Skip to content
Permalink
Browse files

Uniformize the default JWT key with the Symfony recipe

  • Loading branch information...
dunglas committed Aug 27, 2019
1 parent fdc313b commit 3ed2ba5ebec0e420ff823bd90706868e5f5fcee2
2 .env
@@ -8,7 +8,7 @@ CORS_ALLOWED_ORIGINS=http://localhost:3000,http://localhost:8000
DB_PATH=
DEBUG=1
DEMO=
JWT_KEY=!UnsecureChangeMe!
JWT_KEY=!ChangeMe!
LOG_FORMAT=JSON
PUBLISH_ALLOWED_ORIGINS=http://localhost:3000,http://localhost:8000
PUBLISHER_JWT_KEY=
@@ -21,7 +21,7 @@ class LoadTest extends Simulation {
/** The hub URL */
val HubUrl = Properties.envOrElse("HUB_URL", "http://localhost:3001/hub" )
/** JWT to use to publish */
val Jwt = Properties.envOrElse("JWT", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXJjdXJlIjp7InN1YnNjcmliZSI6WyJmb28iLCJiYXIiXSwicHVibGlzaCI6WyJmb28iXX19.LRLvirgONK13JgacQ_VbcjySbVhkSmHy3IznH3tA9PM")
val Jwt = Properties.envOrElse("JWT", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXJjdXJlIjp7InN1YnNjcmliZSI6WyJmb28iLCJiYXIiXSwicHVibGlzaCI6WyJmb28iXX19.afLx2f2ut3YgNVFStCx95Zm_UND1mZJ69OenXaDuZL8")
/** Number of concurrent subscribers to connect */
val ConcurrentSubscribers = Properties.envOrElse("SUBSCRIBERS", "10000").toInt
/** Number of concurent publishers */
@@ -108,7 +108,7 @@ req.end();
// but any HTTP client, written in any language, will be just fine.
```

The JWT must contain a `publish` property containing an array of targets. This array can be empty to allow publishing anonymous updates only. [Example publisher JWT](https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXJjdXJlIjp7InN1YnNjcmliZSI6WyJmb28iLCJiYXIiXSwicHVibGlzaCI6WyJmb28iXX19.LRLvirgONK13JgacQ_VbcjySbVhkSmHy3IznH3tA9PM) (demo key: `!UnsecureChangeMe!`).
The JWT must contain a `publish` property containing an array of targets. This array can be empty to allow publishing anonymous updates only. [Example publisher JWT](https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXJjdXJlIjp7InN1YnNjcmliZSI6WyJmb28iLCJiYXIiXSwicHVibGlzaCI6WyJmb28iXX19.afLx2f2ut3YgNVFStCx95Zm_UND1mZJ69OenXaDuZL8) (demo key: `!ChangeMe!`).

### Other Examples

@@ -174,8 +174,8 @@ To run it in production mode, and generate automatically a Let's Encrypt TLS cer
JWT_KEY='myJWTKey' ACME_HOSTS='example.com' ./mercure

The value of the `ACME_HOSTS` environment variable must be updated to match your domain name(s).
A Let's Enctypt TLS certificate will be automatically generated.
If you omit this variable, the server will be exposed on an (unsecure) HTTP connection.
A Let's Encrypt TLS certificate will be automatically generated.
If you omit this variable, the server will be exposed using a not encrypted HTTP connection.

When the server is up and running, the following endpoints are available:

@@ -35,7 +35,7 @@ def chat():
targets = [os.environ.get('TARGET', 'chan')]
token = jwt.encode(
{'mercure': {'subscribe': targets, 'publish': targets}},
os.environ.get('JWT_KEY', '!UnsecureChangeMe!'),
os.environ.get('JWT_KEY', '!ChangeMe!'),
algorithm='HS256'
)

@@ -1,7 +1,8 @@
const http = require('http');
const querystring = require('querystring');

const demoJwt = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXJjdXJlIjp7InN1YnNjcmliZSI6WyJmb28iLCJiYXIiXSwicHVibGlzaCI6WyJmb28iXX19.LRLvirgONK13JgacQ_VbcjySbVhkSmHy3IznH3tA9PM';

const demoJwt = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXJjdXJlIjp7InN1YnNjcmliZSI6WyJmb28iLCJiYXIiXSwicHVibGlzaCI6WyJmb28iXX19.afLx2f2ut3YgNVFStCx95Zm_UND1mZJ69OenXaDuZL8';

const postData = querystring.stringify({
'topic': 'http://localhost:3000/demo/books/1.jsonld',
@@ -1,6 +1,6 @@
<?php
define('DEMO_JWT', 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXJjdXJlIjp7InN1YnNjcmliZSI6WyJmb28iLCJiYXIiXSwicHVibGlzaCI6WyJmb28iXX19.LRLvirgONK13JgacQ_VbcjySbVhkSmHy3IznH3tA9PM');
