line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package Plack::Middleware::Auth::JWT; |
2
|
|
|
|
|
|
|
|
3
|
|
|
|
|
|
|
# ABSTRACT: Token-based Auth (aka Bearer Token) using JSON Web Tokens (JWT) |
4
|
|
|
|
|
|
|
our $VERSION = '0.905'; # VERSION |
5
|
|
|
|
|
|
|
|
6
|
2
|
|
|
2
|
|
4200
|
use 5.010; |
|
2
|
|
|
|
|
10
|
|
7
|
2
|
|
|
2
|
|
11
|
use strict; |
|
2
|
|
|
|
|
4
|
|
|
2
|
|
|
|
|
40
|
|
8
|
2
|
|
|
2
|
|
10
|
use warnings; |
|
2
|
|
|
|
|
3
|
|
|
2
|
|
|
|
|
59
|
|
9
|
2
|
|
|
2
|
|
11
|
use parent qw(Plack::Middleware); |
|
2
|
|
|
|
|
3
|
|
|
2
|
|
|
|
|
14
|
|
10
|
2
|
|
|
2
|
|
147
|
use Plack::Util; |
|
2
|
|
|
|
|
4
|
|
|
2
|
|
|
|
|
85
|
|
11
|
|
|
|
|
|
|
use Plack::Util::Accessor |
12
|
2
|
|
|
2
|
|
14
|
qw(decode_args decode_callback psgix_claims psgix_token token_required ignore_invalid_token token_header_name token_query_name); |
|
2
|
|
|
|
|
3
|
|
|
2
|
|
|
|
|
20
|
|
13
|
2
|
|
|
2
|
|
1274
|
use Plack::Request; |
|
2
|
|
|
|
|
126460
|
|
|
2
|
|
|
|
|
91
|
|
14
|
2
|
|
|
2
|
|
686
|
use Crypt::JWT 0.020 qw(decode_jwt); |
|
2
|
|
|
|
|
55403
|
|
|
2
|
|
|
|
|
1162
|
|
15
|
|
|
|
|
|
|
|
16
|
|
|
|
|
|
|
sub prepare_app { |
17
|
10
|
|
|
10
|
1
|
39826
|
my $self = shift; |
18
|
|
|
|
|
|
|
|
19
|
|
|
|
|
|
|
# some defaults |
20
|
10
|
100
|
|
|
|
42
|
$self->psgix_claims('claims') unless $self->psgix_claims; |
21
|
10
|
100
|
|
|
|
235
|
$self->psgix_token('token') unless $self->psgix_token; |
22
|
|
|
|
|
|
|
|
23
|
10
|
100
|
|
|
|
116
|
$self->token_header_name('bearer') |
24
|
|
|
|
|
|
|
unless defined $self->token_header_name; |
25
|
10
|
100
|
|
|
|
95
|
$self->token_header_name(undef) unless $self->token_header_name; |
26
|
10
|
100
|
|
|
|
67
|
$self->token_query_name('token') unless defined $self->token_query_name; |
27
|
10
|
100
|
|
|
|
107
|
$self->token_query_name(undef) unless $self->token_query_name; |
28
|
10
|
100
|
|
|
|
72
|
$self->token_required(0) unless defined $self->token_required; |
29
|
10
|
100
|
|
|
|
117
|
$self->ignore_invalid_token(0) unless defined $self->ignore_invalid_token; |
30
|
|
|
|
|
|
|
|
31
|
|
|
|
|
|
|
# either decode_args or decode_callback is required |
32
|
10
|
100
|
|
|
|
120
|
if ( my $cb = $self->decode_callback ) { |
|
|
50
|
|
|
|
|
|
33
|
5
|
50
|
|
|
|
50
|
die "decode_callback must be a code reference" |
34
|
|
|
|
|
|
|
unless ref($cb) eq 'CODE'; |
35
|
|
|
|
|
|
|
} |
36
|
|
|
|
|
|
|
elsif ( my $args = $self->decode_args ) { |
37
|
5
|
|
|
|
|
58
|
$args->{decode_payload} = 1; |
38
|
5
|
|
|
|
|
18
|
$args->{decode_header} = 0; |
39
|
5
|
100
|
|
|
|
16
|
