feat(auth): comprehensive DPoP security improvements

+124 -31

internal/api/middleware/auth.go

··· 53 53 // RequireAuth middleware ensures the user is authenticated with a valid JWT 54 54 // If not authenticated, returns 401 55 55 // If authenticated, injects user DID and JWT claims into context 56 + // 57 + // Only accepts DPoP authorization scheme per RFC 9449: 58 + // - Authorization: DPoP <token> (DPoP-bound tokens) 56 59 func (m *AtProtoAuthMiddleware) RequireAuth(next http.Handler) http.Handler { 57 60 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 58 61 // Extract Authorization header ··· 62 65 return 63 66 } 64 67 65 - // Must be Bearer token 66 - if !strings.HasPrefix(authHeader, "Bearer ") { 67 - writeAuthError(w, "Invalid Authorization header format. Expected: Bearer <token>") 68 + // Only accept DPoP scheme per RFC 9449 69 + // HTTP auth schemes are case-insensitive per RFC 7235 70 + token, ok := extractDPoPToken(authHeader) 71 + if !ok { 72 + writeAuthError(w, "Invalid Authorization header format. Expected: DPoP <token>") 68 73 return 69 74 } 70 - 71 - token := strings.TrimPrefix(authHeader, "Bearer ") 72 - token = strings.TrimSpace(token) 73 75 74 76 var claims *auth.Claims 75 77 var err error ··· 116 118 return 117 119 } 118 120 119 - proof, err := m.verifyDPoPBinding(r, claims, dpopHeader) 121 + proof, err := m.verifyDPoPBinding(r, claims, dpopHeader, token) 120 122 if err != nil { 121 123 log.Printf("[AUTH_FAILURE] type=dpop_verification_failed ip=%s method=%s path=%s error=%v", 122 124 r.RemoteAddr, r.Method, r.URL.Path, err) ··· 154 156 155 157 // OptionalAuth middleware loads user info if authenticated, but doesn't require it 156 158 // Useful for endpoints that work for both authenticated and anonymous users 159 + // 160 + // Only accepts DPoP authorization scheme per RFC 9449: 161 + // - Authorization: DPoP <token> (DPoP-bound tokens) 157 162 func (m *AtProtoAuthMiddleware) OptionalAuth(next http.Handler) http.Handler { 158 163 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 159 164 // Extract Authorization header 160 165 authHeader := r.Header.Get("Authorization") 161 - if authHeader == "" || !strings.HasPrefix(authHeader, "Bearer ") { 162 - // Not authenticated - continue without user context 166 + 167 + // Only accept DPoP scheme per RFC 9449 168 + // HTTP auth schemes are case-insensitive per RFC 7235 169 + token, ok := extractDPoPToken(authHeader) 170 + if !ok { 171 + // Not authenticated or invalid format - continue without user context 163 172 next.ServeHTTP(w, r) 164 173 return 165 174 } 166 - 167 - token := strings.TrimPrefix(authHeader, "Bearer ") 168 - token = strings.TrimSpace(token) 169 175 170 176 var claims *auth.Claims 171 177 var err error ··· 202 208 return 203 209 } 204 210 205 - proof, err := m.verifyDPoPBinding(r, claims, dpopHeader) 211 + proof, err := m.verifyDPoPBinding(r, claims, dpopHeader, token) 206 212 if err != nil { 207 213 // DPoP verification failed - cannot trust this token 208 214 log.Printf("[AUTH_WARNING] Optional auth: DPoP verification failed - treating as unauthenticated: %v", err) ··· 280 286 // 281 287 // This prevents token theft attacks by proving the client possesses the private key 282 288 // corresponding to the public key thumbprint in the token's cnf.jkt claim. 