Support HttpRequest as a method parameter in JWTClaimsValidator #381

Closed
arunapi opened this issue Sep 18, 2020 · 0 comments · Fixed by #396


arunapi commented Sep 18, 2020

In order to reduce the (bot) attack surface of my endpoint, I want to tie down a JWT token to the user agent (HTTP request header) and session (an HTTP Cookie).
I want to validate that an HTTP request made with a JWT token (Authorization header) has the user_agent and session claims and that they match the user-agent header and session cookie in the HTTP request.

As per the documentation, I have an easy way to create JWT token claims from HttpRequest headers or Cookie values
https://micronaut-projects.github.io/micronaut-security/latest/guide/#claimsGeneration

It would be nice if the JwtClaimsValidator also supported the HttpRequest object as a parameter, in order to perform claims validation.

The solution recommended to work around the limitation is to use

Optional<HttpRequest<Object>> httpRequestOptional = ServerRequestContext.currentRequest();

Since the above line of code is not very common in other places of the project, please advise if using the above code has any performance implications.

Example Application

I've created a sample application with the above feature and the recommended solution.
https://github.com/arunapi/micronaut-jwt-sec-app

I am reporting this issue as per the request from @jameskleeh in order to describe my use case.
https://gitter.im/micronautfw/questions?at=5f621df2a9c2c8511e9bb040
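
The workaround described in the issue, written out as an added example (not code from the issue, the linked sample application, or the Micronaut project). It assumes the validator interface exposes only `validate(JwtClaims)`; the class name `RequestBoundClaimsValidator` and the cookie name `SESSION` are hypothetical, and the claim names follow the issue text.

```java
import io.micronaut.http.HttpRequest;
import io.micronaut.http.context.ServerRequestContext;
import io.micronaut.http.cookie.Cookie;
import io.micronaut.security.token.jwt.generator.claims.JwtClaims;
import io.micronaut.security.token.jwt.validator.JwtClaimsValidator;

import javax.inject.Singleton;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Optional;

@Singleton
public class RequestBoundClaimsValidator implements JwtClaimsValidator {

    // Claim names as given in the issue; the cookie name is an assumption.
    private static final String USER_AGENT_CLAIM = "user_agent";
    private static final String SESSION_CLAIM = "session";
    private static final String SESSION_COOKIE = "SESSION"; // hypothetical

    @Override
    public boolean validate(JwtClaims claims) {
        // The request is not a method parameter, so read it from the request context.
        Optional<HttpRequest<Object>> current = ServerRequestContext.currentRequest();
        if (!current.isPresent()) {
            return false; // fail closed: no request to bind the token to
        }
        HttpRequest<Object> request = current.get();
        String userAgent = request.getHeaders().get("User-Agent");
        String session = request.getCookies().findCookie(SESSION_COOKIE)
                .map(Cookie::getValue)
                .orElse(null);
        // Non-short-circuit '&' so both comparisons always run.
        return matches(claims.get(USER_AGENT_CLAIM), userAgent)
                & matches(claims.get(SESSION_CLAIM), session);
    }

    // A missing claim or a missing request value rejects the token.
    private static boolean matches(Object claim, String actual) {
        if (!(claim instanceof String) || actual == null) {
            return false;
        }
        // MessageDigest.isEqual compares without exiting early on the first mismatch.
        return MessageDigest.isEqual(
                ((String) claim).getBytes(StandardCharsets.UTF_8),
                actual.getBytes(StandardCharsets.UTF_8));
    }
}
```

The User-Agent header is supplied by the client, so this binding narrows where a copied token works but does not replace signature and expiry validation.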

@sdelamo sdelamo self-assigned this Sep 24, 2020
sdelamo added a commit that referenced this issue Sep 24, 2020
sdelamo added a commit that referenced this issue Sep 24, 2020
@sdelamo sdelamo added the status: pr submitted A pull request has been submitted for the issue label Sep 24, 2020
sdelamo added a commit that referenced this issue Sep 24, 2020
Close: #381

remove default from TokenValidator

revert as before

leave implementation in validate(String)

don't override request

don't override request

remove unused imports

remove unused imports

you have to opt-in to pass httprequest

make it configurable pass-http-request

add boolean value

remove ugly pass http request
sdelamo added a commit that referenced this issue Sep 24, 2020