allow configurability of JWT claims that require a value #2888
Conversation
src/couch/src/couch_httpd_auth.erl
Outdated
| "" -> | ||
| []; | ||
| Claims -> | ||
| {ok, Parsed} = couch_util:parse_term("[" ++ Claims ++ "]"), |
There was a problem hiding this comment.
Not sure how much you care, but we don't usually mutate the value that we pass to parse_term (i.e., we require useres to add the square brackets in the config. Not sure if we care or not?
There was a problem hiding this comment.
the problem is 3.1.0 released with it being a comma-separate list of strings.
There was a problem hiding this comment.
I switched to a better format.
07854fa
to
459ef27
Compare
459ef27
to
0da9a0a
Compare
| [list_to_existing_atom(C) || C <- List] | ||
| Re = "((?<key1>[a-z]+)|{(?<key2>[a-z]+)\s*,\s*\"(?<val>[^\"]+)\"})", | ||
| case re:run(Claims, Re, [global, {capture, [key1, key2, val], binary}]) of | ||
| nomatch -> |
There was a problem hiding this comment.
Seems like it'd be a good idea here to have a clause that notices when we are unable to match a configured value that's non-empty. Just something like nomatch when Claims /= "" -> log thing.
There was a problem hiding this comment.
Why not mention claims in the http response? Seems odd to require folks to look in two places.
There was a problem hiding this comment.
the user gets the http response, the admin gets the log message (who might also be the user). I didn't want to point at the specific misconfiguration to the user (who in this situation could be anyone, they might not have valid credentials). But I did want to mention that it's specific to JWT in case the user can use a different method, and so the admin has something more meaningful to report to user@ / github / etc.
caaafb6
to
ac5436d
Compare
e.g;
[jwt]
required_claims = {iss, "https://example.com/issuer"}
ac5436d
to
4f7d1d9
Compare
|
Hey guys, in which version of couchdb will you release this fix or when will I be able to use it? |
e.g;
[jwt]
required_claims = {iss, "hello"}
fixes #2886