-
Notifications
You must be signed in to change notification settings - Fork 0
/
jwt.go
72 lines (63 loc) · 1.74 KB
/
jwt.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
package auth
import (
"context"
"errors"
"fmt"
"log"
"strings"
"net/http"
"github.com/Frontman-Labs/frontman/config"
"github.com/lestrrat-go/jwx/v2/jwk"
"github.com/lestrrat-go/jwx/v2/jws"
"github.com/lestrrat-go/jwx/v2/jwt"
)
type JWTValidator struct {
issuer string
audience string
JWKS jwk.Set
}
type JWTValidatorOption func(*JWTValidator)
const AuthTypeBearer string = "bearer"
var (
ErrMissingAuthHeader = errors.New("missing authorization header")
ErrBadFormatAuthHeader = errors.New("invalid format for authorization header")
)
func NewJWTValidator(cfg *config.JWTConfig, opts ...JWTValidatorOption) (*JWTValidator, error) {
jwks := jwk.NewSet()
if cfg.KeysUrl != "" {
keySet, err := jwk.Fetch(context.Background(), cfg.KeysUrl)
if err != nil {
log.Printf("Error loading jwks from %s: %s", cfg.KeysUrl, err.Error())
return nil, err
}
jwks = keySet
}
validator := &JWTValidator{
issuer: cfg.Issuer,
audience: cfg.Audience,
JWKS: jwks,
}
for _, opt := range opts {
opt(validator)
}
return validator, nil
}
func (v JWTValidator) ValidateToken(request *http.Request) (map[string]interface{}, error) {
tokenString := request.Header.Get("Authorization")
if len(tokenString) == 0 {
return nil, ErrMissingAuthHeader
}
splitToken := strings.Fields(tokenString)
if len(splitToken) < 2 {
return nil, ErrBadFormatAuthHeader
}
if strings.ToLower(splitToken[0]) != AuthTypeBearer {
return nil, fmt.Errorf("unsupported authorization type, expected 'Bearer' %w", http.ErrNotSupported)
}
token := splitToken[len(splitToken)-1]
result, err := jwt.Parse([]byte(token), jwt.WithKeySet(v.JWKS, jws.WithInferAlgorithmFromKey(true)))
if err != nil {
return nil, err
}
return result.PrivateClaims(), nil
}