2022-03-28 13:00:26 +02:00
|
|
|
//go:build go1.18
|
2022-05-24 00:44:36 +02:00
|
|
|
// +build go1.18
|
2022-03-28 13:00:26 +02:00
|
|
|
|
2022-04-02 16:30:55 +02:00
|
|
|
package auth
|
2022-03-28 13:00:26 +02:00
|
|
|
|
|
|
|
import (
|
|
|
|
stdContext "context"
|
|
|
|
"fmt"
|
|
|
|
"net/http"
|
|
|
|
"net/url"
|
|
|
|
"strings"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/kataras/iris/v12/context"
|
|
|
|
|
|
|
|
"github.com/google/uuid"
|
|
|
|
"github.com/gorilla/securecookie"
|
|
|
|
"github.com/kataras/jwt"
|
|
|
|
)
|
|
|
|
|
|
|
|
type (
|
2022-04-07 00:56:42 +02:00
|
|
|
// Auth holds the necessary functionality to authorize and optionally authenticating
|
|
|
|
// users to access and perform actions against the resource server (Iris API).
|
|
|
|
// It completes a secure and fast JSON Web Token signer and verifier which,
|
|
|
|
// based on the custom application needs, can be further customized.
|
|
|
|
// Each Auth of T instance can sign and verify a single custom <T> instance,
|
|
|
|
// more Auth instances can share the same configuration to support multiple custom user types.
|
|
|
|
// Initialize a new Auth of T instance using the New or MustLoad package-level functions.
|
|
|
|
// Most important methods of the instance are:
|
|
|
|
// - AddProvider
|
|
|
|
// - SigninHandler
|
|
|
|
// - VerifyHandler
|
|
|
|
// - SignoutHandler
|
|
|
|
// - SignoutAllHandler
|
|
|
|
//
|
|
|
|
// Example can be found at: https://github.com/kataras/iris/tree/master/_examples/auth/auth/main.go.
|
2022-04-02 16:30:55 +02:00
|
|
|
Auth[T User] struct {
|
2022-04-07 00:56:42 +02:00
|
|
|
// Holds the configuration passed through the New and MustLoad
|
|
|
|
// package-level functions. One or more Auth instance can share the
|
|
|
|
// same configuration's values.
|
2022-03-28 13:00:26 +02:00
|
|
|
config Configuration
|
2022-04-07 00:56:42 +02:00
|
|
|
// Holds the result of the config.KeysConfiguration.
|
|
|
|
keys jwt.Keys
|
|
|
|
// This is an Iris cookie option used to encrypt and decrypt a cookie when
|
|
|
|
// the config.Cookie.Hash & Block are not empty.
|
2022-03-28 13:00:26 +02:00
|
|
|
securecookie context.SecureCookie
|
2022-04-07 00:56:42 +02:00
|
|
|
// Defaults to an empty list, which cannot sign any tokens.
|
|
|
|
// One or more custom providers should be registered through
|
|
|
|
// the AddProvider or WithProviderAndErrorHandler methods.
|
|
|
|
providers []Provider[T] // at least one.
|
|
|
|
// Always not nil, set to custom error handler on SetErrorHandler.
|
|
|
|
errorHandler ErrorHandler
|
|
|
|
// Not nil if a transformer is registered.
|
|
|
|
transformer Transformer[T]
|
|
|
|
// Not nil if a custom claims provider is registered.
|
2022-03-28 13:00:26 +02:00
|
|
|
claimsProvider ClaimsProvider
|
2022-04-07 00:56:42 +02:00
|
|
|
// True if KIDRefresh on config.Keys.
|
|
|
|
refreshEnabled bool
|
2022-03-28 13:00:26 +02:00
|
|
|
}
|
|
|
|
|
2022-04-07 00:56:42 +02:00
|
|
|
// VerifyUserFunc is passed on Verify and VerifyHandler method
|
|
|
|
// to, optionally, further validate a T user value.
|
|
|
|
VerifyUserFunc[T User] func(t T) error
|
2022-03-28 13:00:26 +02:00
|
|
|
|
2022-04-07 00:56:42 +02:00
|
|
|
// SigninRequest is the request body the server expects
|
|
|
|
// on SignHandler. The Password and Username or Email should be filled.
|
2022-03-28 13:00:26 +02:00
|
|
|
SigninRequest struct {
|
|
|
|
Username string `json:"username" form:"username,omitempty"` // username OR email, username has priority over email.
|
|
|
|
Email string `json:"email" form:"email,omitempty"` // email OR username.
|
|
|
|
Password string `json:"password" form:"password"`
|
|
|
|
}
|
|
|
|
|
2022-04-07 00:56:42 +02:00
|
|
|
// SigninResponse is the response body the server sends
|
|
|
|
// to the client on the SignHandler. It contains a pair of the access token
|
|
|
|
// and the refresh token if the refresh jwt token id exists in the configuration.