$args->{verify_exp} = 1 unless exists $args->{verify_exp}; |
40
|
5
|
50
|
|
|
|
21
|
$args->{leeway} = 5 unless exists $args->{leeway}; |
41
|
|
|
|
|
|
|
} |
42
|
|
|
|
|
|
|
else { |
43
|
0
|
|
|
|
|
0
|
die |
44
|
|
|
|
|
|
|
"Either decode_callback or decode_args has to be defined when loading this Middleware"; |
45
|
|
|
|
|
|
|
} |
46
|
|
|
|
|
|
|
} |
47
|
|
|
|
|
|
|
|
48
|
|
|
|
|
|
|
sub call { |
49
|
30
|
|
|
30
|
1
|
158549
|
my ( $self, $env ) = @_; |
50
|
|
|
|
|
|
|
|
51
|
30
|
|
|
|
|
53
|
my $token; |
52
|
|
|
|
|
|
|
|
53
|
30
|
100
|
100
|
|
|
97
|
if ( $self->token_header_name && $env->{HTTP_AUTHORIZATION} ) { |
|
|
100
|
|
|
|
|
|
54
|
15
|
|
|
|
|
151
|
my $name = $self->token_header_name; |
55
|
15
|
|
|
|
|
74
|
my $auth = $env->{HTTP_AUTHORIZATION}; |
56
|
15
|
50
|
|
|
|
236
|
$token = $1 if $auth =~ /^\s*$name\s+(.+)/i; |
57
|
|
|
|
|
|
|
} |
58
|
|
|
|
|
|
|
elsif ( my $name = $self->token_query_name ) { |
59
|
13
|
|
|
|
|
228
|
my $req = Plack::Request->new($env); |
60
|
13
|
|
|
|
|
140
|
$token = $req->query_parameters->get($name); |
61
|
|
|
|
|
|
|
} |
62
|
|
|
|
|
|
|
|
63
|
30
|
100
|
|
|
|
1267
|
unless ($token) { |
64
|
8
|
100
|
|
|
|
24
|
return $self->unauthorized if $self->token_required; |
65
|
|
|
|
|
|
|
|
66
|
|
|
|
|
|
|
# no token found, but non required, so just call the app |
67
|
2
|
|
|
|
|
17
|
return $self->app->($env); |
68
|
|
|
|
|
|
|
} |
69
|
|
|
|
|
|
|
|
70
|
22
|
|
|
|
|
38
|
my $claims = eval { |
71
|
22
|
100
|
|
|
|
63
|
if ( my $cb = $self->decode_callback ) { |
72
|
8
|
|
|
|
|
56
|
return $cb->( $token, $env ); |
73
|
|
|
|
|
|
|
} |
74
|
|
|
|
|
|
|
else { |
75
|
14
|
|
|
|
|
69
|
return decode_jwt( token => $token, %{ $self->decode_args } ); |
|
14
|
|
|
|
|
36
|
|
76
|
|
|
|
|
|
|
} |
77
|
|
|
|
|
|
|
}; |
78
|
22
|
100
|
|
|
|
3496
|
if ($@) { |
79
|
9
|
100
|
|
|
|
34
|
if ($self->ignore_invalid_token) { |
80
|
1
|
|
|
|
|
9
|
return $self->app->($env); |
81
|
|
|
|
|
|
|
} |
82
|
|
|
|
|
|
|
else { |
83
|
|
|
|
|
|
|
# TODO hm, if token cannot be decoded: 401 or 400? |
84
|
8
|
|
|
|
|
63
|
return $self->unauthorized( 'Cannot decode JWT: ' . $@ ); |
85
|
|
|
|
|
|
|
} |
86
|
|
|
|
|
|
|
} |
87
|
|
|
|
|
|
|
else { |
88
|
13
|
|
|
|
|
45
|
$env->{ 'psgix.' . $self->psgix_token } = $token; |
89
|
13
|
|
|
|
|
94
|
$env->{ 'psgix.' . $self->psgix_claims } = $claims; |
90
|
13
|
|
|
|
|
93
|
return $self->app->($env); |
91
|
|
|
|
|
|
|
} |
92
|
|
|
|
|
|
|
|
93
|
|
|
|
|
|
|
# should never be reached, but just to make sure... |
94
|
0
|
|
|
|
|
0
|
return $self->unauthorized; |
95
|
|
|
|
|
|
|
} |
96
|
|
|
|
|
|
|
|
97
|
|
