From abbce9edf38b5752f9657f2ca3aa25a126f83dda Mon Sep 17 00:00:00 2001 From: Firstyear Date: Thu, 21 Nov 2024 16:52:43 +1000 Subject: [PATCH] Improve warning around invalid JWT deserialisation (#3224) * Improve warning around invalid JWT deserialisation * typo --- server/core/src/https/mod.rs | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/server/core/src/https/mod.rs b/server/core/src/https/mod.rs index 026dde008..d3cd43f5a 100644 --- a/server/core/src/https/mod.rs +++ b/server/core/src/https/mod.rs @@ -31,7 +31,7 @@ use axum::{ }; use axum_extra::extract::cookie::CookieJar; -use compact_jwt::{JwsCompact, JwsHs256Signer, JwsVerifier}; +use compact_jwt::{error::JwtError, JwsCompact, JwsHs256Signer, JwsVerifier}; use futures::pin_mut; use hyper::body::Incoming; use hyper_util::rt::{TokioExecutor, TokioIo}; @@ -83,7 +83,19 @@ impl ServerState { Ok(val) => match self.jws_signer.verify(&val) { Ok(val) => val.from_json::().ok(), Err(err) => { - error!("Failed to unmarshal JWT from headers: {:?}", err); + error!(?err, "Failed to deserialise JWT from request"); + if matches!(err, JwtError::InvalidSignature) { + // The server has an ephemeral in memory HMAC signer. This is important as + // auth (login) sessions on one node shouldn't validate on another. Sessions + // that are shared beween nodes use the internal ECDSA signer. + // + // But because of this if the server restarts it rolls the key. Additionally + // it can occur if the load balancer isn't sticking sessions to the correct + // node. That can cause this error. So we want to specifically call it out + // to admins so they can investigate that the fault is occurring *outside* + // of kanidm. + warn!("Invalid Signature errors can occur if your instance restarted recently, if a load balancer is not configured for sticky sessions, or a session was tampered with."); + } None } },