
Conversation

@ch3nnn
Contributor

@ch3nnn ch3nnn commented Aug 23, 2024

Implement support for multiple custom token keys and simplify the JWT authentication configuration. The WithTokenLookups function enables setting token keys, improving the authentication process by accommodating various token header extraction strategies.

example:

jwt-api.api

syntax = "v1"


type Request {
	Name string `path:"name,options=you|me"`
}

type Response {
	Message string `json:"message"`
}

type FormExampleReq {
	Name string `form:"name,options=you|me"`
}

@server(
	jwt: Auth
	jwtTransition: Trans
)
service A-api {
	@handler GreetHandler
	get /greet/from/:name(Request) returns (Response)

	@handler FormExample
	post /form/example (FormExampleReq) returns (Response)
}

a-api.yaml

Name: A-api
Host: 0.0.0.0
Port: 8888

Auth:
  AccessSecret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  AccessExpire: 604800
  TokenLookup:
    - "header:Token"
    - "query:Token"
    - "form:Token"
    - "cookie:Token"
    - "param:Token"

Trans:
  Secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  PrevSecret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  TokenLookup:
    - "header:Token"
    - "query:Token"
    - "form:Token"
    - "cookie:Token"
    - "param:Token"

TokenLookup extracts a JWT from a custom request header, a POST form field, or GET URL arguments.

@codecov

codecov bot commented Aug 23, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 94.58%. Comparing base (8690859) to head (5edcd9b).
Report is 285 commits behind head on master.

Additional details and impacted files
Files with missing lines Coverage Δ
rest/engine.go 100.00% <100.00%> (ø)
rest/handler/authhandler.go 86.88% <100.00%> (+1.97%) ⬆️
rest/server.go 96.87% <100.00%> (+0.34%) ⬆️
rest/token/extractor.go 100.00% <100.00%> (ø)
rest/token/tokenparser.go 93.81% <100.00%> (+2.03%) ⬆️

... and 13 files with indirect coverage changes


@kevwan
Contributor

kevwan commented Aug 27, 2024

Would you please give some examples on how to use different token keys? For example, how to request the API with curl.

@kevwan kevwan force-pushed the feat-rest-authhandler branch from c2d7e29 to a01f817 Compare August 27, 2024 13:00
@ch3nnn
Contributor Author

ch3nnn commented Aug 27, 2024

According to the a-api.yaml configuration file, the Auth.TokenLookup field is optional.

TokenLookup entries are attempted in sequence until a match is found; if no match occurs, the default Bearer Authorization request header is used.

example:

  • url arguments

    curl --request GET \
      --url 'http://127.0.0.1:8888/greet/from/me?Token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MjQ3NjUwMjR9.OvLg2ook9yVdBseQYkMO5wmdokYNGuaDMSa1dNkSeo8' \
      --header 'content-type: application/json'
  • post form

    curl --request POST \
      --url http://localhost:8888/form/example \
      --header 'content-type: multipart/form-data' \
      --form Token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MjQ3NjUwMjR9.OvLg2ook9yVdBseQYkMO5wmdokYNGuaDMSa1dNkSeo8 \
      --form name=me
  • custom request header

    curl --request GET \
      --url http://127.0.0.1:8888/greet/from/me \
      --header 'content-type: application/json' \
      --header 'Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MjQ3NjUwMjR9.OvLg2ook9yVdBseQYkMO5wmdokYNGuaDMSa1dNkSeo8'

If the TokenLookup setting is not provided, the default Bearer Authorization request header is used.

curl --request GET \
  --url http://127.0.0.1:8888/greet/from/me \
  --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MjQ3NjUwMjR9.OvLg2ook9yVdBseQYkMO5wmdokYNGuaDMSa1dNkSeo8' \
  --header 'content-type: application/json'
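The lookup order described in the PR description and in the curl examples above (configured sources tried in sequence, then the Bearer header as a fallback) is shown below as an added, stand-alone example written for this page. It is not go-zero's own code and is not taken from rest/token/extractor.go; the names ParseLookups, ExtractToken and bearerToken, the Extractor signature, and the map-based stand-in for router path params are all assumptions of this example. The practitioner caveat it makes visible: a token accepted from "query:Token" sits in the request line, so it lands in access logs, proxy logs, browser history and Referer headers. RFC 6750 section 2.3 says the URI query-parameter method should not be used unless a header is genuinely unavailable, so list header and cookie sources first and enable query lookups only on the routes that need them (such as the browser download case raised later in this thread).

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Extractor returns the token found in one request location, or "" if absent.
// pathParams stands in for the router's path variables (the "param" source);
// this map-based shape is an assumption of this example, not go-zero's API.
type Extractor func(r *http.Request, pathParams map[string]string) string

// ErrNoToken is returned when neither the configured lookups nor the
// default Bearer header carry a token.
var ErrNoToken = errors.New("no token found in any configured lookup")

// ParseLookups converts "source:name" specs (the TokenLookup list shape from
// the PR) into extractors, preserving order. Unknown sources are rejected at
// configuration time rather than silently ignored.
func ParseLookups(specs []string) ([]Extractor, error) {
	var out []Extractor
	for _, spec := range specs {
		src, name, ok := strings.Cut(spec, ":")
		if !ok || name == "" {
			return nil, fmt.Errorf("bad token lookup %q: want source:name", spec)
		}
		var ex Extractor
		switch src {
		case "header":
			ex = func(r *http.Request, _ map[string]string) string { return r.Header.Get(name) }
		case "query":
			ex = func(r *http.Request, _ map[string]string) string { return r.URL.Query().Get(name) }
		case "form":
			// PostFormValue reads the body only (urlencoded or multipart),
			// so "form:" never silently matches a query-string value.
			ex = func(r *http.Request, _ map[string]string) string { return r.PostFormValue(name) }
		case "cookie":
			ex = func(r *http.Request, _ map[string]string) string {
				c, err := r.Cookie(name)
				if err != nil {
					return ""
				}
				return c.Value
			}
		case "param":
			ex = func(_ *http.Request, p map[string]string) string { return p[name] }
		default:
			return nil, fmt.Errorf("unknown token source %q in %q", src, spec)
		}
		out = append(out, ex)
	}
	return out, nil
}

// bearerToken implements the default "Authorization: Bearer <token>" lookup;
// the scheme name is matched case-insensitively as RFC 6750 allows.
func bearerToken(r *http.Request, _ map[string]string) string {
	auth := r.Header.Get("Authorization")
	const prefix = "Bearer "
	if len(auth) > len(prefix) && strings.EqualFold(auth[:len(prefix)], prefix) {
		return strings.TrimSpace(auth[len(prefix):])
	}
	return ""
}

// ExtractToken tries the configured lookups in order and returns the first
// non-empty value; if none match it falls back to the Bearer header, which
// is the sequencing the PR describes. With no lookups only Bearer is accepted.
func ExtractToken(lookups []Extractor, r *http.Request, pathParams map[string]string) (string, error) {
	for _, ex := range lookups {
		if tok := ex(r, pathParams); tok != "" {
			return tok, nil
		}
	}
	if tok := bearerToken(r, pathParams); tok != "" {
		return tok, nil
	}
	return "", ErrNoToken
}

func main() {
	lookups, err := ParseLookups([]string{"header:Token", "query:Token", "cookie:Token"})
	if err != nil {
		panic(err)
	}
	// Constructed request: the token travels only in the query string, the
	// pattern a browser download via window.open('download?Token=...') produces.
	r := httptest.NewRequest(http.MethodGet, "/download?Token=constructed.jwt.value", nil)
	tok, err := ExtractToken(lookups, r, nil)
	fmt.Printf("token=%q err=%v\n", tok, err)
	// The same credential is now part of the request line that access logs
	// record; prefer a header or cookie source wherever the client can set one.
	fmt.Println("request line carries credential:", strings.Contains(r.URL.String(), tok))
}
```

Because "form:Token" is read with PostFormValue rather than FormValue, a token placed in the query string is only honoured when "query:Token" is itself configured; dropping that entry from a route's TokenLookup is enough to stop accepting URL-borne credentials there while keeping the form and header paths.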

@kevwan kevwan force-pushed the feat-rest-authhandler branch from a01f817 to a3f44cf Compare August 27, 2024 14:39
@kevwan
Contributor

kevwan commented Aug 27, 2024

Bearer is the standard scheme; is there any official spec that talks about a Bearer replacement?

@ch3nnn
Contributor Author

ch3nnn commented Aug 29, 2024

I looked up https://golang-jwt.github.io/jwt/#jwt-and-oauth-20, which mentions this point:

A JWT token is simply a signed JSON object. It can be used anywhere such a thing is useful.

This feature is also supported in other frameworks/libraries.

@kevwan kevwan self-assigned this Aug 29, 2024
@kevwan kevwan self-requested a review August 29, 2024 14:09
Implement support for multiple custom token keys and simplify the JWT authentication configuration.
`WithTokenKeys` function enables setting token keys, improving the authentication process by accommodating various token header extraction strategies.
Extracting JWT from different request sources (headers, query params, form data) is now
configurable via `TokenLookup`.
@kevwan kevwan force-pushed the feat-rest-authhandler branch from 3e19023 to d167104 Compare January 30, 2025 15:41
- Implement CookieExtractor and ParamExtractor for token extraction
- Add tests for new token extraction methods
- Improve error handling and test coverage
@greper

greper commented Dec 11, 2025

Why haven't they merged it yet?
I want to download a file, but I need to verify the authorization. It's impossible to add it to the header, so I can only use a query parameter, something like window.open('download?token=xxxxx')
