spacewander commented on a change in pull request #2594:
URL: https://github.com/apache/apisix/pull/2594#discussion_r517825670
##########
File path: apisix/plugins/jwt-auth.lua
##########
@@ -200,6 +211,51 @@ function _M.rewrite(conf, ctx)
end
+local function sign_jwt_with_HS(key, auth_conf)
+ local auth_secret = get_secret(auth_conf)
+ local jwt_token = jwt:sign(
+ auth_secret,
+ {
+ header = {
+ typ = "JWT",
+ alg = auth_conf.algorithm
+ },
+ payload = {
+ key = key,
+ exp = ngx_time() + auth_conf.exp
+ }
+ }
+ )
+ return jwt_token
+end
+
+
+local function sign_jwt_with_RS256(key, auth_conf)
+ local ok, jwt_token = pcall(jwt.sign, _M,
+ auth_conf.private_key,
+ {
+ header = {
+ typ = "JWT",
+ alg = auth_conf.algorithm,
+ x5c={
+ auth_conf.public_key,
+ }
+ },
+ payload = {
+ key = key,
+ exp = ngx_time() + auth_conf.exp
+ }
+ }
+ )
+ if not ok then
+ core.log.warn("failed to sign jwt, " ..
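Review bot: `pcall(jwt.sign, _M, ...)` in `sign_jwt_with_RS256` passes the plugin's own module table `_M` as the method receiver, whereas the HS helper above it calls `jwt:sign(...)`, so `self` inside the library's `sign` is the wrong object; the call should be `pcall(jwt.sign, jwt, auth_conf.private_key, { ... })`. The two helpers also disagree on failure handling: the HS variant lets any error from `jwt:sign` propagate as a Lua error, while the RS256 variant catches it and only logs a warning, so a bad base64 HS secret and a bad RSA key reach the caller through different paths; wrapping both in `pcall` and returning `nil, err` from each would let `gen_token` handle them uniformly. Both helpers and the `if not ok` branch continue past the end of the quoted hunk.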
Review comment:
Use `,` instead of `..` to separate the log.
##########
File path: apisix/plugins/jwt-auth.lua
##########
@@ -200,6 +211,51 @@ function _M.rewrite(conf, ctx)
end
+local function sign_jwt_with_HS(key, auth_conf)
+ local auth_secret = get_secret(auth_conf)
+ local jwt_token = jwt:sign(
+ auth_secret,
+ {
+ header = {
+ typ = "JWT",
+ alg = auth_conf.algorithm
+ },
+ payload = {
+ key = key,
+ exp = ngx_time() + auth_conf.exp
+ }
+ }
+ )
+ return jwt_token
+end
+
+
+local function sign_jwt_with_RS256(key, auth_conf)
+ local ok, jwt_token = pcall(jwt.sign, _M,
+ auth_conf.private_key,
+ {
+ header = {
+ typ = "JWT",
+ alg = auth_conf.algorithm,
+ x5c={
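Review bot: The `x5c` header entry being built here is populated with `auth_conf.public_key`, but `x5c` (RFC 7515 §4.1.6) is defined as an array of base64-encoded DER X.509 certificates, not a PEM public key, so any consumer of the token that honours `x5c` will fail to parse it. More importantly, a verifier that trusts a key carried in the token header is verifying the signature with whatever key the sender chose; unless the plugin's verification path (not in this hunk) deliberately ignores `x5c`, it is safer to drop the entry and keep the public key purely in consumer configuration, using a `kid` naming the consumer if a key hint is wanted. The function continues past the end of the hunk.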
Review comment:
Need spaces around `=`
##########
File path: apisix/plugins/jwt-auth.lua
##########
@@ -186,9 +189,17 @@ function _M.rewrite(conf, ctx)
end
core.log.info("consumer: ", core.json.delay_encode(consumer))
- local auth_secret = get_secret(consumer.auth_conf)
- jwt_obj = jwt:verify_jwt_obj(auth_secret, jwt_obj)
+ if not consumer.auth_conf.algorithm or consumer.auth_conf.algorithm ==
"HS256"
+ or consumer.auth_conf.algorithm == "HS512" then
+ local auth_secret = get_secret(consumer.auth_conf)
+ jwt_obj = jwt:verify_jwt_obj(auth_secret, jwt_obj)
+ end
+
+ if consumer.auth_conf.algorithm == "RS256" then
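Review bot: The branches select the HMAC secret or the RSA key from the consumer's configured `algorithm`, but nothing in the hunk checks that the token's own `alg` header agrees with it; if the jwt library dispatches on the header `alg` (lua-resty-jwt does unless an alg whitelist is configured), a consumer set up for `RS256` could be handed an `HS256` token HMAC-signed with the public key — the classic key-confusion downgrade. Assuming `jwt_obj` is the parsed object from `jwt:load_jwt`, a guard before either verify call closes this: `local alg = consumer.auth_conf.algorithm or "HS256"` followed by `if jwt_obj.header.alg ~= alg then return 401, {message = "algorithm mismatch"} end`, using whatever failure response `rewrite` already returns for a bad signature. Whether the library already pins the algorithm cannot be confirmed from this hunk, and both `rewrite` and the `RS256` branch continue beyond it.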
Review comment:
Better to use `elseif`?
##########
File path: doc/zh-cn/plugins/jwt-auth.md
##########
@@ -38,13 +39,15 @@
## 属性
-| 名称 | 类型 | 必选项 | 默认值 | 有效值
| 描述
|
-| ------------- | ------- | ------ | ------- |
--------------------------------------------- |
-------------------------------------------------------------------------------------------------------------
|
-| key | string | 必须 | |
| 不同的 `consumer` 对象应有不同的值,它应当是唯一的。不同 consumer 使用了相同的 `key`
,将会出现请求匹配异常。 |
-| secret | string | 可选 | |
| 加密秘钥。如果您未指定,后台将会自动帮您生成。
|
-| algorithm | string | 可选 | "HS256" | ["HS256", "HS512", "RS256"] |
加密算法
|
-| exp | integer | 可选 | 86400 | [1,...]
| token 的超时时间
|
-| base64_secret | boolean | 可选 | false |
| 密钥是否为 base64 编码
|
+| 名称 | 类型 | 必选项 | 默认值 | 有效值 | 描述
|
+|:--------------|:--------|:------|:--------|:----------------------------|:-----------------------------------------------------------------------------------------------|
+| key | string | 必须 | | | 不同的
`consumer` 对象应有不同的值,它应当是唯一的。不同 consumer 使用了相同的 `key` ,将会出现请求匹配异常。 |
+| secret | string | 可选 | | |
加密秘钥。如果您未指定,后台将会自动帮您生成。
|
+| public_key | string | 可选 | | |
RSA公钥, `algorithm` 属性选择 `RS256` 算法时必填
|
Review comment:
We need to check this in the `check_schema` method.
##########
File path: apisix/plugins/jwt-auth.lua
##########
@@ -224,22 +280,18 @@ local function gen_token()
core.log.info("consumer: ", core.json.delay_encode(consumer))
- local auth_secret = get_secret(consumer.auth_conf)
- local jwt_token = jwt:sign(
- auth_secret,
- {
- header = {
- typ = "JWT",
- alg = consumer.auth_conf.algorithm
- },
- payload = {
- key = key,
- exp = ngx_time() + consumer.auth_conf.exp
- }
- }
- )
+ if not consumer.auth_conf.algorithm or consumer.auth_conf.algorithm ==
"HS256"
+ or consumer.auth_conf.algorithm == "HS512" then
+ local jwt_token = sign_jwt_with_HS(key,consumer.auth_conf)
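Review bot: The three-way `not algorithm or == "HS256" or == "HS512"` test is a copy of the one in the verification path of `rewrite`, and wrapped over two lines it is hard to read; a small file-level helper such as `local function is_hs_alg(alg) return not alg or alg == "HS256" or alg == "HS512" end` used at both sites keeps the signing and verifying paths from drifting when another algorithm is added. `gen_token` starts before and continues after this hunk.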
Review comment:
Need a space after ','
##########
File path: apisix/plugins/jwt-auth.lua
##########
@@ -224,22 +280,18 @@ local function gen_token()
core.log.info("consumer: ", core.json.delay_encode(consumer))
- local auth_secret = get_secret(consumer.auth_conf)
- local jwt_token = jwt:sign(
- auth_secret,
- {
- header = {
- typ = "JWT",
- alg = consumer.auth_conf.algorithm
- },
- payload = {
- key = key,
- exp = ngx_time() + consumer.auth_conf.exp
- }
- }
- )
+ if not consumer.auth_conf.algorithm or consumer.auth_conf.algorithm ==
"HS256"
+ or consumer.auth_conf.algorithm == "HS512" then
+ local jwt_token = sign_jwt_with_HS(key,consumer.auth_conf)
+ core.response.exit(200, jwt_token)
+ end
+
+ if consumer.auth_conf.algorithm == "RS256" then
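Review bot: When `algorithm` matches neither the HS branch nor `RS256`, `gen_token` falls through both `if` blocks without reaching `core.response.exit`, so what the client receives depends on code after the hunk; if the schema enum guarantees that cannot happen, an explicit `else` that logs and exits with 500 documents the assumption, and if it can, it needs a real error response. Note also that `sign_jwt_with_HS` (quoted earlier in this thread) does not wrap `jwt:sign` in `pcall`, so a malformed HS secret raises out of `gen_token` instead of being logged the way the RS256 failure is. `gen_token` starts before and continues after this hunk.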
Review comment:
Better to use `elseif`. And we need to move the common code out of the
block.