fix: jwt token nonce and expiration time (#3967)

cristaloleg · renaynay · vgonkivs · web-flow · commit 28897c82617e · 2024-11-27T20:47:34.000+01:00
Co-authored-by: rene &lt;41963722+renaynay@users.noreply.github.com&gt;
Co-authored-by: Viacheslav &lt;viacheslavgonkivskyi@gmail.com&gt;
diff --git a/api/rpc/perms/permissions.go b/api/rpc/perms/permissions.go
@@ -1,7 +1,9 @@
 package perms
 
 import (
+	"crypto/rand"
 	"encoding/json"
+	"time"
 
 	"github.com/cristalhq/jwt/v5"
 	"github.com/filecoin-project/go-jsonrpc/auth"
@@ -19,7 +21,9 @@ var AuthKey = "Authorization"
 // JWTPayload is a utility struct for marshaling/unmarshalling
 // permissions into for token signing/verifying.
 type JWTPayload struct {
-	Allow []auth.Permission
+	Allow     []auth.Permission
+	Nonce     []byte
+	ExpiresAt time.Time
 }
 
 func (j *JWTPayload) MarshalBinary() (data []byte, err error) {
@@ -29,8 +33,26 @@ func (j *JWTPayload) MarshalBinary() (data []byte, err error) {
 // NewTokenWithPerms generates and signs a new JWT token with the given secret
 // and given permissions.
 func NewTokenWithPerms(signer jwt.Signer, perms []auth.Permission) ([]byte, error) {
+	return NewTokenWithTTL(signer, perms, 0)
+}
+
+// NewTokenWithTTL generates and signs a new JWT token with the given secret
+// and given permissions and TTL.
+func NewTokenWithTTL(signer jwt.Signer, perms []auth.Permission, ttl time.Duration) ([]byte, error) {
+	nonce := make([]byte, 32)
+	if _, err := rand.Read(nonce); err != nil {
+		return nil, err
+	}
+
+	var expiresAt time.Time
+	if ttl != 0 {
+		expiresAt = time.Now().UTC().Add(ttl)
+	}
+
 	p := &JWTPayload{
-		Allow: perms,
+		Allow:     perms,
+		Nonce:     nonce,
+		ExpiresAt: expiresAt,
 	}
 	token, err := jwt.NewBuilder(signer).Build(p)
 	if err != nil {
diff --git a/api/rpc_test.go b/api/rpc_test.go
@@ -89,6 +89,42 @@ func TestRPCCallsUnderlyingNode(t *testing.T) {
 	require.Equal(t, expectedBalance, balance)
 }
 
+func TestRPCCallsTokenExpired(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(cancel)
+
+	// generate dummy signer and sign admin perms token with it
+	key := make([]byte, 32)
+
+	signer, err := jwt.NewSignerHS(jwt.HS256, key)
+	require.NoError(t, err)
+
+	verifier, err := jwt.NewVerifierHS(jwt.HS256, key)
+	require.NoError(t, err)
+
+	nd, _ := setupNodeWithAuthedRPC(t, signer, verifier)
+	url := nd.RPCServer.ListenAddr()
+
+	adminToken, err := perms.NewTokenWithTTL(signer, perms.AllPerms, time.Millisecond)
+	require.NoError(t, err)
+
+	// we need to run this a few times to prevent the race where the server is not yet started
+	var rpcClient *client.Client
+	for i := 0; i < 3; i++ {
+		time.Sleep(time.Second * 1)
+		rpcClient, err = client.NewClient(ctx, "http://"+url, string(adminToken))
+		if err == nil {
+			t.Cleanup(rpcClient.Close)
+			break
+		}
+	}
+	require.NotNil(t, rpcClient)
+	require.NoError(t, err)
+
+	_, err = rpcClient.State.Balance(ctx)
+	require.ErrorContains(t, err, "request failed, http status 401 Unauthorized")
+}
+
 // api contains all modules that are made available as the node's
 // public API surface
 type api struct {
diff --git a/cmd/auth.go b/cmd/auth.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io"
 	"path/filepath"
+	"time"
 
 	"github.com/cristalhq/jwt/v5"
 	"github.com/filecoin-project/go-jsonrpc/auth"
@@ -19,6 +20,8 @@ import (
 	nodemod "github.com/celestiaorg/celestia-node/nodebuilder/node"
 )
 
+var ttlFlagName = "ttl"
+
 func AuthCmd(fsets ...*flag.FlagSet) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "auth [permission-level (e.g. read || write || admin)]",
@@ -34,6 +37,11 @@ func AuthCmd(fsets ...*flag.FlagSet) *cobra.Command {
 				return err
 			}
 
