##########################################################################################
VID-12: Token Checker
##########################################################################################

Issue Type: New Feature
-----------------------------------------------------------------------------------------

Issue Information
====================

Priority: Major
Status: Closed
Resolution: Done (2019-04-18 18:10:49)
Project: Videos.bentasker.co.uk (VID)
Reported By: btasker
Assigned To: btasker
Components:
- Authentication
Targeted for fix in version:
- v0.14
Time Estimate: 0 minutes
Time Logged: 0 minutes

-----------------------------------------------------------------------------------------

Issue Description
==================

Need to implement a token validator which can be run in Openresty to validate that a HMAC token provided as part of the URL is valid.

The tokens are minted by the script created in VID-11 and are a SHA256 HMAC generated over a string comprised of the following

-- BEGIN SNIPPET --
vidpath:expiry:clientip
-- END SNIPPET --

To be considered valid:

- The token must not have expired (i.e. os.time() < expiry; a token is expired once os.time() >= expiry)
- The HMAC must validate (i.e. regenerating the HMAC with the secret over the request's path, the supplied expiry and the client IP yields the same value as the token supplied)

Variables used to supply the token in a request (as per VID-10) are t (token) and e (expiry) in the querystring.

Once the basic functionality is in place, want to look at improving so that a token can be used for segments too (currently we can only force protection for master manifests, otherwise playback would fail). That'll likely involve using dirname on the path when minting a token, and then adjusting the validator to push the token into a cookie (or similar).

That can be dealt with properly later - the prime concern currently being to ensure VID-11 tokens can be used - but should be kept in mind.
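The scheme described above, as an added reference model (example code written for this page, not the project's own minter or validator, and in Python rather than the Lua that runs under Openresty): it mints the vidpath:expiry:clientip HMAC-SHA256 token and validates a request URL carrying t and e in the querystring. The secret, the sample path, expiry and client IP are constructed values matching the issue's mock-up; the assumption that vidpath is the request path without its leading slash, and the (allowed, reason) return shape, are this example's own choices.

```python
"""Reference model of the VID-11 / VID-12 token scheme (added example, not the
project's code): mint path:expiry:clientip HMAC-SHA256 tokens and validate them
from the t (token) and e (expiry) query-string parameters."""
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed secret, matching the static value used in the issue's mock-up.
SECRET = b"1234abcd"


def mint_token(vidpath: str, expires: int, client_ip: str,
               secret: bytes = SECRET) -> str:
    """Hex HMAC-SHA256 over 'vidpath:expiry:clientip' (the VID-11 format)."""
    msg = f"{vidpath}:{expires}:{client_ip}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def validate_request(url: str, client_ip: str, now: Optional[int] = None,
                     secret: bytes = SECRET) -> Tuple[bool, str]:
    """Validate a request URL carrying ?t=<token>&e=<expiry>.

    Assumption (as in the mock-up): vidpath is the request path without its
    leading slash. Returns (allowed, reason) so the caller can log why a
    request was denied without telling the client.
    """
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    token = qs.get("t", [None])[0]
    expiry_str = qs.get("e", [None])[0]
    if not token or not expiry_str:
        return False, "missing"
    # The expiry is client-supplied: reject anything that is not an integer
    # instead of letting a cast blow up inside the request handler.
    try:
        expires = int(expiry_str)
    except ValueError:
        return False, "bad expiry"
    now = int(time.time()) if now is None else now
    # Expired means os.time() >= expiry, so deny once now reaches expires.
    if now >= expires:
        return False, "expired"
    # Recompute the HMAC over the server's own view of path and client IP plus
    # the expiry the client supplied: tampering with any of the three changes
    # the expected value, so the client cannot extend its own expiry.
    expected = mint_token(parsed.path.lstrip("/"), expires, client_ip, secret)
    # Constant-time comparison: a plain == stops at the first differing byte
    # and leaks timing information about the valid token.
    if not hmac.compare_digest(expected.encode(), token.lower().encode()):
        return False, "bad token"
    return True, "ok"


if __name__ == "__main__":
    path, exp, ip = "2019/08/16.m3u8", 1555598449, "127.0.1.1"
    t = mint_token(path, exp, ip)
    print(validate_request(f"/{path}?t={t}&e={exp}", ip, now=exp - 3600))
    print(validate_request(f"/{path}?t={t}&e={exp}", ip, now=exp))
    print(validate_request(f"/{path}?t={t}&e={exp + 1}", ip, now=exp - 3600))
    print(validate_request(f"/{path}?t={t}&e={exp}", "10.0.0.5", now=exp - 3600))
```

The `now` parameter exists only so the expiry check can be exercised deterministically; an Openresty port would take the path from `ngx.var.uri`, the IP from `ngx.var.remote_addr` (or the trusted forwarded-for header if a proxy sits in front), and the two parameters from `ngx.var.arg_t` and `ngx.var.arg_e`, and would return 403 for every failure branch.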
-----------------------------------------------------------------------------------------

Issue Relations
================

- relates to VID-11: Token Minter
- relates to VID-13: Issue and validate tokens against containing directory not specific file

-----------------------------------------------------------------------------------------

Activity
==========

-----------------------------------------------------------------------------------------
2019-04-18 14:49:54 btasker
-----------------------------------------------------------------------------------------

OK, as a quick mock-up, this is sufficient to validate the HMAC itself

-- BEGIN SNIPPET --
local table = table
local require = require
local string = string
local os = os

local sha256 = require "lib.sha256"

-- Rebuild the signed string (path:expires:ip) and HMAC it with the shared secret
local function mint_token(path,expires,ip,secret)
    local mint = {path,expires,ip}
    local mintstr = table.concat(mint,':')
    -- print(mintstr)
    return sha256.hmac_sha256(secret,mintstr)
end

-- Use same static values as were used to mint the origin token
referer = 'https://snippets.bentasker.co.uk/foobar'
vidpath = '2019/08/16.m3u8'
ip = '127.0.1.1'
secret = '1234abcd'
httpref = 'https://snippets.bentasker.co.uk/foobar'

-- From the token minted earlier
local provided = '830a80dfe53cf869251eecb921416b66524b43767b1673177d055cddb826a983'
local expires = 1555598449

-- A token is expired once the current time reaches its expiry
local now = os.time()
if (now >= expires) then
    print("Deny Time")
    return
end

local nowtok = mint_token(vidpath,expires,ip,secret)

-- Compare the regenerated HMAC against the supplied token (not `now`, the timestamp);
-- a constant-time comparison would be preferable once this moves beyond a mock-up
if nowtok == provided then
    print("Auth")
else
    print("Deny Tok")
end
-- END SNIPPET --

-----------------------------------------------------------------------------------------
2019-04-18 16:13:45 git
-----------------------------------------------------------------------------------------

-- BEGIN QUOTE --
Repo: videos.bentasker.co.uk
Host:Rimmer

commit eb684167417a96d3a676c814024fa253dbdc834e
Author: B Tasker