rename auth_jwt_authorization_type to auth_jwt_location and support pulling JWT from any header (#90)

JoshMcCullough · web-flow · commit b2ec2bb02fbf · 2023-04-25T14:02:47.000-04:00
diff --git a/Dockerfile b/Dockerfile
@@ -36,7 +36,7 @@ MAJ=$(echo ${NGINX_VERSION} | cut -f1 -d.)
 MIN=$(echo ${NGINX_VERSION} | cut -f2 -d.)
 REV=$(echo ${NGINX_VERSION} | cut -f3 -d.)
 
-# NGINX 1.23.0+ changes `cookies` to `cookie` 
+# NGINX 1.23.0+ changes cookies to use a linked list, and renames `cookies` to `cookie`
 if [ "${MAJ}" -gt 1 ] || [ "${MAJ}" -eq 1 -a "${MIN}" -ge 23 ]; then
 	BUILD_FLAGS="${BUILD_FLAGS} --with-cc-opt='-DNGX_LINKED_LIST_COOKIES=1'"
 fi
diff --git a/README.md b/README.md
@@ -21,7 +21,7 @@ This module requires several new `nginx.conf` directives, which can be specified
 | `auth_jwt_loginurl`                  | The URL to redirect to if `auth_jwt_redirect` is enabled and authentication fails.                                                                   |
 | `auth_jwt_enabled`                   | Set to "on" to enable JWT checking.                                                                                                                  |
 | `auth_jwt_algorithm`                 | The algorithm to use. One of: HS256, HS384, HS512, RS256, RS384, RS512                                                                               |
-| `auth_jwt_validation_type`           | Indicates where the JWT is located in the request -- see below.                                                                                      |
+| `auth_jwt_location`                  | Indicates where the JWT is located in the request -- see below.                                                                                      |
 | `auth_jwt_validate_sub`              | Set to "on" to validate the `sub` claim (e.g. user id) in the JWT.                                                                                   |
 | `auth_jwt_extract_request_claims`    | Set to a space-delimited list of claims to extract from the JWT and set as request headers. These will be accessible via e.g: `$http_jwt_sub`        |
 | `auth_jwt_extract_response_claims`   | Set to a space-delimited list of claims to extract from the JWT and set as response headers. These will be accessible via e.g: `$sent_http_jwt_sub`  |
@@ -67,10 +67,11 @@ auth_jwt_redirect off;
 ```
 ## JWT Locations
 
-By default, the authorization header is used to provide a JWT for validation. However, you may use the `auth_jwt_validation_type` configuration to specify the name of a cookie that provides the JWT:
+By default, the`Authorization` header is used to provide a JWT for validation. However, you may use the `auth_jwt_location` directive to specify the name of the header or cookie which provides the JWT:
 
 ```nginx
-auth_jwt_validation_type COOKIE=jwt;
+auth_jwt_location HEADER=auth-token;  # get the JWT from the "auth-token" header
+auth_jwt_location COOKIE=auth-token;  # get the JWT from the "auth-token" cookie
 ```
 
 ## `sub` Validation
diff --git a/src/ngx_http_auth_jwt_module.c b/src/ngx_http_auth_jwt_module.c
@@ -27,7 +27,7 @@ typedef struct
   ngx_str_t key;
   ngx_flag_t enabled;
   ngx_flag_t redirect;
-  ngx_str_t validation_type;
+  ngx_str_t jwt_location;
   ngx_str_t algorithm;
   ngx_flag_t validate_sub;
   ngx_array_t *extract_request_claims;
@@ -51,9 +51,9 @@ static void extract_response_claims(ngx_http_request_t *r, auth_jwt_conf_t *jwtc
