Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merge main #708

Merged
merged 7 commits into from
Jun 6, 2022
Merged

Merge main #708

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
881b4c4
Setup cron system (#691)
subomi May 30, 2022
7498d2f
add support for jwt authentication (#690)
Dotunj May 31, 2022
ca9875b
add ReplayAppEvent endpoint (#672)
danvixent May 31, 2022
ac5fb35
add crud for organisations (#685)
danvixent Jun 1, 2022
43d3a04
Add missing comma to convoy.json.example (#700)
djperrefort Jun 2, 2022
2b66727
Merge branch 'main' into raymond/feat/merge-main
jirevwe Jun 6, 2022
e9e800c
chore: fixed tests and build
jirevwe Jun 6, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
2 changes: 2 additions & 0 deletions auth/credential.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ type Credential struct {
Username string `json:"username"`
Password string `json:"password"`
APIKey string `json:"api_key"`
Token string `json:"token"`
}

func (c *Credential) String() string {
Expand All @@ -28,6 +29,7 @@ type CredentialType string
const (
CredentialTypeBasic = CredentialType("BASIC")
CredentialTypeAPIKey = CredentialType("BEARER")
CredentialTypeJWT = CredentialType("JWT")
)

func (c CredentialType) String() string {
Expand Down
201 changes: 201 additions & 0 deletions auth/realm/jwt/jwt.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,201 @@
package jwt

import (
"context"
"encoding/base64"
"errors"
"fmt"
"time"

"github.com/frain-dev/convoy"
"github.com/frain-dev/convoy/cache"
"github.com/frain-dev/convoy/config"
"github.com/frain-dev/convoy/datastore"
"github.com/frain-dev/convoy/util"
"github.com/golang-jwt/jwt"
)

var (
ErrInvalidToken = errors.New("invalid token")
ErrTokenExpired = errors.New("expired token")
)

type Token struct {
AccessToken string `json:"access_token"`
RefreshToken string `json:"refresh_token"`
}

type VerifiedToken struct {
UserID string
Expiry int64
}

const (
JwtDefaultSecret string = "convoy-jwt"
JwtDefaultRefreshSecret string = "convoy-refresh-jwt"
JwtDefaultExpiry int = 1800 //seconds
JwtDefaultRefreshExpiry int = 86400 //seconds
)

type Jwt struct {
Secret string
Expiry int
RefreshSecret string
RefreshExpiry int
cache cache.Cache
}

func NewJwt(opts *config.JwtRealmOptions, cache cache.Cache) *Jwt {

j := &Jwt{
Secret: opts.Secret,
Expiry: opts.Expiry,
RefreshSecret: opts.RefreshSecret,
RefreshExpiry: opts.RefreshExpiry,
cache: cache,
}

if util.IsStringEmpty(j.Secret) {
j.Secret = JwtDefaultSecret
}

if util.IsStringEmpty(j.RefreshSecret) {
j.RefreshSecret = JwtDefaultRefreshSecret
}

if j.Expiry == 0 {
j.Expiry = JwtDefaultExpiry
}

if j.RefreshExpiry == 0 {
j.RefreshExpiry = JwtDefaultRefreshExpiry
}

return j
}

func (j *Jwt) GenerateToken(user *datastore.User) (Token, error) {
tok := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"sub": user.UID,
"exp": time.Now().Add(time.Second * time.Duration(j.Expiry)).Unix(),
})

token := Token{}

accessToken, err := tok.SignedString([]byte(j.Secret))
if err != nil {
return token, err
}

refreshToken, err := j.generateRefreshToken(user)
if err != nil {
return token, err
}

token.AccessToken = accessToken
token.RefreshToken = refreshToken

return token, nil

}

func (j *Jwt) ValidateAccessToken(accessToken string) (*VerifiedToken, error) {
return j.validateToken(accessToken, j.Secret)
}

func (j *Jwt) ValidateRefreshToken(refreshToken string) (*VerifiedToken, error) {
return j.validateToken(refreshToken, j.RefreshSecret)
}