|
|
|
|
|
sub unauthorized { |
98
|
14
|
|
|
14
|
0
|
57
|
my $self = shift; |
99
|
14
|
|
100
|
|
|
49
|
my $body = shift || 'Authorization required'; |
100
|
|
|
|
|
|
|
|
101
|
|
|
|
|
|
|
return [ |
102
|
14
|
|
|
|
|
117
|
401, |
103
|
|
|
|
|
|
|
[ 'Content-Type' => 'text/plain', |
104
|
|
|
|
|
|
|
'Content-Length' => length $body |
105
|
|
|
|
|
|
|
], |
106
|
|
|
|
|
|
|
[$body] |
107
|
|
|
|
|
|
|
]; |
108
|
|
|
|
|
|
|
} |
109
|
|
|
|
|
|
|
|
110
|
|
|
|
|
|
|
1; |
111
|
|
|
|
|
|
|
|
112
|
|
|
|
|
|
|
__END__ |
113
|
|
|
|
|
|
|
|
114
|
|
|
|
|
|
|
=pod |
115
|
|
|
|
|
|
|
|
116
|
|
|
|
|
|
|
=encoding UTF-8 |
117
|
|
|
|
|
|
|
|
118
|
|
|
|
|
|
|
=head1 NAME |
119
|
|
|
|
|
|
|
|
120
|
|
|
|
|
|
|
Plack::Middleware::Auth::JWT - Token-based Auth (aka Bearer Token) using JSON Web Tokens (JWT) |
121
|
|
|
|
|
|
|
|
122
|
|
|
|
|
|
|
=head1 VERSION |
123
|
|
|
|
|
|
|
|
124
|
|
|
|
|
|
|
version 0.905 |
125
|
|
|
|
|
|
|
|
126
|
|
|
|
|
|
|
=head1 SYNOPSIS |
127
|
|
|
|
|
|
|
|
128
|
|
|
|
|
|
|
# use Crypt::JWT to decode the JWT |
129
|
|
|
|
|
|
|
use Plack::Builder; |
130
|
|
|
|
|
|
|
builder { |
131
|
|
|
|
|
|
|
enable "Plack::Middleware::Auth::JWT", |
132
|
|
|
|
|
|
|
decode_args => { key => '12345' }, |
133
|
|
|
|
|
|
|
; |
134
|
|
|
|
|
|
|
$app; |
135
|
|
|
|
|
|
|
}; |
136
|
|
|
|
|
|
|
|
137
|
|
|
|
|
|
|
# or provide your own decoder in a callback |
138
|
|
|
|
|
|
|
use Plack::Builder; |
139
|
|
|
|
|
|
|
builder { |
140
|
|
|
|
|
|
|
enable "Plack::Middleware::Auth::JWT", |
141
|
|
|
|
|
|
|
decode_callback => sub { |
142
|
|
|
|
|
|
|
my $token = shift; |
143
|
|
|
|
|
|
|
.... |
144
|
|
|
|
|
|
|
}, |
145
|
|
|
|
|
|
|
; |
146
|
|
|
|
|
|
|
$app; |
147
|
|
|
|
|
|
|
}; |
148
|
|
|
|
|
|
|
|
149
|
|
|
|
|
|
|
|
150
|
|
|
|
|
|
|
# curl -H 'Authorization: Bearer eyJhbG...' |
151
|
|
|
|
|
|
|
# if the JWT is valid, two keys will be added to $env->{psgix} |
152
|
|
|
|
|
|
|
# $env->{'psgix.token'} = 'original_token' |
153
|
|
|
|
|
|
|
# $env->{'psgix.claims'} = { sub => 'bart' } # claims as hashref |
154
|
|
|
|
|
|
|
|
155
|
|
|
|
|
|
|
=head1 DESCRIPTION |
156
|
|
|
|
|
|
|
|
157
|
|
|
|
|
|
|
C<Plack::Middleware::Auth::JWT> helps you to use L<JSON Web |
158
|
|
|
|
|
|
|
Tokens|https://en.wikipedia.org/wiki/JSON_Web_Token> (or JWT) for |
159
|
|
|
|
|
|
|
authentificating HTTP requests. Tokens can be provided in the |
160
|
|
|
|
|
|
|
C<Authorization> HTTP Header, or as a query parameter (though passing |
161
|
|
|
|
|
|
|
the JWT via the header is the prefered method). |
162
|
|
|
|
|
|
|
|
163
|
|
|
|
|
|
|
=head2 Configuration |
164
|
|
|
|