 static ngx_int_t free_jwt_and_redirect(ngx_http_request_t *r, auth_jwt_conf_t *jwtcf, jwt_t *jwt);
 static ngx_int_t redirect(ngx_http_request_t *r, auth_jwt_conf_t *jwtcf);
 static ngx_int_t load_public_key(ngx_conf_t *cf, auth_jwt_conf_t *conf);
-static char *get_jwt(ngx_http_request_t *r, ngx_str_t validation_type);
+static char *get_jwt(ngx_http_request_t *r, ngx_str_t jwt_location);
 
-static char *JWT_HEADER_PREFIX = "JWT-";
+static const char *JWT_HEADER_PREFIX = "JWT-";
 
 static ngx_command_t auth_jwt_directives[] = {
     {ngx_string("auth_jwt_loginurl"),
@@ -84,11 +84,11 @@ static ngx_command_t auth_jwt_directives[] = {
      offsetof(auth_jwt_conf_t, redirect),
      NULL},
 
-    {ngx_string("auth_jwt_validation_type"),
+    {ngx_string("auth_jwt_location"),
      NGX_HTTP_MAIN_CONF | NGX_HTTP_SRV_CONF | NGX_HTTP_LOC_CONF | NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_LOC_CONF_OFFSET,
-     offsetof(auth_jwt_conf_t, validation_type),
+     offsetof(auth_jwt_conf_t, jwt_location),
      NULL},
 
     {ngx_string("auth_jwt_algorithm"),
@@ -208,7 +208,7 @@ static char *merge_conf(ngx_conf_t *cf, void *parent, void *child)
 
   ngx_conf_merge_str_value(conf->loginurl, prev->loginurl, "");
   ngx_conf_merge_str_value(conf->key, prev->key, "");
-  ngx_conf_merge_str_value(conf->validation_type, prev->validation_type, "");
+  ngx_conf_merge_str_value(conf->jwt_location, prev->jwt_location, "HEADER=Authorization");
   ngx_conf_merge_str_value(conf->algorithm, prev->algorithm, "HS256");
   ngx_conf_merge_str_value(conf->keyfile_path, prev->keyfile_path, "");
   ngx_conf_merge_off_value(conf->validate_sub, prev->validate_sub, 0);
@@ -311,7 +311,7 @@ static ngx_int_t handle_request(ngx_http_request_t *r)
     }
     else
     {
-      char *jwtPtr = get_jwt(r, jwtcf->validation_type);
+      char *jwtPtr = get_jwt(r, jwtcf->jwt_location);
 
       if (jwtPtr == NULL)
       {
@@ -608,51 +608,50 @@ static ngx_int_t load_public_key(ngx_conf_t *cf, auth_jwt_conf_t *conf)
   }
 }
 
-static char *get_jwt(ngx_http_request_t *r, ngx_str_t validation_type)
+static char *get_jwt(ngx_http_request_t *r, ngx_str_t jwt_location)
 {
+  static const char *HEADER_PREFIX = "HEADER=";
+  static const char *BEARER_PREFIX = "Bearer ";
+  static const char *COOKIE_PREFIX = "COOKIE=";
   char *jwtPtr = NULL;
 
-  ngx_log_debug(NGX_LOG_DEBUG, r->connection->log, 0, "validation_type.len %d", validation_type.len);
+  ngx_log_debug(NGX_LOG_DEBUG, r->connection->log, 0, "jwt_location.len %d", jwt_location.len);
 
-  if (validation_type.len == 0 || (validation_type.len == sizeof("AUTHORIZATION") - 1 && ngx_strncmp(validation_type.data, "AUTHORIZATION", sizeof("AUTHORIZATION") - 1) == 0))
+  if (jwt_location.len > sizeof(HEADER_PREFIX) && ngx_strncmp(jwt_location.data, HEADER_PREFIX, sizeof(HEADER_PREFIX) - 1) == 0)
   {
-    static const ngx_str_t authorizationHeaderName = ngx_string("Authorization");
-    const ngx_table_elt_t *authorizationHeader = search_headers_in(r, authorizationHeaderName.data, authorizationHeaderName.len);
+    ngx_table_elt_t *jwtHeaderVal;
 
-    if (authorizationHeader != NULL)
-    {
-      ngx_int_t bearer_length = authorizationHeader->value.len - (sizeof("Bearer ") - 1);
+    jwt_location.data += sizeof(HEADER_PREFIX) - 1;
+    jwt_location.len -= sizeof(HEADER_PREFIX) - 1;
 
-      ngx_log_debug(NGX_LOG_DEBUG, r->connection->log, 0, "Found authorization header len %d", authorizationHeader->value.len);
+    jwtHeaderVal = search_headers_in(r, jwt_location.data, jwt_location.len);
 