define('DEMO_JWT', 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXJjdXJlIjp7InN1YnNjcmliZSI6WyJmb28iLCJiYXIiXSwicHVibGlzaCI6WyJmb28iXX19.afLx2f2ut3YgNVFStCx95Zm_UND1mZJ69OenXaDuZL8');
$postData = http_build_query([
'topic' => 'http://localhost:3000/demo/books/1.jsonld',
@@ -1,7 +1,7 @@
require 'json'
require 'net/http'

token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXJjdXJlIjp7InN1YnNjcmliZSI6WyJmb28iLCJiYXIiXSwicHVibGlzaCI6WyJmb28iXX19.LRLvirgONK13JgacQ_VbcjySbVhkSmHy3IznH3tA9PM'
token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXJjdXJlIjp7InN1YnNjcmliZSI6WyJmb28iLCJiYXIiXSwicHVibGlzaCI6WyJmb28iXX19.afLx2f2ut3YgNVFStCx95Zm_UND1mZJ69OenXaDuZL8'

Net::HTTP.start('localhost', 3000) do |http|
req = Net::HTTP::Post.new('/hub')
@@ -7,8 +7,8 @@ import (
"github.com/stretchr/testify/assert"
)

const validEmptyHeader = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.gciTwpaT-wC-s73qBP7OQ_BMp9Oosm8YXvIpqYWddzY"
const validFullHeader = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXJjdXJlIjp7InB1Ymxpc2giOlsiZm9vIiwiYmFyIl0sInN1YnNjcmliZSI6WyJmb28iLCJiYXoiXX19.pylpKeHDlAN2HHBayzufKYc6VqDfhjCuzlH72r1W6Nw"
const validEmptyHeader = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30._esyynAyo2Z6PyGe0mM_SuQ3c-C7sMQJ1YxVLvlj80A"
const validFullHeader = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXJjdXJlIjp7InB1Ymxpc2giOlsiZm9vIiwiYmFyIl0sInN1YnNjcmliZSI6WyJmb28iLCJiYXoiXX19.e7USPnr2YHHqLYSu9-jEVsynuTXGtAQUDAZuzoR8lxQ"

func TestAuthorizeMultipleAuthorizationHeader(t *testing.T) {
r, _ := http.NewRequest("GET", "http://example.com/hub", nil)
@@ -60,7 +60,7 @@ func TestAuthorizeAuthorizationHeaderNoContent(t *testing.T) {
r, _ := http.NewRequest("GET", "http://example.com/hub", nil)
r.Header.Add("Authorization", "Bearer "+validEmptyHeader)

claims, err := authorize(r, []byte("!UnsecureChangeMe!"), []string{})
claims, err := authorize(r, []byte("!ChangeMe!"), []string{})
assert.Nil(t, claims.Mercure.Publish)
assert.Nil(t, claims.Mercure.Subscribe)
assert.Nil(t, err)
@@ -70,7 +70,7 @@ func TestAuthorizeAuthorizationHeader(t *testing.T) {
r, _ := http.NewRequest("GET", "http://example.com/hub", nil)
r.Header.Add("Authorization", "Bearer "+validFullHeader)

claims, err := authorize(r, []byte("!UnsecureChangeMe!"), []string{})
claims, err := authorize(r, []byte("!ChangeMe!"), []string{})
assert.Equal(t, []string{"foo", "bar"}, claims.Mercure.Publish)
assert.Equal(t, []string{"foo", "baz"}, claims.Mercure.Subscribe)
assert.Nil(t, err)
@@ -98,7 +98,7 @@ func TestAuthorizeCookieNoContent(t *testing.T) {
r, _ := http.NewRequest("GET", "http://example.com/hub", nil)
r.AddCookie(&http.Cookie{Name: "mercureAuthorization", Value: validEmptyHeader})

claims, err := authorize(r, []byte("!UnsecureChangeMe!"), []string{})
claims, err := authorize(r, []byte("!ChangeMe!"), []string{})
assert.Nil(t, claims.Mercure.Publish)
assert.Nil(t, claims.Mercure.Subscribe)
assert.Nil(t, err)
@@ -108,7 +108,7 @@ func TestAuthorizeCookie(t *testing.T) {
r, _ := http.NewRequest("GET", "http://example.com/hub", nil)
r.AddCookie(&http.Cookie{Name: "mercureAuthorization", Value: validFullHeader})

claims, err := authorize(r, []byte("!UnsecureChangeMe!"), []string{})
claims, err := authorize(r, []byte("!ChangeMe!"), []string{})
assert.Equal(t, []string{"foo", "bar"}, claims.Mercure.Publish)
assert.Equal(t, []string{"foo", "baz"}, claims.Mercure.Subscribe)
assert.Nil(t, err)
@@ -118,7 +118,7 @@ func TestAuthorizeCookieNoOriginNoReferer(t *testing.T) {
r, _ := http.NewRequest("POST", "http://example.com/hub", nil)
r.AddCookie(&http.Cookie{Name: "mercureAuthorization", Value: validFullHeader})

