feat(lib): Add option for adding difficulty field to JWT claims (#1063)

* Add option for difficulty JWT field * Add DIFFICULTY_IN_JWT option to docs * Add missing_required_forwarded_headers to lt translation via Google Translate * docs(CHANGELOG): move CHANGELOG entry to the top Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net> Co-authored-by: Xe Iaso <me@xeiaso.net>
2025-09-11 15:50:33 +02:00 · 2025-09-11 15:50:33 +02:00 · 8ed89a6c6e
commit 8ed89a6c6e
parent 9430d0e6a5
6 changed files with 26 additions and 23 deletions
--- a/lib/anubis.go
+++ b/lib/anubis.go
@ -501,6 +501,12 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 	var tokenString string

 	// check if JWTRestrictionHeader is set and header is in request
+	claims := jwt.MapClaims{
+		"challenge":  chall.ID,
+		"method":     rule.Challenge.Algorithm,
+		"policyRule": rule.Hash(),
+		"action":     string(cr.Rule),
+	}
 	if s.opts.JWTRestrictionHeader != "" {
 		if r.Header.Get(s.opts.JWTRestrictionHeader) == "" {
 			lg.Error("JWTRestrictionHeader is set in config but not found in request, please check your reverse proxy config.")
@ -508,22 +514,13 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 			s.respondWithError(w, r, "failed to sign JWT")
 			return
 		} else {
-			tokenString, err = s.signJWT(jwt.MapClaims{
-				"challenge":   chall.ID,
-				"method":      rule.Challenge.Algorithm,
-				"policyRule":  rule.Hash(),
-				"action":      string(cr.Rule),
-				"restriction": internal.SHA256sum(r.Header.Get(s.opts.JWTRestrictionHeader)),
-			})
+			claims["restriction"] = internal.SHA256sum(r.Header.Get(s.opts.JWTRestrictionHeader))
 		}
-	} else {
-		tokenString, err = s.signJWT(jwt.MapClaims{
-			"challenge":  chall.ID,
-			"method":     rule.Challenge.Algorithm,
-			"policyRule": rule.Hash(),
-			"action":     string(cr.Rule),
-		})
 	}
+	if s.opts.DifficultyInJWT {
+		claims["difficulty"] = rule.Challenge.Difficulty
+	}
+	tokenString, err = s.signJWT(claims)

 	if err != nil {
 		lg.Error("failed to sign JWT", "err", err)
--- a/lib/config.go
+++ b/lib/config.go
@ -46,6 +46,7 @@ type Options struct {
 	Logger               *slog.Logger
 	PublicUrl            string
 	JWTRestrictionHeader string
+	DifficultyInJWT      bool
 }

 func LoadPoliciesOrDefault(ctx context.Context, fname string, defaultDifficulty int) (*policy.ParsedConfig, error) {
--- a/lib/localization/locales/lt.json
+++ b/lib/localization/locales/lt.json
@ -62,5 +62,6 @@
  "js_iterations": "iteracijų",
  "js_finished_reading": "Viską perskaičiau, tęskime →",
  "js_calculation_error": "Skaičiavimo klaida!",
-  "js_calculation_error_msg": "Nepavyko įveikti iššūkio:"
+  "js_calculation_error_msg": "Nepavyko įveikti iššūkio:",
+  "missing_required_forwarded_headers": "Trūksta privalomų X-Forwarded-* antraščių"
 }