supposed to be used (ie I misconfigured it) or is this a bug?
The same thing happens when I use "cookie:access_token"
, it also accepts all tokens/keys.
Currently, if the key is missing, the ErrorHandler will be called.
In some cases, I want to apply this middleware globally, so with this behaviour, some public endpoint that does not need authentication will be failed.
I think it would be better if we can skip this middleware if the client does not submit the key (only call error handler if the key is malformed).
While preparing the tests for #90 , I found that the c.AllParams()
or c.Params(param)
do not return any values from within keyauth.
To replicate this issue, consider this example
package main
import (
"fmt"
"github.com/gofiber/fiber/v2"
"github.com/gofiber/keyauth/v2"
)
var (
APIKey = "password1"
)
func main() {
app := fiber.New()
app.Use(keyauth.New(keyauth.Config{
KeyLookup: "param:access_token",
Validator: func(c *fiber.Ctx, key string) (bool, error) {
if key == APIKey {
return true, nil
}
return false, keyauth.ErrMissingOrMalformedAPIKey
},
}))
app.Get("/:access_token", func(c *fiber.Ctx) error {
return c.SendString(fmt.Sprintf("Found Parameters: %+v\n", c.AllParams()))
})
app.Listen(":3000")
}
When accessing the app with curl http://localhost:3000/password1
it returns 200 - missing or malformed API Key
(not expected as the access_token
is given the correct key).
When I remove the keyauth part and query the API again with the above command, I receive Found Parameters: map[access_token:password1]
(expected).
While debugging this, I injected the following print statement in func keyFromParam
fmt.Printf("Found Parameters: '%v'", c.AllParams())
and for the above request, it printed: Found Parameters: 'map[]'
, meaning there is no key found when extracting the password, hence this issue.
@Fenny Since the jwt middleware supports <source>:<name>
,how it is necessary to have a separate key auth middleware ?
or are you trying to replicate all the types of middleware that echo has
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.