#resolve

lmajano · lmajano · commit 51dfe310f9cf · 2020-02-12T12:07:42.000-06:00
* `Feature` : New setting for `jwt` struct: `issuer`, you can now set the issuer of tokens string or if not set, then cbSecurity will use the home page URI as the issuer of authority string.
* `Feature` : All tokens will be validated that the same `iss` (Issuer) has granted the token
diff --git a/ModuleConfig.cfc b/ModuleConfig.cfc
@@ -69,6 +69,8 @@ component {
 			"enableSecurityVisualizer"		: false,
 			// JWT Settings
 			"jwt"                     		: {
+				// The issuer authority for the tokens, placed in the `iss` claim
+				"issuer"				  : "",
 				// The jwt secret encoding key to use
 				"secretKey"               : getSystemSetting( "JWT_SECRET", "" ),
 				// by default it uses the authorization bearer header, but you can also pass a custom one as well or as an rc variable.
diff --git a/changelog.md b/changelog.md
@@ -14,6 +14,8 @@
   * ES512
 * `Feature` : Added a new convenience method on the JWT Service: `isTokenInStorage( token )` to verify if a token still exists in the token storage
 * `Feature` : If no jwt secret is given in the settings, we will dynamically generate one that will last for the duration of the application scope.
+* `Feature` : New setting for `jwt` struct: `issuer`, you can now set the issuer of tokens string or if not set, then cbSecurity will use the home page URI as the issuer of authority string.
+* `Feature` : All tokens will be validated that the same `iss` (Issuer) has granted the token
 * `Improve` : Ability to have defaults for all JWT settings instead of always typing them in the configs
 * `Improve` : More cfformating goodness!
 * `Bug` : Invalidation of tokens was not happening due to not using the actual key for the storage
diff --git a/models/jwt/JwtService.cfc b/models/jwt/JwtService.cfc
@@ -53,32 +53,32 @@ component accessors="true" singleton {
 
 	// Default Settings
 	variables.DEFAULT_SETTINGS = {
+		// The jwt token issuer claim -> iss
+		"issuer"              : "",
 		// The jwt secret encoding key
-		"secretKey"               : "",
+		"secretKey"           : "",
 		// The Custom header to inspect for tokens
-		"customAuthHeader"        : "x-auth-token",
+		"customAuthHeader"    : "x-auth-token",
 		// The expiration in minutes for the jwt tokens
-		"expiration"              : 60,
+		"expiration"          : 60,
 		// If true, enables refresh tokens, longer lived tokens (not implemented yet)
-		"enableRefreshTokens"     : false,
+		"enableRefreshTokens" : false,
 		// The default expiration for refresh tokens, defaults to 30 days
-		"refreshExpiration"       : 43200,
+		"refreshExpiration"   : 43200,
 		// encryption algorithm to use, valid algorithms are: HS256, HS384, and HS512
-		"algorithm"               : "HS512",
+		"algorithm"           : "HS512",
 		// Which claims neds to be present on the jwt token or `TokenInvalidException` upon verification and decoding
-		"requiredClaims"          : [] ,
+		"requiredClaims"      : [],
 		// The token storage settings
-		"tokenStorage"            : {
+		"tokenStorage"        : {
 			// enable or not, default is true
-			"enabled"       : true,
+			"enabled"    : true,
 			// A cache key prefix to use when storing the tokens
-			"keyPrefix"     : "cbjwt_",
+			"keyPrefix"  : "cbjwt_",
 			// The driver to use: db, cachebox or a WireBox ID
-			"driver"        : "cachebox",
+			"driver"     : "cachebox",
 			// Driver specific properties
-			"properties"    : {
-				"cacheName" : "default"
-			}
+			"properties" : { "cacheName" : "default" }
 		}
 	};
 
@@ -98,20 +98,32 @@ component accessors="true" singleton {
 	 */
 	function onDIComplete(){
 		// If no settings defined, use the defaults
-		if( !structKeyExists( variables.settings, "jwt" ) ){
+		if ( !structKeyExists( variables.settings, "jwt" ) ) {
 			variables.settings.jwt = variables.DEFAULT_SETTINGS;
 		}
 
 		// Incorporate defaults into incoming data
-		structAppend( variables.settings.jwt, variables.DEFAULT_SETTINGS, false );
-		structAppend( variables.settings.jwt.tokenStorage, variables.DEFAULT_SETTINGS.tokenStorage, false );
+		structAppend(
+			variables.settings.jwt,
+			variables.DEFAULT_SETTINGS,
+			false
+		);
+		structAppend(
+			variables.settings.jwt.tokenStorage,
+			variables.DEFAULT_SETTINGS.tokenStorage,
+			false
+		);
 
 		// If no secret is defined, then let's create one dynamically
 		if ( isNull( variables.settings.jwt.secretKey ) || !len( variables.settings.jwt.secretKey ) ) {
 			variables.settings.jwt.secretKey = generateSecretKey( "blowfish", 448 );
 			variables.log.warn( "No jwt secret key setting found, automatically generating one" );
 		}
 
