From ab5fda67c8deaa0e29652406516bb80a804a9c19 Mon Sep 17 00:00:00 2001 From: marty Date: Sat, 17 Jan 2026 14:27:56 +0100 Subject: [PATCH] add jwt token in weed admin headers requests --- weed/admin/handlers/file_browser_handlers.go | 23 ++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/weed/admin/handlers/file_browser_handlers.go b/weed/admin/handlers/file_browser_handlers.go index b7c44a69d..aa7d7d477 100644 --- a/weed/admin/handlers/file_browser_handlers.go +++ b/weed/admin/handlers/file_browser_handlers.go @@ -24,6 +24,7 @@ import ( "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb" "github.com/seaweedfs/seaweedfs/weed/util" "github.com/seaweedfs/seaweedfs/weed/util/http/client" + "github.com/seaweedfs/seaweedfs/weed/security" ) type FileBrowserHandlers struct { @@ -364,6 +365,22 @@ func (h *FileBrowserHandlers) uploadFileToFiler(filePath string, fileHeader *mul } defer file.Close() + // Load security configuration + v := util.GetViper() + + // Read Filer JWT token from security.toml + signingKey := security.SigningKey(v.GetString("jwt.filer_signing.key")) + expiresAfterSec := v.GetInt("jwt.filer_signing.expires_after_seconds") + + // Generate JWT token to authenticate with Filer + var jwtToken security.EncodedJwt + if len(signingKey) > 0 { + jwtToken = security.GenJwtForFilerServer(signingKey, expiresAfterSec) + glog.V(4).Infof("Generated JWT token for filer upload (expires in %d sec)", expiresAfterSec) + } else { + glog.V(2).Info("No JWT signing key configured, uploading without authentication") + } + // Create multipart form data var body bytes.Buffer writer := multipart.NewWriter(&body) 
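Review bot: The added `"github.com/seaweedfs/seaweedfs/weed/security"` import is appended after `weed/util/http/client`, so the import group is no longer in the sorted order gofmt maintains (`weed/security` sorts before `weed/util`). Running gofmt or goimports over the file moves the line into place. Only the tail of the import block is visible in this hunk.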
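Review bot: `expiresAfterSec` is taken straight from `v.GetInt("jwt.filer_signing.expires_after_seconds")`, which yields 0 when the setting is absent, and it is passed to `security.GenJwtForFilerServer` unchecked. If that helper treats a non-positive value as "no expiry" (its body is not part of this diff, so this needs confirming), the admin server would mint a filer bearer token that never expires. Rejecting or replacing a non-positive value with a short lifetime before the call would close that gap. The token is also generated before the multipart body is assembled, so a short configured lifetime is partly spent copying the file; generating it next to the `req.Header.Set("Authorization", …)` call in the later hunk avoids that. The comment `// Load security configuration` appears to overstate what `util.GetViper()` does here, and because the unauthenticated fallback is only logged at `glog.V(2)`, an admin process that never loaded security.toml would upload without a token almost silently. uploadFileToFiler begins and continues outside this hunk.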
@@ -407,6 +424,12 @@ func (h *FileBrowserHandlers) uploadFileToFiler(filePath string, fileHeader *mul // Set content type with boundary req.Header.Set("Content-Type", writer.FormDataContentType()) + // Add JWT Token to Authorization Header + if jwtToken != "" { + req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", string(jwtToken))) + glog.V(4).Infof("Added JWT authorization header") + } + // Send request using TLS-aware HTTP client with 60s timeout for large file uploads // lgtm[go/ssrf] // Safe: filerAddress validated by validateFilerAddress() to match configured filer
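Review bot: The `Authorization` header is attached whatever the scheme of the request URL, which is built outside this hunk. If the filer is reached over plain `http://`, the bearer token crosses the network in cleartext and can be replayed against the filer until it expires. It is worth confirming that the upload URL is https whenever a signing key is configured, or at least logging a warning when it is not. Two style points on the added lines: `req.Header.Set("Authorization", "Bearer "+string(jwtToken))` avoids the `fmt.Sprintf`, and `glog.V(4).Info("Added JWT authorization header")` is the non-formatting call for a message with no verbs. uploadFileToFiler starts and ends outside the hunk.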