test: add permission enforcement and NKey integration tests

Fix NKey nonce verification: the NATS client signs the nonce string
(ASCII bytes of the base64url-encoded nonce), not the raw nonce bytes.
Pass the encoded nonce string bytes to the authenticator for verification.
Joseph Doherty
2026-02-22 23:03:41 -05:00
parent 9cb3e2fe0f
commit c40c2cd994
3 changed files with 206 additions and 2 deletions


@@ -99,7 +99,10 @@ public sealed class NatsServer : IMessageRouter, ISubListAccess, IDisposable
var clientInfo = _serverInfo;
if (_authService.NonceRequired)
{
nonce = _authService.GenerateNonce();
var rawNonce = _authService.GenerateNonce();
var nonceStr = _authService.EncodeNonce(rawNonce);
// The client signs the nonce string (ASCII), not the raw bytes
nonce = Encoding.ASCII.GetBytes(nonceStr);
clientInfo = new ServerInfo
{
ServerId = _serverInfo.ServerId,
@@ -109,7 +112,7 @@ public sealed class NatsServer : IMessageRouter, ISubListAccess, IDisposable
Port = _serverInfo.Port,
MaxPayload = _serverInfo.MaxPayload,
AuthRequired = _serverInfo.AuthRequired,
Nonce = _authService.EncodeNonce(nonce),
Nonce = nonceStr,
};
}