ThijsFeryn · February 13, 2017 09:25
diff --git a/jwt.vcl b/jwt.vcl
 sub jwt {
    if(req.http.cookie ~ "^([^;]+;[ ]*)*token=[^\.]+\.[^\.]+\.[^\.]+([ ]*;[^;]+)*$") {
        set req.http.x-token = ";" + req.http.Cookie;
        set req.http.x-token = regsuball(req.http.x-token, "; +", ";");
        set req.http.x-token = regsuball(req.http.x-token, ";(token)=","; \1=");
        set req.http.x-token = regsuball(req.http.x-token, ";[^ ][^;]*", "");
        set req.http.x-token = regsuball(req.http.x-token, "^[; ]+|[; ]+$", "");

        set req.http.tmpHeader = regsub(req.http.x-token,"token=([^\.]+)\.[^\.]+\.[^\.]+","\1");
        set req.http.tmpTyp = regsub(digest.base64url_decode(req.http.tmpHeader),{"^.*?"typ"\s*:\s*"(\w+)".*?$"},"\1");
        set req.http.tmpAlg = regsub(digest.base64url_decode(req.http.tmpHeader),{"^.*?"alg"\s*:\s*"(\w+)".*?$"},"\1");

        if(req.http.tmpTyp != "JWT") {
            return(synth(400, "Token is not a JWT: " + req.http.tmpHeader));
        }
        if(req.http.tmpAlg != "HS256") {
            return(synth(400, "Token does not use HS256 hashing"));
        }

        set req.http.tmpPayload = regsub(req.http.x-token,"token=[^\.]+\.([^\.]+)\.[^\.]+$","\1");

        set req.http.tmpRequestSig = regsub(req.http.x-token,"^[^\.]+\.[^\.]+\.([^\.]+)$","\1");
        set req.http.tmpCorrectSig = digest.base64url_nopad_hex(digest.hmac_sha256("SlowWebSitesSuck",req.http.tmpHeader + "." + req.http.tmpPayload));

        if(req.http.tmpRequestSig != req.http.tmpCorrectSig) {
            return(synth(403, "Invalid JWT signature"));
        }

        set req.http.tmpPayload = digest.base64url_decode(req.http.tmpPayload);
        set req.http.X-Login = regsub(req.http.tmpPayload,{"^.*?"login"\s*:\s*(\w+).*?$"},"\1");
        set req.http.X-Username = regsub(req.http.tmpPayload,{"^.*?"sub"\s*:\s*"(\w+)".*?$"},"\1");

        unset req.http.tmpHeader;
        unset req.http.tmpTyp;
        unset req.http.tmpAlg;
        unset req.http.tmpPayload;
        unset req.http.tmpRequestSig;
        unset req.http.tmpCorrectSig;
        unset req.http.tmpPayload;
    }
 }
	sub jwt {
	if(req.http.cookie ~ "^([^;]+;[ ])token=[^\.]+\.[^\.]+\.[^\.]+([ ];[^;]+)$") {
	set req.http.x-token = ";" + req.http.Cookie;
	set req.http.x-token = regsuball(req.http.x-token, "; +", ";");
	set req.http.x-token = regsuball(req.http.x-token, ";(token)=","; \1=");
	set req.http.x-token = regsuball(req.http.x-token, ";[^ ][^;]*", "");
	set req.http.x-token = regsuball(req.http.x-token, "^[; ]+\|[; ]+$", "");

	set req.http.tmpHeader = regsub(req.http.x-token,"token=([^\.]+)\.[^\.]+\.[^\.]+","\1");
	set req.http.tmpTyp = regsub(digest.base64url_decode(req.http.tmpHeader),{"^.?"typ"\s:\s"(\w+)".?$"},"\1");
	set req.http.tmpAlg = regsub(digest.base64url_decode(req.http.tmpHeader),{"^.?"alg"\s:\s"(\w+)".?$"},"\1");

	if(req.http.tmpTyp != "JWT") {
	return(synth(400, "Token is not a JWT: " + req.http.tmpHeader));
	}
	if(req.http.tmpAlg != "HS256") {
	return(synth(400, "Token does not use HS256 hashing"));
	}

	set req.http.tmpPayload = regsub(req.http.x-token,"token=[^\.]+\.([^\.]+)\.[^\.]+$","\1");

	set req.http.tmpRequestSig = regsub(req.http.x-token,"^[^\.]+\.[^\.]+\.([^\.]+)$","\1");
	set req.http.tmpCorrectSig = digest.base64url_nopad_hex(digest.hmac_sha256("SlowWebSitesSuck",req.http.tmpHeader + "." + req.http.tmpPayload));

	if(req.http.tmpRequestSig != req.http.tmpCorrectSig) {
	return(synth(403, "Invalid JWT signature"));
	}

	set req.http.tmpPayload = digest.base64url_decode(req.http.tmpPayload);
	set req.http.X-Login = regsub(req.http.tmpPayload,{"^.?"login"\s:\s(\w+).?$"},"\1");
	set req.http.X-Username = regsub(req.http.tmpPayload,{"^.?"sub"\s:\s"(\w+)".?$"},"\1");

	unset req.http.tmpHeader;
	unset req.http.tmpTyp;
	unset req.http.tmpAlg;
	unset req.http.tmpPayload;
	unset req.http.tmpRequestSig;
	unset req.http.tmpCorrectSig;
	unset req.http.tmpPayload;
	}
	}