-
Notifications
You must be signed in to change notification settings - Fork 0
/
create.go
120 lines (111 loc) · 3.1 KB
/
create.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
package jwt
import (
"crypto/hmac"
"crypto/sha256"
"crypto/sha512"
"encoding/base64"
"encoding/hex"
"encoding/json"
"fmt"
"hash"
"html"
"time"
)
func (t *jwt) Create(claims Claims, h ...Headers) (string, error) {
const noPadding rune = -1
var mac hash.Hash
// Init Headers
headers := t.config.Headers
if len(h) != 0 {
if h[0].Type != "" {
headers.Type = h[0].Type
}
if h[0].SignatureAlgorithm != "" {
headers.SignatureAlgorithm = h[0].SignatureAlgorithm
}
if h[0].ContentType != "" {
headers.ContentType = h[0].ContentType
}
if h[0].KeyID != "" {
headers.KeyID = h[0].KeyID
}
if h[0].Critical != "" {
headers.Critical = h[0].Critical
}
}
if headers.Type == "" {
return "", fmt.Errorf("headers.Type header must be present")
}
if headers.SignatureAlgorithm == "" {
return "", fmt.Errorf("headers.SignatureAlgorithm header must be present")
}
// Init Claims
if claims.Issuer == "" {
claims.Issuer = t.config.Claims.Issuer
}
if claims.Subject == "" {
claims.Subject = t.config.Claims.Subject
}
if claims.Audience == "" {
claims.Audience = t.config.Claims.Audience
}
if claims.ExpirationTime == 0 {
claims.ExpirationTime = t.config.Claims.ExpirationTime
}
if claims.NotBefore == 0 {
claims.NotBefore = t.config.Claims.NotBefore
}
if claims.IssuedAt == 0 {
claims.IssuedAt = t.config.Claims.IssuedAt
}
if claims.JwtID == "" {
claims.JwtID = t.config.Claims.JwtID
}
if claims.Data == nil {
claims.Data = t.config.Claims.Data
}
// Headers part
valueByte, err := json.Marshal(headers)
if err != nil {
return "", fmt.Errorf("failed convert the headers to JSON-format: %s", err)
}
headersPart := base64.URLEncoding.WithPadding(noPadding).EncodeToString(valueByte)
// Payload part
now := time.Now().UTC().Unix()
if claims.IssuedAt == 0 {
claims.IssuedAt = now
}
if claims.NotBefore != 0 {
if claims.NotBefore < claims.IssuedAt {
return "", fmt.Errorf("claims.NotBefore cannot be less than claims.IssuedAt")
}
}
if claims.ExpirationTime == 0 {
if t.config.TokenLifetimeSec == 0 {
return "", fmt.Errorf("claims.ExpirationTime or config.TokenLifetimeSec must not be null")
}
claims.ExpirationTime =
time.Unix(now, 0).Add(time.Second * time.Duration(t.config.TokenLifetimeSec)).UTC().Unix()
}
valueByte, err = json.Marshal(claims)
if err != nil {
return "", fmt.Errorf("failed convert the token.Claims to JSON-format: %s", err)
}
payloadPart := base64.URLEncoding.WithPadding(noPadding).EncodeToString(valueByte)
// Signature part
unsignedToken := headersPart + "." + payloadPart
switch headers.SignatureAlgorithm {
case TokenSignatureAlgorithmHS256:
mac = hmac.New(sha256.New, []byte(t.config.Key))
case TokenSignatureAlgorithmHS512:
mac = hmac.New(sha512.New, []byte(t.config.Key))
default:
return "", fmt.Errorf("invalid the signature algorithm: %s", headers.SignatureAlgorithm)
}
mac.Write([]byte(unsignedToken))
signature := hex.EncodeToString(mac.Sum(nil))
// Return the JSON Web Token (JWT).
return html.UnescapeString(headersPart) +
"." + html.UnescapeString(payloadPart) +
"." + html.UnescapeString(signature), nil
}