iris/_examples/auth/jwt/refresh-token/main.go

package main

import (
	"time"

	"github.com/kataras/iris/v12"
	"github.com/kataras/iris/v12/middleware/jwt"
)

// UserClaims a custom access claims structure.
type UserClaims struct {
	// In order to separate refresh and access tokens on validation level:
	// - Set a different Issuer, with a field of: Issuer string `json:"iss"`
	// - Set the Iris JWT's json tag option "required" on an access token field,
	//   e.g. Username string `json:"username,required"`
	// - Let the middleware validate the correct one based on the given MaxAge,
	//   which should be different between refresh and max age (refersh should be bigger)
	//   by setting the `jwt.ExpectRefreshToken` on Verify/VerifyToken/VerifyTokenString
	//   (see `refreshToken` function below)
	ID       string `json:"user_id"`
	Username string `json:"username"`
}

// For refresh token, we will just use the jwt.Claims
// structure which contains the standard JWT fields.

func main() {
	app := iris.New()

	j := jwt.HMAC(15*time.Minute, "secret", "itsa16bytesecret")

	app.Get("/authenticate", func(ctx iris.Context) {
		generateTokenPair(ctx, j)
	})

	app.Get("/refresh", func(ctx iris.Context) {
		refreshToken(ctx, j)
	})

	protectedAPI := app.Party("/protected")
	{
		protectedAPI.Use(j.Verify(func() interface{} {
			return new(UserClaims)
		})) // OR j.VerifyToken(ctx, &claims, jwt.MeetRequirements(&UserClaims{}))

		protectedAPI.Get("/", func(ctx iris.Context) {
			// Get token info, even if our UserClaims does not embed those
			// through GetTokenInfo:
			expiresAt := jwt.GetTokenInfo(ctx).Claims.Expiry.Time()
			// Get your custom JWT claims through Get,
			// which is a shortcut of GetTokenInfo(ctx).Value:
			claims := jwt.Get(ctx).(*UserClaims)

			ctx.Writef("Username: %s\nExpires at: %s\n", claims.Username, expiresAt)
		})
	}

	// http://localhost:8080/protected (401)
	// http://localhost:8080/authenticate (200) (response JSON {access_token, refresh_token})
	// http://localhost:8080/protected?token={access_token} (200)
	// http://localhost:8080/protected?token={refresh_token} (401)
	// http://localhost:8080/refresh?token={refresh_token}
	// OR http://localhost:8080/refresh (request JSON{refresh_token = {refresh_token}}) (200) (response JSON {access_token, refresh_token})
	// OR http://localhost:8080/refresh (request PLAIN TEXT of {refresh_token}) (200) (response JSON {access_token, refresh_token})
	// http://localhost:8080/refresh?token={access_token} (401)
	app.Listen(":8080")
}

func generateTokenPair(ctx iris.Context, j *jwt.JWT) {
	// Simulate a user...
	userID := "53afcf05-38a3-43c3-82af-8bbbe0e4a149"

	// Map the current user with the refresh token,
	// so we make sure, on refresh route, that this refresh token owns
	// to that user before re-generate.
	refresh := jwt.Claims{Subject: userID}

	access := UserClaims{
		ID:       userID,
		Username: "kataras",
	}

	// Generates a Token Pair, long-live for refresh tokens, e.g. 1 hour.
	// Second argument is the refresh claims and,
	// the last one is the access token's claims.
	tokenPair, err := j.TokenPair(1*time.Hour, refresh, access)
	if err != nil {
		ctx.Application().Logger().Debugf("token pair: %v", err)
		ctx.StopWithStatus(iris.StatusInternalServerError)
		return
	}

	// Send the generated token pair to the client.
	// The tokenPair looks like: {"access_token": $token, "refresh_token": $token}
	ctx.JSON(tokenPair)
}

func refreshToken(ctx iris.Context, j *jwt.JWT) {
	/*
		We could pass a jwt.Claims pointer as the second argument,
		but we don't have to because the method already returns
		the standard JWT claims information back to us:
		refresh, err := VerifyRefreshToken(ctx, nil)
	*/

	// Assuming you have access to the current user, e.g. sessions.
	//
	// Simulate a database call against our jwt subject
	// to make sure that this refresh token is a pair generated by this user.
	// * Note: You can remove the ExpectSubject and do this validation later on by yourself.
	currentUserID := "53afcf05-38a3-43c3-82af-8bbbe0e4a149"

	// Verify the refresh token, which its subject MUST match the "currentUserID".
	_, err := j.VerifyRefreshToken(ctx, nil, jwt.ExpectSubject(currentUserID))
	if err != nil {
		ctx.Application().Logger().Debugf("verify refresh token: %v", err)
		ctx.StatusCode(iris.StatusUnauthorized)
		return
	}

	/* Custom validation checks can be performed after Verify calls too:
	currentUserID := "53afcf05-38a3-43c3-82af-8bbbe0e4a149"
	userID := refresh.Claims.Subject
	if userID != currentUserID {
		ctx.StopWithStatus(iris.StatusUnauthorized)
		return
	}
	*/

	// All OK, re-generate the new pair and send to client.
	generateTokenPair(ctx, j)
}
add auth/jwt/refresh-token example as requested at #1635 2020-09-16 12:57:11 +02:00			`package main`

			`import (`
			`"time"`

			`"github.com/kataras/iris/v12"`
			`"github.com/kataras/iris/v12/middleware/jwt"`
			`)`

New JWT features and changes (examples updated). Improvements on the Context User and Private Error features TODO: Write the new e-book JWT section and the HISTORY entry of the chnages and add a simple example on site docs 2020-10-17 05:40:17 +02:00			`// UserClaims a custom access claims structure.`
add auth/jwt/refresh-token example as requested at #1635 2020-09-16 12:57:11 +02:00			`type UserClaims struct {`
add an extra security layer on JWT and able to separate access from refresh tokens without any end-developer action on the claims payload (e.g. set a different issuer) 2020-10-18 13:42:19 +02:00			`// In order to separate refresh and access tokens on validation level:`
			// - Set a different Issuer, with a field of: Issuer string `json:"iss"`
			`// - Set the Iris JWT's json tag option "required" on an access token field,`
			// e.g. Username string `json:"username,required"`
			`// - Let the middleware validate the correct one based on the given MaxAge,`
			`// which should be different between refresh and max age (refersh should be bigger)`
			// by setting the `jwt.ExpectRefreshToken` on Verify/VerifyToken/VerifyTokenString
			// (see `refreshToken` function below)
			ID string `json:"user_id"`
			Username string `json:"username"`
add auth/jwt/refresh-token example as requested at #1635 2020-09-16 12:57:11 +02:00			`}`

New JWT features and changes (examples updated). Improvements on the Context User and Private Error features TODO: Write the new e-book JWT section and the HISTORY entry of the chnages and add a simple example on site docs 2020-10-17 05:40:17 +02:00			`// For refresh token, we will just use the jwt.Claims`
			`// structure which contains the standard JWT fields.`
add auth/jwt/refresh-token example as requested at #1635 2020-09-16 12:57:11 +02:00
			`func main() {`
			`app := iris.New()`

New JWT features and changes (examples updated). Improvements on the Context User and Private Error features TODO: Write the new e-book JWT section and the HISTORY entry of the chnages and add a simple example on site docs 2020-10-17 05:40:17 +02:00			`j := jwt.HMAC(15*time.Minute, "secret", "itsa16bytesecret")`
add auth/jwt/refresh-token example as requested at #1635 2020-09-16 12:57:11 +02:00
			`app.Get("/authenticate", func(ctx iris.Context) {`
New JWT features and changes (examples updated). Improvements on the Context User and Private Error features TODO: Write the new e-book JWT section and the HISTORY entry of the chnages and add a simple example on site docs 2020-10-17 05:40:17 +02:00			`generateTokenPair(ctx, j)`
add auth/jwt/refresh-token example as requested at #1635 2020-09-16 12:57:11 +02:00			`})`

add an extra security layer on JWT and able to separate access from refresh tokens without any end-developer action on the claims payload (e.g. set a different issuer) 2020-10-18 13:42:19 +02:00			`app.Get("/refresh", func(ctx iris.Context) {`
			`refreshToken(ctx, j)`
add auth/jwt/refresh-token example as requested at #1635 2020-09-16 12:57:11 +02:00			`})`

New JWT features and changes (examples updated). Improvements on the Context User and Private Error features TODO: Write the new e-book JWT section and the HISTORY entry of the chnages and add a simple example on site docs 2020-10-17 05:40:17 +02:00			`protectedAPI := app.Party("/protected")`
			`{`
			`protectedAPI.Use(j.Verify(func() interface{} {`
			`return new(UserClaims)`
			`})) // OR j.VerifyToken(ctx, &claims, jwt.MeetRequirements(&UserClaims{}))`