// A token is considered blacklisted if the base64 encoding
// of the token exists as a key within the cache
func (j *Jwt) isTokenBlacklisted(token string) (bool, error) {
var exists *string

key := convoy.TokenCacheKey.Get(j.EncodeToken(token)).String()
err := j.cache.Get(context.Background(), key, &exists)

if err != nil {
return false, err
}

if exists == nil {
return false, nil
}

return true, nil

}

func (j *Jwt) BlacklistToken(verified *VerifiedToken, token string) error {
// Calculate the remaining valid time for the token
ttl := time.Until(time.Unix(verified.Expiry, 0))
key := convoy.TokenCacheKey.Get(j.EncodeToken(token)).String()
err := j.cache.Set(context.Background(), key, &verified.UserID, ttl)

if err != nil {
return err
}

return nil
}

func (j *Jwt) EncodeToken(token string) string {
return base64.StdEncoding.EncodeToString([]byte(token))
}

func (j *Jwt) generateRefreshToken(user *datastore.User) (string, error) {
refreshToken := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"sub": user.UID,
"exp": time.Now().Add(time.Second * time.Duration(j.RefreshExpiry)).Unix(),
})

return refreshToken.SignedString([]byte(j.RefreshSecret))
}

func (j *Jwt) validateToken(accessToken, secret string) (*VerifiedToken, error) {
var userId string
var expiry float64

isBlacklisted, err := j.isTokenBlacklisted(accessToken)
if err != nil {
return nil, err
}

if isBlacklisted {
return nil, ErrInvalidToken
}

token, err := jwt.Parse(accessToken, func(token *jwt.Token) (interface{}, error) {
_, ok := token.Method.(*jwt.SigningMethodHMAC)
if !ok {
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
}

return []byte(secret), nil
})

if err != nil {
v, ok := err.(*jwt.ValidationError)
if ok && v.Errors == jwt.ValidationErrorExpired {
if payload, ok := token.Claims.(jwt.MapClaims); ok {
expiry = payload["exp"].(float64)
}

return &VerifiedToken{Expiry: int64(expiry)}, ErrTokenExpired
}

return nil, err
}

payload, ok := token.Claims.(jwt.MapClaims)
if ok && token.Valid {
userId = payload["sub"].(string)
expiry = payload["exp"].(float64)

v := &VerifiedToken{UserID: userId, Expiry: int64(expiry)}
return v, nil
}

return nil, err
}
49 changes: 49 additions & 0 deletions auth/realm/jwt/jwt_realm.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
package jwt

import (
"context"
"fmt"

"github.com/frain-dev/convoy/auth"
"github.com/frain-dev/convoy/cache"
"github.com/frain-dev/convoy/config"
"github.com/frain-dev/convoy/datastore"
)

type JwtRealm struct {
userRepo datastore.UserRepository
jwt *Jwt
}

func NewJwtRealm(userRepo datastore.UserRepository, opts *config.JwtRealmOptions, cache cache.Cache) *JwtRealm {
return &JwtRealm{userRepo: userRepo, jwt: NewJwt(opts, cache)}
}

func (j *JwtRealm) Authenticate(ctx context.Context, cred *auth.Credential) (*auth.AuthenticatedUser, error) {
if cred.Type != auth.CredentialTypeJWT {
return nil, fmt.Errorf("%s only authenticates credential type %s", j.GetName(), auth.CredentialTypeJWT.String())
}

verified, err := j.jwt.ValidateAccessToken(cred.Token)
if err != nil {
return nil, ErrInvalidToken
}

user, err := j.userRepo.FindUserByID(ctx, verified.UserID)
if err != nil {
return nil, ErrInvalidToken
}

authUser := &auth.AuthenticatedUser{
AuthenticatedByRealm: j.GetName(),
Credential: *cred,
Role: user.Role,
}

return authUser, nil

}

func (j *JwtRealm) GetName() string {
return "jwt"
}