-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathjwt.go
117 lines (92 loc) · 3.02 KB
/
jwt.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
package jwt
import (
"context"
"fmt"
"path"
"strings"
sjwt "github.com/alexfalkowski/go-service/security/jwt"
"github.com/alexfalkowski/go-service/security/meta"
sstrings "github.com/alexfalkowski/go-service/strings"
smeta "github.com/alexfalkowski/go-service/transport/grpc/meta"
"github.com/form3tech-oss/jwt-go"
middleware "github.com/grpc-ecosystem/go-grpc-middleware"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/status"
)
// UnaryServerInterceptor for token.
func UnaryServerInterceptor(verifier sjwt.Verifier) grpc.UnaryServerInterceptor {
return func(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
service := path.Dir(info.FullMethod)[1:]
if sstrings.IsHealth(service) {
return handler(ctx, req)
}
md := smeta.ExtractIncoming(ctx)
values := md["authorization"]
if len(values) == 0 {
return nil, status.Errorf(codes.Unauthenticated, sjwt.ErrMissingToken.Error())
}
token, err := verifier.Verify(ctx, tkn(values[0]))
if err != nil {
return nil, status.Errorf(codes.Unauthenticated, "could not verify token: %s", err.Error())
}
claims := token.Claims.(jwt.MapClaims)
azp, ok := claims["azp"]
if ok {
ctx = meta.WithAuthorizedParty(ctx, azp.(string))
}
return handler(ctx, req)
}
}
// StreamServerInterceptor for token.
func StreamServerInterceptor(verifier sjwt.Verifier) grpc.StreamServerInterceptor {
return func(srv any, stream grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
service := path.Dir(info.FullMethod)[1:]
if sstrings.IsHealth(service) {
return handler(srv, stream)
}
ctx := stream.Context()
md := smeta.ExtractIncoming(ctx)
values := md["authorization"]
if len(values) == 0 {
return status.Errorf(codes.Unauthenticated, sjwt.ErrMissingToken.Error())
}
token, err := verifier.Verify(ctx, tkn(values[0]))
if err != nil {
return status.Errorf(codes.Unauthenticated, "could not verify token: %s", err.Error())
}
claims := token.Claims.(jwt.MapClaims)
azp, ok := claims["azp"]
if ok {
ctx = meta.WithAuthorizedParty(ctx, azp.(string))
}
wrapped := middleware.WrapServerStream(stream)
wrapped.WrappedContext = ctx
return handler(srv, wrapped)
}
}
// NewPerRPCCredentials for token.
func NewPerRPCCredentials(generator sjwt.Generator) credentials.PerRPCCredentials {
return &tokenPerRPCCredentials{generator: generator}
}
type tokenPerRPCCredentials struct {
generator sjwt.Generator
}
func (p *tokenPerRPCCredentials) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error) {
t, err := p.generator.Generate(ctx)
if err != nil {
return nil, err
}
if len(t) == 0 {
return nil, sjwt.ErrMissingToken
}
return map[string]string{"authorization": fmt.Sprintf("Bearer %s", t)}, nil
}
func (p *tokenPerRPCCredentials) RequireTransportSecurity() bool {
return false
}
func tkn(header string) []byte {
s := strings.Split(header, " ")
return []byte(s[1])
}