
Bug fix 3.3/jwt base64url encoded (#7905)

* Use base64url encoding and decoding for jwt header and body as specified in the rfc.

* Update changelog.
This commit is contained in:
Lars Maier 2019-01-08 16:56:07 +01:00 committed by Max Neunhöffer
parent 02c7250ebf
commit c0fa42e0cc
2 changed files with 13 additions and 11 deletions


@ -1,6 +1,8 @@
v3.3.22 (XXXX-XX-XX)
--------------------
* Use base64url to encode and decode JWT parts.
* added AQL function `CHECK_DOCUMENT` for document validity checks
* added arangorestore option `--cleanup-duplicate-attributes` to clean up input documents
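Review bot: the changelog line `* Use base64url to encode and decode JWT parts.` reads as a feature rather than the bug fix the commit title names. State what was wrong before (the code hunks replace the standard-alphabet `decodeBase64`/`encodeBase64` calls) and name the RFC the commit message refers to, so operators can tell whether tokens they issue or consume are affected.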
@ -18,7 +20,7 @@ v3.3.22 (XXXX-XX-XX)
default values for the number of shards and the replication factor, resp. for all
restored collections. If specified, these default values will be used regardless
of whether the number of shards or the replication factor values are already present
in the metadata of the dumped collections.
in the metadata of the dumped collections.
It is also possible to override the values on a per-collection level by specifying
the options multiple times, e.g.
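Review bot: the removed and re-added line `in the metadata of the dumped collections.` is textually identical in the rendered diff, so this looks like trailing-whitespace cleanup; the same pattern recurs in the following CHANGELOG hunks. Unrelated whitespace churn inflates a bug-fix commit and hides the single substantive changelog line; keep it in a separate commit or drop it.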
@ -34,7 +36,7 @@ v3.3.22 (XXXX-XX-XX)
--number-of-shards mycollection=3 --number-of-shards test=4
This will use the number of shards as specified in the dump, except for the collections
"mycollection" and "test".
"mycollection" and "test".
The `--replication-factor` option works similarly.
@ -49,9 +51,9 @@ v3.3.22 (XXXX-XX-XX)
This resulted in a document having two "a" attributes, which is obviously
undesired. Now, when an attribute value is used multiple times, only the first
assigned value will be used for that attribute in AQL. It is not possible to
assigned value will be used for that attribute in AQL. It is not possible to
specify the same attribute multiple times and overwrite the attribute's value
with by that. That means in the above example, the value of "a" will be 1,
with by that. That means in the above example, the value of "a" will be 1,
and not 2.
This changes the behavior for overriding attribute values in AQL compared to
previous versions of ArangoDB, as previous versions in some cases allowed
@ -60,7 +62,7 @@ v3.3.22 (XXXX-XX-XX)
value. In order to explicitly override a value in an existing object, use the
AQL MERGE function.
To avoid all these issues, users are encouraged to use unambiguous attribute
To avoid all these issues, users are encouraged to use unambiguous attribute
names in objects/documents in AQL. Outside of AQL, specifying the same attribute
multiple times may even result in a parse error, e.g. when sending such data
to ArangoDB's HTTP REST API.
@ -69,10 +71,10 @@ v3.3.22 (XXXX-XX-XX)
abort with a proper error containing the problem description instead of aborting
but hiding there was a problem.
* remove Swagger map files from the build to reduce package sizes
* remove Swagger map files from the build to reduce package sizes
* do not respond with an internal error in case of JSON parse errors detected
in incoming HTTP requests
in incoming HTTP requests
* fixed issue #7834: AQL Query crashes instance


@ -244,7 +244,7 @@ std::shared_ptr<VPackBuilder> auth::TokenCache::parseJson(std::string const& str
bool auth::TokenCache::validateJwtHeader(std::string const& header) {
std::shared_ptr<VPackBuilder> headerBuilder =
parseJson(StringUtils::decodeBase64(header), "jwt header");
parseJson(StringUtils::decodeBase64U(header), "jwt header");
if (headerBuilder.get() == nullptr) {
return false;
}
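Review bot: switching to `StringUtils::decodeBase64U` raises a compatibility question the hunk does not answer. During a rolling upgrade, peers still running the old code produce tokens with the `encodeBase64` alphabet (`+`, `/`, with `=` padding); if `decodeBase64U` rejects or mis-maps those characters, inter-server authentication fails mid-upgrade (the function later logs `Using cluster without JWT Token`, so cluster JWT use is in scope). Confirm whether the decoder accepts both alphabets and unpadded input (RFC 7515 forbids `=` padding in JWS segments) and record the answer in the commit message.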
@ -279,7 +279,7 @@ bool auth::TokenCache::validateJwtHeader(std::string const& header) {
auth::TokenCache::Entry auth::TokenCache::validateJwtBody(std::string const& body) {
std::shared_ptr<VPackBuilder> bodyBuilder =
parseJson(StringUtils::decodeBase64(body), "jwt body");
parseJson(StringUtils::decodeBase64U(body), "jwt body");
auth::TokenCache::Entry authResult;
if (bodyBuilder.get() == nullptr) {
LOG_TOPIC(TRACE, Logger::AUTHENTICATION) << "invalid JWT body";
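Review bot: the same decoder change is applied here, but the commit touches only CHANGELOG and this source file (`2 changed files`), so no test exercises a token whose body segment contains `-` or `_`. Add a unit test that decodes a constructed base64url body containing those characters, plus one with the standard `+`/`/` alphabet asserting whichever behaviour was decided, so both the fix and the `invalid JWT body` rejection path are covered.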
@ -362,8 +362,8 @@ std::string auth::TokenCache::generateRawJwt(VPackSlice const& body) const {
headerBuilder.add("typ", VPackValue("JWT"));
}
std::string fullMessage(StringUtils::encodeBase64(headerBuilder.toJson()) +
"." + StringUtils::encodeBase64(body.toJson()));
std::string fullMessage(StringUtils::encodeBase64U(headerBuilder.toJson()) +
"." + StringUtils::encodeBase64U(body.toJson()));
if (_jwtSecret.empty()) {
LOG_TOPIC(INFO, Logger::AUTHENTICATION)
<< "Using cluster without JWT Token";
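Review bot: the hunk encodes only the header and body segments with `encodeBase64U`; the signature segment that completes `fullMessage` further down in `generateRawJwt` is outside the shown lines. All three segments must use the same unpadded base64url alphabet for the token to conform to the RFC the commit message cites and to verify in other JWT libraries, so confirm the signature encoding was changed as well and that `encodeBase64U` omits `=` padding.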