jwt - 如何在配置 Fastly CDN 时修复 Varnish VCL 中未终止的短字符串错误
问题描述
我正在尝试使用 Varnish VCL 在 Fastly CDN 上设置基于令牌的身份验证,并使用此示例 VCL 片段在此处生成和验证 JWT 令牌 -
sub vcl_recv {
#FASTLY recv
if (req.request != "HEAD" && req.request != "GET" && req.request != "FASTLYPURGE") {
return(pass);
}
// Generate synth
if(req.url ~ "generate") {
error 901;
}
// Validate token
if(req.url ~ "validate") {
// Ensure token exists and parse into regex
if (req.http.X-JWT !~ "^([a-zA-Z0-9\-_]+)?\.([a-zA-Z0-9\-_]+)?\.([a-zA-Z0-9\-_]+)?$") {
// Forbidden
error 403 "Forbidden";
}
// Extract token header, payload and signature
set req.http.X-JWT-Header = re.group.1;
set req.http.X-JWT-Payload = re.group.2;
set req.http.X-JWT-Signature = digest.base64url_nopad_decode(re.group.3);
set req.http.X-JWT-Valid-Signature = digest.hmac_sha256("SupSecretStr",
req.http.X-JWT-Header "." req.http.X-JWT-Payload);
// Validate signature
if(digest.secure_is_equal(req.http.X-JWT-Signature, req.http.X-JWT-Valid-Signature)) {
// Decode payload
set req.http.X-JWT-Payload = digest.base64url_nopad_decode(req.http.X-JWT-Payload);
set req.http.X-JWT-Expires = regsub(req.http.X-JWT-Payload, {"^.*?"exp"\s*?:\s*?([0-9]+).*?$"}, "\1");
// Validate expiration
if (time.is_after(now, std.integer2time(std.atoi(req.http.X-JWT-Expires)))) {
// Unauthorized
synthetic {"{"sign":""} req.http.X-JWT-Signature {"","header":""} req.http.X-JWT-Header {"","payload":""} req.http.X-JWT-Payload {"","valid": ""} req.http.X-JWT-Valid-Signature {""}"};
return(deliver);
}
// OK
synthetic {"{"header2":""} req.http.X-JWT-Header {"","payload":""} req.http.X-JWT-Payload {"","sign":""} req.http.X-JWT-Signature {"","valid": ""} req.http.X-JWT-Valid-Signature {""}"};
return(deliver);
} else {
// Forbidden
synthetic {"{"header3":""} req.http.X-JWT-Header {"","payload":""} req.http.X-JWT-Payload {"","sign":""} req.http.X-JWT-Signature {"","valid": ""} req.http.X-JWT-Valid-Signature {""}"};
return(deliver);
}
}
return(lookup);
}
sub vcl_error {
#FASTLY error
// Generate JWT token
if (obj.status == 901) {
set obj.status = 200;
set obj.response = "OK";
set obj.http.Content-Type = "application/json";
set obj.http.X-UUID = randomstr(8, "0123456789abcdef") "-" randomstr(4, "0123456789abcdef") "-4" randomstr(3, "0123456789abcdef") "-" randomstr(1, "89ab") randomstr(3, "0123456789abcdef") "-" randomstr(12, "0123456789abcdef");
set obj.http.X-JWT-Issued = now.sec;
set obj.http.X-JWT-Expires = strftime({"%s"}, time.add(now, 3600s));
set obj.http.X-JWT-Header = digest.base64url_nopad({"{"alg":"HS256","typ":"JWT""}{"}"});
set obj.http.X-JWT-Payload = digest.base64url_nopad({"{"sub":""} obj.http.X-UUID {"","exp":"} obj.http.X-JWT-Expires {","iat":"} obj.http.X-JWT-Issued {","iss":"Fastly""}{"}"});
set obj.http.X-JWT-Signature = digest.base64url_nopad(digest.hmac_sha256("SupSecretStr", obj.http.X-JWT-Header "." obj.http.X-JWT-Payload));
set obj.http.X-JWT = obj.http.X-JWT-Header "." obj.http.X-JWT-Payload "." obj.http.X-JWT-Signature;
unset obj.http.X-UUID;
unset obj.http.X-JWT-Issued;
unset obj.http.X-JWT-Expires;
unset obj.http.X-JWT-Header;
unset obj.http.X-JWT-payload;
unset obj.http.X-JWT-Signature;
synthetic {"{"payload":""} obj.http.X-JWT-Payload {"","header":""} obj.http.X-JWT-Header {"","sign":""} obj.http.X-JWT-Signatre {"","token": ""} obj.http.X-JWT {""}"};
return(deliver);
}
// Valid token
if (obj.status == 902) {
set obj.status = 200;
set obj.response = "OK";
set obj.http.Content-Type = "application/json";
synthetic {"{ "token": ""} req.http.X-JWT {"" }"};
return(deliver);
}
}
现在,当我尝试编译它时,它会返回 -
Syntax error: Unterminated _short-string_
at: (input Line 106 Pos 197)
synthetic {"{"sign":""} req.http.X-JWT-Signature {"","header":""} req.http.X-JWT-Header {"","payload":""} req.http.X-JWT-Payload {"","valid": ""} req.http.X-JWT-Valid-Signature {""}"};
看起来我在合成块期间没有以某种方式正确地转义这些值。
我尝试在 vcl_recv 子例程中添加此合成块的唯一原因是因为我想测试摘要如何生成 JWT 令牌并对其进行验证,并且我想在 Node.Js 的服务器端创建类似的 JWT 令牌所以我试图输出令牌的不同中间部分进行调试。
我对 Varnish 的语法和语义不太熟悉,但我仍然寻求帮助来查找有关此调度子例程的任何文档,但到目前为止还没有找到。
那么,任何人都可以帮助解决这个问题,并让 vcl_recv、vcl_error 在 json 响应中插入不同的中间值。
我尝试使用一些基于 Node.Js 的 base64 url 解码库来解码返回的令牌部分,并且能够解码标头和有效负载部分,但我无法从 Node.Js 生成签名部分。那么,任何人都可以建议 node.js 或任何 javascript 库中 base64url_nopad() 的等价物吗?
对于 hmac_256 加密部分,我们正在尝试使用加密库并创建一个 hmac,例如 crypto.createHmac('sha256', 'SupSecretStr').update().digest('hex'); 但是我认为js中的所有base64编码url库都会返回填充url,这就是为什么这个hmac 256摘要的base64编码部分与用清漆生成的不匹配的原因
解决方案
我的语法着色工具告诉我的信息与错误消息几乎相同:你搞砸了你的引号:-)
你的最后一个块{""}"};是打开引号({"),立即关闭它们("}),然后你打开简单的引号",换行符在你关闭它们之前到达。
要解决此问题,只需在 json 的最后引用之后放置一个空格:{"" }"};
推荐阅读
- node.js - 如何在 Node 中管理对 Postgresql 的大量调用
- reactjs - 如何在打字稿中正确使用区分联合,因此当一个属性为真时,需要另外两个属性
- arrays - 为什么 AbstractArray 的子类型会导致 Julia 中的矩阵运算不精确?
- amazon-web-services - API 网关 SQS 响应以 UnknownOperationException 结束
- android - 如何从布局创建位图并增加大小?
- reactjs - 在节点打开的情况下反应树组件
- python - 多维 numpy 数组中矩阵向量乘积的快速迭代
- python-2.7 - conda 构建失败并显示 need_source_download 消息
- node.js - 即使从后端重定向后页面也不会刷新
- python - 如何让我的输出以单个字符串而不是单独的字母打印?