			`protectedAPI.Get("/", func(ctx iris.Context) {`
			`// Get token info, even if our UserClaims does not embed those`
			`// through GetTokenInfo:`
			`expiresAt := jwt.GetTokenInfo(ctx).Claims.Expiry.Time()`
			`// Get your custom JWT claims through Get,`
			`// which is a shortcut of GetTokenInfo(ctx).Value:`
			`claims := jwt.Get(ctx).(*UserClaims)`

			`ctx.Writef("Username: %s\nExpires at: %s\n", claims.Username, expiresAt)`
			`})`
			`}`
add auth/jwt/refresh-token example as requested at #1635 2020-09-16 12:57:11 +02:00
New JWT features and changes (examples updated). Improvements on the Context User and Private Error features TODO: Write the new e-book JWT section and the HISTORY entry of the chnages and add a simple example on site docs 2020-10-17 05:40:17 +02:00			`// http://localhost:8080/protected (401)`
add auth/jwt/refresh-token example as requested at #1635 2020-09-16 12:57:11 +02:00			`// http://localhost:8080/authenticate (200) (response JSON {access_token, refresh_token})`
New JWT features and changes (examples updated). Improvements on the Context User and Private Error features TODO: Write the new e-book JWT section and the HISTORY entry of the chnages and add a simple example on site docs 2020-10-17 05:40:17 +02:00			`// http://localhost:8080/protected?token={access_token} (200)`
			`// http://localhost:8080/protected?token={refresh_token} (401)`
add an extra security layer on JWT and able to separate access from refresh tokens without any end-developer action on the claims payload (e.g. set a different issuer) 2020-10-18 13:42:19 +02:00			`// http://localhost:8080/refresh?token={refresh_token}`
jwt: add the (last) helper: VerifyRefreshToken 2020-10-18 16:15:29 +02:00			`// OR http://localhost:8080/refresh (request JSON{refresh_token = {refresh_token}}) (200) (response JSON {access_token, refresh_token})`
			`// OR http://localhost:8080/refresh (request PLAIN TEXT of {refresh_token}) (200) (response JSON {access_token, refresh_token})`
add an extra security layer on JWT and able to separate access from refresh tokens without any end-developer action on the claims payload (e.g. set a different issuer) 2020-10-18 13:42:19 +02:00			`// http://localhost:8080/refresh?token={access_token} (401)`
add auth/jwt/refresh-token example as requested at #1635 2020-09-16 12:57:11 +02:00			`app.Listen(":8080")`
			`}`

New JWT features and changes (examples updated). Improvements on the Context User and Private Error features TODO: Write the new e-book JWT section and the HISTORY entry of the chnages and add a simple example on site docs 2020-10-17 05:40:17 +02:00			`func generateTokenPair(ctx iris.Context, j *jwt.JWT) {`
			`// Simulate a user...`
			`userID := "53afcf05-38a3-43c3-82af-8bbbe0e4a149"`
add auth/jwt/refresh-token example as requested at #1635 2020-09-16 12:57:11 +02:00
New JWT features and changes (examples updated). Improvements on the Context User and Private Error features TODO: Write the new e-book JWT section and the HISTORY entry of the chnages and add a simple example on site docs 2020-10-17 05:40:17 +02:00			`// Map the current user with the refresh token,`
			`// so we make sure, on refresh route, that this refresh token owns`
			`// to that user before re-generate.`
			`refresh := jwt.Claims{Subject: userID}`

			`access := UserClaims{`
			`ID: userID,`
add auth/jwt/refresh-token example as requested at #1635 2020-09-16 12:57:11 +02:00			`Username: "kataras",`
			`}`

New JWT features and changes (examples updated). Improvements on the Context User and Private Error features TODO: Write the new e-book JWT section and the HISTORY entry of the chnages and add a simple example on site docs 2020-10-17 05:40:17 +02:00			`// Generates a Token Pair, long-live for refresh tokens, e.g. 1 hour.`
			`// Second argument is the refresh claims and,`
			`// the last one is the access token's claims.`
			`tokenPair, err := j.TokenPair(1*time.Hour, refresh, access)`
add auth/jwt/refresh-token example as requested at #1635 2020-09-16 12:57:11 +02:00			`if err != nil {`
New JWT features and changes (examples updated). Improvements on the Context User and Private Error features TODO: Write the new e-book JWT section and the HISTORY entry of the chnages and add a simple example on site docs 2020-10-17 05:40:17 +02:00			`ctx.Application().Logger().Debugf("token pair: %v", err)`
			`ctx.StopWithStatus(iris.StatusInternalServerError)`
			`return`
add auth/jwt/refresh-token example as requested at #1635 2020-09-16 12:57:11 +02:00			`}`

