Initial commit
This commit is contained in:
@@ -0,0 +1,96 @@
|
||||
// Package auth implements minimal HS256 JSON Web Tokens using only the standard
|
||||
// library. The API Server issues a token after verifying a user's credentials
|
||||
// against PocketBase, and verifies that token on every protected request.
|
||||
package auth
|
||||
|
||||
import (
|
||||
"crypto/hmac"
|
||||
"crypto/rand"
|
||||
"crypto/sha256"
|
||||
"encoding/base64"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
var (
|
||||
ErrInvalidToken = errors.New("invalid token")
|
||||
ErrExpired = errors.New("token expired")
|
||||
)
|
||||
|
||||
// Claims is the JWT payload carried for an authenticated user.
|
||||
type Claims struct {
|
||||
Sub string `json:"sub"` // user id
|
||||
Email string `json:"email"` // user email
|
||||
Name string `json:"name"` // display name (optional)
|
||||
Role string `json:"role,omitempty"` // access role: "user" | "admin"
|
||||
Jti string `json:"jti"` // id of the backing "sessions" record, for revocation
|
||||
Iat int64 `json:"iat"` // issued-at (unix seconds)
|
||||
Exp int64 `json:"exp"` // expiry (unix seconds)
|
||||
}
|
||||
|
||||
// NewJTI generates a random session identifier, hex-encoded so it's always a
|
||||
// safe, quote-free literal to embed directly in PocketBase filter strings.
|
||||
func NewJTI() (string, error) {
|
||||
b := make([]byte, 16)
|
||||
if _, err := rand.Read(b); err != nil {
|
||||
return "", err
|
||||
}
|
||||
return hex.EncodeToString(b), nil
|
||||
}
|
||||
|
||||
const headerB64 = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" // {"alg":"HS256","typ":"JWT"}
|
||||
|
||||
// Sign creates a signed token for the given claims and lifetime.
|
||||
func Sign(secret string, c Claims, ttl time.Duration) (string, error) {
|
||||
now := time.Now()
|
||||
c.Iat = now.Unix()
|
||||
c.Exp = now.Add(ttl).Unix()
|
||||
|
||||
payload, err := json.Marshal(c)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
signingInput := headerB64 + "." + b64(payload)
|
||||
sig := sign(signingInput, secret)
|
||||
return signingInput + "." + sig, nil
|
||||
}
|
||||
|
||||
// Verify checks the signature and expiry, returning the embedded claims.
|
||||
func Verify(secret, token string) (*Claims, error) {
|
||||
parts := strings.Split(token, ".")
|
||||
if len(parts) != 3 {
|
||||
return nil, ErrInvalidToken
|
||||
}
|
||||
signingInput := parts[0] + "." + parts[1]
|
||||
expected := sign(signingInput, secret)
|
||||
// Constant-time comparison to avoid timing leaks.
|
||||
if !hmac.Equal([]byte(expected), []byte(parts[2])) {
|
||||
return nil, ErrInvalidToken
|
||||
}
|
||||
|
||||
raw, err := base64.RawURLEncoding.DecodeString(parts[1])
|
||||
if err != nil {
|
||||
return nil, ErrInvalidToken
|
||||
}
|
||||
var c Claims
|
||||
if err := json.Unmarshal(raw, &c); err != nil {
|
||||
return nil, ErrInvalidToken
|
||||
}
|
||||
if time.Now().Unix() >= c.Exp {
|
||||
return nil, ErrExpired
|
||||
}
|
||||
return &c, nil
|
||||
}
|
||||
|
||||
func sign(input, secret string) string {
|
||||
mac := hmac.New(sha256.New, []byte(secret))
|
||||
mac.Write([]byte(input))
|
||||
return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
|
||||
}
|
||||
|
||||
func b64(b []byte) string {
|
||||
return base64.RawURLEncoding.EncodeToString(b)
|
||||
}
|
||||
Reference in New Issue
Block a user