From 376de282f26a113b9d7d19eef34e5944b159f0ee Mon Sep 17 00:00:00 2001
From: leandrofars
Date: Sat, 23 Dec 2023 11:23:20 -0300
Subject: [PATCH 1/2] fix(security): jwt package
---
 backend/services/controller/go.mod | 6 ++--
 backend/services/controller/go.sum | 5 ++--
 .../controller/internal/api/auth/auth.go | 28 ++++++++++++-------
 3 files changed, 24 insertions(+), 15 deletions(-)
diff --git a/backend/services/controller/go.mod b/backend/services/controller/go.mod
index 9841213..792664d 100755
--- a/backend/services/controller/go.mod
+++ b/backend/services/controller/go.mod
@@ -3,8 +3,9 @@ module github.com/leandrofars/oktopus
 go 1.18
 
 require (
- github.com/dgrijalva/jwt-go v3.2.0+incompatible
 github.com/eclipse/paho.golang v0.10.0
+ github.com/go-stomp/stomp v2.1.4+incompatible
+ github.com/golang-jwt/jwt/v5 v5.2.0
 github.com/google/uuid v1.3.0
 github.com/googollee/go-socket.io v1.7.0
 github.com/gorilla/mux v1.8.0
@@ -13,11 +14,11 @@ require (
 go.mongodb.org/mongo-driver v1.11.3
 golang.org/x/crypto v0.14.0
 golang.org/x/net v0.17.0
+ golang.org/x/sys v0.13.0
 google.golang.org/protobuf v1.28.1
 )
 
 require (
- github.com/go-stomp/stomp v2.1.4+incompatible // indirect
 github.com/gofrs/uuid v4.0.0+incompatible // indirect
 github.com/golang/snappy v0.0.1 // indirect
 github.com/gomodule/redigo v1.8.4 // indirect
@@ -30,6 +31,5 @@ require (
 github.com/xdg-go/stringprep v1.0.3 // indirect
 github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d // indirect
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
- golang.org/x/sys v0.13.0 // indirect
 golang.org/x/text v0.13.0 // indirect
 )
diff --git a/backend/services/controller/go.sum b/backend/services/controller/go.sum
index c6c36ac..c4ef347 100644
--- a/backend/services/controller/go.sum
+++ b/backend/services/controller/go.sum
@@ -1,14 +1,14 @@
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/eclipse/paho.golang v0.10.0 h1:oUGPjRwWcZQRgDD9wVDV7y7i7yBSxts3vcvcNJo8B4Q=
 github.com/eclipse/paho.golang v0.10.0/go.mod h1:rhrV37IEwauUyx8FHrvmXOKo+QRKng5ncoN1vJiJMcs=
 github.com/go-stomp/stomp v2.1.4+incompatible h1:D3SheUVDOz9RsjVWkoh/1iCOwD0qWjyeTZMUZ0EXg2Y=
 github.com/go-stomp/stomp v2.1.4+incompatible/go.mod h1:VqCtqNZv1226A1/79yh+rMiFUcfY3R109np+7ke4n0c=
 github.com/gofrs/uuid v4.0.0+incompatible h1:1SD/1F5pU8p29ybwgQSwpQk+mwdRrXCYuPhW6m+TnJw=
 github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
+github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw=
+github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/snappy v0.0.1 h1:Qgr9rKW7uDUkrbSmQeiDsGa8SjGyCOGtuasMWwvp2P4=
 github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
@@ -85,6 +85,7 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/backend/services/controller/internal/api/auth/auth.go b/backend/services/controller/internal/api/auth/auth.go
index e1a2712..d93eeda 100644
--- a/backend/services/controller/internal/api/auth/auth.go
+++ b/backend/services/controller/internal/api/auth/auth.go
@@ -2,9 +2,12 @@ package auth
 
 import (
 "errors"
- "github.com/dgrijalva/jwt-go"
+ "fmt"
+ "log"
 "os"
 "time"
+
+ "github.com/golang-jwt/jwt/v5"
 )
 
 func getJwtKey() []byte {
@@ -18,16 +21,17 @@ func getJwtKey() []byte {
 type JWTClaim struct {
 Username string `json:"username"`
 Email string `json:"email"`
- jwt.StandardClaims
+ jwt.RegisteredClaims
 }
 
 func GenerateJWT(email string, username string) (tokenString string, err error) {
 expirationTime := time.Now().Add(4 * time.Hour)
 claims := &JWTClaim{
- Email: email,
- Username: username,
- StandardClaims: jwt.StandardClaims{
- ExpiresAt: expirationTime.Unix(),
+ username,
+ email,
+ jwt.RegisteredClaims{
+ ExpiresAt: jwt.NewNumericDate(expirationTime),
+ Issuer: "Oktopus",
 },
 }
 token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
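Review bot: The `claims := &JWTClaim{` literal now uses positional fields (`username,` / `email,` / `jwt.RegisteredClaims{`), so a later reorder of JWTClaim's fields would silently swap which value lands in the username and email claims without any compile error; keep it keyed: `Username: username,`, `Email: email,`, `RegisteredClaims: jwt.RegisteredClaims{`. Since the token now carries an issuer, stamping `IssuedAt: jwt.NewNumericDate(time.Now())` alongside `ExpiresAt` would make token age visible when a presented token is inspected. The body of GenerateJWT continues past the end of the hunk.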
@@ -40,21 +44,25 @@ func ValidateToken(signedToken string) (email string, err error) {
 signedToken,
 &JWTClaim{},
 func(token *jwt.Token) (interface{}, error) {
+ // Don't forget to validate the alg is what you expect:
+ if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+ return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
+ }
+
+ // hmacSampleSecret is a []byte containing your secret, e.g. []byte("my_secret_key")
 return getJwtKey(), nil
 },
 )
 if err != nil {
+ log.Println(err)
 return
 }
+
 claims, ok := token.Claims.(*JWTClaim)
 if !ok {
 err = errors.New("couldn't parse claims")
 return
 }
- if claims.ExpiresAt < time.Now().Local().Unix() {
- err = errors.New("token expired")
- return
- }
 email = claims.Email
From b15ab6b5f0ad7c9bcd7bcffec8cef4f7f6b31828 Mon Sep 17 00:00:00 2001
From: leandrofars
Date: Sat, 23 Dec 2023 11:23:54 -0300
Subject: [PATCH 2/2] feat: nginx config for landing site
---
 devops/nginx/nginx.conf | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
diff --git a/devops/nginx/nginx.conf b/devops/nginx/nginx.conf
index 597e147..c548171 100644
--- a/devops/nginx/nginx.conf
+++ b/devops/nginx/nginx.conf
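Review bot: The `Issuer: "Oktopus"` claim that GenerateJWT now stamps is never verified here, and jwt/v5 only checks `exp` when the claim is present, so the parse call (its head appears to sit just above the hunk) should receive `jwt.WithIssuer("Oktopus")` and `jwt.WithExpirationRequired()` after the key func; with the manual expiry check deleted, those options are what makes the library's validation cover what the removed lines did. The `// hmacSampleSecret …` comment is lifted from the library README and names an identifier this file does not have; replace it with `// key material comes from getJwtKey(); never inline a literal secret here`. On the `fmt.Errorf` line the error text should be lowercase, `"unexpected signing method: %v"`, and `log.Println(err)` right before `return` logs and returns the same error, so keep one or the other. ValidateToken's closing lines fall past the end of the hunk as shown.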
@@ -34,6 +34,44 @@ http {
 # for more information.
 include /etc/nginx/conf.d/*.conf;
 
+ server {
+ if ($host = oktopus.app.br) {
+ return 301 https://$host$request_uri;
+ }
+ listen 80;
+ listen [::]:80;
+ server_name oktopus.app.br;
+ return 404;
+ }
+
+ server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name oktopus.app.br;
+ root /usr/share/nginx/html;
+
+ # Load configuration files for the default server block.
+ include /etc/nginx/default.d/*.conf;
+
+ ssl_certificate "/etc/letsencrypt/live/oktopus.app.br/fullchain.pem";
+ ssl_certificate_key "/etc/letsencrypt/live/oktopus.app.br/privkey.pem";
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 10m;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;
+
+ error_page 404 /404.html;
+ location = /404.html {
+ }
+
+ location / {
+ proxy_pass http://127.0.0.1:3001;
+ proxy_read_timeout 60;
+ proxy_connect_timeout 60;
+ proxy_redirect off;
+ }
+ }
+
 server {
 if ($host = oktopustr369.com) {
 return 301 https://$host$request_uri;
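Review bot: The `location /` block proxies to `127.0.0.1:3001` without forwarding any client headers, so the landing app would see every request as coming from loopback over plain http; add `proxy_set_header` lines for `Host`, `X-Forwarded-For` and `X-Forwarded-Proto` inside it. The TLS server block sets `ssl_ciphers HIGH:!aNULL:!MD5` but no `ssl_protocols`, so the accepted protocol versions fall back to whatever this nginx build defaults to; pin `ssl_protocols TLSv1.2 TLSv1.3;` next to the cipher line, and an `add_header Strict-Transport-Security` line keeps browsers from first trying the port-80 block on later visits. The `listen … ssl http2` form is deprecated in newer nginx releases in favour of a separate `http2 on;` directive, which is worth checking against the deployed version.
```nginx
    server {
        listen 443 ssl http2;
        # … unchanged: listen [::], server_name, root, include, certificate paths …
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_session_cache shared:SSL:1m;
        # … unchanged: session timeout, ciphers, prefer_server_ciphers, error_page …
        add_header Strict-Transport-Security "max-age=63072000" always;

        location / {
            proxy_pass http://127.0.0.1:3001;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # … unchanged: proxy timeouts, proxy_redirect …
        }
    }
```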