-
Notifications
You must be signed in to change notification settings - Fork 207
/
jwt.go
169 lines (142 loc) · 4.11 KB
/
jwt.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
// Copyright 2016 Documize Inc. <legal@documize.com>. All rights reserved.
//
// This software (Documize Community Edition) is licensed under
// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html
//
// You can operate outside the AGPL restrictions by purchasing
// Documize Enterprise Edition and obtaining a commercial license
// by contacting <sales@documize.com>.
//
// https://documize.com
package endpoint
import (
"fmt"
"net/http"
"strings"
"time"
jwt "github.com/dgrijalva/jwt-go"
"github.com/documize/community/core/api"
"github.com/documize/community/core/api/request"
"github.com/documize/community/core/log"
)
// var jwtKey string
// func init() {
// env.GetString(&jwtKey, "salt", false, "the salt string used to encode JWT tokens, if not set a random value will be generated",
// func(t *string, n string) bool {
// if jwtKey == "" {
// b := make([]byte, 17)
// _, err := rand.Read(b)
// if err != nil {
// jwtKey = err.Error()
// log.Error("problem using crypto/rand", err)
// return false
// }
// for k, v := range b {
// if (v >= 'a' && v <= 'z') || (v >= 'A' && v <= 'Z') || (v >= '0' && v <= '0') {
// b[k] = v
// } else {
// s := fmt.Sprintf("%x", v)
// b[k] = s[0]
// }
// }
// jwtKey = string(b)
// log.Info("Please set DOCUMIZESALT or use -salt with this value: " + jwtKey)
// }
// return true
// })
// }
// Generates JSON Web Token (http://jwt.io)
func generateJWT(user, org, domain string) string {
token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"iss": "Documize",
"sub": "webapp",
"exp": time.Now().Add(time.Hour * 168).Unix(),
"user": user,
"org": org,
"domain": domain,
})
tokenString, _ := token.SignedString([]byte(api.Runtime.Flags.Salt))
return tokenString
}
// Check for authorization token.
// We look for 'Authorization' request header OR query string "?token=XXX".
func findJWT(r *http.Request) (token string) {
header := r.Header.Get("Authorization")
if header != "" {
header = strings.Replace(header, "Bearer ", "", 1)
}
if len(header) > 1 {
token = header
} else {
query := r.URL.Query()
token = query.Get("token")
}
if token == "null" {
token = ""
}
return
}
// We take in raw token string and decode it.
func decodeJWT(tokenString string) (c request.Context, claims jwt.Claims, err error) {
method := "decodeJWT"
// sensible defaults
c.UserID = ""
c.OrgID = ""
c.Authenticated = false
c.Guest = false
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
return []byte(api.Runtime.Flags.Salt), nil
})
if err != nil {
err = fmt.Errorf("bad authorization token")
return
}
if !token.Valid {
if ve, ok := err.(*jwt.ValidationError); ok {
if ve.Errors&jwt.ValidationErrorMalformed != 0 {
log.Error("invalid token", err)
err = fmt.Errorf("bad token")
return
} else if ve.Errors&(jwt.ValidationErrorExpired|jwt.ValidationErrorNotValidYet) != 0 {
log.Error("expired token", err)
err = fmt.Errorf("expired token")
return
} else {
log.Error("invalid token", err)
err = fmt.Errorf("bad token")
return
}
} else {
log.Error("invalid token", err)
err = fmt.Errorf("bad token")
return
}
}
c = request.NewContext()
if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
c.UserID = claims["user"].(string)
c.OrgID = claims["org"].(string)
} else {
fmt.Println(err)
}
if len(c.UserID) == 0 || len(c.OrgID) == 0 {
err = fmt.Errorf("%s : unable parse token data", method)
return
}
c.Authenticated = true
c.Guest = false
return c, token.Claims, nil
}
// We take in Keycloak token string and decode it.
func decodeKeycloakJWT(t, pk string) (c jwt.MapClaims, err error) {
token, err := jwt.Parse(t, func(token *jwt.Token) (interface{}, error) {
if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
}
return jwt.ParseRSAPublicKeyFromPEM([]byte(pk))
})
if c, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
return c, nil
}
return nil, err
}