package jwt
import (
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)
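// Parse splits a compact JWT into its three segments, decodes the header and
// claims segments, and — unless the selected ParseOptions disable it —
// verifies the signature and the time-based claims.
//
// The second return value is "" on success; on failure it holds the
// ValidationError* code of the first check that failed and the third return
// value carries the underlying error. On any failure the returned Token is
// the zero value.
//
// When p is non-empty, p[0] replaces t.config.ParseOptions for this call;
// only the first element is consulted.
func (t *jwt) Parse(jwt string, p ...ParseOptions) (Token, string, error) {
	var token Token
	now := time.Now().Unix()

	parseOptions := t.config.ParseOptions
	if len(p) != 0 {
		parseOptions = p[0]
	}

	// A compact JWS is exactly header.payload.signature; anything else is
	// rejected before any decoding happens.
	jwtParts := strings.Split(jwt, ".")
	if len(jwtParts) != 3 {
		return Token{}, ValidationErrorMalformed,
			fmt.Errorf("%s: failed to split the token values", ValidationErrorMalformed)
	}

	// Segments are base64url without padding (RFC 7515 §2). RawURLEncoding is
	// the same codec as URLEncoding.WithPadding(base64.NoPadding).
	headerBytes, err := base64.RawURLEncoding.DecodeString(jwtParts[0])
	if err != nil {
		return Token{}, ValidationErrorHeadersMalformed, err
	}
	if err := json.Unmarshal(headerBytes, &token.Headers); err != nil {
		return Token{}, ValidationErrorHeadersMalformed, err
	}

	claimBytes, err := base64.RawURLEncoding.DecodeString(jwtParts[1])
	if err != nil {
		return Token{}, ValidationErrorClaimsMalformed, err
	}
	if err := json.Unmarshal(claimBytes, &token.Claims); err != nil {
		return Token{}, ValidationErrorClaimsMalformed, err
	}

	token.Signature = jwtParts[2]

	if !parseOptions.SkipSignatureValidation {
		// The signature is verified by re-signing the decoded headers and
		// claims and comparing the resulting signature segment with the one
		// presented. Nothing here is trusted until this comparison passes.
		// NOTE(review): Create receives the headers exactly as they arrived in
		// the untrusted token; confirm that it does not let a token-supplied
		// algorithm header choose the signing method.
		jwtSample, err := t.Create(token.Claims, token.Headers)
		if err != nil {
			return Token{}, ValidationErrorUnverifiable, err
		}
		sampleParts := strings.Split(jwtSample, ".")
		if len(sampleParts) != 3 {
			// Guard the index below; a reference token that is not three
			// segments is a bug in Create, not in the presented token.
			return Token{}, ValidationErrorUnverifiable,
				fmt.Errorf("%s: reference token has %d segments, want 3",
					ValidationErrorUnverifiable, len(sampleParts))
		}
		// Constant-time comparison so rejection latency does not depend on
		// how many leading bytes of the signature were correct. The expected
		// signature is deliberately not included in the error: it is a valid
		// signature over exactly the claims the caller presented.
		if subtle.ConstantTimeCompare([]byte(sampleParts[2]), []byte(token.Signature)) != 1 {
			return Token{}, ValidationErrorSignatureInvalid,
				fmt.Errorf("%s: failed to validate signature", ValidationErrorSignatureInvalid)
		}
	}

	// Presence checks for headers and claims the caller marked as required.
	// Order matters: the first missing field decides the returned code.
	switch {
	case parseOptions.RequiredHeaderContentType && token.Headers.ContentType == "":
		return Token{}, ValidationErrorHeadersContentType, errTokenIsInvalid
	case parseOptions.RequiredHeaderKeyID && token.Headers.KeyID == "":
		return Token{}, ValidationErrorHeadersKeyID, errTokenIsInvalid
	case parseOptions.RequiredHeaderCritical && token.Headers.Critical == "":
		return Token{}, ValidationErrorHeadersCritical, errTokenIsInvalid
	case parseOptions.RequiredClaimIssuer && token.Claims.Issuer == "":
		return Token{}, ValidationErrorClaimsIssuer, errTokenIsInvalid
	case parseOptions.RequiredClaimSubject && token.Claims.Subject == "":
		return Token{}, ValidationErrorClaimsSubject, errTokenIsInvalid
	case parseOptions.RequiredClaimAudience && token.Claims.Audience == "":
		return Token{}, ValidationErrorClaimsAudience, errTokenIsInvalid
	case parseOptions.RequiredClaimJwtID && token.Claims.JwtID == "":
		return Token{}, ValidationErrorClaimsJwtId, errTokenIsInvalid
	case parseOptions.RequiredClaimData && token.Claims.Data == nil:
		return Token{}, ValidationErrorClaimsData, errTokenIsInvalid
	}

	if !parseOptions.SkipClaimsValidation {
		// Expiry is derived from iat plus the configured lifetime; no separate
		// exp claim is consulted. A missing iat decodes as 0, so such a token
		// expires shortly after the Unix epoch and is rejected here.
		expiresAt := time.Unix(token.Claims.IssuedAt, 0).
			Add(time.Second * time.Duration(t.config.TokenLifetimeSec)).
			Unix()
		if now > expiresAt {
			return Token{}, ValidationErrorClaimsExpired, errTokenIsInvalid
		}
		// nbf is optional; 0 means it was not set.
		if token.Claims.NotBefore != 0 && now < token.Claims.NotBefore {
			return Token{}, ValidationErrorClaimsNotValidYet, errTokenIsInvalid
		}
		// No clock-skew leeway: an iat even one second ahead of this host's
		// clock is rejected.
		if now < token.Claims.IssuedAt {
			return Token{}, ValidationErrorClaimsIssuedAt, errTokenIsInvalid
		}
	}

	return token, "", nil
}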