From 5d31e583d261d28e0608d39bcb6dfadb5617c0cb Mon Sep 17 00:00:00 2001
From: Mathieu Ancelin
Date: Wed, 6 Nov 2024 16:24:15 +0100
Subject: [PATCH] safer implem for #2023
---
 otoroshi/app/env/Env.scala | 6 ++++++
 otoroshi/app/gateway/handlers.scala | 4 ++--
 otoroshi/app/utils/infotoken.scala | 6 +++---
 3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/otoroshi/app/env/Env.scala b/otoroshi/app/env/Env.scala
index 891f8cd37..16eddbff8 100644
--- a/otoroshi/app/env/Env.scala
+++ b/otoroshi/app/env/Env.scala
@@ -1153,6 +1153,12 @@ class Env(
 .getOptionalWithFileSupport[Int]("app.exposed-ports.https")
 .getOrElse(httpsPort)

+ lazy val bestExposedPort: String = if (exposedRootSchemeIsHttps) {
+ exposedHttpsPort
+ } else {
+ exposedHttpPort
+ }
+
 lazy val proxyState = new NgProxyState(this)

 lazy val http2ClientProxyEnabled = configuration
diff --git a/otoroshi/app/gateway/handlers.scala b/otoroshi/app/gateway/handlers.scala
index 98f01c665..cf10c1ac1 100644
--- a/otoroshi/app/gateway/handlers.scala
+++ b/otoroshi/app/gateway/handlers.scala
@@ -857,8 +857,8 @@ class GatewayRequestHandler(
 Results.Unauthorized(Json.obj("error" -> "unauthorized")).vfuture
 }
 case Success(token) => {
- if (rnd == Option(token.getClaim("r").asString()).getOrElse("--")) {
- val id = Option(token.getClaim("i").asString()).getOrElse("--")
+ if (rnd == Option(token.getClaim("r").asString()).map(v => env.aesDecrypt(v)).getOrElse("--")) {
+ val id = Option(token.getClaim("i").asString()).map(v => env.aesDecrypt(v)).getOrElse("--")
 Option(token.getClaim("k").asString()).getOrElse("--") match {
 case "apikey" => {
 env.proxyState.apikey(id) match {
diff --git a/otoroshi/app/utils/infotoken.scala b/otoroshi/app/utils/infotoken.scala
index 338a7bb70..d39c76443 100644
--- a/otoroshi/app/utils/infotoken.scala
+++ b/otoroshi/app/utils/infotoken.scala
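Review bot: The new `lazy val bestExposedPort` is consumed in this same patch by string concatenation straight after a host name (`${env.adminApiExposedHost}${env.bestExposedPort}` in infotoken.scala), so whether it must carry its own leading `:` — or be empty for a default port — is a contract the definition should state. The context just above ends an `Int`-typed chain (`.getOptionalWithFileSupport[Int](...).getOrElse(httpsPort)`), so the `String`-typed `exposedHttpsPort`/`exposedHttpPort` it picks from are presumably defined further up and presumably already normalised into that suffix form, but nothing in the hunk says so. A scaladoc such as `/** Port suffix for the exposed root scheme; appended directly after a host, so it must already contain any leading ':' (or be empty) — confirm against exposedHttpsPort/exposedHttpPort. */` would pin that down for the next caller.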
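Review bot: `env.aesDecrypt(v)` now runs inside the `Success(token)` branch on two claim values, and a claim that is not a valid ciphertext — most plausibly a token minted before this deploy but still inside its `secComTtl`, since encrypted `i`/`r` claims are new — would, if `aesDecrypt` throws on malformed input, escape as an uncaught exception instead of the `Unauthorized` result the branch above returns. Wrapping the decryption keeps the failure mode closed, e.g. `.flatMap(v => Try(env.aesDecrypt(v)).toOption)` on both changed lines (assuming `scala.util.Try` is imported alongside the `Success` already matched here). The `"--"` sentinel is also weaker than needed: a validly signed token lacking `r` compares equal to a path value of `--`, whereas `Option(token.getClaim("r").asString()).flatMap(v => Try(env.aesDecrypt(v)).toOption).contains(rnd)` fails closed with no sentinel at all. The enclosing handler starts and ends outside the hunk.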
@@ -41,8 +41,8 @@ object InfoTokenHelper {
 val rnd = IdGenerator.token(16)
 val token: String = JWT.create()
 .withClaim("k", kind)
- .withClaim("i", id)
- .withClaim("r", rnd)
+ .withClaim("i", env.aesEncrypt(id))
+ .withClaim("r", env.aesEncrypt(rnd))
 .withIssuedAt(DateTime.now().toDate)
 .withExpiresAt(DateTime.now().plus(secComTtl.toMillis).toDate)
 .sign(env.sha256Alg)
@@ -53,7 +53,7 @@ object InfoTokenHelper {
 exp = DateTime.now().plus(secComTtl.toMillis).toDate.getTime,
 iat = DateTime.now().toDate.getTime,
 jti = IdGenerator.uuid
- ).withClaim("url", s"${env.rootScheme}${env.adminApiExposedHost}/.well-known/otoroshi/consumers/${rnd}?t=${token}")
+ ).withClaim("url", s"${env.rootScheme}${env.adminApiExposedHost}${env.bestExposedPort}/.well-known/otoroshi/consumers/${rnd}?t=${token}")
 }
 case SecComInfoTokenVersion.Legacy => {
 OtoroshiClaim(
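Review bot: `env.aesEncrypt(rnd)` does not hide `rnd`: the same value is written in clear into the `url` claim of this very token (`/consumers/${rnd}?t=${token}`, second hunk), and the token is already signed with `env.sha256Alg`, so the encryption of `r` only makes the claim unreadable without the AES key and a reader will wonder why it is there. A one-line comment stating the intent, e.g. `// rnd also appears in clear in the url claim; encrypting r keeps the claim format aligned with i, it is not a secrecy measure`, would stop a later "simplification". For `i`, whether the encrypted apikey id remains a stable, correlatable per-consumer value across tokens depends on `env.aesEncrypt` using a fresh IV per call, which is not visible here — worth confirming if unlinkability is part of what #2023 asks for. The enclosing method continues past the hunk.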
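Review bot: The `url` claim now concatenates `${env.adminApiExposedHost}${env.bestExposedPort}` with no separator, which is only correct if `bestExposedPort` already carries its leading `:` (or is empty) and `adminApiExposedHost` never itself contains a `:port`; neither invariant is visible here, and a host configured as `host:port` would produce `host:port:port` in the callback URL that consumers are told to use. Either a comment at the interpolation, e.g. `// bestExposedPort is ":<port>" or ""; adminApiExposedHost is expected to be a bare host`, or a guard such as `val portSuffix = if (env.adminApiExposedHost.contains(":")) "" else env.bestExposedPort` used in place of `${env.bestExposedPort}`, would make the assumption explicit. The enclosing method starts and ends outside the hunk.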