如何在Golang中验证和验证JWT令牌的有效载荷

huangapple go评论91阅读模式
英文:

How to validate & verify JWT token payload in golang

问题

我正在尝试验证我的 JSON 令牌,但是我无法做到。

这是我的示例令牌:

Header:
{
  "alg": "HS256",
  "typ": "JWT"
}

Payloads:

{
  "admin": false,
  "School_ID": 123,
  "name": "XXXXXX",
  "sub": "XXXXXXXX"
}

Signature:
Key

我的问题是,当我尝试操作 JSON Web 令牌并将 admin 的值从 "false" 改为 "true" 时,它绕过了我的 API,并从普通用户变成了管理员用户。为了防止这种情况发生,我尝试使用以下代码:

token, err := jwt.ParseWithClaims(tokenString, newClaims(), func(*jwt.Token) (interface{}, error) {
    return tokenString, nil
})

但问题仍然存在。有人可以帮助我如何解决这个问题吗?这是一个严重的安全漏洞,我需要修复它。

英文:

I am trying to validate my json token but i am not able to do that,

Here is my sample token

Header:
{
  "alg": "HS256",
  "typ": "JWT"
}

Payloads:

{
  "admin": false,
  "School_ID": 123,
  "name": "XXXXXX",
  "sub": "XXXXXXXX"
}

Singature:
Key

My problem is as soon as i am trying to manipulate JSON web token and change the value of admin 'false' to 'true', it is bypassing my API and becoming as an admin user from the normal user, to prevent that i tried using

token, err: = new(jwt.Parser).ParseWithClaims(tokenString, newClaims(), func( * jwt.Token)(interface {}, error) {
    return tokenString, nil
})

but problem still there can anyone help me how to fix that issue as its critical security bug and i need to fix it.

答案1

得分: 1

首先,JWT防止用户更改有效载荷,因为用户无法获得密钥重新生成JWT令牌。如果您在有效载荷中将admin从false更改为true,您会重新生成签名吗?

例如,您可以将以下文本粘贴到jtw.io中:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c。您将看到验证的有效签名。

但是,如果您仅更改有效载荷,您将获得无效的签名,就像这样:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRHd3d29lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c。您也可以将其复制到jtw.io中尝试。

因此,当您在不重新生成JWT令牌的情况下更改有效载荷时,您将获得无效的JWT令牌。当不知道您的密钥的用户修改了您的JWT令牌(将admin: false更改为true)时,这些用户基本上无法获得管理员权限。

最后,JWT中的签名不是密钥,它只是一个用于验证此JWT令牌由您的密钥签名的“签名”。

英文:

First thing, JWT prevents the users from changing the payload because the users couldn't have key to regenerate the JWT token. If you change admin from false to true in the payload, do you regenerate the signature?

For example, you could paste the following text in jtw.io
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c. You'll see valid signature verified.

But, if you change only payload, you'll get invalid signature, like this, eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRHd3d29lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c. You also could copy it to try in jtw.io.

So when you change payload without regenerating the JWT token, you'll get invalid JWT token. When your JWT token is modified (admin: false to true) by users who don't know your key, the users basically could not get the admin permission.

Last, signature in JWT is not the key, it's just a signature to approve this JWT token is signed by your key.

答案2

得分: 0

看起来你没有在任何地方验证签名。你解析了令牌的有效载荷,但没有验证签名。当你读取一个JWT时,你必须验证签名,以便检查是否有人更改了令牌的内容。所以为了防止你在示例中所做的事情,当你将admin声明更改为true时,签名将不再与有效载荷匹配,你将能够拒绝这样的令牌。

英文:

It doesn't look like you're verifying the signature anywhere. You're parsing the token payload, but you don't verify the signature. When you're reading a JWT you have to verify the signature in order to check whether someone has changed the contents of the token. So to prevent exactly what you have done in your example. When you change admin claim to true then the signature will no longer match the payload and you will be able to reject such a token.

huangapple
  • 本文由 发表于 2022年1月30日 01:24:04
  • 转载请务必保留本文链接:https://go.coder-hub.com/70907961.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定