171 lines
4.1 KiB
Go
171 lines
4.1 KiB
Go
package jwt
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"net/http"
|
|
|
|
"github.com/lestrrat-go/jwx/jwa"
|
|
"github.com/lestrrat-go/jwx/jwt"
|
|
|
|
"go.pkg.cx/middleware"
|
|
)
|
|
|
|
// Errors
|
|
var (
|
|
ErrTokenInvalid = errors.New("token invalid")
|
|
ErrTokenNotFound = errors.New("token not found")
|
|
)
|
|
|
|
// Context keys
|
|
var (
|
|
JWTCtxKey = &middleware.CtxKey{Pkg: "go.pkg.cx/middleware/auth/jwt", Name: "JWT"}
|
|
DataCtxKey = &middleware.CtxKey{Pkg: "go.pkg.cx/middleware/auth/token", Name: "Data"}
|
|
)
|
|
|
|
// DefaultOptions represents default jwt auth middleware options
|
|
var DefaultOptions = Options(
|
|
WithFindTokenFn(middleware.TokenFromAuthorizationHeader),
|
|
WithFindTokenFn(middleware.TokenFromQuery("jwt")),
|
|
WithFindTokenFn(middleware.TokenFromCookie("jwt")),
|
|
SetResponseHandler(RespondWithUnauthorized),
|
|
SetValidateTokenFn(allowAll),
|
|
)
|
|
|
|
// Options turns a list of option instances into an option.
|
|
func Options(opts ...Option) Option {
|
|
return func(a *auth) {
|
|
for _, opt := range opts {
|
|
opt(a)
|
|
}
|
|
}
|
|
}
|
|
|
|
// Option configures jwt auth middleware
|
|
type Option func(a *auth)
|
|
|
|
// SetKey sets key to verify jwt token with
|
|
func SetKey(key interface{}) Option {
|
|
return func(a *auth) {
|
|
a.key = key
|
|
}
|
|
}
|
|
|
|
// SetAlgorithm sets algorithm to verify jwt token with
|
|
func SetAlgorithm(alg jwa.SignatureAlgorithm) Option {
|
|
return func(a *auth) {
|
|
a.algorithm = alg
|
|
}
|
|
}
|
|
|
|
// WithFindTokenFn adds jwt token find function to the list
|
|
func WithFindTokenFn(fn func(r *http.Request) string) Option {
|
|
return func(a *auth) {
|
|
a.findTokenFns = append(a.findTokenFns, fn)
|
|
}
|
|
}
|
|
|
|
// SetFindTokenFns sets jwt token find functions list
|
|
func SetFindTokenFns(fns ...func(r *http.Request) string) Option {
|
|
return func(a *auth) {
|
|
a.findTokenFns = fns
|
|
}
|
|
}
|
|
|
|
// WithVerifyOption adds jwt verify option to the list
|
|
func WithVerifyOption(opt jwt.ValidateOption) Option {
|
|
return func(a *auth) {
|
|
a.verifyOptions = append(a.verifyOptions, opt)
|
|
}
|
|
}
|
|
|
|
// SetVerifyOptions sets jwt verify options list
|
|
func SetVerifyOptions(opts ...jwt.ValidateOption) Option {
|
|
return func(a *auth) {
|
|
a.verifyOptions = opts
|
|
}
|
|
}
|
|
|
|
// SetValidateTokenFn sets token validation function
|
|
func SetValidateTokenFn(fn func(token jwt.Token) (bool, interface{})) Option {
|
|
return func(a *auth) {
|
|
a.validateTokenFn = fn
|
|
}
|
|
}
|
|
|
|
// SetResponseHandler sets response handler
|
|
func SetResponseHandler(fn middleware.ResponseHandle) Option {
|
|
return func(a *auth) {
|
|
a.responseHandler = fn
|
|
}
|
|
}
|
|
|
|
type auth struct {
|
|
key interface{}
|
|
algorithm jwa.SignatureAlgorithm
|
|
verifyOptions []jwt.ValidateOption
|
|
findTokenFns []func(r *http.Request) string
|
|
validateTokenFn func(token jwt.Token) (bool, interface{})
|
|
responseHandler middleware.ResponseHandle
|
|
}
|
|
|
|
// Middleware returns jwt auth middleware
|
|
func Middleware(key interface{}, alg jwa.SignatureAlgorithm, opts ...Option) func(next http.Handler) http.Handler {
|
|
a := &auth{}
|
|
opts = append(opts, SetKey(key), SetAlgorithm(alg))
|
|
opts = append([]Option{DefaultOptions}, opts...)
|
|
|
|
for _, opt := range opts {
|
|
opt(a)
|
|
}
|
|
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
var token string
|
|
for _, findTokenFn := range a.findTokenFns {
|
|
token = findTokenFn(r)
|
|
if token != "" {
|
|
break
|
|
}
|
|
}
|
|
|
|
if token == "" {
|
|
a.responseHandler(w, r, ErrTokenNotFound)
|
|
return
|
|
}
|
|
|
|
jwtToken, err := jwt.ParseString(token, jwt.WithVerify(a.algorithm, a.key))
|
|
if err != nil {
|
|
a.responseHandler(w, r, err)
|
|
return
|
|
}
|
|
|
|
if err := jwt.Validate(jwtToken, a.verifyOptions...); err != nil {
|
|
a.responseHandler(w, r, err)
|
|
return
|
|
}
|
|
|
|
valid, data := a.validateTokenFn(jwtToken)
|
|
if !valid {
|
|
a.responseHandler(w, r, ErrTokenInvalid)
|
|
return
|
|
}
|
|
|
|
ctx := r.Context()
|
|
ctx = context.WithValue(ctx, JWTCtxKey, jwtToken)
|
|
ctx = context.WithValue(ctx, DataCtxKey, data)
|
|
|
|
next.ServeHTTP(w, r.WithContext(ctx))
|
|
})
|
|
}
|
|
}
|
|
|
|
// RespondWithUnauthorized is a default response handler
|
|
func RespondWithUnauthorized(w http.ResponseWriter, _ *http.Request, _ error) {
|
|
http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
|
|
}
|
|
|
|
func allowAll(_ jwt.Token) (bool, interface{}) {
|
|
return true, nil
|
|
}
|