JWT package "interface" #77
Conversation
Signed-off-by: Jon Carl <jon.carl@auth0.com>
grounded042
changed the title
There was a problem hiding this comment.
Seems good. Can we put the relevant "adapters" in a separate package? that way folks can have a drop in solution.
(Or a different repo, TL;DR just somewhere)
The only thing I'd consider is looking at what gets imported with/without the separate package. I think it's fine adding more deps, just something to consider.
|
Totally - separate package would be great. |
| // Default value: nil | ||
| ValidationKeyGetter jwt.Keyfunc | ||
| // Validate handles validating a token. | ||
| Validate ValidateToken |
There was a problem hiding this comment.
Awesome! So an example of an impl where jwx was the package choose would roughly look like:
func ValidateWithJwx(token string) (interface{}, error) {
parsedToken, err := jwt.ParseString(token, jwt.WithVerify(m.Options.SigningMethod, []byte(m.Options.Key)))
if err != nil {
return nil, err
}
msg, err := jws.ParseString(token)
if err != nil {
return nil, err
}
signatures := msg.Signatures()
if len(signatures) == 0 {
return nil, errors.New("No signatures where found with the token")
}
algorithm := signatures[0].ProtectedHeaders().Algorithm()
if m.Options.SigningMethod != algorithm {
return nil, errors.New("Problems found with signing alg")
}
valid := m.Options.ValidatorFunc(parsedToken)
// Check if the parsed token is valid...
if !valid {
return nil, errors.New("Token is invalid")
}
return parsedToken, nil
}
Itd definitely be better than that as the default, more like what is over on my PoC branch, but just throwing out an example for understanding sake.
There was a problem hiding this comment.
Yup, and we could even add in some options to that setup.
| // Default value: | ||
| // The function that will be called when there are errors in the | ||
| // middleware. | ||
| // Default value: OnError | ||
| ErrorHandler errorHandler |
There was a problem hiding this comment.
with this abstraction, does this mean the only thing this errorHandler would really get called for is if the token cant be found on the header, or if the token is an empty string?
There was a problem hiding this comment.
It would be called if the Validate function errors.
Over in #73 (comment) I mentioned breaking JWT package functionality out into an interface. This is a first pass at that which ended up putting things into a type function instead of an interface. I'm suggesting we merge this into v2 as it's pre-release and if we need to iterate on the design we can.