283 - func (m *AtProtoAuthMiddleware) verifyDPoPBinding(r *http.Request, claims *auth.Claims, dpopProofHeader string) (*auth.DPoPProof, error) { 289 + func (m *AtProtoAuthMiddleware) verifyDPoPBinding(r *http.Request, claims *auth.Claims, dpopProofHeader, accessToken string) (*auth.DPoPProof, error) { 284 290 // Extract the cnf.jkt claim from the already-verified token 285 291 jkt, err := auth.ExtractCnfJkt(claims) 286 292 if err != nil { ··· 288 294 } 289 295 290 296 // Build the HTTP URI for DPoP verification 291 - // Use the full URL including scheme and host 292 - scheme := strings.TrimSpace(r.URL.Scheme) 297 + // Use the full URL including scheme and host, respecting proxy headers 298 + scheme, host := extractSchemeAndHost(r) 299 + 300 + // Use EscapedPath to preserve percent-encoding (P3 fix) 301 + // r.URL.Path is decoded, but DPoP proofs contain the raw encoded path 302 + path := r.URL.EscapedPath() 303 + if path == "" { 304 + path = r.URL.Path // Fallback if EscapedPath returns empty 305 + } 306 + 307 + httpURI := scheme + "://" + host + path 308 + 309 + // Verify the DPoP proof 310 + proof, err := m.dpopVerifier.VerifyDPoPProof(dpopProofHeader, r.Method, httpURI) 311 + if err != nil { 312 + return nil, fmt.Errorf("DPoP proof verification failed: %w", err) 313 + } 314 + 315 + // Verify the binding between the proof and the token (cnf.jkt) 316 + if err := m.dpopVerifier.VerifyTokenBinding(proof, jkt); err != nil { 317 + return nil, fmt.Errorf("DPoP binding verification failed: %w", err) 318 + } 319 + 320 + // Verify the access token hash (ath) if present in the proof 321 + // Per RFC 9449 section 4.2, if ath is present, it MUST match the access token 322 + if err := m.dpopVerifier.VerifyAccessTokenHash(proof, accessToken); err != nil { 323 + return nil, fmt.Errorf("DPoP ath verification failed: %w", err) 324 + } 325 + 326 + return proof, nil 327 + } 328 + 329 + // extractSchemeAndHost extracts the scheme and host from the request, 330 + // respecting proxy headers (X-Forwarded-Proto, X-Forwarded-Host, Forwarded). 331 + // This is critical for DPoP verification when behind TLS-terminating proxies. 332 + func extractSchemeAndHost(r *http.Request) (scheme, host string) { 333 + // Start with request defaults 334 + scheme = r.URL.Scheme 335 + host = r.Host 336 + 337 + // Check X-Forwarded-Proto for scheme (most common) 293 338 if forwardedProto := r.Header.Get("X-Forwarded-Proto"); forwardedProto != "" { 294 - // Forwarded proto may contain a comma-separated list; use the first entry 295 339 parts := strings.Split(forwardedProto, ",") 296 340 if len(parts) > 0 && strings.TrimSpace(parts[0]) != "" { 297 341 scheme = strings.ToLower(strings.TrimSpace(parts[0])) 298 342 } 299 343 } 344 + 345 + // Check X-Forwarded-Host for host (common with nginx/traefik) 346 + if forwardedHost := r.Header.Get("X-Forwarded-Host"); forwardedHost != "" { 347 + parts := strings.Split(forwardedHost, ",") 348 + if len(parts) > 0 && strings.TrimSpace(parts[0]) != "" { 349 + host = strings.TrimSpace(parts[0]) 350 + } 351 + } 352 + 353 + // Check standard Forwarded header (RFC 7239) - takes precedence if present 354 + // Format: Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43;host=example.com 355 + // RFC 7239 allows: mixed-case keys (Proto, PROTO), quoted values (host="example.com") 356 + if forwarded := r.Header.Get("Forwarded"); forwarded != "" { 357 + // Parse the first entry (comma-separated list) 358 + firstEntry := strings.Split(forwarded, ",")[0] 359 + for _, part := range strings.Split(firstEntry, ";") { 360 + part = strings.TrimSpace(part) 361 + // Split on first '=' to properly handle key=value pairs 362 + if idx := strings.Index(part, "="); idx != -1 { 363 + key := strings.ToLower(strings.TrimSpace(part[:idx])) 364 + value := strings.TrimSpace(part[idx+1:]) 365 + // Strip optional quotes per RFC 7239 section 4 366 + value = strings.Trim(value, "\"") 367 + 368 + switch key { 369 + case "proto": 370 + scheme = strings.ToLower(value) 371 + case "host": 372 + host = value 373 + } 374 + } 375 + } 376 + } 377 + 378 + // Fallback scheme detection from TLS 300 379 if scheme == "" { 301 380 if r.TLS != nil { 302 381 scheme = "https" ··· 304 383 scheme = "http" 305 384 } 306 385 } 307 - scheme = strings.ToLower(scheme) 308 - httpURI := scheme + "://" + r.Host + r.URL.Path 309 386 310 - // Verify the DPoP proof 311 - proof, err := m.dpopVerifier.VerifyDPoPProof(dpopProofHeader, r.Method, httpURI) 312 - if err != nil { 313 - return nil, fmt.Errorf("DPoP proof verification failed: %w", err) 314 - } 315 - 316 - // Verify the binding between the proof and the token 317 - if err := m.dpopVerifier.VerifyTokenBinding(proof, jkt); err != nil { 318 - return nil, fmt.Errorf("DPoP binding verification failed: %w", err) 319 - } 320 - 321 - return proof, nil 387 + return strings.ToLower(scheme), host 322 388 } 323 389 324 390 // writeAuthError writes a JSON error response for authentication failures ··· 331 397 log.Printf("Failed to write auth error response: %v", err) 332 398 } 333 399 } 400 + 401 + // extractDPoPToken extracts the token from a DPoP Authorization header. 402 + // HTTP auth schemes are case-insensitive per RFC 7235, so "DPoP", "dpop", "DPOP" are all valid. 403 + // Returns the token and true if valid DPoP scheme, empty string and false otherwise. 404 + func extractDPoPToken(authHeader string) (string, bool) { 405 + if authHeader == "" { 406 + return "", false 407 + } 408 + 409 + // Split on first space: "DPoP <token>" -> ["DPoP", "<token>"] 410 + parts := strings.SplitN(authHeader, " ", 2) 411 + if len(parts) != 2 { 412 + return "", false 413 + } 414 + 415 + // Case-insensitive scheme comparison per RFC 7235 416 + if !strings.EqualFold(parts[0], "DPoP") { 417 + return "", false 418 + } 419 + 420 + token := strings.TrimSpace(parts[1]) 421 + if token == "" { 422 + return "", false 423 + } 424 + 425 + return token, true 426 + }

+378 -16

internal/api/middleware/auth_test.go

··· 6 6 "crypto/ecdsa" 7 7 "crypto/elliptic" 8 8 "crypto/rand" 9 + "crypto/sha256" 9 10 "encoding/base64" 10 11 "fmt" 11 12 "net/http" 12 13 "net/http/httptest" 14 + "strings" 13 15 "testing" 14 16 "time" 15 17 ··· 45 47 return tokenString 46 48 } 47 49 48 - // TestRequireAuth_ValidToken tests that valid tokens are accepted (Phase 1) 50 + // TestRequireAuth_ValidToken tests that valid tokens are accepted with DPoP scheme (Phase 1) 49 51 func TestRequireAuth_ValidToken(t *testing.T) { 50 52 fetcher := &mockJWKSFetcher{} 51 53 middleware := NewAtProtoAuthMiddleware(fetcher, true) // skipVerify=true ··· 75 77 76 78 token := createTestToken("did:plc:test123") 77 79 req := httptest.NewRequest("GET", "/test", nil) 78 - req.Header.Set("Authorization", "Bearer "+token) 80 + req.Header.Set("Authorization", "DPoP "+token) 79 81 w := httptest.NewRecorder() 80 82 81 83 handler.ServeHTTP(w, req) ··· 109 111 } 110 112 } 111 113 112 - // TestRequireAuth_InvalidAuthHeaderFormat tests that non-Bearer tokens are rejected 114 + // TestRequireAuth_InvalidAuthHeaderFormat tests that non-DPoP tokens are rejected (including Bearer) 113 115 func TestRequireAuth_InvalidAuthHeaderFormat(t *testing.T) { 114 116 fetcher := &mockJWKSFetcher{} 115 117 middleware := NewAtProtoAuthMiddleware(fetcher, true) 116 118 119 + tests := []struct { 120 + name string 121 + header string 122 + }{ 123 + {"Basic auth", "Basic dGVzdDp0ZXN0"}, 124 + {"Bearer scheme", "Bearer some-token"}, 125 + {"Invalid format", "InvalidFormat"}, 126 + } 127 + 128 + for _, tt := range tests { 129 + t.Run(tt.name, func(t *testing.T) { 130 + handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 131 + t.Error("handler should not be called") 132 + })) 133 + 134 + req := httptest.NewRequest("GET", "/test", nil) 135 + req.Header.Set("Authorization", tt.header) 136 + w := httptest.NewRecorder() 137 + 138 + handler.ServeHTTP(w, req) 139 + 140 + if w.Code != http.StatusUnauthorized { 141 + t.Errorf("expected status 401, got %d", w.Code) 142 + } 143 + }) 144 + } 145 + } 146 + 147 + // TestRequireAuth_BearerRejectionErrorMessage verifies that Bearer tokens are rejected 148 + // with a helpful error message guiding users to use DPoP scheme 149 + func TestRequireAuth_BearerRejectionErrorMessage(t *testing.T) { 150 + fetcher := &mockJWKSFetcher{} 151 + middleware := NewAtProtoAuthMiddleware(fetcher, true) 152 + 117 153 handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 118 154 t.Error("handler should not be called") 119 155 })) 120 156 121 157 req := httptest.NewRequest("GET", "/test", nil) 122 - req.Header.Set("Authorization", "Basic dGVzdDp0ZXN0") // Wrong format 158 + req.Header.Set("Authorization", "Bearer some-token") 123 159 w := httptest.NewRecorder() 124 160 125 161 handler.ServeHTTP(w, req) 126 162 127 163 if w.Code != http.StatusUnauthorized { 128 164 t.Errorf("expected status 401, got %d", w.Code) 165 + } 166 + 167 + // Verify error message guides user to use DPoP 168 + body := w.Body.String() 169 + if !strings.Contains(body, "Expected: DPoP") { 170 + t.Errorf("error message should guide user to use DPoP, got: %s", body) 171 + } 172 + } 173 + 174 + // TestRequireAuth_CaseInsensitiveScheme verifies that DPoP scheme matching is case-insensitive 175 + // per RFC 7235 which states HTTP auth schemes are case-insensitive 176 + func TestRequireAuth_CaseInsensitiveScheme(t *testing.T) { 177 + fetcher := &mockJWKSFetcher{} 178 + middleware := NewAtProtoAuthMiddleware(fetcher, true) 179 + 180 + // Create a valid JWT for testing 181 + validToken := createValidJWT(t, "did:plc:test123", time.Hour) 182 + 183 + testCases := []struct { 184 + name string 185 + scheme string 186 + }{ 187 + {"lowercase", "dpop"}, 188 + {"uppercase", "DPOP"}, 189 + {"mixed_case", "DpOp"}, 190 + {"standard", "DPoP"}, 191 + } 192 + 193 + for _, tc := range testCases { 194 + t.Run(tc.name, func(t *testing.T) { 195 + handlerCalled := false 196 + handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 197 + handlerCalled = true 198 + w.WriteHeader(http.StatusOK) 199 + })) 200 + 201 + req := httptest.NewRequest("GET", "/test", nil) 202 + req.Header.Set("Authorization", tc.scheme+" "+validToken) 203 + w := httptest.NewRecorder() 204 + 205 + handler.ServeHTTP(w, req) 206 + 207 + if !handlerCalled { 208 + t.Errorf("scheme %q should be accepted (case-insensitive per RFC 7235), got status %d: %s", 209 + tc.scheme, w.Code, w.Body.String()) 210 + } 211 + }) 129 212 } 130 213 } 131 214 ··· 139 222 })) 140 223 141 224 req := httptest.NewRequest("GET", "/test", nil) 142 - req.Header.Set("Authorization", "Bearer not-a-valid-jwt") 225 + req.Header.Set("Authorization", "DPoP not-a-valid-jwt") 143 226 w := httptest.NewRecorder() 144 227 145 228 handler.ServeHTTP(w, req) ··· 171 254 tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType) 172 255 173 256 req := httptest.NewRequest("GET", "/test", nil) 174 - req.Header.Set("Authorization", "Bearer "+tokenString) 257 + req.Header.Set("Authorization", "DPoP "+tokenString) 175 258 w := httptest.NewRecorder() 176 259 177 260 handler.ServeHTTP(w, req) ··· 203 286 tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType) 204 287 205 288 req := httptest.NewRequest("GET", "/test", nil) 206 - req.Header.Set("Authorization", "Bearer "+tokenString) 289 + req.Header.Set("Authorization", "DPoP "+tokenString) 207 290 w := httptest.NewRecorder() 208 291 209 292 handler.ServeHTTP(w, req) ··· 213 296 } 214 297 } 215 298 216 - // TestOptionalAuth_WithToken tests that OptionalAuth accepts valid tokens 299 + // TestOptionalAuth_WithToken tests that OptionalAuth accepts valid DPoP tokens 217 300 func TestOptionalAuth_WithToken(t *testing.T) { 218 301 fetcher := &mockJWKSFetcher{} 219 302 middleware := NewAtProtoAuthMiddleware(fetcher, true) ··· 233 316 234 317 token := createTestToken("did:plc:test123") 235 318 req := httptest.NewRequest("GET", "/test", nil) 236 - req.Header.Set("Authorization", "Bearer "+token) 319 + req.Header.Set("Authorization", "DPoP "+token) 237 320 w := httptest.NewRecorder() 238 321 239 322 handler.ServeHTTP(w, req) ··· 299 382 })) 300 383 301 384 req := httptest.NewRequest("GET", "/test", nil) 302 - req.Header.Set("Authorization", "Bearer not-a-valid-jwt") 385 + req.Header.Set("Authorization", "DPoP not-a-valid-jwt") 303 386 w := httptest.NewRecorder() 304 387 305 388 handler.ServeHTTP(w, req) ··· 393 476 })) 394 477 395 478 req := httptest.NewRequest("GET", "https://test.local/api/endpoint", nil) 396 - req.Header.Set("Authorization", "Bearer "+tokenString) 479 + req.Header.Set("Authorization", "DPoP "+tokenString) 397 480 req.Header.Set("DPoP", dpopProof) 398 481 w := httptest.NewRecorder() 399 482 ··· 437 520 })) 438 521 439 522 req := httptest.NewRequest("GET", "https://test.local/api/endpoint", nil) 440 - req.Header.Set("Authorization", "Bearer "+tokenString) 523 + req.Header.Set("Authorization", "DPoP "+tokenString) 441 524 // No DPoP header 442 525 w := httptest.NewRecorder() 443 526 ··· 488 571 })) 489 572 490 573 req := httptest.NewRequest("POST", "https://api.example.com/protected", nil) 491 - req.Header.Set("Authorization", "Bearer "+tokenString) 574 + req.Header.Set("Authorization", "DPoP "+tokenString) 492 575 req.Header.Set("DPoP", dpopProof) 493 576 w := httptest.NewRecorder() 494 577 ··· 537 620 req.Host = "api.example.com" 538 621 req.Header.Set("X-Forwarded-Proto", "https") 539 622 540 - proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof) 623 + // Pass a fake access token - ath verification will pass since we don't include ath in the DPoP proof 624 + fakeAccessToken := "fake-access-token-for-testing" 625 + proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof, fakeAccessToken) 541 626 if err != nil { 542 627 t.Fatalf("expected DPoP verification to succeed with forwarded proto, got %v", err) 543 628 } ··· 547 632 } 548 633 } 549 634 635 + // TestVerifyDPoPBinding_UsesForwardedHost ensures we honor X-Forwarded-Host header 636 + // when behind a TLS-terminating proxy that rewrites the Host header. 637 + func TestVerifyDPoPBinding_UsesForwardedHost(t *testing.T) { 638 + privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) 639 + if err != nil { 640 + t.Fatalf("failed to generate key: %v", err) 641 + } 642 + 643 + jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey) 644 + thumbprint, err := auth.CalculateJWKThumbprint(jwk) 645 + if err != nil { 646 + t.Fatalf("failed to calculate thumbprint: %v", err) 647 + } 648 + 649 + claims := &auth.Claims{ 650 + RegisteredClaims: jwt.RegisteredClaims{ 651 + Subject: "did:plc:test123", 652 + Issuer: "https://test.pds.local", 653 + ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)), 654 + IssuedAt: jwt.NewNumericDate(time.Now()), 655 + }, 656 + Scope: "atproto", 657 + Confirmation: map[string]interface{}{ 658 + "jkt": thumbprint, 659 + }, 660 + } 661 + 662 + middleware := NewAtProtoAuthMiddleware(&mockJWKSFetcher{}, false) 663 + defer middleware.Stop() 664 + 665 + // External URI that the client uses 666 + externalURI := "https://api.example.com/protected/resource" 667 + dpopProof := createDPoPProof(t, privateKey, "GET", externalURI) 668 + 669 + // Request hits internal service with internal hostname, but X-Forwarded-Host has public hostname 670 + req := httptest.NewRequest("GET", "http://internal-service:8080/protected/resource", nil) 671 + req.Host = "internal-service:8080" // Internal host after proxy 672 + req.Header.Set("X-Forwarded-Proto", "https") 673 + req.Header.Set("X-Forwarded-Host", "api.example.com") // Original public host 674 + 675 + fakeAccessToken := "fake-access-token-for-testing" 676 + proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof, fakeAccessToken) 677 + if err != nil { 678 + t.Fatalf("expected DPoP verification to succeed with X-Forwarded-Host, got %v", err) 679 + } 680 + 681 + if proof == nil || proof.Claims == nil { 682 + t.Fatal("expected DPoP proof to be returned") 683 + } 684 + } 685 + 686 + // TestVerifyDPoPBinding_UsesStandardForwardedHeader tests RFC 7239 Forwarded header parsing 687 + func TestVerifyDPoPBinding_UsesStandardForwardedHeader(t *testing.T) { 688 + privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) 689 + if err != nil { 690 + t.Fatalf("failed to generate key: %v", err) 691 + } 692 + 693 + jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey) 694 + thumbprint, err := auth.CalculateJWKThumbprint(jwk) 695 + if err != nil { 696 + t.Fatalf("failed to calculate thumbprint: %v", err) 697 + } 698 + 699 + claims := &auth.Claims{ 700 + RegisteredClaims: jwt.RegisteredClaims{ 701 + Subject: "did:plc:test123", 702 + Issuer: "https://test.pds.local", 703 + ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)), 704 + IssuedAt: jwt.NewNumericDate(time.Now()), 705 + }, 706 + Scope: "atproto", 707 + Confirmation: map[string]interface{}{ 708 + "jkt": thumbprint, 709 + }, 710 + } 711 + 712 + middleware := NewAtProtoAuthMiddleware(&mockJWKSFetcher{}, false) 713 + defer middleware.Stop() 714 + 715 + // External URI 716 + externalURI := "https://api.example.com/protected/resource" 717 + dpopProof := createDPoPProof(t, privateKey, "GET", externalURI) 718 + 719 + // Request with standard Forwarded header (RFC 7239) 720 + req := httptest.NewRequest("GET", "http://internal-service/protected/resource", nil) 721 + req.Host = "internal-service" 722 + req.Header.Set("Forwarded", "for=192.0.2.60;proto=https;host=api.example.com") 723 + 724 + fakeAccessToken := "fake-access-token-for-testing" 725 + proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof, fakeAccessToken) 726 + if err != nil { 727 + t.Fatalf("expected DPoP verification to succeed with Forwarded header, got %v", err) 728 + } 729 + 730 + if proof == nil { 731 + t.Fatal("expected DPoP proof to be returned") 732 + } 733 + } 734 + 735 + // TestVerifyDPoPBinding_ForwardedMixedCaseAndQuotes tests RFC 7239 edge cases: 736 + // mixed-case keys (Proto vs proto) and quoted values (host="example.com") 737 + func TestVerifyDPoPBinding_ForwardedMixedCaseAndQuotes(t *testing.T) { 738 + privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) 739 + if err != nil { 740 + t.Fatalf("failed to generate key: %v", err) 741 + } 742 + 743 + jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey) 744 + thumbprint, err := auth.CalculateJWKThumbprint(jwk) 745 + if err != nil { 746 + t.Fatalf("failed to calculate thumbprint: %v", err) 747 + } 748 + 749 + claims := &auth.Claims{ 750 + RegisteredClaims: jwt.RegisteredClaims{ 751 + Subject: "did:plc:test123", 752 + Issuer: "https://test.pds.local", 753 + ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)), 754 + IssuedAt: jwt.NewNumericDate(time.Now()), 755 + }, 756 + Scope: "atproto", 757 + Confirmation: map[string]interface{}{ 758 + "jkt": thumbprint, 759 + }, 760 + } 761 + 762 + middleware := NewAtProtoAuthMiddleware(&mockJWKSFetcher{}, false) 763 + defer middleware.Stop() 764 + 765 + // External URI that the client uses 766 + externalURI := "https://api.example.com/protected/resource" 767 + dpopProof := createDPoPProof(t, privateKey, "GET", externalURI) 768 + 769 + // Request with RFC 7239 Forwarded header using: 770 + // - Mixed-case keys: "Proto" instead of "proto", "Host" instead of "host" 771 + // - Quoted value: Host="api.example.com" (legal per RFC 7239 section 4) 772 + req := httptest.NewRequest("GET", "http://internal-service/protected/resource", nil) 