website/shared/http/jwt.go

package http

import (
	"context"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"strings"

	"github.com/lestrrat-go/jwx/jwa"
	"github.com/lestrrat-go/jwx/jwt"
)

type contextKey string

// ClaimsContextKey will be used to attach a JWT claim to a request context
const ClaimsContextKey contextKey = "claims"

// JWTProtect uses the public key located at the given URL to check if the
// cookie value is signed properly. In case yes, the JWT claims will be added
// to the request context
func JWTProtect(keyURL, cookieName, headerName string, authorizer func(*http.Request, map[string]interface{}) error) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			var jwtValue string
			if authCookie, err := r.Cookie(cookieName); err == nil {
				jwtValue = authCookie.Value
			} else {
				if header := r.Header.Get(headerName); header != "" {
					jwtValue = header
				}
			}
			if jwtValue == "" {
				RespondWithJSONError(w, errors.New("jwt: could not infer JWT value from cookie or header"), http.StatusForbidden)
				return
			}

			keys, keysErr := fetchKeys(keyURL)
			if keysErr != nil {
				RespondWithJSONError(w, fmt.Errorf("jwt: error fetching keys: %v", keysErr), http.StatusInternalServerError)
				return
			}

			var token *jwt.Token
			var tokenErr error
			// the response can contain multiple keys to try as some of them
			// might have been retired with signed tokens still in use until
			// their expiry
			for _, key := range keys {
				token, tokenErr = tryParse(key, jwtValue)
				if tokenErr == nil {
					break
				}
			}

			if tokenErr != nil {
				RespondWithJSONError(w, fmt.Errorf("jwt: error verifying token signature: %v", tokenErr), http.StatusForbidden)
				return
			}

			if err := token.Verify(jwt.WithAcceptableSkew(0)); err != nil {
				RespondWithJSONError(w, fmt.Errorf("jwt: error verifying token claims: %v", err), http.StatusForbidden)
				return
			}

			privKey, _ := token.Get("priv")
			claims, _ := privKey.(map[string]interface{})
			if err := authorizer(r, claims); err != nil {
				RespondWithJSONError(w, fmt.Errorf("jwt: token claims do not allow the requested operation: %v", err), http.StatusForbidden)
				return
			}
			r = r.WithContext(context.WithValue(r.Context(), ClaimsContextKey, claims))
			next.ServeHTTP(w, r)
		})
	}
}

func tryParse(key []byte, tokenValue string) (*jwt.Token, error) {
	keyBytes, _ := pem.Decode([]byte(key))
	if keyBytes == nil {
		return nil, errors.New("jwt: no PEM block found in given key")
	}

	pubKey, parseErr := x509.ParsePKCS1PublicKey(keyBytes.Bytes)
	if parseErr != nil {
		return nil, fmt.Errorf("jwt: error parsing key: %v", parseErr)
	}

	token, jwtErr := jwt.ParseVerify(strings.NewReader(tokenValue), jwa.RS256, pubKey)
	if jwtErr != nil {
		return nil, fmt.Errorf("jwt: error parsing token: %v", jwtErr)
	}
	return token, nil
}

type keyResponse struct {
	Keys []string `json:"keys"`
}

func fetchKeys(keyURL string) ([][]byte, error) {
	fetchRes, fetchErr := http.Get(keyURL)
	if fetchErr != nil {
		return nil, fetchErr
	}
	defer fetchRes.Body.Close()
	payload := keyResponse{}
	if err := json.NewDecoder(fetchRes.Body).Decode(&payload); err != nil {
		return nil, err
	}

	asBytes := [][]byte{}
	for _, key := range payload.Keys {
		asBytes = append(asBytes, []byte(key))
	}
	return asBytes, nil
}
move authentication to jwt based token system handled by account app 2019-07-07 13:21:20 +02:00			`package http`

			`import (`
			`"context"`
			`"crypto/x509"`
			`"encoding/json"`
			`"encoding/pem"`
			`"errors"`
use decorator for layout in auditorium, add more context to go errors 2019-07-09 14:50:31 +02:00			`"fmt"`
move authentication to jwt based token system handled by account app 2019-07-07 13:21:20 +02:00			`"net/http"`
			`"strings"`

			`"github.com/lestrrat-go/jwx/jwa"`
			`"github.com/lestrrat-go/jwx/jwt"`
			`)`

			`type contextKey string`

			`// ClaimsContextKey will be used to attach a JWT claim to a request context`
			`const ClaimsContextKey contextKey = "claims"`