+			ttl, err := cmd.Flags().GetDuration(ttlFlagName)
+			if err != nil {
+				return err
+			}
+
 			ks, err := newKeystore(StorePath(cmd.Context()))
 			if err != nil {
 				return err
@@ -50,7 +58,7 @@ func AuthCmd(fsets ...*flag.FlagSet) *cobra.Command {
 				}
 			}
 
-			token, err := buildJWTToken(key.Body, permissions)
+			token, err := buildJWTToken(key.Body, permissions, ttl)
 			if err != nil {
 				return err
 			}
@@ -62,6 +70,8 @@ func AuthCmd(fsets ...*flag.FlagSet) *cobra.Command {
 	for _, set := range fsets {
 		cmd.Flags().AddFlagSet(set)
 	}
+	cmd.Flags().Duration(ttlFlagName, 0, "Set a Time-to-live (TTL) for the token")
+
 	return cmd
 }
 
@@ -73,12 +83,12 @@ func newKeystore(path string) (keystore.Keystore, error) {
 	return keystore.NewFSKeystore(filepath.Join(expanded, "keys"), nil)
 }
 
-func buildJWTToken(body []byte, permissions []auth.Permission) (string, error) {
+func buildJWTToken(body []byte, permissions []auth.Permission, ttl time.Duration) (string, error) {
 	signer, err := jwt.NewSignerHS(jwt.HS256, body)
 	if err != nil {
 		return "", err
 	}
-	return authtoken.NewSignedJWT(signer, permissions)
+	return authtoken.NewSignedJWT(signer, permissions, ttl)
 }
 
 func generateNewKey(ks keystore.Keystore) (keystore.PrivKey, error) {
diff --git a/cmd/rpc.go b/cmd/rpc.go
@@ -128,7 +128,7 @@ func getToken(path string) (string, error) {
 		fmt.Printf("error getting the JWT secret: %v", err)
 		return "", err
 	}
-	return buildJWTToken(key.Body, perms.AllPerms)
+	return buildJWTToken(key.Body, perms.AllPerms, 0)
 }
 
 type rpcClientKey struct{}
diff --git a/libs/authtoken/authtoken.go b/libs/authtoken/authtoken.go
@@ -1,7 +1,10 @@
 package authtoken
 
 import (
+	"crypto/rand"
 	"encoding/json"
+	"fmt"
+	"time"
 
 	"github.com/cristalhq/jwt/v5"
 	"github.com/filecoin-project/go-jsonrpc/auth"
@@ -17,17 +20,32 @@ func ExtractSignedPermissions(verifier jwt.Verifier, token string) ([]auth.Permi
 		return nil, err
 	}
 	p := new(perms.JWTPayload)
-	err = json.Unmarshal(tk.Claims(), p)
-	if err != nil {
+
+	if err := json.Unmarshal(tk.Claims(), p); err != nil {
 		return nil, err
 	}
+	if !p.ExpiresAt.IsZero() && p.ExpiresAt.Before(time.Now().UTC()) {
+		return nil, fmt.Errorf("token expired %s ago", time.Since(p.ExpiresAt))
+	}
 	return p.Allow, nil
 }
 
 // NewSignedJWT returns a signed JWT token with the passed permissions and signer.
-func NewSignedJWT(signer jwt.Signer, permissions []auth.Permission) (string, error) {
+func NewSignedJWT(signer jwt.Signer, permissions []auth.Permission, ttl time.Duration) (string, error) {
+	nonce := make([]byte, 32)
+	if _, err := rand.Read(nonce); err != nil {
+		return "", err
+	}
+
+	var expiresAt time.Time
+	if ttl != 0 {
+		expiresAt = time.Now().UTC().Add(ttl)
+	}
+
 	token, err := jwt.NewBuilder(signer).Build(&perms.JWTPayload{
-		Allow: permissions,
+		Allow:     permissions,
+		Nonce:     nonce,
+		ExpiresAt: expiresAt,
 	})
 	if err != nil {
 		return "", err
diff --git a/nodebuilder/node/admin.go b/nodebuilder/node/admin.go
@@ -2,6 +2,7 @@ package node
 
 import (
 	"context"
+	"time"
 
