feat: Add option to use HS512 secret for JWT instead of ED25519 (#680)

* Add functionality for HS512 JWT tokens * Add HS512_SECRET to installation docs * Update CHANGELOG.md regarding HS512 * Move HS512_SECRET to advenced section in docs * Move token Keyfunc logic to Server function * Add Keyfunc to spelling * chore: spelling Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net> Co-authored-by: Martin Weidenauer <mweidenauer@nanx0as46153.anx.local> Co-authored-by: Xe Iaso <me@xeiaso.net>
2025-06-26 12:06:44 +02:00 · 2025-06-26 12:06:44 +02:00 · 59f5b07281
commit 59f5b07281
parent 1562f88c35
7 changed files with 68 additions and 36 deletions
--- a/lib/anubis.go
+++ b/lib/anubis.go
@ -63,19 +63,37 @@ var (
 )

 type Server struct {
-	next       http.Handler
-	mux        *http.ServeMux
-	policy     *policy.ParsedConfig
-	DNSBLCache *decaymap.Impl[string, dnsbl.DroneBLResponse]
-	OGTags     *ogtags.OGTagCache
-	cookieName string
-	priv       ed25519.PrivateKey
-	pub        ed25519.PublicKey
-	opts       Options
+	next        http.Handler
+	mux         *http.ServeMux
+	policy      *policy.ParsedConfig
+	DNSBLCache  *decaymap.Impl[string, dnsbl.DroneBLResponse]
+	OGTags      *ogtags.OGTagCache
+	cookieName  string
+	ed25519Priv ed25519.PrivateKey
+	hs512Secret []byte
+	opts        Options
+}
+
+func (s *Server) getTokenKeyfunc() jwt.Keyfunc {
+	// return ED25519 key if HS512 is not set
+	if len(s.hs512Secret) == 0 {
+		return func(token *jwt.Token) (interface{}, error) {
+			return s.ed25519Priv.Public().(ed25519.PublicKey), nil
+		}
+	} else {
+		return func(token *jwt.Token) (interface{}, error) {
+			return s.hs512Secret, nil
+		}
+	}
 }

 func (s *Server) challengeFor(r *http.Request, difficulty int) string {
-	fp := sha256.Sum256(s.pub[:])
+	var fp [32]byte
+	if len(s.hs512Secret) == 0 {
+		fp = sha256.Sum256(s.ed25519Priv.Public().(ed25519.PublicKey)[:])
+	} else {
+		fp = sha256.Sum256(s.hs512Secret)
+	}

 	challengeData := fmt.Sprintf(
 		"X-Real-IP=%s,User-Agent=%s,WeekTime=%s,Fingerprint=%x,Difficulty=%d",
@ -149,9 +167,7 @@ func (s *Server) maybeReverseProxy(w http.ResponseWriter, r *http.Request, httpS
 		return
 	}

-	token, err := jwt.ParseWithClaims(ckie.Value, jwt.MapClaims{}, func(token *jwt.Token) (interface{}, error) {
-		return s.pub, nil
-	}, jwt.WithExpirationRequired(), jwt.WithStrictDecoding())
+	token, err := jwt.ParseWithClaims(ckie.Value, jwt.MapClaims{}, s.getTokenKeyfunc(), jwt.WithExpirationRequired(), jwt.WithStrictDecoding())

 	if err != nil || !token.Valid {
 		lg.Debug("invalid token", "path", r.URL.Path, "err", err)