773 + req.Host = "internal-service" 774 + req.Header.Set("Forwarded", `for=192.0.2.60;Proto=https;Host="api.example.com"`) 775 + 776 + fakeAccessToken := "fake-access-token-for-testing" 777 + proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof, fakeAccessToken) 778 + if err != nil { 779 + t.Fatalf("expected DPoP verification to succeed with mixed-case/quoted Forwarded header, got %v", err) 780 + } 781 + 782 + if proof == nil { 783 + t.Fatal("expected DPoP proof to be returned") 784 + } 785 + } 786 + 787 + // TestVerifyDPoPBinding_AthValidation tests access token hash (ath) claim validation 788 + func TestVerifyDPoPBinding_AthValidation(t *testing.T) { 789 + privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) 790 + if err != nil { 791 + t.Fatalf("failed to generate key: %v", err) 792 + } 793 + 794 + jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey) 795 + thumbprint, err := auth.CalculateJWKThumbprint(jwk) 796 + if err != nil { 797 + t.Fatalf("failed to calculate thumbprint: %v", err) 798 + } 799 + 800 + claims := &auth.Claims{ 801 + RegisteredClaims: jwt.RegisteredClaims{ 802 + Subject: "did:plc:test123", 803 + Issuer: "https://test.pds.local", 804 + ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)), 805 + IssuedAt: jwt.NewNumericDate(time.Now()), 806 + }, 807 + Scope: "atproto", 808 + Confirmation: map[string]interface{}{ 809 + "jkt": thumbprint, 810 + }, 811 + } 812 + 813 + middleware := NewAtProtoAuthMiddleware(&mockJWKSFetcher{}, false) 814 + defer middleware.Stop() 815 + 816 + accessToken := "real-access-token-12345" 817 + 818 + t.Run("ath_matches_access_token", func(t *testing.T) { 819 + // Create DPoP proof with ath claim matching the access token 820 + dpopProof := createDPoPProofWithAth(t, privateKey, "GET", "https://api.example.com/resource", accessToken) 821 + 822 + req := httptest.NewRequest("GET", "https://api.example.com/resource", nil) 823 + req.Host = "api.example.com" 824 + 825 + proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof, accessToken) 826 + if err != nil { 827 + t.Fatalf("expected verification to succeed with matching ath, got %v", err) 828 + } 829 + if proof == nil { 830 + t.Fatal("expected proof to be returned") 831 + } 832 + }) 833 + 834 + t.Run("ath_mismatch_rejected", func(t *testing.T) { 835 + // Create DPoP proof with ath for a DIFFERENT token 836 + differentToken := "different-token-67890" 837 + dpopProof := createDPoPProofWithAth(t, privateKey, "POST", "https://api.example.com/resource", differentToken) 838 + 839 + req := httptest.NewRequest("POST", "https://api.example.com/resource", nil) 840 + req.Host = "api.example.com" 841 + 842 + // Try to use with the original access token - should fail 843 + _, err := middleware.verifyDPoPBinding(req, claims, dpopProof, accessToken) 844 + if err == nil { 845 + t.Fatal("SECURITY: expected verification to fail when ath doesn't match access token") 846 + } 847 + if !strings.Contains(err.Error(), "ath") { 848 + t.Errorf("error should mention ath mismatch, got: %v", err) 849 + } 850 + }) 851 + } 852 + 550 853 // TestMiddlewareStop tests that the middleware can be stopped properly 551 854 func TestMiddlewareStop(t *testing.T) { 552 855 fetcher := &mockJWKSFetcher{} ··· 607 910 })) 608 911 609 912 req := httptest.NewRequest("GET", "/test", nil) 610 - req.Header.Set("Authorization", "Bearer "+tokenString) 913 + req.Header.Set("Authorization", "DPoP "+tokenString) 611 914 // Deliberately NOT setting DPoP header 612 915 w := httptest.NewRecorder() 613 916 ··· 639 942 })) 640 943 641 944 req := httptest.NewRequest("GET", "/test", nil) 642 - req.Header.Set("Authorization", "Bearer "+tokenString) 945 + req.Header.Set("Authorization", "DPoP "+tokenString) 643 946 // No DPoP header 644 