 	"github.com/cristalhq/jwt/v5"
 	"github.com/filecoin-project/go-jsonrpc/auth"
@@ -57,5 +58,11 @@ func (m *module) AuthVerify(_ context.Context, token string) ([]auth.Permission,
 }
 
 func (m *module) AuthNew(_ context.Context, permissions []auth.Permission) (string, error) {
-	return authtoken.NewSignedJWT(m.signer, permissions)
+	return authtoken.NewSignedJWT(m.signer, permissions, 0)
+}
+
+func (m *module) AuthNewWithExpiry(_ context.Context,
+	permissions []auth.Permission, ttl time.Duration,
+) (string, error) {
+	return authtoken.NewSignedJWT(m.signer, permissions, ttl)
 }
diff --git a/nodebuilder/node/cmd/node.go b/nodebuilder/node/cmd/node.go
@@ -87,8 +87,8 @@ var authCmd = &cobra.Command{
 	Use:   "set-permissions",
 	Args:  cobra.MinimumNArgs(1),
 	Short: "Signs and returns a new token with the given permissions.",
-	RunE: func(c *cobra.Command, args []string) error {
-		client, err := cmdnode.ParseClientFromCtx(c.Context())
+	RunE: func(cmd *cobra.Command, args []string) error {
+		client, err := cmdnode.ParseClientFromCtx(cmd.Context())
 		if err != nil {
 			return err
 		}
@@ -99,7 +99,13 @@ var authCmd = &cobra.Command{
 			perms[i] = (auth.Permission)(p)
 		}
 
-		result, err := client.Node.AuthNew(c.Context(), perms)
+		ttl, _ := cmd.Flags().GetDuration("ttl")
+		if ttl != 0 {
+			result, err := client.Node.AuthNewWithExpiry(cmd.Context(), perms, ttl)
+			return cmdnode.PrintOutput(result, err, nil)
+		}
+
+		result, err := client.Node.AuthNew(cmd.Context(), perms)
 		return cmdnode.PrintOutput(result, err, nil)
 	},
 }
diff --git a/nodebuilder/node/node.go b/nodebuilder/node/node.go
@@ -2,6 +2,7 @@ package node
 
 import (
 	"context"
+	"time"
 
 	"github.com/filecoin-project/go-jsonrpc/auth"
 )
@@ -24,17 +25,20 @@ type Module interface {
 	AuthVerify(ctx context.Context, token string) ([]auth.Permission, error)
 	// AuthNew signs and returns a new token with the given permissions.
 	AuthNew(ctx context.Context, perms []auth.Permission) (string, error)
+	// AuthNewWithExpiry signs and returns a new token with the given permissions and TTL.
+	AuthNewWithExpiry(ctx context.Context, perms []auth.Permission, ttl time.Duration) (string, error)
 }
 
 var _ Module = (*API)(nil)
 
 type API struct {
 	Internal struct {
-		Info        func(context.Context) (Info, error)                                `perm:"admin"`
-		Ready       func(context.Context) (bool, error)                                `perm:"read"`
-		LogLevelSet func(ctx context.Context, name, level string) error                `perm:"admin"`
-		AuthVerify  func(ctx context.Context, token string) ([]auth.Permission, error) `perm:"admin"`
-		AuthNew     func(ctx context.Context, perms []auth.Permission) (string, error) `perm:"admin"`
+		Info              func(context.Context) (Info, error)                                                   `perm:"admin"`
+		Ready             func(context.Context) (bool, error)                                                   `perm:"read"`
+		LogLevelSet       func(ctx context.Context, name, level string) error                                   `perm:"admin"`
+		AuthVerify        func(ctx context.Context, token string) ([]auth.Permission, error)                    `perm:"admin"`
+		AuthNew           func(ctx context.Context, perms []auth.Permission) (string, error)                    `perm:"admin"`
+		AuthNewWithExpiry func(ctx context.Context, perms []auth.Permission, ttl time.Duration) (string, error) `perm:"admin"`
 	}
 }
 
@@ -57,3 +61,7 @@ func (api *API) AuthVerify(ctx context.Context, token string) ([]auth.Permission
 func (api *API) AuthNew(ctx context.Context, perms []auth.Permission) (string, error) {
 	return api.Internal.AuthNew(ctx, perms)
 }
+
+func (api *API) AuthNewWithExpiry(ctx context.Context, perms []auth.Permission, ttl time.Duration) (string, error) {
+	return api.Internal.AuthNewWithExpiry(ctx, perms, ttl)
+}
diff --git a/nodebuilder/tests/helpers_test.go b/nodebuilder/tests/helpers_test.go
@@ -20,7 +20,7 @@ func getAdminClient(ctx context.Context, nd *nodebuilder.Node, t *testing.T) *cl
 	signer := nd.AdminSigner
 	listenAddr := "ws://" + nd.RPCServer.ListenAddr()
 
