From 398fd803caa725ac635e4ebab79688cd3f64d7c9 Mon Sep 17 00:00:00 2001
From: Subreptivus
Date: Mon, 5 Apr 2021 10:39:56 +0300
Subject: [PATCH 1/3] Show injected headers in 'info' log level
---
 src/header/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/header/index.js b/src/header/index.js
index 610da8b..efb1d7e 100644
--- a/src/header/index.js
+++ b/src/header/index.js
@@ -115,7 +115,7 @@ class HeaderInjector {
 if (value === undefined) {
 value = "";
 }
- logger.debug("injecting header: %s with value: %s", headerName, value);
+ logger.info("injecting header: %s with value: %s", headerName, value);
 res.setHeader(headerName, value);
 }
 }
From 06b1d5ad06f1d51bf7713c459926b455c527e2cd Mon Sep 17 00:00:00 2001
From: Subreptivus
Date: Sun, 17 Oct 2021 13:00:48 +0300
Subject: [PATCH 2/3] Prefer X headers for verify param and port
---
 src/server.js | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/server.js b/src/server.js
index a55ea1c..65c0509 100644
--- a/src/server.js
+++ b/src/server.js
@@ -706,8 +706,11 @@ grpcServer.addService(
 req.headers = call.request.attributes.request.http.headers; // headers from parent
 req.body = call.request.attributes.request.http.body; // body from parent
 //req.query.redirect_http_code? really only exists to workaround nginx shortcomings, likely not needed here
- req.headers["x-eas-verify-params"] =
+ // prefer x-eas-verify-params header from context_extensions if available
+ if (call.request.attributes.context_extensions["x-eas-verify-params"]) {
+ req.headers["x-eas-verify-params"] =
 call.request.attributes.context_extensions["x-eas-verify-params"];
+ }
 
 let destination_port = "";
 let scheme;
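Review bot: `logger.info(...)` now writes each injected header value verbatim at the default log level, so if any injected header carries a credential (Authorization, Cookie or a bearer token) it will land in production logs and in whatever aggregation sits downstream. Keep the value at debug and raise only the name to info: `logger.info("injecting header: %s", headerName);` followed by `logger.debug("injecting header: %s with value: %s", headerName, value);`. The enclosing HeaderInjector method starts outside the hunk.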
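Review bot: When `context_extensions` carries no `x-eas-verify-params` entry the new guard leaves `req.headers["x-eas-verify-params"]` as whatever the incoming request supplied (the context lines show `req.headers` is copied from the parent request), whereas before this hunk the value was always overwritten from the ext_authz context; unless the edge proxy strips that header, the verify parameters become caller-controlled. The guard also throws a TypeError when `context_extensions` itself is absent. Consider `const verifyParams = _.get(call.request.attributes.context_extensions, "x-eas-verify-params");` and, if the fallback to the request header is intentional, a comment stating that the request header is trusted at this point; note that the third patch in this series deletes this block again. The enclosing service handler starts and ends outside the hunk.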
@@ -735,7 +738,10 @@ grpcServer.addService(
 if (!call.request.attributes.request.http.host.includes(":")) {
 switch (scheme) {
 case "http":
- if (
+ // prefer x-forwarded-port if available
+ if (req.headers["x-forwarded-port"] && req.headers["x-forwarded-port"] !== 80) {
+ destination_port = `:${req.headers["x-forwarded-port"]}`;
+ } else if (
 call.request.attributes.destination.address.socket_address
 .port_value !== 80
 ) {
@@ -743,7 +749,9 @@ grpcServer.addService(
 }
 break;
 case "https":
- if (
+ if (req.headers["x-forwarded-port"] && req.headers["x-forwarded-port"] !== 443) {
+ destination_port = `:${req.headers["x-forwarded-port"]}`;
+ } else if (
 call.request.attributes.destination.address.socket_address
 .port_value !== 443
 ) {
From 70b266382a09cdca6f8e3dbd8d9ede38db67f281 Mon Sep 17 00:00:00 2001
From: Yurii Komar
Date: Thu, 14 Sep 2023 12:40:40 +0300
Subject: [PATCH 3/3] Fix stringify token issue
---
 src/config_token_store/adapter/env/index.js | 2 +-
 src/config_token_store/adapter/file/index.js | 2 +-
 src/server.js | 64 ++++++++++----------
 src/utils.js | 6 +-
 4 files changed, 37 insertions(+), 37 deletions(-)
diff --git a/src/config_token_store/adapter/env/index.js b/src/config_token_store/adapter/env/index.js
index 43953e7..0f85507 100644
--- a/src/config_token_store/adapter/env/index.js
+++ b/src/config_token_store/adapter/env/index.js
@@ -27,7 +27,7 @@ class EnvConfigTokenStoreAdapter extends BaseConfigTokenStoreAdapter {
 
 let token;
 token = data[id];
- return JSON.stringify(token);
+ return typeof token !== "string" ? JSON.stringify(token) : token;
 } catch (e) {
 throw e;
 }
diff --git a/src/config_token_store/adapter/file/index.js b/src/config_token_store/adapter/file/index.js
index e166811..e7846d1 100644
--- a/src/config_token_store/adapter/file/index.js
+++ b/src/config_token_store/adapter/file/index.js
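Review bot: `req.headers["x-forwarded-port"] !== 80` compares a header string with a number, so it is always true and a forwarded port of `"80"` still produces `destination_port = ":80"`; the `443` check in the `case "https":` hunk below has the same problem. Beyond the type mismatch, the header is read from `req.headers`, which the earlier hunk shows is copied from the incoming request, so a client can pick the port that ends up in `destination_port` unless the proxy overwrites the header; the last commit in this series comments this source out as untrusted. If the header is kept, parse and validate it once, `const fwdPort = Number.parseInt(req.headers["x-forwarded-port"], 10);`, accept it only when `Number.isInteger(fwdPort) && fwdPort > 0 && fwdPort < 65536`, and compare `fwdPort !== 80` / `fwdPort !== 443`. The switch sits inside a handler that starts and ends outside the hunk.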
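Review bot: `typeof token !== "string" ? JSON.stringify(token) : token` still turns an unknown id into `undefined`, because `JSON.stringify(undefined)` returns `undefined` rather than a string, so a missing token is only noticed when a caller later fails to parse it; the file adapter hunk in the next file has the same shape. If callers do not rely on `undefined`, an explicit check before the return, `if (token === undefined) { throw new Error("config token not found"); }`, makes the failure visible where it happens. The surrounding `catch (e) { throw e; }` adds nothing and could be dropped together with the `try`. The enclosing method starts outside the hunk.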
@@ -28,7 +28,7 @@ class FileConfigTokenStoreAdapter extends BaseConfigTokenStoreAdapter {
 
 let token;
 token = data[id];
- return JSON.stringify(token);
+ return typeof token !== "string" ? JSON.stringify(token) : token;
 } catch (e) {
 throw e;
 }
diff --git a/src/server.js b/src/server.js
index a6e2c33..ee5b43f 100644
--- a/src/server.js
+++ b/src/server.js
@@ -736,11 +736,6 @@ grpcServer.addService(
 req.headers = call.request.attributes.request.http.headers; // headers from parent
 req.body = call.request.attributes.request.http.body; // body from parent
 //req.query.redirect_http_code? really only exists to workaround nginx shortcomings, likely not needed here
- // prefer x-eas-verify-params header from context_extensions if available
- if (call.request.attributes.context_extensions["x-eas-verify-params"]) {
- req.headers["x-eas-verify-params"] =
- call.request.attributes.context_extensions["x-eas-verify-params"];
- }
 
 // c-based grpc metadata is present at this attribute
 let metadata = _.get(call, "metadata._internal_repr");
@@ -836,33 +831,38 @@ grpcServer.addService(
 throw new Error("unknown request scheme");
 }
 
- // only detect port if not present in the host
- if (!call.request.attributes.request.http.host.includes(":")) {
- switch (scheme) {
- case "http":
- // prefer x-forwarded-port if available
- if (req.headers["x-forwarded-port"] && req.headers["x-forwarded-port"] !== 80) {
- destination_port = `:${req.headers["x-forwarded-port"]}`;
- } else if (
- call.request.attributes.destination.address.socket_address
- .port_value !== 80
- ) {
- destination_port = `:${call.request.attributes.destination.address.socket_address.port_value}`;
- }
- break;
- case "https":
- if (req.headers["x-forwarded-port"] && req.headers["x-forwarded-port"] !== 443) {
- destination_port = `:${req.headers["x-forwarded-port"]}`;
- } else if (
- call.request.attributes.destination.address.socket_address
- .port_value !== 443
- ) {
- destination_port = `:${call.request.attributes.destination.address.socket_address.port_value}`;
- }
- break;
- default:
- throw new Error("unknown request scheme");
- break;
+ if (host.includes(":")) {
+ host = host.split(":", 1)[0];
+ }
+
+ // header
+ // by default this CANNOT be trusted
+ //if (!port) {
+ // port = _.get(req.headers, "x-forwarded-port");
+ //}
+
+ // filter_metadata
+ if (!port) {
+ port = getFilterMetadataValue(filter_metadata, "x-forwarded-port");
+ }
+
+ // initial_metadata
+ if (!port) {
+ port = _.last(_.get(metadata, "x-forwarded-port"));
+ }
+
+ // context
+ if (!port) {
+ port = _.get(
+ call.request.attributes.context_extensions,
+ "x-forwarded-port"
+ );
+ }
+
+ // request host
+ if (!port) {
+ if (call.request.attributes.request.http.host.includes(":")) {
+ port = call.request.attributes.request.http.host.split(":", 2)[1];
 }
 }
 
diff --git a/src/utils.js b/src/utils.js
index ab62e1b..f53aa8a 100644
--- a/src/utils.js
+++ b/src/utils.js
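Review bot: `host.split(":", 1)[0]` and `call.request.attributes.request.http.host.split(":", 2)[1]` assume a single colon, so a bracketed IPv6 literal such as `[::1]:8080` is reduced to `[` and yields `:1]:8080` as the port; the host is also parsed twice, once via `host` and once via the request attribute, which I assume hold the same value — please confirm. None of the `port` candidates (filter metadata, initial metadata, context extensions, Host header) is checked to be numeric inside the hunk, so a value such as `8080/path` would presumably be used as-is wherever `port` is consumed after the hunk. Parsing the host once with a pattern that keeps bracketed addresses intact, and validating `port` against `/^\d{1,5}$/` after the lookups, covers both; the sketch below keeps the existing lookup order. `host`, `port`, `metadata`, `filter_metadata` and `getFilterMetadataValue` are declared outside the hunk, and the handler continues after it.
```javascript
    // split "host[:port]" once; a bracketed IPv6 literal ("[::1]:8080") keeps its brackets
    const hostPortMatch = /^(\[[^\]]+\]|[^:]+)(?::(\d{1,5}))?$/.exec(host);
    if (hostPortMatch) {
      host = hostPortMatch[1];
    }

    // … unchanged: header comment, filter_metadata, initial_metadata and context lookups …

    // request host
    if (!port && hostPortMatch && hostPortMatch[2]) {
      port = hostPortMatch[2];
    }

    // accept only a numeric port from any of the sources above
    if (port && !/^\d{1,5}$/.test(String(port))) {
      throw new Error("invalid forwarded port value");
    }
```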
@@ -126,11 +126,11 @@ function generate_csrf_id() {
 function toBoolean(input) {
 //return !!(dataStr?.toLowerCase?.() === 'true' || dataStr === true || Number.parseInt(dataStr, 10) === 0);
 //return !!(dataStr?.toLowerCase?.() === 'true' || dataStr === true);
-
+
 if (typeof input == "undefined" || input === null) {
 return false;
 }
-
+
 if (typeof input == "boolean") {
 return input;
 }
@@ -158,7 +158,7 @@ function toBoolean(input) {
 
 function is_jwt(jwtString) {
 const re = new RegExp(
- /^[A-Za-z0-9-_=]+\.[A-Za-z0-9-_=]+\.?[A-Za-z0-9-_.+/=]*$/
+ /^[a-zA-Z0-9\-_]+?\.[a-zA-Z0-9\-_]+?\.([a-zA-Z0-9\-_]+)?$/
 );
 return re.test(jwtString);
 }
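Review bot: The lazy `+?` quantifiers in the new pattern add nothing once the expression is anchored with `^…$`, `([a-zA-Z0-9\-_]+)?` is just `[a-zA-Z0-9_-]*`, and the `new RegExp(/…/)` wrapper around a literal is redundant; `const re = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;` accepts exactly the same inputs and reads as the three base64url segments it checks. Two behaviour changes deserve a comment in the function: `=` padding is no longer accepted in any segment, and an empty third segment (`header.payload.`) still matches, so `is_jwt` remains a shape check and a caller must not treat a match as evidence of a signature. Suggested comment above the regex: `// shape check only: three base64url segments, the signature may be empty; this does not validate the token`. The whitespace-only hunk in toBoolean above needs no change.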