Slide 386
Slide 386 text
sub jwt {
var.set("key",std.fileread("/etc/varnish/jwt.key"));
std.log("Ready to perform some JWT magic");
if(cookie.isset("jwt_cookie")) {
var.set("token", cookie.get("jwt_cookie"));
var.set("header", regsub(var.get("token"),"([^\.]+)\.[^\.]+\.[^\.]+","\1"));
var.set("type", regsub(digest.base64url_decode(var.get("header")),{"^.*?"typ"\s*:
\s*"(\w+)".*?$"},"\1"));
var.set("algorithm", regsub(digest.base64url_decode(var.get("header")),
{"^.*?"alg"\s*:\s*"(\w+)".*?$"},"\1"));
if(var.get("type") == "JWT" && var.get("algorithm") == "HS256") {
var.set("rawPayload",regsub(var.get("token"),"[^\.]+\.([^\.]+)\.[^\.]+$","\1"));
var.set("signature",regsub(var.get("token"),"^[^\.]+\.[^\.]+\.([^\.]+)$","\1"));
var.set("currentSignature",digest.base64url_nopad_hex(digest.hmac_sha256(var.get("key"),
var.get("header") + "." + var.get("rawPayload"))));
var.set("payload", digest.base64url_decode(var.get("rawPayload")));
var.set("exp",regsub(var.get("payload"),{"^.*?"exp"\s*:\s*([0-9]+).*?$"},"\1"));
var.set("userId",regsub(var.get("payload"),{"^.*?"uid"\s*:\s*([0-9]+).*?
$"},"\1"));
if(var.get("userId") ~ "^\d+$") {
if(std.time(var.get("exp"),now) >= now) {
if(var.get("signature") == var.get("currentSignature")) {
set req.http.X-Login="true";
} else {
std.log("JWT: signature doesn't match. Received: " +
var.get("signature") + ", expected: " + var.get("currentSignature"));