-	jwt, err := authtoken.NewSignedJWT(signer, []auth.Permission{"public", "read", "write", "admin"})
+	jwt, err := authtoken.NewSignedJWT(signer, []auth.Permission{"public", "read", "write", "admin"}, time.Minute)
 	require.NoError(t, err)
 
 	client, err := client.NewClient(ctx, listenAddr, jwt)

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ import (`
`6`	`6`	`"fmt"`
`7`	`7`	`"io"`
`8`	`8`	`"path/filepath"`
	`9`	`+ "time"`
`9`	`10`
`10`	`11`	`"github.com/cristalhq/jwt/v5"`
`11`	`12`	`"github.com/filecoin-project/go-jsonrpc/auth"`
`@@ -19,6 +20,8 @@ import (`
`19`	`20`	`nodemod "github.com/celestiaorg/celestia-node/nodebuilder/node"`
`20`	`21`	`)`
`21`	`22`
	`23`	`+var ttlFlagName = "ttl"`
	`24`	`+`
`22`	`25`	`func AuthCmd(fsets ...flag.FlagSet) cobra.Command {`
`23`	`26`	`cmd := &cobra.Command{`
`24`	`27`	`Use: "auth [permission-level (e.g. read \|\| write \|\| admin)]",`
`@@ -34,6 +37,11 @@ func AuthCmd(fsets ...flag.FlagSet) cobra.Command {`
`34`	`37`	`return err`
`35`	`38`	`}`
`36`	`39`
	`40`	`+ ttl, err := cmd.Flags().GetDuration(ttlFlagName)`
	`41`	`+ if err != nil {`
	`42`	`+ return err`
	`43`	`+ }`
	`44`	`+`
`37`	`45`	`ks, err := newKeystore(StorePath(cmd.Context()))`
`38`	`46`	`if err != nil {`
`39`	`47`	`return err`
`@@ -50,7 +58,7 @@ func AuthCmd(fsets ...flag.FlagSet) cobra.Command {`
`50`	`58`	`}`
`51`	`59`	`}`
`52`	`60`
`53`		`- token, err := buildJWTToken(key.Body, permissions)`
	`61`	`+ token, err := buildJWTToken(key.Body, permissions, ttl)`
`54`	`62`	`if err != nil {`
`55`	`63`	`return err`
`56`	`64`	`}`
`@@ -62,6 +70,8 @@ func AuthCmd(fsets ...flag.FlagSet) cobra.Command {`
`62`	`70`	`for _, set := range fsets {`
`63`	`71`	`cmd.Flags().AddFlagSet(set)`
`64`	`72`	`}`
	`73`	`+ cmd.Flags().Duration(ttlFlagName, 0, "Set a Time-to-live (TTL) for the token")`
	`74`	`+`
`65`	`75`	`return cmd`
`66`	`76`	`}`
`67`	`77`
`@@ -73,12 +83,12 @@ func newKeystore(path string) (keystore.Keystore, error) {`
`73`	`83`	`return keystore.NewFSKeystore(filepath.Join(expanded, "keys"), nil)`
`74`	`84`	`}`
`75`	`85`
`76`		`-func buildJWTToken(body []byte, permissions []auth.Permission) (string, error) {`
	`86`	`+func buildJWTToken(body []byte, permissions []auth.Permission, ttl time.Duration) (string, error) {`
`77`	`87`	`signer, err := jwt.NewSignerHS(jwt.HS256, body)`
`78`	`88`	`if err != nil {`
`79`	`89`	`return "", err`
`80`	`90`	`}`
`81`		`- return authtoken.NewSignedJWT(signer, permissions)`
	`91`	`+ return authtoken.NewSignedJWT(signer, permissions, ttl)`
`82`	`92`	`}`
`83`	`93`
`84`	`94`	`func generateNewKey(ks keystore.Keystore) (keystore.PrivKey, error) {`
Original file line number	Diff line number	Diff line change
`@@ -128,7 +128,7 @@ func getToken(path string) (string, error) {`
`128`	`128`	`fmt.Printf("error getting the JWT secret: %v", err)`
`129`	`129`	`return "", err`
`130`	`130`	`}`
`131`		`- return buildJWTToken(key.Body, perms.AllPerms)`
	`131`	`+ return buildJWTToken(key.Body, perms.AllPerms, 0)`
`132`	`132`	`}`
`133`	`133`
`134`	`134`	`type rpcClientKey struct{}`