947 w := httptest.NewRecorder() 645 948 ··· 709 1012 return signedToken 710 1013 } 711 1014 1015 + // Helper: createDPoPProofWithAth creates a DPoP proof JWT with ath (access token hash) claim 1016 + func createDPoPProofWithAth(t *testing.T, privateKey *ecdsa.PrivateKey, method, uri, accessToken string) string { 1017 + // Create JWK from public key 1018 + jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey) 1019 + 1020 + // Calculate ath: base64url(SHA-256(access_token)) 1021 + hash := sha256.Sum256([]byte(accessToken)) 1022 + ath := base64.RawURLEncoding.EncodeToString(hash[:]) 1023 + 1024 + // Create DPoP claims with ath 1025 + claims := auth.DPoPClaims{ 1026 + RegisteredClaims: jwt.RegisteredClaims{ 1027 + IssuedAt: jwt.NewNumericDate(time.Now()), 1028 + ID: uuid.New().String(), 1029 + }, 1030 + HTTPMethod: method, 1031 + HTTPURI: uri, 1032 + AccessTokenHash: ath, 1033 + } 1034 + 1035 + // Create token with custom header 1036 + token := jwt.NewWithClaims(jwt.SigningMethodES256, claims) 1037 + token.Header["typ"] = "dpop+jwt" 1038 + token.Header["jwk"] = jwk 1039 + 1040 + // Sign with private key 1041 + signedToken, err := token.SignedString(privateKey) 1042 + if err != nil { 1043 + t.Fatalf("failed to sign DPoP proof: %v", err) 1044 + } 1045 + 1046 + return signedToken 1047 + } 1048 + 712 1049 // Helper: ecdsaPublicKeyToJWK converts an ECDSA public key to JWK map 713 1050 func ecdsaPublicKeyToJWK(pubKey *ecdsa.PublicKey) map[string]interface{} { 714 1051 // Get curve name ··· 742 1079 "y": base64.RawURLEncoding.EncodeToString(yPadded), 743 1080 } 744 1081 } 1082 + 1083 + // Helper: createValidJWT creates a valid unsigned JWT token for testing 1084 + // This is used with skipVerify=true middleware where signature verification is skipped 1085 + func createValidJWT(t *testing.T, subject string, expiry time.Duration) string { 1086 + t.Helper() 1087 + 1088 + claims := auth.Claims{ 1089 + RegisteredClaims: jwt.RegisteredClaims{ 1090 + Subject: subject, 1091 + Issuer: "https://test.pds.local", 1092 + ExpiresAt: jwt.NewNumericDate(time.Now().Add(expiry)), 1093 + IssuedAt: jwt.NewNumericDate(time.Now()), 1094 + }, 1095 + Scope: "atproto", 1096 + } 1097 + 1098 + // Create unsigned token (for skipVerify=true tests) 1099 + token := jwt.NewWithClaims(jwt.SigningMethodNone, claims) 1100 + signedToken, err := token.SignedString(jwt.UnsafeAllowNoneSignatureType) 1101 + if err != nil { 1102 + t.Fatalf("failed to create test JWT: %v", err) 1103 + } 1104 + 1105 + return signedToken 1106 + }

+21

internal/atproto/auth/dpop.go

··· 314 314 return nil 315 315 } 316 316 317 + // VerifyAccessTokenHash verifies the DPoP proof's ath (access token hash) claim 318 + // matches the SHA-256 hash of the presented access token. 319 + // Per RFC 9449 section 4.2, if ath is present, the RS MUST verify it. 320 + func (v *DPoPVerifier) VerifyAccessTokenHash(proof *DPoPProof, accessToken string) error { 321 + // If ath claim is not present, that's acceptable per RFC 9449 322 + // (ath is only required when the RS mandates it) 323 + if proof.Claims.AccessTokenHash == "" { 324 + return nil 325 + } 326 + 327 + // Calculate the expected ath: base64url(SHA-256(access_token)) 328 + hash := sha256.Sum256([]byte(accessToken)) 329 + expectedAth := base64.RawURLEncoding.EncodeToString(hash[:]) 330 + 331 + if proof.Claims.AccessTokenHash != expectedAth { 332 + return fmt.Errorf("DPoP proof ath mismatch: proof bound to different access token") 333 + } 334 + 335 + return nil 336 + } 337 + 317 338 // CalculateJWKThumbprint calculates the JWK thumbprint per RFC 7638 318 339 // The thumbprint is the base64url-encoded SHA-256 hash of the canonical JWK representation 319 340 func CalculateJWKThumbprint(jwk map[string]interface{}) (string, error) {