-      if (bearer_length > 0)
+    if (jwtHeaderVal != NULL)
+    {
+      if (ngx_strncmp(jwtHeaderVal->value.data, BEARER_PREFIX, sizeof(BEARER_PREFIX) - 1) == 0)
       {
-        ngx_str_t authorizationHeaderStr;
-
-        authorizationHeaderStr.data = authorizationHeader->value.data + sizeof("Bearer ") - 1;
-        authorizationHeaderStr.len = bearer_length;
-
-        jwtPtr = ngx_str_t_to_char_ptr(r->pool, authorizationHeaderStr);
-
-        ngx_log_debug(NGX_LOG_DEBUG, r->connection->log, 0, "Authorization header: %s", jwtPtr);
+        jwtHeaderVal->value.data += sizeof(BEARER_PREFIX) - 1;
+        jwtHeaderVal->value.len -= sizeof(BEARER_PREFIX) - 1;
       }
+
+      jwtPtr = ngx_str_t_to_char_ptr(r->pool, jwtHeaderVal->value);
     }
   }
-  else if (validation_type.len > sizeof("COOKIE=") && ngx_strncmp(validation_type.data, "COOKIE=", sizeof("COOKIE=") - 1) == 0)
+  else if (jwt_location.len > sizeof(COOKIE_PREFIX) && ngx_strncmp(jwt_location.data, COOKIE_PREFIX, sizeof(COOKIE_PREFIX) - 1) == 0)
   {
     bool has_cookie = false;
     ngx_str_t jwtCookieVal;
 
-    validation_type.data += sizeof("COOKIE=") - 1;
-    validation_type.len -= sizeof("COOKIE=") - 1;
+    jwt_location.data += sizeof(COOKIE_PREFIX) - 1;
+    jwt_location.len -= sizeof(COOKIE_PREFIX) - 1;
 
 #ifndef NGX_LINKED_LIST_COOKIES
-    if (ngx_http_parse_multi_header_lines(&r->headers_in.cookies, &validation_type, &jwtCookieVal) != NGX_DECLINED)
+    if (ngx_http_parse_multi_header_lines(&r->headers_in.cookies, &jwt_location, &jwtCookieVal) != NGX_DECLINED)
     {
       has_cookie = true;
     }
 #else
-    if (ngx_http_parse_multi_header_lines(r, r->headers_in.cookie, &validation_type, &jwtCookieVal) != NULL)
+    if (ngx_http_parse_multi_header_lines(r, r->headers_in.cookie, &jwt_location, &jwtCookieVal) != NULL)
     {
       has_cookie = true;
     }
diff --git a/test/etc/nginx/conf.d/test.conf b/test/etc/nginx/conf.d/test.conf
@@ -17,7 +17,7 @@ server {
     location /secure/cookie/default {
         auth_jwt_enabled on;
         auth_jwt_redirect on;
-        auth_jwt_validation_type COOKIE=jwt;
+        auth_jwt_location COOKIE=jwt;
         
         alias /usr/share/nginx/html/;
         try_files index.html =404;
@@ -27,7 +27,7 @@ server {
         auth_jwt_enabled on;
         auth_jwt_redirect on;
         auth_jwt_validate_sub on;
-        auth_jwt_validation_type COOKIE=jwt;
+        auth_jwt_location COOKIE=jwt;
         
         alias /usr/share/nginx/html/;
         try_files index.html =404;
@@ -36,7 +36,7 @@ server {
     location /secure/cookie/default/no-redirect {
         auth_jwt_enabled on;
         auth_jwt_redirect off;
-        auth_jwt_validation_type COOKIE=jwt;
+        auth_jwt_location COOKIE=jwt;
 
         alias /usr/share/nginx/html/;
         try_files index.html =404;
@@ -45,7 +45,7 @@ server {
     location /secure/cookie/hs256 {
         auth_jwt_enabled on;
         auth_jwt_redirect on;
-        auth_jwt_validation_type COOKIE=jwt;
+        auth_jwt_location COOKIE=jwt;
         auth_jwt_algorithm HS256;
 
         alias /usr/share/nginx/html/;
@@ -55,7 +55,7 @@ server {
     location /secure/cookie/hs384 {
         auth_jwt_enabled on;
         auth_jwt_redirect on;
-        auth_jwt_validation_type COOKIE=jwt;
+        auth_jwt_location COOKIE=jwt;
         auth_jwt_algorithm HS384;
 
         alias /usr/share/nginx/html/;
@@ -65,7 +65,7 @@ server {
     location /secure/cookie/hs512 {
