Skip to content

feat(lib): Add optional restrictions for JWT based on a specific header value #697

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

feat(lib): Add optional restrictions for JWT based on a specific header value #697

wants to merge 9 commits into from
+72 −35

Conversation

Earl0fPudding
Copy link
Contributor

@Earl0fPudding Earl0fPudding commented Jun 19, 2025
edited
Loading

Due to the fact that it would be possible for a botnet to generate the JWT once and then roll it out on many bots, it would be nice if one can restrict the JWT to specific criteria.
With this change, one can define the JWT_RESTRICTION_HEADER setting which allows the token to only be valid if a specific header value is the same as it was during the creation of the token. Setting it to X-Real-IP e.g. would restrict the token only to be valid for this one IP address.

One can also add custom header using a reverse-proxy using a combined values of SRC-IP, User-Agent, TLS-Fingerprint etc to restrict the token even further. E.g. in HAProxy:

  http-request add-header X-Custom-Anubis-Restriction "%[src]__%[req.fhdr(User-Agent)]"

And then setting JWT_RESTRICTION_HEADER=X-Custom-Anubis-Restriction in Anubis.

This may result in having to re-calculate the token when changing SRC-IPs for the user, but it might be necessary when dealing with an intelligent botnet.

SHA256 is being used as potentially sensitive information might be used for restrictions.

This is not a breaking change. If the setting is empty, then the behavior is as normal.

Checklist:

  • Added a description of the changes to the [Unreleased] section of docs/docs/CHANGELOG.md
  • Added test cases to the relevant parts of the codebase
  • Ran integration tests npm run test:integration (unsupported on Windows, please use WSL)

@Xe
Copy link
Contributor

Xe commented Jun 19, 2025

I think this should be on by default and set to X-Real-Ip.

@Earl0fPudding
Copy link
Contributor Author

I think this should be on by default and set to X-Real-Ip.

Thanks, what an honor you think this should be set by default. X-Real-IP as default has been set.

@JasonLovesDoggo
Copy link
Member

I think this should be on by default and set to X-Real-Ip.

Is that not already done?

anubis/lib/anubis.go

Line 86 in 226cf36

"Accept-Language=%s,X-Real-IP=%s,User-Agent=%s,WeekTime=%s,Fingerprint=%x,Difficulty=%d",

@Earl0fPudding
Copy link
Contributor Author

I think this should be on by default and set to X-Real-Ip.

Is that not already done?

Do you mean something like that in the current main branch, @JasonLovesDoggo ? Not really unfortunately.
I just tested this myself. I compiled the latest main, rolled it out on my server and called the website from the same device and same browser but from different IPs. The result was that only the first time with the first IP the token has to be generated, the other times with other IPs Anubis let me straight to the website.

This means that currently it is not possible to restrict the token to a specific attribute (e.g. SRC IP) and botnets could use this to their advantage. Nothing is easier than calling the website manually one and roll a cookie out on thousands of their bots. With the default vault of COOKIE_EXPIRATION_TIME, this only needs to be done once a week.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Earl0fPudding @Xe @JasonLovesDoggo