nats-io / jwt.net

JWT tokens signed using NKeys for Ed25519 for NATS .NET
Apache License 2.0

Allow for no user limits to be specified #5

Closed ckasabula closed 1 month ago

ckasabula commented 1 month ago

e.g. for scoped users

ckasabula commented 1 month ago

To fix:

    [53296] 2024/08/09 17:11:31.390463 [DBG] 127.0.0.1:56156 - cid:5 - Client connection created
    [53296] 2024/08/09 17:11:31.399562 [TRC] 127.0.0.1:56156 - cid:5 - <<- [CONNECT {"echo":true,"verbose":false,"pedantic":false,"tls_required":false,"jwt":"eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.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.TvZgF3SHw4AogBybmFKxkYasVhX4lTXVf_PceHeWaorXz9bcSjJW0L07lKEXgmPVWyERO9piq6VSQK1mu3p4DQ","name":"demo","lang":".NET","version":"2.3.3","protocol":1,"headers":true,"no_responders":true}]
    [53296] 2024/08/09 17:11:31.400592 [DBG] Account [AB57TLK6XOVTKPLEEK5DKMYAKUWMW5X3MC3BWJRY27IJKGONWXCS2ACX] fetch took 0s
    [53296] 2024/08/09 17:11:31.401115 [DBG] Updating account claims: AB57TLK6XOVTKPLEEK5DKMYAKUWMW5X3MC3BWJRY27IJKGONWXCS2ACX/VMS
    [53296] 2024/08/09 17:11:31.401115 [DBG] 127.0.0.1:56156 - cid:5 - User JWT is not valid: scoped users require no permissions or limits set
    [53296] 2024/08/09 17:11:31.401115 [ERR] 127.0.0.1:56156 - cid:5 - authentication error
    [53296] 2024/08/09 17:11:31.401115 [TRC] 127.0.0.1:56156 - cid:5 - ->> [-ERR Authorization Violation]

    var uc = jwt.NewUserClaims(userKey.GetPublicKey());
    uc.Name = "Bob-Smith";
    uc.User.Tags = tags;
    uc.User.IssuerAccount = "AB57TLK6XOVTKPLEEK5DKMYAKUWMW5X3MC3BWJRY27IJKGONWXCS2ACX";
    // limits not specified for scoped user
    var userJwt = jwt.EncodeUserClaims(uc, signingKey);

ckasabula commented 1 month ago

I will look at the failing test.

@mtmk - For consistency, do you think I should make the same changes to the longs in NatsOperatorLimits?

mtmk commented 1 month ago

> I will look at the failing test.
>
> @mtmk - For consistency, do you think I should make the same changes to the longs in NatsOperatorLimits?

Yes, I think we should. Could you also check why/how the Go implementation is handling this? https://github.com/nats-io/jwt/blob/41dad79143e9cff55e4bde8af4df7a40ad49786c/v2/user_claims.go#L73

ckasabula commented 1 month ago

@mtmk - I checked the Go implementation. Glad you suggested that. It also puts the NoLimit/-1 for subs/data/payload. However, in our working Go client code, we call SetScoped(true) on UserClaims. I don't see an equivalent method in jwt.net. I closed this PR. I'll create a new one adding something similar to jwt.net. https://github.com/nats-io/jwt/blob/41dad79143e9cff55e4bde8af4df7a40ad49786c/v2/user_claims.go#L78

    uc := jwt.NewUserClaims(upub)
    uc.Name = userName
    uc.SetScoped(true)

ckasabula commented 1 month ago

@mtmk The work-around for this is to set subs/data/payload to zero.


    uc.User.Data = 0;
    uc.User.Subs = 0;
    uc.User.Payload = 0;
    var userJwt = jwt.EncodeUserClaims(uc, signingKey);
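
A pre-flight check for the "scoped users require no permissions or limits set" rejection discussed in this thread, as an added example that is not part of the thread or of jwt.net. The names `scopedViolations` and `sampleToken` are hypothetical, the claim field names are assumed from the nats-io/jwt v2 layout, and only subs/data/payload and pub/sub permissions are inspected.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// userClaims covers only the fields checked below (JSON names assumed from nats-io/jwt v2).
type userClaims struct {
	Nats struct {
		Pub, Sub            struct{ Allow, Deny []string }
		Subs, Data, Payload int64
	} `json:"nats"`
}

// scopedViolations decodes a user JWT payload (signature NOT verified) and lists non-zero settings.
func scopedViolations(token string) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected 3 JWT segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload segment: %w", err)
	}
	var c userClaims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("claims JSON: %w", err)
	}
	n, bad := c.Nats, []string{}
	for i, v := range []int64{n.Subs, n.Data, n.Payload} {
		if v != 0 { // -1 (NoLimit) counts as set; the thread's workaround is 0
			bad = append(bad, fmt.Sprintf("%s=%d", []string{"subs", "data", "payload"}[i], v))
		}
	}
	if len(n.Pub.Allow)+len(n.Pub.Deny)+len(n.Sub.Allow)+len(n.Sub.Deny) > 0 {
		bad = append(bad, "permissions")
	}
	return bad, nil
}

// sampleToken wraps constructed claims JSON in JWT shape with a dummy signature.
func sampleToken(claims string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"typ":"JWT","alg":"ed25519-nkey"}`)) + "." + enc([]byte(claims)) + ".c2ln"
}

func main() { fmt.Println(scopedViolations(sampleToken(`{"nats":{"subs":-1,"data":-1,"payload":-1}}`))) }
```

An empty result means the inspected fields are at their zero values, which is the state the workaround above produces.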