         auth_jwt_enabled on;
         auth_jwt_redirect on;
-        auth_jwt_validation_type COOKIE=jwt;
+        auth_jwt_location COOKIE=jwt;
         auth_jwt_algorithm HS512;
 
         alias /usr/share/nginx/html/;
@@ -75,7 +75,7 @@ server {
     location /secure/auth-header/default {
         auth_jwt_enabled on;
         auth_jwt_redirect on;
-        auth_jwt_validation_type AUTHORIZATION;
+        auth_jwt_location HEADER=Authorization;
 
         alias /usr/share/nginx/html/;
         try_files index.html =404;
@@ -84,7 +84,7 @@ server {
     location /secure/auth-header/default/no-redirect {
         auth_jwt_enabled on;
         auth_jwt_redirect off;
-        auth_jwt_validation_type AUTHORIZATION;
+        auth_jwt_location HEADER=Authorization;
 
         alias /usr/share/nginx/html/;
         try_files index.html =404;
@@ -93,7 +93,7 @@ server {
     location /secure/auth-header/rs256 {
         auth_jwt_enabled on;
         auth_jwt_redirect on;
-        auth_jwt_validation_type AUTHORIZATION;
+        auth_jwt_location HEADER=Authorization;
         auth_jwt_key "-----BEGIN PUBLIC KEY-----
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwtpMAM4l1H995oqlqdMh
 uqNuffp4+4aUCwuFE9B5s9MJr63gyf8jW0oDr7Mb1Xb8y9iGkWfhouZqNJbMFry+
@@ -111,7 +111,7 @@ BwIDAQAB
     location /secure/auth-header/rs256/file {
         auth_jwt_enabled on;
         auth_jwt_redirect on;
-        auth_jwt_validation_type AUTHORIZATION;
+        auth_jwt_location HEADER=Authorization;
         auth_jwt_algorithm RS256;
         auth_jwt_use_keyfile on;
         auth_jwt_keyfile_path "/etc/nginx/rsa-key.conf";
@@ -123,7 +123,7 @@ BwIDAQAB
     location /secure/auth-header/rs384/file {
         auth_jwt_enabled on;
         auth_jwt_redirect on;
-        auth_jwt_validation_type AUTHORIZATION;
+        auth_jwt_location HEADER=Authorization;
         auth_jwt_algorithm RS384;
         auth_jwt_use_keyfile on;
         auth_jwt_keyfile_path "/etc/nginx/rsa-key.conf";
@@ -135,7 +135,7 @@ BwIDAQAB
     location /secure/auth-header/rs512/file {
         auth_jwt_enabled on;
         auth_jwt_redirect on;
-        auth_jwt_validation_type AUTHORIZATION;
+        auth_jwt_location HEADER=Authorization;
         auth_jwt_algorithm RS512;
         auth_jwt_use_keyfile on;
         auth_jwt_keyfile_path "/etc/nginx/rsa-key.conf";
@@ -144,10 +144,20 @@ BwIDAQAB
         try_files index.html =404;
     }
 
+    location /secure/custom-header/hs256 {
+        auth_jwt_enabled on;
+        auth_jwt_redirect on;
+        auth_jwt_location HEADER=Auth-Token;
+        auth_jwt_algorithm HS256;
+
+        alias /usr/share/nginx/html/;
+        try_files index.html =404;
+    }
+
     location /secure/extract-claim/request/sub {
         auth_jwt_enabled on;
         auth_jwt_redirect off;
-        auth_jwt_validation_type AUTHORIZATION;
+        auth_jwt_location HEADER=Authorization;
         auth_jwt_extract_request_claims sub;
 
         add_header "Test" "sub=$http_jwt_sub";
@@ -159,7 +169,7 @@ BwIDAQAB
     location /secure/extract-claim/request/name-1 {
         auth_jwt_enabled on;
         auth_jwt_redirect off;
-        auth_jwt_validation_type AUTHORIZATION;
+        auth_jwt_location HEADER=Authorization;
         auth_jwt_extract_request_claims firstName lastName;
 
         add_header "Test" "$http_jwt_firstname $http_jwt_lastname";
@@ -171,7 +181,7 @@ BwIDAQAB
     location /secure/extract-claim/request/name-2 {
         auth_jwt_enabled on;
