jwt,browser: allow short-expiry tokens for GETs (#4684)

This commit fixes a potential security issue, whereby a full-access token to the server would be available in the GET URL of a download request. This fixes that issue by introducing short-expiry tokens, which are only valid for one minute, and are regenerated for every download request. This commit specifically introduces the short-lived tokens, adds tests for the tokens, adds an RPC call for generating a token given a full-access token, updates the browser to use the new tokens for requests where the token is passed as a GET parameter, and adds some tests with the new temporary tokens. Refs: https://github.com/minio/minio/pull/4673
2017-07-24 12:46:37 -07:00
parent 4785555d34
commit ec5293ce29
7 changed files with 131 additions and 6 deletions
--- a/cmd/jwt_test.go
+++ b/cmd/jwt_test.go
@@ -60,6 +60,8 @@ func testAuthenticate(authType string, t *testing.T) {
 			_, err = authenticateNode(testCase.accessKey, testCase.secretKey)
 		} else if authType == "web" {
 			_, err = authenticateWeb(testCase.accessKey, testCase.secretKey)
+		} else if authType == "url" {
+			_, err = authenticateURL(testCase.accessKey, testCase.secretKey)
 		}

 		if testCase.expectedErr != nil {
@@ -83,6 +85,10 @@ func TestAuthenticateWeb(t *testing.T) {
 	testAuthenticate("web", t)
 }

+func TestAuthenticateURL(t *testing.T) {
+	testAuthenticate("url", t)
+}
+
 func BenchmarkAuthenticateNode(b *testing.B) {
 	testPath, err := newTestConfig(globalMinioDefaultRegion)
 	if err != nil {