			`// JWTProtect uses the public key located at the given URL to check if the`
			`// cookie value is signed properly. In case yes, the JWT claims will be added`
			`// to the request context`
serialize account claims into JWT and check in middleware 2019-07-13 22:04:12 +02:00			`func JWTProtect(keyURL, cookieName, headerName string, authorizer func(*http.Request, map[string]interface{}) error) func(http.Handler) http.Handler {`
move authentication to jwt based token system handled by account app 2019-07-07 13:21:20 +02:00			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
add accounts and user CRUD and connect to auth layer 2019-07-10 17:17:50 +02:00			`var jwtValue string`
			`if authCookie, err := r.Cookie(cookieName); err == nil {`
			`jwtValue = authCookie.Value`
			`} else {`
serialize account claims into JWT and check in middleware 2019-07-13 22:04:12 +02:00			`if header := r.Header.Get(headerName); header != "" {`
add accounts and user CRUD and connect to auth layer 2019-07-10 17:17:50 +02:00			`jwtValue = header`
			`}`
			`}`
			`if jwtValue == "" {`
			`RespondWithJSONError(w, errors.New("jwt: could not infer JWT value from cookie or header"), http.StatusForbidden)`
move authentication to jwt based token system handled by account app 2019-07-07 13:21:20 +02:00			`return`
			`}`
further define cookie specifics, break auditorium into testable pieces 2019-07-08 15:11:06 +02:00
allow checking JWTs against multiple public keys 2019-07-19 14:49:35 +02:00			`keys, keysErr := fetchKeys(keyURL)`
			`if keysErr != nil {`
			`RespondWithJSONError(w, fmt.Errorf("jwt: error fetching keys: %v", keysErr), http.StatusInternalServerError)`
move authentication to jwt based token system handled by account app 2019-07-07 13:21:20 +02:00			`return`
			`}`
further define cookie specifics, break auditorium into testable pieces 2019-07-08 15:11:06 +02:00
allow checking JWTs against multiple public keys 2019-07-19 14:49:35 +02:00			`var token *jwt.Token`
			`var tokenErr error`
			`// the response can contain multiple keys to try as some of them`
			`// might have been retired with signed tokens still in use until`
			`// their expiry`
			`for _, key := range keys {`
			`token, tokenErr = tryParse(key, jwtValue)`
			`if tokenErr == nil {`
			`break`
			`}`
move authentication to jwt based token system handled by account app 2019-07-07 13:21:20 +02:00			`}`

allow checking JWTs against multiple public keys 2019-07-19 14:49:35 +02:00			`if tokenErr != nil {`
			`RespondWithJSONError(w, fmt.Errorf("jwt: error verifying token signature: %v", tokenErr), http.StatusForbidden)`
move authentication to jwt based token system handled by account app 2019-07-07 13:21:20 +02:00			`return`
			`}`

			`if err := token.Verify(jwt.WithAcceptableSkew(0)); err != nil {`
allow checking JWTs against multiple public keys 2019-07-19 14:49:35 +02:00			`RespondWithJSONError(w, fmt.Errorf("jwt: error verifying token claims: %v", err), http.StatusForbidden)`
move authentication to jwt based token system handled by account app 2019-07-07 13:21:20 +02:00			`return`
			`}`

serialize account claims into JWT and check in middleware 2019-07-13 22:04:12 +02:00			`privKey, _ := token.Get("priv")`
			`claims, _ := privKey.(map[string]interface{})`
			`if err := authorizer(r, claims); err != nil {`
			`RespondWithJSONError(w, fmt.Errorf("jwt: token claims do not allow the requested operation: %v", err), http.StatusForbidden)`
			`return`
add accounts and user CRUD and connect to auth layer 2019-07-10 17:17:50 +02:00			`}`
serialize account claims into JWT and check in middleware 2019-07-13 22:04:12 +02:00			`r = r.WithContext(context.WithValue(r.Context(), ClaimsContextKey, claims))`
move authentication to jwt based token system handled by account app 2019-07-07 13:21:20 +02:00			`next.ServeHTTP(w, r)`
			`})`
			`}`
			`}`
further define cookie specifics, break auditorium into testable pieces 2019-07-08 15:11:06 +02:00
allow checking JWTs against multiple public keys 2019-07-19 14:49:35 +02:00			`func tryParse(key []byte, tokenValue string) (*jwt.Token, error) {`
			`keyBytes, _ := pem.Decode([]byte(key))`
			`if keyBytes == nil {`
			`return nil, errors.New("jwt: no PEM block found in given key")`
			`}`

create local keypair when bootstrapping accounts 2019-07-20 16:27:56 +02:00			`pubKey, parseErr := x509.ParsePKCS1PublicKey(keyBytes.Bytes)`
allow checking JWTs against multiple public keys 2019-07-19 14:49:35 +02:00			`if parseErr != nil {`
			`return nil, fmt.Errorf("jwt: error parsing key: %v", parseErr)`
			`}`

			`token, jwtErr := jwt.ParseVerify(strings.NewReader(tokenValue), jwa.RS256, pubKey)`
			`if jwtErr != nil {`
			`return nil, fmt.Errorf("jwt: error parsing token: %v", jwtErr)`
			`}`
			`return token, nil`
			`}`

further define cookie specifics, break auditorium into testable pieces 2019-07-08 15:11:06 +02:00			`type keyResponse struct {`
allow checking JWTs against multiple public keys 2019-07-19 14:49:35 +02:00			Keys []string `json:"keys"`
further define cookie specifics, break auditorium into testable pieces 2019-07-08 15:11:06 +02:00			`}`

allow checking JWTs against multiple public keys 2019-07-19 14:49:35 +02:00			`func fetchKeys(keyURL string) ([][]byte, error) {`
further define cookie specifics, break auditorium into testable pieces 2019-07-08 15:11:06 +02:00			`fetchRes, fetchErr := http.Get(keyURL)`
			`if fetchErr != nil {`
			`return nil, fetchErr`
			`}`
			`defer fetchRes.Body.Close()`
			`payload := keyResponse{}`
			`if err := json.NewDecoder(fetchRes.Body).Decode(&payload); err != nil {`
			`return nil, err`
			`}`
allow checking JWTs against multiple public keys 2019-07-19 14:49:35 +02:00
			`asBytes := [][]byte{}`
			`for _, key := range payload.Keys {`
			`asBytes = append(asBytes, []byte(key))`
			`}`
			`return asBytes, nil`
further define cookie specifics, break auditorium into testable pieces 2019-07-08 15:11:06 +02:00			`}`