         auth_jwt_redirect off;
-        auth_jwt_validation_type AUTHORIZATION;
+        auth_jwt_location HEADER=Authorization;
         auth_jwt_extract_request_claims firstName;
         auth_jwt_extract_request_claims lastName;
 
@@ -184,7 +194,7 @@ BwIDAQAB
     location /secure/extract-claim/response/sub {
         auth_jwt_enabled on;
         auth_jwt_redirect off;
-        auth_jwt_validation_type AUTHORIZATION;
+        auth_jwt_location HEADER=Authorization;
         auth_jwt_extract_response_claims sub;
 
         add_header "Test" "sub=$sent_http_jwt_sub";
@@ -196,7 +206,7 @@ BwIDAQAB
     location /secure/extract-claim/response/name-1 {
         auth_jwt_enabled on;
         auth_jwt_redirect off;
-        auth_jwt_validation_type AUTHORIZATION;
+        auth_jwt_location HEADER=Authorization;
         auth_jwt_extract_response_claims firstName lastName;
 
         add_header "Test" "$sent_http_jwt_firstname $sent_http_jwt_lastname";
@@ -208,7 +218,7 @@ BwIDAQAB
     location /secure/extract-claim/response/name-2 {
         auth_jwt_enabled on;
         auth_jwt_redirect off;
-        auth_jwt_validation_type AUTHORIZATION;
+        auth_jwt_location HEADER=Authorization;
         auth_jwt_extract_response_claims firstName;
         auth_jwt_extract_response_claims lastName;
 
diff --git a/test/test.sh b/test/test.sh
@@ -109,10 +109,15 @@ main() {
            -p '/secure/auth-header/default' \
            -c '302'
 
-  run_test -n 'when auth enabled with default algorithm with no redirect and Authorization header missing Bearer, should return 401' \
+  run_test -n 'when auth enabled with default algorithm with no redirect and Authorization header missing Bearer, should return 200' \
            -p '/secure/auth-header/default/no-redirect' \
-           -c '401' \
-           -x '--header "Authorization: X"'
+           -c '200' \
+           -x "--header \"Authorization: ${JWT_HS256_VALID}\""
+
+  run_test -n 'when auth enabled with default algorithm with no redirect and Authorization header with Bearer, should return 200' \
+           -p '/secure/auth-header/default/no-redirect' \
+           -c '200' \
+           -x "--header \"Authorization: Bearer ${JWT_HS256_VALID}\""
 
   run_test -n 'when auth enabled with default algorithm and no JWT cookie, returns 302' \
            -p '/secure/cookie/default' \
@@ -143,7 +148,7 @@ main() {
            -x ' --cookie "jwt=${JWT_HS256_MISSING_EMAIL}"'
 
   run_test -n 'when auth enabled with HS256 algorithm and valid JWT cookie, returns 200' \
-           -p '/secure/cookie/hs256/' \
+           -p '/secure/cookie/hs256' \
            -c '200' \
            -x '--cookie "jwt=${JWT_HS256_VALID}"'
 
@@ -182,6 +187,16 @@ main() {
            -c '200' \
            -x '--header "Authorization: Bearer ${JWT_RS256_VALID}"'
 
+  run_test -n 'when auth enabled with HS256 algorithm and valid JWT in custom header without bearer, returns 200' \
+           -p '/secure/custom-header/hs256/' \
+           -c '200' \
+           -x '--header "Auth-Token: ${JWT_HS256_VALID}"'
+
+  run_test -n 'when auth enabled with HS256 algorithm and valid JWT in custom header with bearer, returns 200' \
+           -p '/secure/custom-header/hs256/' \
+           -c '200' \
+           -x '--header "Auth-Token: Bearer ${JWT_HS256_VALID}"'
+
   run_test -n 'extracts single claim to request header' \
            -p '/secure/extract-claim/request/sub' \
            -r '^Test: sub=some-long-uuid$' \
