VEGA-2105 Add JWT verification #minor #54
Conversation
Assumption at present is that the UID for MRLPA will be at least a one character string.
* Add JWT_SECRET_KEY variable to Makefile * Modify api-test/tester to send JWT header * Use X-Jwt-Authorization header for now to avoid clashes with AWS Authorization header (added by signer) * Expose JWT_SECRET_KEY as env var to create lambda * Add method for parsing a value out of an incoming event header * Log incoming JWT, whether verified or error
Hopefully makes it slightly more reusable.
townxelliot
temporarily deployed
to
54vega2105j
GitHub Actions
Inactive
townxelliot
temporarily deployed
to
54vega2105j
GitHub Actions
Inactive
lambda/create/main.go
Outdated
| if err == nil { | ||
| l.logger.Print("Successfully parsed JWT from event header") | ||
| } else { | ||
| l.logger.Print(err) |
There was a problem hiding this comment.
Can we return 401 if the token is invalid? Could potentially also build this into the VerifyHeader return values.
| l.logger.Print(err) | |
| shared.Problem{ | |
| StatusCode: 401, | |
| Code: "UNAUTHORISED", | |
| Detail: "Invalid JWT", | |
| }.Respond() |
There was a problem hiding this comment.
The only reason I didn't is because the ticket doesn't mention enforcing authorisation, only checking. I'm happy to add it though.
NB it might be that this will break the tests in CI, if the environment isn't set up properly or the env var isn't picked up etc., so might turn into a load more work.
There was a problem hiding this comment.
Sorry, poorly worded ticket: by "simply check these claims" it was the claims I meant were simple, I think we might as well enforce it off the bat. A classic of the "don't say 'simple' or 'just' lessons".
We're getting "Successfully parsed JWT from event header" in the lambda logs, so CI should pass enforcement 🤞🏽
Makes it easier to figure out which test failed (if any).
This will parse an X-Jwt-Authorization header out of the incoming request and attempt to verify any JWT token value in it.
At the moment, we then log whether a token was verified, or reject the request with a 401 and log an error.