disable nonce signature checks when the user JWT has bearer token set…

… to true.

go.mod

@@ -2,7 +2,7 @@ module github.com/nats-io/nats-server/v2
 
 require (
 	github.com/golang/protobuf v1.3.2 // indirect
-	github.com/nats-io/jwt v0.3.2
+	github.com/nats-io/jwt v0.3.3-0.20191217183112-d4d149352589
 	github.com/nats-io/nats.go v1.9.1
 	github.com/nats-io/nkeys v0.1.3
 	github.com/nats-io/nuid v1.0.1

go.sum

@@ -3,6 +3,8 @@ github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 github.com/nats-io/jwt v0.3.0/go.mod h1:fRYCDE99xlTsqUzISS1Bi75UBJ6ljOJQOAAu5VglpSg=
 github.com/nats-io/jwt v0.3.2 h1:+RB5hMpXUUA2dfxuhBTEkMOrYmM+gKIZYS1KjSostMI=
 github.com/nats-io/jwt v0.3.2/go.mod h1:/euKqTS1ZD+zzjYrY7pseZrTtWQSjujC7xjPc8wL6eU=
+github.com/nats-io/jwt v0.3.3-0.20191217183112-d4d149352589 h1:8kHfgmEXFiisfuNPr5rZQCH6lmg6LpKeHKZdvTpHlxg=
+github.com/nats-io/jwt v0.3.3-0.20191217183112-d4d149352589/go.mod h1:93OoI9cfJ13Q42aaXp9Ii1H9kXBFdzcC3skMgDTebj4=
 github.com/nats-io/nats.go v1.9.1 h1:ik3HbLhZ0YABLto7iX80pZLPw/6dx3T+++MZJwLnMrQ=
 github.com/nats-io/nats.go v1.9.1/go.mod h1:ZjDU1L/7fJ09jvUSRVBR2e7+RnLiiIQyqyzEE/Zbp4w=
 github.com/nats-io/nkeys v0.1.0/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w=

server/auth.go

@@ -416,28 +416,31 @@ func (s *Server) processClientOrLeafAuthentication(c *client) bool {
 			c.Debugf("Account JWT has expired")
 			return false
 		}
-		// Verify the signature against the nonce.
-		if c.opts.Sig == "" {
-			c.Debugf("Signature missing")
-			return false
-		}
-		sig, err := base64.RawURLEncoding.DecodeString(c.opts.Sig)
-		if err != nil {
-			// Allow fallback to normal base64.
-			sig, err = base64.StdEncoding.DecodeString(c.opts.Sig)
+		// skip validation of nonce when presented with a bearer token
+		if !juc.BearerToken {
+			// Verify the signature against the nonce.
+			if c.opts.Sig == "" {
+				c.Debugf("Signature missing")
+				return false
+			}
+			sig, err := base64.RawURLEncoding.DecodeString(c.opts.Sig)
 			if err != nil {
-				c.Debugf("Signature not valid base64")
+				// Allow fallback to normal base64.
+				sig, err = base64.StdEncoding.DecodeString(c.opts.Sig)
+				if err != nil {
+					c.Debugf("Signature not valid base64")
+					return false
+				}
+			}
+			pub, err := nkeys.FromPublicKey(juc.Subject)
+			if err != nil {
+				c.Debugf("User nkey not valid: %v", err)
+				return false
+			}
+			if err := pub.Verify(c.nonce, sig); err != nil {
+				c.Debugf("Signature not verified")
 				return false
 			}
-		}
-		pub, err := nkeys.FromPublicKey(juc.Subject)
-		if err != nil {
-			c.Debugf("User nkey not valid: %v", err)
-			return false
-		}
-		if err := pub.Verify(c.nonce, sig); err != nil {
-			c.Debugf("Signature not verified")
-			return false
 		}
 		if acc.checkUserRevoked(juc.Subject) {
 			c.Debugf("User authentication revoked")

vendor/modules.txt

@@ -1,4 +1,4 @@
-# github.com/nats-io/jwt v0.3.2
+# github.com/nats-io/jwt v0.3.3-0.20191217183112-d4d149352589
 github.com/nats-io/jwt
 # github.com/nats-io/nats.go v1.9.1
 github.com/nats-io/nats.go
@@ -10,12 +10,12 @@ github.com/nats-io/nkeys
 github.com/nats-io/nuid
 # golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4
 golang.org/x/crypto/bcrypt
-golang.org/x/crypto/ed25519
 golang.org/x/crypto/blowfish
+golang.org/x/crypto/ed25519
 golang.org/x/crypto/ed25519/internal/edwards25519
 # golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e
-golang.org/x/sys/windows/svc/eventlog
-golang.org/x/sys/windows/svc
-golang.org/x/sys/windows/svc/mgr
 golang.org/x/sys/windows
 golang.org/x/sys/windows/registry
+golang.org/x/sys/windows/svc
+golang.org/x/sys/windows/svc/eventlog
+golang.org/x/sys/windows/svc/mgr