|
|
|
|
165
|
|
|
|
|
|
|
TODO |
166
|
|
|
|
|
|
|
|
167
|
|
|
|
|
|
|
=head3 decode_args |
168
|
|
|
|
|
|
|
|
169
|
|
|
|
|
|
|
See L<Crypt::JWT/decode_jwt> |
170
|
|
|
|
|
|
|
|
171
|
|
|
|
|
|
|
Please note that C<key> might has to be passed as a string-ref or an object, see L<Crypt::JWT> |
172
|
|
|
|
|
|
|
|
173
|
|
|
|
|
|
|
It is B<very much recommended> that you only allow the algorithms you are actually using by setting C<accepted_alg>! Per default, 'none' is B<not> allowed. |
174
|
|
|
|
|
|
|
|
175
|
|
|
|
|
|
|
Hardcoded: |
176
|
|
|
|
|
|
|
|
177
|
|
|
|
|
|
|
decode_payload = 1 |
178
|
|
|
|
|
|
|
decode_header = 0 |
179
|
|
|
|
|
|
|
|
180
|
|
|
|
|
|
|
Different defaults: |
181
|
|
|
|
|
|
|
|
182
|
|
|
|
|
|
|
verify_exp = 1 |
183
|
|
|
|
|
|
|
leeway = 5 |
184
|
|
|
|
|
|
|
|
185
|
|
|
|
|
|
|
You either have to use C<decode_args>, or provide a L<decode_callback>. |
186
|
|
|
|
|
|
|
|
187
|
|
|
|
|
|
|
=head3 decode_callback |
188
|
|
|
|
|
|
|
|
189
|
|
|
|
|
|
|
Callback to decode the token. Gets the token as a string and the psgi-env, has to return a hashref with claims. |
190
|
|
|
|
|
|
|
|
191
|
|
|
|
|
|
|
You have to either provide a callback, or use L<decode_args>. |
192
|
|
|
|
|
|
|
|
193
|
|
|
|
|
|
|
=head3 psgix_claims |
194
|
|
|
|
|
|
|
|
195
|
|
|
|
|
|
|
Default: C<claims> |
196
|
|
|
|
|
|
|
|
197
|
|
|
|
|
|
|
Name of the entry in C<psgix> were the claims are stored, so you can get the (for example) C<sub> claim via |
198
|
|
|
|
|
|
|
|
199
|
|
|
|
|
|
|
$env->{'psgix.claims'}->{sub} |
200
|
|
|
|
|
|
|
|
201
|
|
|
|
|
|
|
=head3 psgix_token |
202
|
|
|
|
|
|
|
|
203
|
|
|
|
|
|
|
Default: C<token> |
204
|
|
|
|
|
|
|
|
205
|
|
|
|
|
|
|
Name of the entry in C<psgix> were the raw token is stored. |
206
|
|
|
|
|
|
|
|
207
|
|
|
|
|
|
|
=head3 token_required |
208
|
|
|
|
|
|
|
|
209
|
|
|
|
|
|
|
Default: C<false> |
210
|
|
|
|
|
|
|
|
211
|
|
|
|
|
|
|
If set to a true value, all requests need to include a valid JWT. Default false, so you have to check in your application code if a token was submitted. |
212
|
|
|
|
|
|
|
|
213
|
|
|
|
|
|
|
=head3 ignore_invalid_token |
214
|
|
|
|
|
|
|
|
215
|
|
|
|
|
|
|
Default: C<false> |
216
|
|
|
|
|
|
|
|
217
|
|
|
|
|
|
|
If set to a true value, passing an invalid JWT will not abort the |
218
|
|
|
|
|
|
|
requerst with status 401. Instead the app will be called as if no |
219
|
|
|
|
|
|
|
token was passed at all. |
220
|
|
|
|
|
|
|
|
221
|
|
|
|
|
|
|
You can use this to implement another token check in a later |
222
|
|
|
|
|
|
|
middleware, or even in your app. Of course you will then have to check |
