Use JWT secret for JWT, operator secret for JWS

biilmann · biilmann · commit 4c7c5423848c · 2017-09-02T16:46:56.000-07:00
diff --git a/api/auth.go b/api/auth.go
@@ -35,9 +35,10 @@ func (a *API) extractBearerToken(w http.ResponseWriter, r *http.Request) (string
 }
 
 func (a *API) parseJWTClaims(bearer string, r *http.Request) (context.Context, error) {
+	config := getConfig(r.Context())
 	p := jwt.Parser{ValidMethods: []string{jwt.SigningMethodHS256.Name}}
 	token, err := p.ParseWithClaims(bearer, &GatewayClaims{}, func(token *jwt.Token) (interface{}, error) {
-		return []byte(a.config.OperatorToken), nil
+		return []byte(config.JWT.Secret), nil
 	})
 	if err != nil {
 		return nil, unauthorizedError("Invalid token: %v", err)
diff --git a/api/middleware.go b/api/middleware.go
@@ -5,7 +5,6 @@ import (
 	"net/http"
 
 	"github.com/dgrijalva/jwt-go"
-	"github.com/netlify/git-gateway/conf"
 	"github.com/netlify/git-gateway/models"
 )
 
@@ -31,41 +30,39 @@ func (a *API) loadJWSSignatureHeader(w http.ResponseWriter, r *http.Request) (co
 
 func (a *API) loadInstanceConfig(w http.ResponseWriter, r *http.Request) (context.Context, error) {
 	ctx := r.Context()
+
 	signature := getSignature(ctx)
 	if signature == "" {
 		return nil, badRequestError("Operator signature missing")
 	}
 
-	var config *conf.Configuration
-	var instanceID string
-
 	claims := NetlifyMicroserviceClaims{}
 	p := jwt.Parser{ValidMethods: []string{jwt.SigningMethodHS256.Name}}
 	_, err := p.ParseWithClaims(signature, &claims, func(token *jwt.Token) (interface{}, error) {
-		instanceID = claims.InstanceID
-		if instanceID == "" {
-			return nil, badRequestError("Instance ID is missing")
-		}
+		return []byte(a.config.OperatorToken), nil
+	})
+	if err != nil {
+		return nil, badRequestError("Operator microservice signature is invalid: %v", err)
+	}
 
-		logEntrySetField(r, "instance_id", instanceID)
-		logEntrySetField(r, "netlify_id", claims.NetlifyID)
-		instance, err := a.db.GetInstance(instanceID)
-		if err != nil {
-			if models.IsNotFoundError(err) {
-				return nil, notFoundError("Unable to locate site configuration")
-			}
-			return nil, internalServerError("Database error loading instance").WithInternalError(err)
-		}
+	instanceID := claims.InstanceID
+	if instanceID == "" {
+		return nil, badRequestError("Instance ID is missing")
+	}
 
-		config, err = instance.Config()
-		if err != nil {
-			return nil, internalServerError("Error loading environment config").WithInternalError(err)
+	logEntrySetField(r, "instance_id", instanceID)
+	logEntrySetField(r, "netlify_id", claims.NetlifyID)
+	instance, err := a.db.GetInstance(instanceID)
+	if err != nil {
+		if models.IsNotFoundError(err) {
+			return nil, notFoundError("Unable to locate site configuration")
 		}
+		return nil, internalServerError("Database error loading instance").WithInternalError(err)
+	}
 
-		return []byte(config.JWT.Secret), nil
-	})
+	config, err := instance.Config()
 	if err != nil {
-		return nil, badRequestError("Operator microservice signature is invalid: %v", err)
+		return nil, internalServerError("Error loading environment config").WithInternalError(err)
 	}
 
 	ctx = withNetlifyID(ctx, claims.NetlifyID)
