Description
After an authenticated user has logged out, a malicious user can continue accessing his account if the malicious user gets his JWT token. To do so, instead of passing the JWT token in the HTTP header, the malicious user can just pass the token as the query argument "access_token".
request.OAuth2Extractor would retrieve the JWT token from either the HTTP header or the "access_token" argument; therefore a previously logged-out token will still be validated. authBackend.IsInBlacklist() wouldn't block the access because req.Header.Get("Authorization") doesn't have the token.
```go
// Imports assumed for this snippet (the jwt-go library and its request package it calls into).
import (
	"fmt"
	"net/http"

	jwt "github.com/dgrijalva/jwt-go"
	"github.com/dgrijalva/jwt-go/request"
)

func RequireTokenAuthentication(rw http.ResponseWriter, req *http.Request, next http.HandlerFunc) {
	authBackend := InitJWTAuthenticationBackend()
	// Highlighted in the report: OAuth2Extractor accepts the token from the
	// Authorization header OR from the "access_token" argument.
	token, err := request.ParseFromRequest(req, request.OAuth2Extractor, func(token *jwt.Token) (interface{}, error) {
		if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
			return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
		} else {
			return authBackend.PublicKey, nil
		}
	})
	// Highlighted in the report: the blacklist is consulted with the header value only,
	// so a blacklisted token carried in "access_token" is never looked up.
	if err == nil && token.Valid && !authBackend.IsInBlacklist(req.Header.Get("Authorization")) {
		next(rw, req)
	} else {
		rw.WriteHeader(http.StatusUnauthorized)
	}
}
```
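The mismatch described above and the corresponding fix, as an added example that is not the project's code: the extractor is modelled on OAuth2Extractor's lookup order (assumed: a Bearer Authorization header first, then the "access_token" argument), signature verification is left out, and the blacklist is an in-memory set of constructed token strings.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// extractToken approximates request.OAuth2Extractor (assumption: a "Bearer"
// Authorization header first, then the "access_token" argument), so this
// example runs with the standard library only.
func extractToken(req *http.Request) string {
	if auth := req.Header.Get("Authorization"); strings.HasPrefix(auth, "Bearer ") {
		return strings.TrimPrefix(auth, "Bearer ")
	}
	return req.FormValue("access_token")
}

// blacklist stands in for authBackend.IsInBlacklist: logged-out tokens, kept as bare strings.
type blacklist map[string]bool

// vulnerableAllows mirrors the reported check: the token may come from the
// query argument, but the blacklist is consulted for the header only.
func vulnerableAllows(bl blacklist, req *http.Request) bool {
	tok := extractToken(req)
	headerTok := strings.TrimPrefix(req.Header.Get("Authorization"), "Bearer ")
	return tok != "" && !bl[headerTok]
}

// fixedAllows consults the blacklist with the very token that was extracted,
// so where the token travelled (header or argument) no longer matters.
func fixedAllows(bl blacklist, req *http.Request) bool {
	tok := extractToken(req)
	return tok != "" && !bl[tok]
}

// newRequest builds a request carrying the token in the header and/or the query string.
func newRequest(header, query string) *http.Request {
	req := httptest.NewRequest("GET", "/protected"+query, nil)
	if header != "" {
		req.Header.Set("Authorization", header)
	}
	return req
}

func main() {
	bl := blacklist{"loggedout.token": true} // constructed sample
	req := newRequest("", "?access_token=loggedout.token")
	fmt.Println("vulnerable:", vulnerableAllows(bl, req), "fixed:", fixedAllows(bl, req))
}
```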