You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
After an authenticated user has logged out, a malicious user can continue accessing his account if the malicious user gets his jwt token. To do so, instead of passing the jwt token in the HTTP header, the malicious user can just pass the token as a query argument "access_token".
request.OAuth2Extractor would retrieve jwt token from either HTTP header or "access_token" argument therefore a previously logged out token will be still validated. authBackend.IsInBlacklist() wouldn't block the access because req.Header.Get("Authorization") doesn't have the token.
After an authenticated user has logged out, a malicious user can continue accessing his account if the malicious user gets his jwt token. To do so, instead of passing the jwt token in the HTTP header, the malicious user can just pass the token as a query argument "access_token".
request.OAuth2Extractor would retrieve jwt token from either HTTP header or "access_token" argument therefore a previously logged out token will be still validated. authBackend.IsInBlacklist() wouldn't block the access because req.Header.Get("Authorization") doesn't have the token.
func RequireTokenAuthentication(rw http.ResponseWriter, req *http.Request, next http.HandlerFunc) {
authBackend := InitJWTAuthenticationBackend()
** token, err := request.ParseFromRequest(req, request.OAuth2Extractor, func(token *jwt.Token) (interface{}, error) { **
if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
} else {
return authBackend.PublicKey, nil
}
})
** if err == nil && token.Valid && !authBackend.**IsInBlacklist(req.Header.Get("Authorization")) { **
next(rw, req)
} else {
rw.WriteHeader(http.StatusUnauthorized)
}
}
The text was updated successfully, but these errors were encountered: