From 2011ceb732ae75b109cd170cb2dfd4be6b1bc2dc Mon Sep 17 00:00:00 2001 From: chenzhongjie Date: Wed, 10 Apr 2024 14:43:18 +0800 Subject: [PATCH 1/9] test --- go.mod | 1 + go.sum | 2 + pkg/auth/auth.go | 4 +- pkg/auth/jwt.go | 124 +++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 129 insertions(+), 2 deletions(-) create mode 100644 pkg/auth/jwt.go diff --git a/go.mod b/go.mod index 2a5003d7..84f8bae0 100644 --- a/go.mod +++ b/go.mod @@ -6,6 +6,7 @@ require ( github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 github.com/coreos/go-oidc/v3 v3.10.0 github.com/fatedier/golib v0.4.2 + github.com/golang-jwt/jwt/v5 v5.2.1 github.com/google/uuid v1.6.0 github.com/gorilla/mux v1.8.1 github.com/gorilla/websocket v1.5.1 diff --git a/go.sum b/go.sum index 8f1610f3..6a94df6d 100644 --- a/go.sum +++ b/go.sum @@ -34,6 +34,8 @@ github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= +github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= +github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go index 9d8db7b6..dcb9e52f 100644 --- a/pkg/auth/auth.go +++ b/pkg/auth/auth.go 
@@ -30,7 +30,7 @@ type Setter interface { func NewAuthSetter(cfg v1.AuthClientConfig) (authProvider Setter) { switch cfg.Method { case v1.AuthMethodToken: - authProvider = NewTokenAuth(cfg.AdditionalScopes, cfg.Token) + authProvider = NewJWTAuth(cfg.AdditionalScopes, cfg.Token) case v1.AuthMethodOIDC: authProvider = NewOidcAuthSetter(cfg.AdditionalScopes, cfg.OIDC) default: @@ -48,7 +48,7 @@ type Verifier interface { func NewAuthVerifier(cfg v1.AuthServerConfig) (authVerifier Verifier) { switch cfg.Method { case v1.AuthMethodToken: - authVerifier = NewTokenAuth(cfg.AdditionalScopes, cfg.Token) + authVerifier = NewJWTAuth(cfg.AdditionalScopes, cfg.Token) case v1.AuthMethodOIDC: authVerifier = NewOidcAuthVerifier(cfg.AdditionalScopes, cfg.OIDC) } diff --git a/pkg/auth/jwt.go b/pkg/auth/jwt.go new file mode 100644 index 00000000..66c5c973 --- /dev/null +++ b/pkg/auth/jwt.go 
@@ -0,0 +1,124 @@ +// Copyright 2020 guylewin, guy@lewin.co.il +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package auth + +import ( + "errors" + "fmt" + "slices" + "time" + + "github.com/golang-jwt/jwt/v5" + + v1 "github.com/fatedier/frp/pkg/config/v1" + "github.com/fatedier/frp/pkg/msg" +) + +type JWTAuthSetterVerifier struct { + additionalAuthScopes []v1.AuthScope + token string +} + +func NewJWTAuth(additionalAuthScopes []v1.AuthScope, token string) *JWTAuthSetterVerifier { + return &JWTAuthSetterVerifier{ + additionalAuthScopes: additionalAuthScopes, + token: token, + } +} + +func (auth *JWTAuthSetterVerifier) SetLogin(loginMsg *msg.Login) error { + loginMsg.PrivilegeKey = auth.token + return nil +} + +func (auth *JWTAuthSetterVerifier) SetPing(pingMsg *msg.Ping) error { + if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeHeartBeats) { + return nil + } + + pingMsg.Timestamp = time.Now().Unix() + pingMsg.PrivilegeKey = auth.token + return nil +} + +func (auth *JWTAuthSetterVerifier) SetNewWorkConn(newWorkConnMsg *msg.NewWorkConn) error { + if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeNewWorkConns) { + return nil + } + + newWorkConnMsg.Timestamp = time.Now().Unix() + newWorkConnMsg.PrivilegeKey = auth.token + return nil +} + +func (auth *JWTAuthSetterVerifier) VerifyLogin(m *msg.Login) error { + return auth.VerifyToken(m.User, m.PrivilegeKey) +} + +func (auth *JWTAuthSetterVerifier) VerifyPing(m *msg.Ping) error { + if 
!slices.Contains(auth.additionalAuthScopes, v1.AuthScopeHeartBeats) { + return nil + } + + return auth.VerifyToken("", m.PrivilegeKey) +} + +func (auth *JWTAuthSetterVerifier) VerifyNewWorkConn(m *msg.NewWorkConn) error { + if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeNewWorkConns) { + return nil + } + + return auth.VerifyToken("", m.PrivilegeKey) +} + +func (auth *JWTAuthSetterVerifier) VerifyToken(user, token string) error { + methodKey := map[string]string{jwt.SigningMethodHS256.Alg(): auth.token} + parser := jwt.NewParser(jwt.WithValidMethods([]string{jwt.SigningMethodHS256.Name})) + parsedToken, err := parser.Parse(token, func(t *jwt.Token) (any, error) { + key, ok := methodKey[t.Method.Alg()] + if !ok { + return nil, fmt.Errorf("method %s is not supported", t.Method) + } + return []byte(key), nil + }) + + if err != nil { + if errors.Is(err, jwt.ErrTokenExpired) { + return errors.New("token is expired") + } + return err + } + + if !parsedToken.Valid { + return fmt.Errorf("token %s is invalid", token) + } + + claims, ok := parsedToken.Claims.(jwt.MapClaims) + if !ok { + return fmt.Errorf("claims %v is invalid", parsedToken.Claims) + } + + if len(user) > 0 { + id, found := claims["email"] + if !found { + id, found = claims["id"] + } + if id != user { + return fmt.Errorf("token %s is not for user %s", token, user) + } + } + + return nil +} From 36cd2202bbb94bb5acd59489331dc00f7b54fe36 Mon Sep 17 00:00:00 2001 From: chenzhongjie Date: Wed, 10 Apr 2024 14:47:26 +0800 Subject: [PATCH 2/9] test --- pkg/auth/jwt.go | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/pkg/auth/jwt.go b/pkg/auth/jwt.go index 66c5c973..0473ea28 100644 --- a/pkg/auth/jwt.go +++ b/pkg/auth/jwt.go 
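Review bot: VerifyToken embeds the presented bearer token in its error strings (`token %s is invalid`, `token %s is not for user %s`), and those errors flow back through VerifyLogin and are likely to be logged, so a credential ends up as log content. Drop the token from the messages, e.g. `return errors.New("token is invalid")` and `return fmt.Errorf("token is not for user %s", user)`. The parser also accepts a token that carries no `exp` claim, because golang-jwt v5 validates expiry only when the claim is present; add `jwt.WithExpirationRequired()` to the `jwt.NewParser` options so every accepted token has a bounded lifetime. SetPing and SetNewWorkConn stamp `Timestamp` on the message, but VerifyPing and VerifyNewWorkConn never read it, so the field provides no replay protection here.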
@@ -1,17 +1,3 @@ -// Copyright 2020 guylewin, guy@lewin.co.il -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - package auth import ( From dd2f4b5973635f380c1294fb0f6bc2a7224d89cd Mon Sep 17 00:00:00 2001 From: chenzhongjie Date: Wed, 10 Apr 2024 16:56:05 +0800 Subject: [PATCH 3/9] test --- README_agi7.md | 9 +++++++++ pkg/auth/auth.go | 8 ++++++-- pkg/auth/jwt.go | 18 +++++++++++++----- pkg/auth/legacy/legacy.go | 14 ++++++++++++++ pkg/config/v1/client.go | 2 ++ pkg/config/v1/common.go | 1 + pkg/config/v1/server.go | 1 + pkg/config/v1/validation/validation.go | 1 + pkg/msg/handler.go | 3 +++ server/control.go | 2 +- 10 files changed, 51 insertions(+), 8 deletions(-) create mode 100644 README_agi7.md diff --git a/README_agi7.md b/README_agi7.md new file mode 100644 index 00000000..2c5a9f50 --- /dev/null +++ b/README_agi7.md @@ -0,0 +1,9 @@ +## build nvr frpc +```shell +env GOOS=linux GOARCH=arm GOARM=7 go build -v -o frpc ./cmd/frpc +``` + +## build frps for linux +```shell +env GOOS=linux GOARCH=amd64 go build -v -o frpc ./cmd/frps +``` diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go index dcb9e52f..47cb76f4 100644 --- a/pkg/auth/auth.go +++ b/pkg/auth/auth.go 
@@ -30,7 +30,9 @@ type Setter interface { func NewAuthSetter(cfg v1.AuthClientConfig) (authProvider Setter) { switch cfg.Method { case v1.AuthMethodToken: - authProvider = NewJWTAuth(cfg.AdditionalScopes, cfg.Token) + authProvider = NewTokenAuth(cfg.AdditionalScopes, cfg.Token) + case v1.AuthMethodJWT: + authProvider = NewJWTAuth(cfg.AdditionalScopes, cfg.Token, cfg.Secret) case v1.AuthMethodOIDC: authProvider = NewOidcAuthSetter(cfg.AdditionalScopes, cfg.OIDC) default: @@ -48,7 +50,9 @@ type Verifier interface { func NewAuthVerifier(cfg v1.AuthServerConfig) (authVerifier Verifier) { switch cfg.Method { case v1.AuthMethodToken: - authVerifier = NewJWTAuth(cfg.AdditionalScopes, cfg.Token) + authVerifier = NewTokenAuth(cfg.AdditionalScopes, cfg.Token) + case v1.AuthMethodJWT: + authVerifier = NewJWTAuth(cfg.AdditionalScopes, cfg.Token, cfg.Secret) case v1.AuthMethodOIDC: authVerifier = NewOidcAuthVerifier(cfg.AdditionalScopes, cfg.OIDC) } diff --git a/pkg/auth/jwt.go b/pkg/auth/jwt.go index 0473ea28..e083fe29 100644 --- a/pkg/auth/jwt.go +++ b/pkg/auth/jwt.go @@ -15,12 +15,14 @@ import ( type JWTAuthSetterVerifier struct { additionalAuthScopes []v1.AuthScope token string + secret string } -func NewJWTAuth(additionalAuthScopes []v1.AuthScope, token string) *JWTAuthSetterVerifier { +func NewJWTAuth(additionalAuthScopes []v1.AuthScope, token, secret string) *JWTAuthSetterVerifier { return &JWTAuthSetterVerifier{ additionalAuthScopes: additionalAuthScopes, token: token, + secret: secret, } } @@ -50,7 +52,11 @@ func (auth *JWTAuthSetterVerifier) SetNewWorkConn(newWorkConnMsg *msg.NewWorkCon } func (auth *JWTAuthSetterVerifier) VerifyLogin(m *msg.Login) error { - return auth.VerifyToken(m.User, m.PrivilegeKey) + if m.User == "" { + return errors.New("user is empty") + } + token := m.PrivilegeKey + return auth.VerifyToken(m.User, token) } func (auth *JWTAuthSetterVerifier) VerifyPing(m *msg.Ping) error { 
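Review bot: NewAuthSetter passes `cfg.Secret` into the client-side NewJWTAuth, but the client methods from the first commit (SetLogin, SetPing, SetNewWorkConn) only ever send `auth.token`, so the HMAC verification secret has no role on the client and the new `Secret` field on AuthClientConfig invites operators to copy the server's secret into every client configuration. Keep the secret server-only: call `authProvider = NewJWTAuth(cfg.AdditionalScopes, cfg.Token, "")` here, or split the constructor into setter and verifier variants. Symmetrically, NewAuthVerifier passes `cfg.Token`, which the JWT verifier never reads once VerifyToken keys on `auth.secret`.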
@@ -58,7 +64,8 @@ func (auth *JWTAuthSetterVerifier) VerifyPing(m *msg.Ping) error { return nil } - return auth.VerifyToken("", m.PrivilegeKey) + token := m.PrivilegeKey + return auth.VerifyToken("", token) } func (auth *JWTAuthSetterVerifier) VerifyNewWorkConn(m *msg.NewWorkConn) error { @@ -66,11 +73,12 @@ func (auth *JWTAuthSetterVerifier) VerifyNewWorkConn(m *msg.NewWorkConn) error { return nil } - return auth.VerifyToken("", m.PrivilegeKey) + token := m.PrivilegeKey + return auth.VerifyToken("", token) } func (auth *JWTAuthSetterVerifier) VerifyToken(user, token string) error { - methodKey := map[string]string{jwt.SigningMethodHS256.Alg(): auth.token} + methodKey := map[string]string{jwt.SigningMethodHS256.Alg(): auth.secret} parser := jwt.NewParser(jwt.WithValidMethods([]string{jwt.SigningMethodHS256.Name})) parsedToken, err := parser.Parse(token, func(t *jwt.Token) (any, error) { key, ok := methodKey[t.Method.Alg()] diff --git a/pkg/auth/legacy/legacy.go b/pkg/auth/legacy/legacy.go index c16d38f2..8567ad7a 100644 --- a/pkg/auth/legacy/legacy.go +++ b/pkg/auth/legacy/legacy.go @@ -40,6 +40,7 @@ type ClientConfig struct { BaseConfig `ini:",extends"` OidcClientConfig `ini:",extends"` TokenConfig `ini:",extends"` + JWTConfig `ini:",extends"` } func GetDefaultClientConf() ClientConfig { @@ -47,6 +48,7 @@ func GetDefaultClientConf() ClientConfig { BaseConfig: getDefaultBaseConf(), OidcClientConfig: getDefaultOidcClientConf(), TokenConfig: getDefaultTokenConf(), + JWTConfig: getDefaultJWTConf(), } } @@ -54,6 +56,7 @@ type ServerConfig struct { BaseConfig `ini:",extends"` OidcServerConfig `ini:",extends"` TokenConfig `ini:",extends"` + JWTConfig `ini:",extends"` } func GetDefaultServerConf() ServerConfig { @@ -61,6 +64,7 @@ func GetDefaultServerConf() ServerConfig { BaseConfig: getDefaultBaseConf(), OidcServerConfig: getDefaultOidcServerConf(), TokenConfig: getDefaultTokenConf(), + JWTConfig: getDefaultJWTConf(), } } 
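Review bot: VerifyToken now keys HS256 verification on `auth.secret`, but nothing in the series rejects an empty secret: AuthServerConfig.Secret defaults to the zero value and is handed to the key func as `[]byte("")`. Unless the library rejects zero-length HMAC keys (I would not rely on it), a server with `auth.method = jwt` and no secret configured accepts any token signed with an empty key. Guard at the top of VerifyToken, `if auth.secret == "" { return errors.New("jwt secret is not configured") }`, in addition to config validation. VerifyToken's body continues outside the hunk.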
@@ -143,3 +147,13 @@ func getDefaultTokenConf() TokenConfig { Token: "", } } + +type JWTConfig struct { + Secret string `ini:"secret" json:"secret"` +} + +func getDefaultJWTConf() JWTConfig { + return JWTConfig{ + Secret: "", + } +} diff --git a/pkg/config/v1/client.go b/pkg/config/v1/client.go index 52b87690..7041e4ed 100644 --- a/pkg/config/v1/client.go +++ b/pkg/config/v1/client.go @@ -175,6 +175,8 @@ type AuthClientConfig struct { // to succeed. By default, this value is "". Token string `json:"token,omitempty"` OIDC AuthOIDCClientConfig `json:"oidc,omitempty"` + + Secret string `json:"secret"` } func (c *AuthClientConfig) Complete() { diff --git a/pkg/config/v1/common.go b/pkg/config/v1/common.go index ddb23356..2579415f 100644 --- a/pkg/config/v1/common.go +++ b/pkg/config/v1/common.go @@ -44,6 +44,7 @@ type AuthMethod string const ( AuthMethodToken AuthMethod = "token" AuthMethodOIDC AuthMethod = "oidc" + AuthMethodJWT AuthMethod = "jwt" ) // QUIC protocol options diff --git a/pkg/config/v1/server.go b/pkg/config/v1/server.go index 03b05d9d..b2cfabf1 100644 --- a/pkg/config/v1/server.go +++ b/pkg/config/v1/server.go @@ -127,6 +127,7 @@ type AuthServerConfig struct { AdditionalScopes []AuthScope `json:"additionalScopes,omitempty"` Token string `json:"token,omitempty"` OIDC AuthOIDCServerConfig `json:"oidc,omitempty"` + Secret string `json:"secret,omitempty"` } func (c *AuthServerConfig) Complete() { diff --git a/pkg/config/v1/validation/validation.go b/pkg/config/v1/validation/validation.go index 4ca6b67f..cbe7a397 100644 --- a/pkg/config/v1/validation/validation.go +++ b/pkg/config/v1/validation/validation.go @@ -33,6 +33,7 @@ var ( SupportedAuthMethods = []v1.AuthMethod{ "token", "oidc", + "jwt", } SupportedAuthAdditionalScopes = []v1.AuthScope{ diff --git a/pkg/msg/handler.go b/pkg/msg/handler.go index cb1eb15a..be6d62bb 100644 --- a/pkg/msg/handler.go +++ b/pkg/msg/handler.go 
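Review bot: SupportedAuthMethods gains `"jwt"` in validation.go, but no rule ties the new method to a non-empty `Secret`, so the server validator still accepts `auth.method = jwt` with the default empty secret and the HMAC key becomes predictable. Add a check alongside the existing auth-method validation in the server validator, e.g. `if cfg.Auth.Method == v1.AuthMethodJWT && cfg.Auth.Secret == "" { /* collect: auth secret is required when auth method is jwt */ }`, adjusted to that function's parameter name and error-collection style; the function itself is outside this hunk. While here, the `Secret` field added to AuthClientConfig lacks `omitempty`, unlike its AuthServerConfig counterpart in the same commit, and a short doc comment on both fields would say which side consumes it.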
@@ -17,6 +17,8 @@ package msg import ( "io" "reflect" + + "github.com/fatedier/frp/pkg/util/log" ) func AsyncHandler(f func(Message)) func(Message) { @@ -65,6 +67,7 @@ func (d *Dispatcher) readLoop() { for { m, err := ReadMsg(d.rw) if err != nil { + log.Errorf("read msg error, %v", err) close(d.doneCh) return } diff --git a/server/control.go b/server/control.go index ea8a34c1..9938c3bf 100644 --- a/server/control.go +++ b/server/control.go @@ -186,7 +186,7 @@ func NewControl( ctl.lastPing.Store(time.Now()) if ctlConnEncrypted { - cryptoRW, err := netpkg.NewCryptoReadWriter(ctl.conn, []byte(ctl.serverCfg.Auth.Token)) + cryptoRW, err := netpkg.NewCryptoReadWriter(ctl.conn, []byte(loginMsg.PrivilegeKey)) if err != nil { return nil, err } From 8c4c872939b8d05957ed79f9955a4fad3a3f670f Mon Sep 17 00:00:00 2001 From: chenzhongjie Date: Wed, 10 Apr 2024 17:03:15 +0800 Subject: [PATCH 4/9] test --- pkg/auth/legacy/legacy.go | 14 -------------- pkg/msg/handler.go | 3 --- 2 files changed, 17 deletions(-) diff --git a/pkg/auth/legacy/legacy.go b/pkg/auth/legacy/legacy.go index 8567ad7a..c16d38f2 100644 --- a/pkg/auth/legacy/legacy.go +++ b/pkg/auth/legacy/legacy.go @@ -40,7 +40,6 @@ type ClientConfig struct { BaseConfig `ini:",extends"` OidcClientConfig `ini:",extends"` TokenConfig `ini:",extends"` - JWTConfig `ini:",extends"` } func GetDefaultClientConf() ClientConfig { @@ -48,7 +47,6 @@ func GetDefaultClientConf() ClientConfig { BaseConfig: getDefaultBaseConf(), OidcClientConfig: getDefaultOidcClientConf(), TokenConfig: getDefaultTokenConf(), - JWTConfig: getDefaultJWTConf(), } } @@ -56,7 +54,6 @@ type ServerConfig struct { BaseConfig `ini:",extends"` OidcServerConfig `ini:",extends"` TokenConfig `ini:",extends"` - JWTConfig `ini:",extends"` } func GetDefaultServerConf() ServerConfig { 
@@ -64,7 +61,6 @@ func GetDefaultServerConf() ServerConfig {
 BaseConfig: getDefaultBaseConf(),
 OidcServerConfig: getDefaultOidcServerConf(),
 TokenConfig: getDefaultTokenConf(),
- JWTConfig: getDefaultJWTConf(),
 }
 }

@@ -147,13 +143,3 @@ func getDefaultTokenConf() TokenConfig {
 Token: "",
 }
 }
-
-type JWTConfig struct {
- Secret string `ini:"secret" json:"secret"`
-}
-
-func getDefaultJWTConf() JWTConfig {
- return JWTConfig{
- Secret: "",
- }
-}
diff --git a/pkg/msg/handler.go b/pkg/msg/handler.go
index be6d62bb..cb1eb15a 100644
--- a/pkg/msg/handler.go
+++ b/pkg/msg/handler.go
@@ -17,8 +17,6 @@ package msg
 import (
 "io"
 "reflect"
-
- "github.com/fatedier/frp/pkg/util/log"
 )

 func AsyncHandler(f func(Message)) func(Message) {
@@ -67,7 +65,6 @@ func (d *Dispatcher) readLoop() {
 for {
 m, err := ReadMsg(d.rw)
 if err != nil {
- log.Errorf("read msg error, %v", err)
 close(d.doneCh)
 return
 }
From b84dd2d9c4e3f80589e08b0d2c389e3ed25161e6 Mon Sep 17 00:00:00 2001
From: chenzhongjie
Date: Wed, 10 Apr 2024 17:07:25 +0800
Subject: [PATCH 5/9] fix

---
 server/control.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/server/control.go b/server/control.go
index 9938c3bf..0227549b 100644
--- a/server/control.go
+++ b/server/control.go
@@ -186,7 +186,11 @@ func NewControl(
 ctl.lastPing.Store(time.Now())

 if ctlConnEncrypted {
- cryptoRW, err := netpkg.NewCryptoReadWriter(ctl.conn, []byte(loginMsg.PrivilegeKey))
+ key := []byte(ctl.serverCfg.Auth.Token)
+ if ctl.serverCfg.Auth.Method == v1.AuthMethodJWT {
+ key = []byte(loginMsg.PrivilegeKey)
+ }
+ cryptoRW, err := netpkg.NewCryptoReadWriter(ctl.conn, key)
 if err != nil {
 return nil, err
 }
From d1896f66c5e01a1db847cde6a4c53181f3559fd9 Mon Sep 17 00:00:00 2001
From: chenzhongjie
Date: Wed, 10 Apr 2024 19:08:35 +0800
Subject: [PATCH 6/9] fix

---
 server/proxy/http.go | 7 ++++++-
 server/proxy/proxy.go | 6 +++++-
 server/proxy/udp.go | 6 +++++-
 3 files changed, 16 insertions(+), 3 deletions(-)

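Review bot: Under JWT mode the control-connection encryption key becomes `loginMsg.PrivilegeKey`, which SetLogin in the first commit fills with the client's raw bearer token, i.e. the very bytes that just arrived in the Login message; under token auth the key is the locally configured token, which never crosses the wire as-is. Whoever can read an unprotected login (a control connection without TLS) therefore obtains both the credential and the key protecting the rest of the session, so this branch deserves a comment and the JWT mode a documented TLS requirement, e.g. `// JWT mode: the session key is the bearer token from the login message, so it is only as secret as the transport that carried it.` The `v1` identifier is not imported in any visible hunk of server/control.go; confirm it is in scope.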
diff --git a/server/proxy/http.go b/server/proxy/http.go
index cd4c4b96..3e0d5239 100644
--- a/server/proxy/http.go
+++ b/server/proxy/http.go
@@ -164,7 +164,12 @@ func (pxy *HTTPProxy) GetRealConn(remoteAddr string) (workConn net.Conn, err err

 var rwc io.ReadWriteCloser = tmpConn
 if pxy.cfg.Transport.UseEncryption {
- rwc, err = libio.WithEncryption(rwc, []byte(pxy.serverCfg.Auth.Token))
+ key := []byte(pxy.serverCfg.Auth.Token)
+ if pxy.serverCfg.Auth.Method == v1.AuthMethodJWT {
+ key = []byte(pxy.loginMsg.PrivilegeKey)
+ }
+
+ rwc, err = libio.WithEncryption(rwc, key)
 if err != nil {
 xl.Errorf("create encryption stream error: %v", err)
 return
diff --git a/server/proxy/proxy.go b/server/proxy/proxy.go
index d5ab0f13..b73fa9ee 100644
--- a/server/proxy/proxy.go
+++ b/server/proxy/proxy.go
@@ -240,7 +240,11 @@ func (pxy *BaseProxy) handleUserTCPConnection(userConn net.Conn) {

 xl.Tracef("handler user tcp connection, use_encryption: %t, use_compression: %t", cfg.Transport.UseEncryption, cfg.Transport.UseCompression)
 if cfg.Transport.UseEncryption {
- local, err = libio.WithEncryption(local, []byte(serverCfg.Auth.Token))
+ key := []byte(serverCfg.Auth.Token)
+ if serverCfg.Auth.Method == v1.AuthMethodJWT {
+ key = []byte(pxy.loginMsg.PrivilegeKey)
+ }
+ local, err = libio.WithEncryption(local, key)
 if err != nil {
 xl.Errorf("create encryption stream error: %v", err)
 return
diff --git a/server/proxy/udp.go b/server/proxy/udp.go
index 53a07d52..28784f01 100644
--- a/server/proxy/udp.go
+++ b/server/proxy/udp.go
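Review bot: The same key-selection block is now copied into http.go, proxy.go and udp.go (the udp.go hunk runs on to the next line of this page) and a fourth time into NewControl in server/control.go; the rule already moved once within this series, so four copies will drift. Extract it once on BaseProxy, which the other proxy types appear to embed, and replace each block with `key := pxy.encryptionKey()`. `pxy.loginMsg` is not declared in any visible hunk, so confirm BaseProxy carries the login message; in proxy.go the block reads the local `serverCfg` rather than `pxy.serverCfg`, which the helper would need to reconcile.
```go
// encryptionKey returns the key for work-connection encryption: the
// configured token, or under JWT auth the bearer token the client
// presented at login (only as secret as the transport that carried it).
func (pxy *BaseProxy) encryptionKey() []byte {
	if pxy.serverCfg.Auth.Method == v1.AuthMethodJWT {
		return []byte(pxy.loginMsg.PrivilegeKey)
	}
	return []byte(pxy.serverCfg.Auth.Token)
}

// … unchanged: GetRealConn up to the encryption branch …
	if pxy.cfg.Transport.UseEncryption {
		rwc, err = libio.WithEncryption(rwc, pxy.encryptionKey())
```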
@@ -205,7 +205,11 @@ func (pxy *UDPProxy) Run() (remoteAddr string, err error) {

 var rwc io.ReadWriteCloser = workConn
 if pxy.cfg.Transport.UseEncryption {
- rwc, err = libio.WithEncryption(rwc, []byte(pxy.serverCfg.Auth.Token))
+ key := []byte(pxy.serverCfg.Auth.Token)
+ if pxy.serverCfg.Auth.Method == v1.AuthMethodJWT {
+ key = []byte(pxy.loginMsg.PrivilegeKey)
+ }
+ rwc, err = libio.WithEncryption(rwc, key)
 if err != nil {
 xl.Errorf("create encryption stream error: %v", err)
 workConn.Close()
From 7d9c9af00124c4ff41efce6de10169d02b35a50e Mon Sep 17 00:00:00 2001
From: chenzhongjie
Date: Thu, 11 Apr 2024 12:02:36 +0800
Subject: [PATCH 7/9] fix

---
 pkg/auth/jwt.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/auth/jwt.go b/pkg/auth/jwt.go
index e083fe29..7a5acf60 100644
--- a/pkg/auth/jwt.go
+++ b/pkg/auth/jwt.go
@@ -107,7 +107,7 @@ func (auth *JWTAuthSetterVerifier) VerifyToken(user, token string) error {
 if len(user) > 0 {
 id, found := claims["email"]
 if !found {
- id, found = claims["id"]
+ id, _ = claims["id"]
 }
 if id != user {
 return fmt.Errorf("token %s is not for user %s", token, user)
From aeeb36747c458c444af4849f9df0e2a2ff2108b4 Mon Sep 17 00:00:00 2001
From: chenzhongjie
Date: Thu, 11 Apr 2024 14:28:48 +0800
Subject: [PATCH 8/9] fix

---
 pkg/auth/jwt.go | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/pkg/auth/jwt.go b/pkg/auth/jwt.go
index 7a5acf60..9d179b7f 100644
--- a/pkg/auth/jwt.go
+++ b/pkg/auth/jwt.go
@@ -104,11 +104,12 @@ func (auth *JWTAuthSetterVerifier) VerifyToken(user, token string) error {
 return fmt.Errorf("claims %v is invalid", parsedToken.Claims)
 }

+ sub := claims["sub"]
+ if sub != "remote_ssh" {
+ return fmt.Errorf("token sub is invalid")
+ }
 if len(user) > 0 {
- id, found := claims["email"]
- if !found {
- id, _ = claims["id"]
- }
+ id := claims["aud"]
 if id != user {
 return fmt.Errorf("token %s is not for user %s", token, user)
 }
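Review bot: `claims["aud"]` is compared with `!=` against a string, but RFC 7519 lets `aud` be a JSON array, which MapClaims decodes as `[]any`, so a token that lists the user among several audiences is rejected, and the new `fmt.Errorf("token sub is invalid")` has no format verbs. Use the typed accessors on MapClaims (`GetSubject`, `GetAudience`) together with `slices.Contains`, which jwt.go already imports, as sketched below. The hardcoded subject `"remote_ssh"` also ties the generic auth package to one consumer; a named constant with a comment, or a config field, would make that explicit. The body of VerifyToken starts and continues outside this hunk, and the error message on the following unchanged line still echoes the token itself, which belongs out of logs.
```go
	// … unchanged: parse, Valid and MapClaims checks …
	sub, err := claims.GetSubject()
	if err != nil || sub != "remote_ssh" {
		return errors.New("token sub is invalid")
	}
	if len(user) > 0 {
		aud, err := claims.GetAudience()
		if err != nil || !slices.Contains(aud, user) {
			return fmt.Errorf("token is not for user %s", user)
		}
	}
```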
From ad3b01f853d7f9b5008f351b76770e966e9c11d5 Mon Sep 17 00:00:00 2001 From: chenzhongjie Date: Thu, 11 Apr 2024 15:27:12 +0800 Subject: [PATCH 9/9] fix --- README_agi7.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README_agi7.md b/README_agi7.md index 2c5a9f50..d165da17 100644 --- a/README_agi7.md +++ b/README_agi7.md @@ -5,5 +5,5 @@ env GOOS=linux GOARCH=arm GOARM=7 go build -v -o frpc ./cmd/frpc ## build frps for linux ```shell -env GOOS=linux GOARCH=amd64 go build -v -o frpc ./cmd/frps +env GOOS=linux GOARCH=amd64 go build -v -o frps ./cmd/frps ```