New JWT features and changes (examples updated). Improvements on the Context User and Private Error features TODO: Write the new e-book JWT section and the HISTORY entry of the chnages and add a simple example on site docs 2020-10-17 05:40:17 +02:00			`// Send the generated token pair to the client.`
			`// The tokenPair looks like: {"access_token": $token, "refresh_token": $token}`
			`ctx.JSON(tokenPair)`
			`}`

add an extra security layer on JWT and able to separate access from refresh tokens without any end-developer action on the claims payload (e.g. set a different issuer) 2020-10-18 13:42:19 +02:00			`func refreshToken(ctx iris.Context, j *jwt.JWT) {`
jwt: add the (last) helper: VerifyRefreshToken 2020-10-18 16:15:29 +02:00			`/*`
			`We could pass a jwt.Claims pointer as the second argument,`
			`but we don't have to because the method already returns`
			`the standard JWT claims information back to us:`
			`refresh, err := VerifyRefreshToken(ctx, nil)`
			`*/`

			`// Assuming you have access to the current user, e.g. sessions.`
			`//`
			`// Simulate a database call against our jwt subject`
			`// to make sure that this refresh token is a pair generated by this user.`
			`// * Note: You can remove the ExpectSubject and do this validation later on by yourself.`
			`currentUserID := "53afcf05-38a3-43c3-82af-8bbbe0e4a149"`
add auth/jwt/refresh-token example as requested at #1635 2020-09-16 12:57:11 +02:00
jwt: add the (last) helper: VerifyRefreshToken 2020-10-18 16:15:29 +02:00			`// Verify the refresh token, which its subject MUST match the "currentUserID".`
			`_, err := j.VerifyRefreshToken(ctx, nil, jwt.ExpectSubject(currentUserID))`
add auth/jwt/refresh-token example as requested at #1635 2020-09-16 12:57:11 +02:00			`if err != nil {`
New JWT features and changes (examples updated). Improvements on the Context User and Private Error features TODO: Write the new e-book JWT section and the HISTORY entry of the chnages and add a simple example on site docs 2020-10-17 05:40:17 +02:00			`ctx.Application().Logger().Debugf("verify refresh token: %v", err)`
			`ctx.StatusCode(iris.StatusUnauthorized)`
			`return`
			`}`

jwt: add the (last) helper: VerifyRefreshToken 2020-10-18 16:15:29 +02:00			`/* Custom validation checks can be performed after Verify calls too:`
New JWT features and changes (examples updated). Improvements on the Context User and Private Error features TODO: Write the new e-book JWT section and the HISTORY entry of the chnages and add a simple example on site docs 2020-10-17 05:40:17 +02:00			`currentUserID := "53afcf05-38a3-43c3-82af-8bbbe0e4a149"`
jwt: add the (last) helper: VerifyRefreshToken 2020-10-18 16:15:29 +02:00			`userID := refresh.Claims.Subject`
New JWT features and changes (examples updated). Improvements on the Context User and Private Error features TODO: Write the new e-book JWT section and the HISTORY entry of the chnages and add a simple example on site docs 2020-10-17 05:40:17 +02:00			`if userID != currentUserID {`
			`ctx.StopWithStatus(iris.StatusUnauthorized)`
			`return`
add auth/jwt/refresh-token example as requested at #1635 2020-09-16 12:57:11 +02:00			`}`
jwt: add the (last) helper: VerifyRefreshToken 2020-10-18 16:15:29 +02:00			`*/`
add auth/jwt/refresh-token example as requested at #1635 2020-09-16 12:57:11 +02:00
New JWT features and changes (examples updated). Improvements on the Context User and Private Error features TODO: Write the new e-book JWT section and the HISTORY entry of the chnages and add a simple example on site docs 2020-10-17 05:40:17 +02:00			`// All OK, re-generate the new pair and send to client.`
			`generateTokenPair(ctx, j)`
add auth/jwt/refresh-token example as requested at #1635 2020-09-16 12:57:11 +02:00			`}`