safer implem for #2023

MAIF · Nov 6, 2024 · 5d31e58 · 5d31e58
1 parent e56ba8f
commit 5d31e58
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 5 deletions.
diff --git a/otoroshi/app/env/Env.scala b/otoroshi/app/env/Env.scala
@@ -1153,6 +1153,12 @@ class Env(
     .getOptionalWithFileSupport[Int]("app.exposed-ports.https")
     .getOrElse(httpsPort)
 
+  lazy val bestExposedPort: String = if (exposedRootSchemeIsHttps) {
+    exposedHttpsPort
+  } else {
+    exposedHttpPort
+  }
+
   lazy val proxyState = new NgProxyState(this)
 
   lazy val http2ClientProxyEnabled = configuration

diff --git a/otoroshi/app/gateway/handlers.scala b/otoroshi/app/gateway/handlers.scala
@@ -857,8 +857,8 @@ class GatewayRequestHandler(
             Results.Unauthorized(Json.obj("error" -> "unauthorized")).vfuture
           }
           case Success(token) => {
-            if (rnd == Option(token.getClaim("r").asString()).getOrElse("--")) {
-              val id = Option(token.getClaim("i").asString()).getOrElse("--")
+            if (rnd == Option(token.getClaim("r").asString()).map(v => env.aesDecrypt(v)).getOrElse("--")) {
+              val id = Option(token.getClaim("i").asString()).map(v => env.aesDecrypt(v)).getOrElse("--")
               Option(token.getClaim("k").asString()).getOrElse("--") match {
                 case "apikey" => {
                   env.proxyState.apikey(id) match {

diff --git a/otoroshi/app/utils/infotoken.scala b/otoroshi/app/utils/infotoken.scala
@@ -41,8 +41,8 @@ object InfoTokenHelper {
         val rnd = IdGenerator.token(16)
         val token: String = JWT.create()
           .withClaim("k", kind)
-          .withClaim("i", id)
-          .withClaim("r", rnd)
+          .withClaim("i",  env.aesEncrypt(id))
+          .withClaim("r", env.aesEncrypt(rnd))
           .withIssuedAt(DateTime.now().toDate)
           .withExpiresAt(DateTime.now().plus(secComTtl.toMillis).toDate)
           .sign(env.sha256Alg)
@@ -53,7 +53,7 @@ object InfoTokenHelper {
           exp = DateTime.now().plus(secComTtl.toMillis).toDate.getTime,
           iat = DateTime.now().toDate.getTime,
           jti = IdGenerator.uuid
-        ).withClaim("url", s"${env.rootScheme}${env.adminApiExposedHost}/.well-known/otoroshi/consumers/${rnd}?t=${token}")
+        ).withClaim("url", s"${env.rootScheme}${env.adminApiExposedHost}${env.bestExposedPort}/.well-known/otoroshi/consumers/${rnd}?t=${token}")
       }
       case SecComInfoTokenVersion.Legacy => {
         OtoroshiClaim(