package jwt
import (
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)
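// Parse splits a compact-serialised JWT into its header, claims and
// signature segments, decodes the first two, and validates the token
// against parseOptions (or, when none is given, t.config.ParseOptions).
//
// It returns the decoded Token, a ValidationError* code naming the first
// check that failed (empty on success), and a non-nil error when a check
// failed. On any failure the returned Token is the zero value.
//
// Checks run in this order: segment count, header decoding, claims
// decoding, signature (unless options.Claims.SkipSignatureValidation),
// required header/claim presence, and finally the time-based claims
// (unless options.Claims.SkipClaimsValidation).
func (t *jwt) Parse(jwt string, parseOptions ...ParseOptions) (Token, string, error) {
	var token Token
	// One clock reading for every time check so the checks agree with each other.
	now := time.Now().UTC().Unix()

	// An explicit ParseOptions argument overrides the configured default;
	// only the first one is honoured.
	options := t.config.ParseOptions
	if len(parseOptions) != 0 {
		options = parseOptions[0]
	}

	// Split token values.
	jwtParts := strings.Split(jwt, ".")
	if len(jwtParts) != 3 {
		return Token{}, ValidationErrorMalformed,
			fmt.Errorf("%s: failed to split the token values", ValidationErrorMalformed)
	}

	// Parse headers. JWT segments are unpadded base64url, which is exactly
	// what RawURLEncoding decodes (URLEncoding.WithPadding(NoPadding)).
	valueByte, err := base64.RawURLEncoding.DecodeString(jwtParts[0])
	if err != nil {
		return Token{}, ValidationErrorHeadersMalformed, err
	}
	if err = json.Unmarshal(valueByte, &token.Headers); err != nil {
		return Token{}, ValidationErrorHeadersMalformed, err
	}

	// Parse claims.
	valueByte, err = base64.RawURLEncoding.DecodeString(jwtParts[1])
	if err != nil {
		return Token{}, ValidationErrorClaimsMalformed, err
	}
	if err = json.Unmarshal(valueByte, &token.Claims); err != nil {
		return Token{}, ValidationErrorClaimsMalformed, err
	}

	// The signature segment is kept in its encoded form; it is compared
	// against the encoded signature of a freshly created token below.
	token.Signature = jwtParts[2]

	// Validate signature.
	if !options.Claims.SkipSignatureValidation {
		// NOTE(review): Create is handed the headers decoded from the
		// untrusted token. If it selects the signing algorithm or key from
		// them rather than from t.config, an attacker-chosen header drives
		// verification — confirm Create pins those to the configured values.
		var jwtSample string
		jwtSample, err = t.Create(token.Claims, token.Headers)
		if err != nil {
			return Token{}, ValidationErrorUnverifiable, err
		}
		// Guard the [2] index: a sample with the wrong shape is a library
		// fault, reported as unverifiable rather than as a panic.
		sampleParts := strings.Split(jwtSample, ".")
		if len(sampleParts) != 3 {
			return Token{}, ValidationErrorUnverifiable,
				fmt.Errorf("%s: created sample token has %d parts, want 3",
					ValidationErrorUnverifiable, len(sampleParts))
		}
		// Constant-time comparison so the position of the first mismatching
		// byte cannot be timed. The expected signature is deliberately kept
		// out of the error text: it is a valid signature for the submitted
		// claims, and error strings tend to reach logs or callers.
		if subtle.ConstantTimeCompare([]byte(sampleParts[2]), []byte(token.Signature)) != 1 {
			return Token{}, ValidationErrorSignatureInvalid,
				fmt.Errorf("%s: failed to validate signature", ValidationErrorSignatureInvalid)
		}
	}

	// Validate headers: each Required* option demands a non-empty field.
	if options.Headers.RequiredContentType && token.Headers.ContentType == "" {
		return Token{}, ValidationErrorHeadersContentType, errTokenIsInvalid
	}
	if options.Headers.RequiredKeyID && token.Headers.KeyID == "" {
		return Token{}, ValidationErrorHeadersKeyID, errTokenIsInvalid
	}
	if options.Headers.RequiredCritical && token.Headers.Critical == "" {
		return Token{}, ValidationErrorHeadersCritical, errTokenIsInvalid
	}

	// Validate claims: presence checks first, time checks last.
	if options.Claims.RequiredIssuer && token.Claims.Issuer == "" {
		return Token{}, ValidationErrorClaimsIssuer, errTokenIsInvalid
	}
	if options.Claims.RequiredSubject && token.Claims.Subject == "" {
		return Token{}, ValidationErrorClaimsSubject, errTokenIsInvalid
	}
	if options.Claims.RequiredAudience && token.Claims.Audience == "" {
		return Token{}, ValidationErrorClaimsAudience, errTokenIsInvalid
	}
	if options.Claims.RequiredJwtId && token.Claims.JwtId == "" {
		return Token{}, ValidationErrorClaimsJwtId, errTokenIsInvalid
	}
	if options.Claims.RequiredData && token.Claims.Data == nil {
		return Token{}, ValidationErrorClaimsData, errTokenIsInvalid
	}

	if !options.Claims.SkipClaimsValidation {
		// Expiry is derived from IssuedAt plus the configured lifetime; an
		// expiration claim, if the Claims type carries one, is not consulted
		// here — confirm that is intended.
		expiresAt := time.Unix(token.Claims.IssuedAt, 0).
			Add(time.Second * time.Duration(t.config.TokenLifetimeSec)).UTC().Unix()
		if now > expiresAt {
			return Token{}, ValidationErrorClaimsExpired, errTokenIsInvalid
		}
		// NotBefore is optional; zero means "not set".
		if token.Claims.NotBefore != 0 && now < token.Claims.NotBefore {
			return Token{}, ValidationErrorClaimsNotValidYet, errTokenIsInvalid
		}
		// A token issued in the future is rejected.
		if now < token.Claims.IssuedAt {
			return Token{}, ValidationErrorClaimsIssuedAt, errTokenIsInvalid
		}
	}

	return token, "", nil
}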