223
|
|
|
|
|
|
|
for C<< $env->{psgix.token} >> in your controller actions. |
224
|
|
|
|
|
|
|
|
225
|
|
|
|
|
|
|
=head3 token_header_name |
226
|
|
|
|
|
|
|
|
227
|
|
|
|
|
|
|
Default: C<Bearer> |
228
|
|
|
|
|
|
|
|
229
|
|
|
|
|
|
|
Name of the token in the HTTP C<Authorization> header. If you set it to C<0>, headers will be ignored. |
230
|
|
|
|
|
|
|
|
231
|
|
|
|
|
|
|
=head3 token_query_name |
232
|
|
|
|
|
|
|
|
233
|
|
|
|
|
|
|
Default: C<token> |
234
|
|
|
|
|
|
|
|
235
|
|
|
|
|
|
|
Name of the HTTP query param that contains the token. If you set it to C<0>, tokens in the query will be ignored. |
236
|
|
|
|
|
|
|
|
237
|
|
|
|
|
|
|
=head2 Example |
238
|
|
|
|
|
|
|
|
239
|
|
|
|
|
|
|
TODO, in the meantime you can take a look at the tests. |
240
|
|
|
|
|
|
|
|
241
|
|
|
|
|
|
|
=head1 SEE ALSO |
242
|
|
|
|
|
|
|
|
243
|
|
|
|
|
|
|
=over |
244
|
|
|
|
|
|
|
|
245
|
|
|
|
|
|
|
=item * L<Cryp::JWT|https://metacpan.org/pod/Crypt::JWT> - encode / decode JWTs using various algorithms. Very complete! |
246
|
|
|
|
|
|
|
|
247
|
|
|
|
|
|
|
=item * L<Introduction to JSON Web Tokens|https://jwt.io/introduction> - good overview. |
248
|
|
|
|
|
|
|
|
249
|
|
|
|
|
|
|
=item * L<Plack::Middleware::Auth::AccessToken|https://metacpan.org/pod/Plack::Middleware::Auth::AccessToken> - a more generic solution handling any kind of token. Does not handle token payload (C<claims>). |
250
|
|
|
|
|
|
|
|
251
|
|
|
|
|
|
|
=back |
252
|
|
|
|
|
|
|
|
253
|
|
|
|
|
|
|
=head1 THANKS |
254
|
|
|
|
|
|
|
|
255
|
|
|
|
|
|
|
Thanks to |
256
|
|
|
|
|
|
|
|
257
|
|
|
|
|
|
|
=over |
258
|
|
|
|
|
|
|
|
259
|
|
|
|
|
|
|
=item * |
260
|
|
|
|
|
|
|
|
261
|
|
|
|
|
|
|
L<validad.com|https://www.validad.com/> for supporting Open Source. |
262
|
|
|
|
|
|
|
|
263
|
|
|
|
|
|
|
=item * L<jwright|https://github.com/jwrightecs> for fixing a |
264
|
|
|
|
|
|
|
regression in the tests caused by an update in L<Crypt::JWT> error |
265
|
|
|
|
|
|
|
messages. The same issue was also reported by SREZIC. |
266
|
|
|
|
|
|
|
|
267
|
|
|
|
|
|
|
=back |
268
|
|
|
|
|
|
|
|
269
|
|
|
|
|
|
|
=head1 AUTHOR |
270
|
|
|
|
|
|
|
|
271
|
|
|
|
|
|
|
Thomas Klausner <domm@plix.at> |
272
|
|
|
|
|
|
|
|
273
|
|
|
|
|
|
|
=head1 COPYRIGHT AND LICENSE |
274
|
|
|
|
|
|
|
|
275
|
|
|
|
|
|
|
This software is copyright (c) 2017 - 2021 by Thomas Klausner. |
276
|
|
|
|
|
|
|
|
277
|
|
|
|
|
|
|
This is free software; you can redistribute it and/or modify it under |
278
|
|
|
|
|
|
|
the same terms as the Perl 5 programming language system itself. |
279
|
|
|
|
|
|
|
|
280
|
|
|
|
|
|
|
=cut |