Added min token length check: fixes TykTechnologies#1681 (TykTechnolo…

…gies#1692) Added new internal `min_token_length` param
DTLC3 · May 11, 2018 · b95bd65 · b95bd65
1 parent 33f7149
commit b95bd65
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 1 deletion.
diff --git a/config/config.go b/config/config.go
@@ -286,6 +286,7 @@ type Config struct {
 	NewRelic                          NewRelicConfig                        `json:"newrelic"`
 	VersionHeader                     string                                `json:"version_header"`
 	EnableHashedKeysListing           bool                                  `json:"enable_hashed_keys_listing"`
+	MinTokenLength                    int                                   `json:"min_token_length"`
 }
 
 type CertData struct {

diff --git a/lint/schema.go b/lint/schema.go
@@ -730,6 +730,9 @@ const confSchema = `{
 	},
 	"enable_hashed_keys_listing": {
 		"type": "boolean"
-	}
+	},
+	"min_token_length": {
+		"type": "integer"
+ 	}
 }
 }`
diff --git a/middleware.go b/middleware.go
@@ -281,6 +281,16 @@ func (t BaseMiddleware) ApplyPolicies(key string, session *user.SessionState) er
 // CheckSessionAndIdentityForValidKey will check first the Session store for a valid key, if not found, it will try
 // the Auth Handler, if not found it will fail
 func (t BaseMiddleware) CheckSessionAndIdentityForValidKey(key string) (user.SessionState, bool) {
+	minLength := t.Spec.GlobalConfig.MinTokenLength
+	if minLength == 0 {
+		// See https://github.com/TykTechnologies/tyk/issues/1681
+		minLength = 3
+	}
+
+	if len(key) <= minLength {
+		return user.SessionState{IsInactive: true}, false
+	}
+
 	// Try and get the session from the session store
 	log.Debug("Querying local cache")
 	cacheKey := key