Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: only use JWT middleware on /api paths #1074

Merged
merged 1 commit into from
Feb 11, 2025
Merged

fix: only use JWT middleware on /api paths #1074

merged 1 commit into from
Feb 11, 2025

Conversation

rolznz
Copy link
Contributor

@rolznz rolznz commented Feb 6, 2025
edited
Loading

Fixes #1071 by only applying the JWT config to the /api prefix.

I do not understand why this works, as this should mean the non-restricted API endpoints would not work, but they still do. This needs to be understood properly before merging.

Also moves a few endpoints into the restricted group (they were still protected, but it's better for them to be protected by the JWT middleware)

restrictedApiGroup := e.Group("/api")
restrictedApiGroup.Use(echojwt.WithConfig(jwtConfig))

im-adithya
im-adithya approved these changes Feb 11, 2025
View reviewed changes
Copy link
Member

@im-adithya im-adithya left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rolznz
Copy link
Contributor Author

rolznz commented Feb 11, 2025

As far as I can tell this is due to buggy handling of groups when the path is set to "", combined with how the static middleware handles not found routes

@rolznz rolznz marked this pull request as ready for review February 11, 2025 16:41
@rolznz rolznz merged commit e7a0b25 into master Feb 11, 2025
9 of 10 checks passed
@rolznz rolznz deleted the fix/restricted-api-group branch February 11, 2025 16:42
@rolznz
Copy link
Contributor Author

rolznz commented Feb 11, 2025
edited
Loading

Further debugging thanks to @im-adithya

Before we had the group prefix as "" and it has a not found handler which applies its middleware, which includes the JWT middleware. See https://github.com/labstack/echo/blob/master/group.go#L116-L118

The static middleware also tries to apply other middleware before falling back to the index page: https://github.com/labstack/echo/blob/master/middleware/static.go#L188-L209

That's why all routes except the index are default 404s and therefore hit the JWT middleware from the restricted group.

Now that we moved the group to /api and all our api routes are clearly defined, the 404 route is not hit for our non-restricted api endpoints, but an unknown API route will hit the JWT middleware because of the restricted group's fallback not found handler.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@im-adithya im-adithya im-adithya approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

(v1.14.0) Opening my.albyhub.com URL directly returns JWT error
2 participants
@rolznz @im-adithya