This directory contains a simple Python3 HTTP server to generate temporary JWT tokens for rate-limiting purposes. This server should only be deployed once externally and accesible by all teams.
# On an infrastructure server (reachable from teams' vulnboxes)
docker compose upTokens are generated for pairs of sourceIP,targetIP, containing the targetIP
as audience. Each sourceIP,targetIP pair can only have one valid token at
any time. Tokens are then validated by each backend instance (through
arcanelink.backend) when accepting a connection (see below).
Implemented endpoints are:
/token: accepts atargetquery parameter with the IP of the desired vulnbox to connect to, and returning a temporary JWT token to be used for authorization. The same token will be returned until expired as long as the same host requests a token for the same target host./checker_token: requires apasswordand atargetquery parameter. It is normally hidden (returns 404 unless the password is correct) and can be used by the checker to generate arbitrary tokens. It always generates and returns a new token.
Send an HTTP GET request to /token?target=<team_id> to obtain a token to
connect to the vulnbox of a given team.
$ curl 'http://<token-server-endpoint>/token?target=3
"eyJhbGciOiJFUzI1Ni..."
Note that the token returned by the token server is a JSON string and
therefore enclosed in double quotes ("), which must be stripped.