thermokarst/jwt
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Refactor verify

Browse source
This commit is contained in:
Matthew Dillon 2015-09-17 15:53:10 -07:00
parent 7752009bbb
commit 88ac9569ee
1 changed files with 49 additions and 55 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

104
jwt.go
View file

@ -115,64 +115,12 @@ func (m *Middleware) Secure(h http.Handler, v VerifyClaimsFunc) http.Handler {
} else { } else {
token = strings.Split(authHeader, " ")[1] token = strings.Split(authHeader, " ")[1]
} }
tokenParts := strings.Split(token, ".")
if len(tokenParts) != 3 {
return &jwtError{status: http.StatusUnauthorized, err: ErrMalformedToken}
}
// First, verify JOSE header if status, err, message := m.VerifyToken(token, v, r); err != nil {
header, err := decode(tokenParts[0])
if err != nil {
return &jwtError{ return &jwtError{
status: http.StatusInternalServerError, status: status,
err: err, err: err,
message: fmt.Sprintf("decoding header (%v)", tokenParts[0]), message: message,
}
}
var t struct {
Typ string
Alg string
}
err = json.Unmarshal(header, &t)
if err != nil {
return &jwtError{
status: http.StatusInternalServerError,
err: ErrMalformedToken,
message: fmt.Sprintf("unmarshalling header (%s)", header),
}
}
// Then, verify signature
mac := hmac.New(sha256.New, []byte(m.secret))
message := []byte(strings.Join([]string{tokenParts[0], tokenParts[1]}, "."))
mac.Write(message)
expectedMac, err := encode(mac.Sum(nil))
if err != nil {
return &jwtError{status: http.StatusInternalServerError, err: err}
}
if !hmac.Equal([]byte(tokenParts[2]), []byte(expectedMac)) {
return &jwtError{
status: http.StatusUnauthorized,
err: ErrInvalidSignature,
message: fmt.Sprintf("checking signature (%v)", tokenParts[2]),
}
}
// Finally, check claims
claimSet, err := decode(tokenParts[1])
if err != nil {
return &jwtError{
status: http.StatusInternalServerError,
err: ErrDecoding,
message: "decoding claims",
}
}
err = v(claimSet, r)
if err != nil {
return &jwtError{
status: http.StatusUnauthorized,
err: err,
message: "handling claims callback",
} }
} }
@ -279,6 +227,52 @@ func (m *Middleware) CreateToken(identity string) (string, error) {
return response, nil return response, nil
} }
// VerifyToken verifies a token
func (m *Middleware) VerifyToken(token string, v VerifyClaimsFunc, r *http.Request) (int, error, string) {
tokenParts := strings.Split(token, ".")
if len(tokenParts) != 3 {
return http.StatusUnauthorized, ErrMalformedToken, ""
}
// First, verify JOSE header
header, err := decode(tokenParts[0])
if err != nil {
return http.StatusInternalServerError, err, fmt.Sprintf("decoding header (%v)", tokenParts[0])
}
var t struct {
Typ string
Alg string
}
err = json.Unmarshal(header, &t)
if err != nil {
return http.StatusInternalServerError, ErrMalformedToken, fmt.Sprintf("unmarshalling header (%s)", header)
}
// Then, verify signature
mac := hmac.New(sha256.New, []byte(m.secret))
message := []byte(strings.Join([]string{tokenParts[0], tokenParts[1]}, "."))
mac.Write(message)
expectedMac, err := encode(mac.Sum(nil))
if err != nil {
return http.StatusInternalServerError, err, ""
}
if !hmac.Equal([]byte(tokenParts[2]), []byte(expectedMac)) {
return http.StatusUnauthorized, ErrInvalidSignature, fmt.Sprintf("checking signature (%v)", tokenParts[2])
}
// Finally, check claims
claimSet, err := decode(tokenParts[1])
if err != nil {
return http.StatusInternalServerError, ErrDecoding, "decoding claims"
}
err = v(claimSet, r)
if err != nil {
return http.StatusUnauthorized, err, "handling claims callback"
}
return 200, nil, ""
}
type jwtError struct { type jwtError struct {
status int status int
err error err error