+		// Check if issuer is set, if not, default to the home page URI
+		if ( !len( variables.settings.jwt.issuer ) ) {
+			variables.settings.jwt.issuer = requestService.getContext().buildLink( "" );
+		}
 	}
 
 	/************************************************************************************/
@@ -170,11 +182,10 @@ component accessors="true" singleton {
 	 * @customClaims A struct of custom claims to add to the jwt token if successful.
 	 */
 	string function fromUser( required user, struct customClaims = {} ){
-		var event     = variables.requestService.getContext();
 		var timestamp = now();
 		var payload   = {
 			// Issuing authority
-			"iss" : event.getHTMLBaseURL(),
+			"iss" : variables.settings.jwt.issuer,
 			// Token creation
 			"iat" : toEpoch( timestamp ),
 			// The subject identifier
@@ -381,12 +392,7 @@ component accessors="true" singleton {
 
 
 		// Verify Expiration first
-		if (
-			dateCompare(
-				( isDate( decodedToken.exp ) ? decodedToken.exp : fromEpoch( decodedToken.exp ) ),
-				now()
-			) < 0
-		) {
+		if ( dateCompare( ( isDate( decodedToken.exp ) ? decodedToken.exp : fromEpoch( decodedToken.exp ) ), now() ) < 0 ) {
 			if ( variables.log.canWarn() ) {
 				variables.log.warn( "Token rejected, it has expired", decodedToken );
 			}
@@ -531,20 +537,21 @@ component accessors="true" singleton {
 	}
 
 	/**
-	 * Verify an incoming token against our jwt library to check if it is valid.
+	 * Verify an incoming token against our jwt library to check if it is valid token only
+	 * No expiration or claim verification
 	 *
 	 * @token The token to validate
 	 */
 	boolean function verify( required token ){
-		try{
+		try {
 			variables.jwt.decode(
-				token = arguments.token,
-				key = variables.settings.jwt.secretKey,
+				token      = arguments.token,
+				key        = variables.settings.jwt.secretKey,
 				algorithms = variables.settings.jwt.algorithm,
-				verify = false
+				verify     = false
 			);
 			return true;
-		} catch( Any e ){
+		} catch ( Any e ) {
 			return false;
 		}
 	}
@@ -559,9 +566,10 @@ component accessors="true" singleton {
 	struct function decode( required token ){
 		try {
 			return variables.jwt.decode(
-				token = arguments.token,
-				key = variables.settings.jwt.secretKey,
-				algorithms = variables.settings.jwt.algorithm
+				token      = arguments.token,
+				key        = variables.settings.jwt.secretKey,
+				algorithms = variables.settings.jwt.algorithm,
+				claims     = { "iss" : variables.settings.jwt.issuer }
 			);
 		} catch ( any e ) {
 			throw(
@@ -792,4 +800,4 @@ component accessors="true" singleton {
 			.len();
 	}
 
-}
+}
diff --git a/readme.md b/readme.md
@@ -87,6 +87,8 @@ cbsecurity = {
 	"enableSecurityVisualizer"		: false,
 	// JWT Settings
 	"jwt"                     		: {
+		// The issuer authority for the tokens, placed in the `iss` claim
+		"issuer"				  : "",
 		// The jwt secret encoding key, defaults to getSystemEnv( "JWT_SECRET", "" )
 		"secretKey"               : getSystemSetting( "JWT_SECRET", "" ),
 		// by default it uses the authorization bearer header, but you can also pass a custom one as well.
diff --git a/test-harness/tests/specs/integration/JWTSpec.cfc b/test-harness/tests/specs/integration/JWTSpec.cfc
@@ -57,7 +57,7 @@ component extends="coldbox.system.testing.BaseTestCase" appMapping="/root" {
 				} );
 			} );
 
-			given( "an valid jwt token with no required claims and accessing a secure api call", function(){
+			given( "a valid jwt token with no required claims and accessing a secure api call", function(){
 				then( "it should block with no authorization", function(){
 					getRequestContext().setValue(
 						"x-auth-token",
@@ -72,7 +72,7 @@ component extends="coldbox.system.testing.BaseTestCase" appMapping="/root" {
 				} );
 			} );
 
-			given( "an valid jwt token that's expired", function(){
+			given( "a valid jwt token that's expired", function(){
 				then( "it should block with no authorization", function(){
 					getRequestContext().setValue(
 						"x-auth-token",
@@ -146,7 +146,7 @@ component extends="coldbox.system.testing.BaseTestCase" appMapping="/root" {
 		var service   = getInstance( "jwtService@cbsecurity" );
 		var payload   = {
 			// Issuing authority
-			"iss"    : getRequestContext().getHTMLBaseURL(),
+			"iss"    : service.getSettings().jwt.issuer,
 			// Token creation
 			"iat"    : service.toEpoch( timestamp ),
 			// The subject identifier
