server/middleware.go

@@ -58,13 +58,7 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
 				return
 			}
 
-			clientClaims, err := assertClientToken(
+			clientClaims, err := assertClientToken(serverClaims.PeerID, store, clientToken)
-				serverClaims.PeerID,
-				store,
-				clientToken,
-				logger,
-				options.IgnoredClientTokenErrors...,
-			)
 			if err != nil {
 				logger.Printf("[ERROR] %s", err)
 				switch err {
@@ -84,11 +78,10 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
 						return
 					}
 					sendError(w, http.StatusForbidden)
-					return
 				default:
 					sendError(w, http.StatusInternalServerError)
-					return
 				}
+				return
 			}
 
 			match, body, err := assertBodySum(r.Body, clientClaims.BodySum)
@@ -152,7 +145,7 @@ func assertServerToken(key *rsa.PublicKey, serverToken string) (*peering.ServerT
 	return claims, nil
 }
 
-func assertClientToken(peerID peering.PeerID, store peering.Store, clientToken string, logger Logger, ignoredValidationErrors ...uint32) (*peering.ClientTokenClaims, error) {
+func assertClientToken(peerID peering.PeerID, store peering.Store, clientToken string) (*peering.ClientTokenClaims, error) {
 	fn := func(token *jwt.Token) (interface{}, error) {
 		peer, err := store.Get(peerID)
 		if err != nil {
@@ -170,35 +163,22 @@ func assertClientToken(peerID peering.PeerID, store peering.Store, clientToken s
 		}
 		return publicKey, nil
 	}
-
-	getPeeringClaims := func(token *jwt.Token) (*peering.ClientTokenClaims, error) {
-		claims, ok := token.Claims.(*peering.ClientTokenClaims)
-		if !ok {
-			return nil, ErrInvalidClaims
-		}
-		return claims, nil
-	}
-
 	token, err := jwt.ParseWithClaims(clientToken, &peering.ClientTokenClaims{}, fn)
 	if err != nil {
 		validationError, ok := err.(*jwt.ValidationError)
 		if ok {
-			for _, c := range ignoredValidationErrors {
-				if validationError.Errors&c != 0 {
-					logger.Printf("ignoring token validation error: '%s'", validationError.Inner)
-					return getPeeringClaims(token)
-				}
-			}
 			return nil, validationError.Inner
 		}
 		return nil, err
 	}
-
 	if !token.Valid {
 		return nil, ErrInvalidClaims
 	}
-
+	claims, ok := token.Claims.(*peering.ClientTokenClaims)
-	return getPeeringClaims(token)
+	if !ok {
+		return nil, ErrInvalidClaims
+	}
+	return claims, nil
 }
 
 func assertBodySum(rc io.ReadCloser, bodySum []byte) (bool, []byte, error) {
@@ -220,15 +200,6 @@ func sendError(w http.ResponseWriter, status int) {
 	http.Error(w, http.StatusText(status), status)
 }
 
-func filterIgnoredValidationError(err *jwt.ValidationError, ignored ...uint32) error {
-	for _, c := range ignored {
-		if err.Errors&c != 0 {
-			return nil
-		}
-	}
-	return err
-}
-
 func compareChecksum(body []byte, sum []byte) (bool, error) {
 	sha := sha256.New()
 	_, err := sha.Write(body)

server/option.go

@@ -11,10 +11,9 @@ type Logger interface {
 }
 
 type Options struct {
-	PeerAttributes           []string
+	PeerAttributes []string
-	ErrorHandler             ErrorHandler
+	ErrorHandler   ErrorHandler
-	Logger                   Logger
+	Logger         Logger
-	IgnoredClientTokenErrors []uint32
 }
 
 type OptionFunc func(*Options)
@@ -39,19 +38,12 @@ func WithErrorHandler(handler ErrorHandler) OptionFunc {
 	}
 }
 
-func WithIgnoredClientTokenErrors(codes ...uint32) OptionFunc {
-	return func(options *Options) {
-		options.IgnoredClientTokenErrors = codes
-	}
-}
-
 func defaultOptions() *Options {
 	logger := log.New(os.Stdout, "[go-http-peering] ", log.LstdFlags|log.Lshortfile)
 	return &Options{
-		PeerAttributes:           []string{"Label"},
+		PeerAttributes: []string{"Label"},
-		ErrorHandler:             DefaultErrorHandler,
+		ErrorHandler:   DefaultErrorHandler,
-		Logger:                   logger,
+		Logger:         logger,
-		IgnoredClientTokenErrors: make([]uint32, 0),
 	}
 }