claims, err := authorize(r, []byte("!UnsecureChangeMe!"), []string{})
claims, err := authorize(r, []byte("!ChangeMe!"), []string{})
assert.EqualError(t, err, "An \"Origin\" or a \"Referer\" HTTP header must be present to use the cookie-based authorization mechanism")
assert.Nil(t, claims)
}
@@ -128,7 +128,7 @@ func TestAuthorizeCookieOriginNotAllowed(t *testing.T) {
r.Header.Add("Origin", "http://example.com")
r.AddCookie(&http.Cookie{Name: "mercureAuthorization", Value: validFullHeader})

claims, err := authorize(r, []byte("!UnsecureChangeMe!"), []string{"http://example.net"})
claims, err := authorize(r, []byte("!ChangeMe!"), []string{"http://example.net"})
assert.EqualError(t, err, "The origin \"http://example.com\" is not allowed to post updates")
assert.Nil(t, claims)
}
@@ -138,7 +138,7 @@ func TestAuthorizeCookieRefererNotAllowed(t *testing.T) {
r.Header.Add("Referer", "http://example.com/foo/bar")
r.AddCookie(&http.Cookie{Name: "mercureAuthorization", Value: validFullHeader})

claims, err := authorize(r, []byte("!UnsecureChangeMe!"), []string{"http://example.net"})
claims, err := authorize(r, []byte("!ChangeMe!"), []string{"http://example.net"})
assert.EqualError(t, err, "The origin \"http://example.com\" is not allowed to post updates")
assert.Nil(t, claims)
}
@@ -148,7 +148,7 @@ func TestAuthorizeCookieInvalidReferer(t *testing.T) {
r.Header.Add("Referer", "http://192.168.0.%31/")
r.AddCookie(&http.Cookie{Name: "mercureAuthorization", Value: validFullHeader})

claims, err := authorize(r, []byte("!UnsecureChangeMe!"), []string{"http://example.net"})
claims, err := authorize(r, []byte("!ChangeMe!"), []string{"http://example.net"})
assert.EqualError(t, err, "parse http://192.168.0.%31/: invalid URL escape \"%31\"")
assert.Nil(t, claims)
}
@@ -159,7 +159,7 @@ func TestAuthorizeCookieOriginHasPriority(t *testing.T) {
r.Header.Add("Referer", "http://example.com")
r.AddCookie(&http.Cookie{Name: "mercureAuthorization", Value: validFullHeader})

claims, err := authorize(r, []byte("!UnsecureChangeMe!"), []string{"http://example.net"})
claims, err := authorize(r, []byte("!ChangeMe!"), []string{"http://example.net"})
assert.Equal(t, []string{"foo", "bar"}, claims.Mercure.Publish)
assert.Equal(t, []string{"foo", "baz"}, claims.Mercure.Subscribe)
assert.Nil(t, err)
@@ -3,7 +3,7 @@
(function () {
const origin = window.location.origin;
const defaultTopic = origin + '/demo/books/1.jsonld';
const defaultJwt = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXJjdXJlIjp7InN1YnNjcmliZSI6WyJmb28iLCJiYXIiXSwicHVibGlzaCI6WyJmb28iXX19.LRLvirgONK13JgacQ_VbcjySbVhkSmHy3IznH3tA9PM';
const defaultJwt = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXJjdXJlIjp7InN1YnNjcmliZSI6WyJmb28iLCJiYXIiXSwicHVibGlzaCI6WyJmb28iXX19.afLx2f2ut3YgNVFStCx95Zm_UND1mZJ69OenXaDuZL8';

const settingsForm = document.forms.settings;
const discoverForm = document.forms.discover;
@@ -63,8 +63,8 @@ <h1 class="title is-2">Settings</h1>
"publish": ["list of authorized targets, * for all, omit to not allow to publish"]
}
}</code></pre><br>
<a href="https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXJjdXJlIjp7InN1YnNjcmliZSI6WyJmb28iLCJiYXIiXSwicHVibGlzaCI6WyJmb28iXX19.LRLvirgONK13JgacQ_VbcjySbVhkSmHy3IznH3tA9PM" target="_blank" class="button is-link is-small">Create a token</a>
(demo key: <code>!UnsecureChangeMe!</code>)
<a href="https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXJjdXJlIjp7InN1YnNjcmliZSI6WyJmb28iLCJiYXIiXSwicHVibGlzaCI6WyJmb28iXX19.afLx2f2ut3YgNVFStCx95Zm_UND1mZJ69OenXaDuZL8" target="_blank" class="button is-link is-small">Create a token</a>
(demo key: <code>!ChangeMe!</code>)
</p>
</div>
</form>

0 comments on commit 3ed2ba5

Please sign in to comment.
You can’t perform that action at this time.