Heya,
I am new to caddy and after a successful initial setup, I wanted to use the filemanager plugin, secured by the jwt plugin. A little PHP script of mine generates the token and sets it as a cookie.
Reading files works but editing/deleting/uploading doesn't. I might just be too stupid to set it up correctly but I did my best to solve it including massive amounts of googling. So here I am now, hoping you guys can help me.
My config:
    files.MYDOMAIN {
        root /var/www/MYDOMAIN/files
        internal /users.json
        import config/php7.conf # This includes a fastcgi directive for php7 (this works)
        browse /public/
        jwt {
            path /MYNAME
            allow user MYNAME
        }
        jwt {
            path /share
            allow role admin
            allow role member
        }
        browse /share/
        filemanager {
            on /MYNAME/
            show /var/www/MYDOMAIN/files/MYNAME
        }
    }
This is the interesting part of my PHP script using lcobucci/jwt version 3.2:
    <?php
    require 'vendor/autoload.php';

    use Lcobucci\JWT\Builder;
    use Lcobucci\JWT\Signer\Hmac\Sha256;

    // Same value Caddy reads from the JWT_SECRET environment variable.
    $jwt_secret = 'I wont show this but it also is exported to the JWT_SECRET environment variable. ;)';
    // Token and cookie lifetime in seconds.
    $expiration_time = 3600;

    // users.json maps username => ['pwd' => <password_hash()>, 'role' => <role>]
    $users = json_decode(file_get_contents('users.json'), true);
    $username = array_key_exists('username', $_POST) ? $_POST['username'] : null;

    if ($username !== null) {
        $user = array_key_exists($username, $users) ? $users[$username] : null;
        // Missing password field should fail verification, not raise a notice.
        $pwd = $_POST['password'] ?? '';
        if ($user !== null && password_verify($pwd, $user['pwd'])) {
            $hmac = new Sha256();
            // HS256 token carrying the 'user' and 'role' claims that the
            // Caddy jwt directives ("allow user", "allow role") check.
            $token = (new Builder())
                ->setIssuer('https://files.MYDOMAIN')
                ->setAudience('https://files.MYDOMAIN')
                ->setIssuedAt(time())
                ->setNotBefore(time())
                ->setExpiration(time() + $expiration_time)
                ->set('user', $username)
                ->set('role', $user['role'])
                ->sign($hmac, $jwt_secret)
                ->getToken();
            // Cookie name 'jwt_token' is what the Caddy jwt plugin looks for;
            // Secure flag set, scoped to the files host.
            setcookie('jwt_token', (string) $token, time() + $expiration_time, '/', 'files.MYDOMAIN', true);
            header("Location: https://files.MYDOMAIN/" . $username);
            $result = "success";
        } else {
            $result = "failure";
        }
    } else {
        $result = "";
    }
So again: Reading files works.
However, when I want to delete, edit or upload a file I get a 403 Forbidden response. I looked into the headers that were sent and the cookie is being transmitted correctly.
Is this some problem with the jwt middleware and xhr requests? I didn’t find anything in the jwt middleware issues on GitHub.
Has anyone experienced something like that? I wanted to make sure it’s not a dumb mistake of mine before opening an issue.
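As an added, stand-alone check (not the poster's code or the Caddy plugin's), the following re-implements HS256 token verification with the standard library and evaluates the `allow user` / `allow role` rules from the Caddyfile above against the claims the PHP script issues. The secret, claims and request paths are constructed placeholders; path matching is assumed to be prefix-based, as Caddy path directives are.

```python
# Added example: verify a jwt_token cookie the way the jwt middleware would,
# then apply the Caddyfile's allow rules. Values below are constructed.
import base64, hashlib, hmac, json, time

SECRET = b"constructed-test-secret"  # stands in for JWT_SECRET

# allow rules as written in the Caddyfile: path prefix -> [(claim, value), ...]
RULES = {
    "/MYNAME": [("user", "MYNAME")],
    "/share": [("role", "admin"), ("role", "member")],
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict, secret: bytes) -> str:
    """Compact HS256 JWT, the same shape the lcobucci Builder emits."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, secret: bytes, now=None) -> dict:
    """Return the claims if signature, nbf and exp check out; raise otherwise."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("nbf", 0) > now or claims.get("exp", now + 1) <= now:
        raise ValueError("token not yet valid or expired")
    return claims

def allowed(path: str, claims: dict) -> bool:
    """Apply the first jwt block whose path prefixes the request path."""
    for prefix, rules in RULES.items():
        if path.startswith(prefix):
            return any(claims.get(claim) == value for claim, value in rules)
    return True  # no jwt block covers this path (e.g. /public/)

if __name__ == "__main__":
    tok = make_token({"user": "MYNAME", "role": "member", "exp": int(time.time()) + 3600}, SECRET)
    print(allowed("/MYNAME/notes.txt", verify_token(tok, SECRET)))
```

Pasting the real cookie value into `verify_token` with the real secret shows whether the token itself is accepted and which rule it satisfies; a 403 on PUT/DELETE with a valid token then points at the request rather than the token.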