-
Notifications
You must be signed in to change notification settings - Fork 33
/
jwt.go
133 lines (106 loc) · 3.59 KB
/
jwt.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
/* Copyright (c) 2021, VRAI Labs and/or its affiliates. All rights reserved.
*
* This software is licensed under the Apache License, Version 2.0 (the
* "License") as published by the Apache Software Foundation.
*
* You may not use this file except in compliance with the License. You may
* obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
package session
import (
"encoding/base64"
"encoding/json"
"errors"
"fmt"
"reflect"
"strconv"
"strings"
"github.com/golang-jwt/jwt/v5"
"github.com/supertokens/supertokens-golang/recipe/session/sessmodels"
)
var HEADERS = []string{
"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsInZlcnNpb24iOiIxIn0=", // {"alg":"RS256","typ":"JWT","version":"1"}
"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsInZlcnNpb24iOiIyIn0=", // {"alg":"RS256","typ":"JWT","version":"2"}
}
func checkHeader(header string) error {
for _, h := range HEADERS {
if h == header {
return nil
}
}
return errors.New("Invalid JWT header")
}
func ParseJWTWithoutSignatureVerification(token string) (sessmodels.ParsedJWTInfo, error) {
splittedInput := strings.Split(token, ".")
latestAccessTokenVersion := 3
var kid *string
if len(splittedInput) != 3 {
errors.New("Invalid JWT")
}
// V1&V2 is functionally identical, plus all legacy tokens should be V2 now.
version := 2
// V2 or older tokens did not save the key id;
err := checkHeader(splittedInput[0])
payload := map[string]interface{}{}
// If err != nil, it is a V3 token (or above)
if err != nil {
unverifiedToken, _, rawParseError := new(jwt.Parser).ParseUnverified(token, jwt.MapClaims{})
if rawParseError != nil {
return sessmodels.ParsedJWTInfo{}, rawParseError
}
parsedHeader := unverifiedToken.Header
versionInHeader, ok := parsedHeader["version"]
if !ok {
versionInHeader = fmt.Sprint(latestAccessTokenVersion)
}
if reflect.TypeOf(versionInHeader).Kind() != reflect.String {
return sessmodels.ParsedJWTInfo{}, errors.New("JWT header mismatch")
}
versionNumber, parseError := strconv.Atoi(versionInHeader.(string))
kidInHeader, ok := parsedHeader["kid"]
if !ok {
return sessmodels.ParsedJWTInfo{}, errors.New("JWT header mismatch")
}
if reflect.TypeOf(kidInHeader).Kind() != reflect.String {
return sessmodels.ParsedJWTInfo{}, errors.New("JWT header mismatch")
}
kidString := kidInHeader.(string)
kid = &kidString
if parsedHeader["typ"].(string) != "JWT" || parseError != nil || versionNumber < 3 || parsedHeader["kid"] == nil {
return sessmodels.ParsedJWTInfo{}, errors.New("JWT header mismatch")
}
version = versionNumber
claims, ok := unverifiedToken.Claims.(jwt.MapClaims)
if ok {
payload = claims
} else {
return sessmodels.ParsedJWTInfo{}, errors.New("Invalid JWT")
}
} else {
bytes, err := base64.StdEncoding.DecodeString(splittedInput[1])
if err != nil {
return sessmodels.ParsedJWTInfo{}, err
}
decodedJson := map[string]interface{}{}
err = json.Unmarshal(bytes, &decodedJson)
if err != nil {
return sessmodels.ParsedJWTInfo{}, err
}
payload = decodedJson
}
return sessmodels.ParsedJWTInfo{
RawTokenString: token,
RawPayload: splittedInput[1],
Header: splittedInput[0],
Payload: payload,
Signature: splittedInput[2],
Version: version,
KID: kid,
}, nil
}