124 lines
2.7 KiB
Go
124 lines
2.7 KiB
Go
package jwt
|
|
|
|
import (
|
|
"fmt"
|
|
"time"
|
|
|
|
"git.javil.eu/jacob1123/budgeteer"
|
|
"git.javil.eu/jacob1123/budgeteer/postgres"
|
|
"github.com/dgrijalva/jwt-go"
|
|
"github.com/google/uuid"
|
|
)
|
|
|
|
// TokenVerifier verifies Tokens.
|
|
type tokenVerifier struct {
|
|
secret string
|
|
}
|
|
|
|
var ErrEmptySecret = fmt.Errorf("secret is required")
|
|
|
|
func NewTokenVerifier(secret string) (*tokenVerifier, error) {
|
|
if secret == "" {
|
|
return nil, ErrEmptySecret
|
|
}
|
|
|
|
return &tokenVerifier{
|
|
secret: secret,
|
|
}, nil
|
|
}
|
|
|
|
// Token contains everything to authenticate a user.
|
|
type Token struct {
|
|
username string
|
|
name string
|
|
expiry float64
|
|
id uuid.UUID
|
|
}
|
|
|
|
const (
|
|
expiration = 72
|
|
)
|
|
|
|
// CreateToken creates a new token from username and name.
|
|
func (tv *tokenVerifier) CreateToken(user *postgres.User) (string, error) {
|
|
token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
|
|
"usr": user.Email,
|
|
"name": user.Name,
|
|
"exp": time.Now().Add(time.Hour * expiration).Unix(),
|
|
"id": user.ID,
|
|
})
|
|
|
|
// Generate encoded token and send it as response.
|
|
t, err := token.SignedString([]byte(tv.secret))
|
|
if err != nil {
|
|
return "", fmt.Errorf("create token: %w", err)
|
|
}
|
|
|
|
return t, nil
|
|
}
|
|
|
|
var (
|
|
ErrUnexpectedSigningMethod = fmt.Errorf("unexpected signing method")
|
|
ErrInvalidToken = fmt.Errorf("token is invalid")
|
|
ErrTokenExpired = fmt.Errorf("token has expired")
|
|
)
|
|
|
|
// VerifyToken verifys a given string-token.
|
|
func (tv *tokenVerifier) VerifyToken(tokenString string) (budgeteer.Token, error) { //nolint:ireturn
|
|
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
|
|
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
|
|
return nil, fmt.Errorf("method '%v': %w", token.Header["alg"], ErrUnexpectedSigningMethod)
|
|
}
|
|
return []byte(tv.secret), nil
|
|
})
|
|
if err != nil {
|
|
return nil, fmt.Errorf("parse jwt: %w", err)
|
|
}
|
|
|
|
claims, err := verifyToken(token)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("verify jwt: %w", err)
|
|
}
|
|
|
|
tkn := &Token{ //nolint:forcetypeassert
|
|
username: claims["usr"].(string),
|
|
name: claims["name"].(string),
|
|
expiry: claims["exp"].(float64),
|
|
id: uuid.MustParse(claims["id"].(string)),
|
|
}
|
|
return tkn, nil
|
|
}
|
|
|
|
func verifyToken(token *jwt.Token) (jwt.MapClaims, error) {
|
|
if !token.Valid {
|
|
return nil, ErrInvalidToken
|
|
}
|
|
|
|
claims, ok := token.Claims.(jwt.MapClaims)
|
|
if !ok {
|
|
return nil, ErrInvalidToken
|
|
}
|
|
|
|
if !claims.VerifyExpiresAt(time.Now().Unix(), true) {
|
|
return nil, ErrTokenExpired
|
|
}
|
|
|
|
return claims, nil
|
|
}
|
|
|
|
func (t *Token) GetName() string {
|
|
return t.name
|
|
}
|
|
|
|
func (t *Token) GetUsername() string {
|
|
return t.username
|
|
}
|
|
|
|
func (t *Token) GetExpiry() float64 {
|
|
return t.expiry
|
|
}
|
|
|
|
func (t *Token) GetID() uuid.UUID {
|
|
return t.id
|
|
}
|