|
2022-03-28 13:00:26 +02:00
|
|
|
SigninResponse struct {
|
|
|
|
AccessToken string `json:"access_token"`
|
|
|
|
RefreshToken string `json:"refresh_token,omitempty"`
|
|
|
|
}
|
|
|
|
|
2022-04-07 00:56:42 +02:00
|
|
|
// RefreshRequest is the request body the server expects
|
|
|
|
// on VerifyHandler to renew an access and refresh token pair.
|
2022-03-28 13:00:26 +02:00
|
|
|
RefreshRequest struct {
|
|
|
|
RefreshToken string `json:"refresh_token"`
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
2022-04-07 00:56:42 +02:00
|
|
|
// MustLoad binds a filename (fullpath) configuration yaml or json
|
|
|
|
// and constructs a new Auth instance. It panics on error.
|
2022-04-02 16:30:55 +02:00
|
|
|
func MustLoad[T User](filename string) *Auth[T] {
|
2022-03-28 13:00:26 +02:00
|
|
|
var config Configuration
|
|
|
|
if err := config.BindFile(filename); err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
|
2022-04-07 00:56:42 +02:00
|
|
|
return Must(New[T](config))
|
2022-03-28 13:00:26 +02:00
|
|
|
}
|
|
|
|
|
2022-04-07 00:56:42 +02:00
|
|
|
// Must is a helper that wraps a call to a function returning (*Auth[T], error)
|
|
|
|
// and panics if the error is non-nil. It is intended for use in variable
|
|
|
|
// initializations such as
|
2022-06-17 21:03:18 +02:00
|
|
|
//
|
2022-04-07 00:56:42 +02:00
|
|
|
// var s = auth.Must(auth.New[MyUser](config))
|
2022-04-02 16:30:55 +02:00
|
|
|
func Must[T User](s *Auth[T], err error) *Auth[T] {
|
2022-03-28 13:00:26 +02:00
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
return s
|
|
|
|
}
|
|
|
|
|
2022-04-07 00:56:42 +02:00
|
|
|
// New initializes a new Auth instance typeof T and returns it.
|
|
|
|
// The T generic can be any custom struct.
|
|
|
|
// It accepts a Configuration value which can be constructed
|
|
|
|
// manually or through a configuration file using the
|
|
|
|
// MustGenerateConfiguration or MustLoadConfiguration
|
|
|
|
// or LoadConfiguration or MustLoad package-level functions.
|
|
|
|
//
|
|
|
|
// Example can be found at: https://github.com/kataras/iris/tree/master/_examples/auth/auth/main.go.
|
2022-04-02 16:30:55 +02:00
|
|
|
func New[T User](config Configuration) (*Auth[T], error) {
|
2022-03-28 13:00:26 +02:00
|
|
|
keys, err := config.validate()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
_, refreshEnabled := keys[KIDRefresh]
|
|
|
|
|
2022-04-02 16:30:55 +02:00
|
|
|
s := &Auth[T]{
|
2022-03-28 13:00:26 +02:00
|
|
|
config: config,
|
|
|
|
keys: keys,
|
|
|
|
securecookie: securecookie.New([]byte(config.Cookie.Hash), []byte(config.Cookie.Block)),
|
|
|
|
refreshEnabled: refreshEnabled,
|
|
|
|
// providers: []Provider[T]{newProvider[T]()},
|
|
|
|
errorHandler: new(DefaultErrorHandler),
|
|
|
|
}
|
|
|
|
|
|
|
|
return s, nil
|
|
|
|
}
|
|
|
|
|
2022-04-02 20:14:46 +02:00
|
|
|
// WithProviderAndErrorHandler registers a provider (if not nil) and
|
|
|
|
// an error handler (if not nil) and returns this "s" Auth instance.
|
|
|
|
// It's the same as calling AddProvider and SetErrorHandler at once.
|
|
|
|
// It's really useful when registering an Auth instance using the iris.Party.PartyConfigure
|
|
|
|
// method when a Provider of T and ErrorHandler is available through the registered Party's dependencies.
|
|
|
|
//
|
|
|
|
// Usage Example:
|
2022-06-17 21:03:18 +02:00
|
|
|
//
|
|
|
|
// api := app.Party("/api")
|
|
|
|
// api.EnsureStaticBindings().RegisterDependency(
|
|
|
|
// NewAuthProviderErrorHandler(),
|
|
|
|
// NewAuthCustomerProvider,
|
|
|
|
// auth.Must(auth.New[Customer](authConfig)).WithProviderAndErrorHandler,
|
|
|
|
// )
|
2022-04-02 16:30:55 +02:00
|
|
|
func (s *Auth[T]) WithProviderAndErrorHandler(provider Provider[T], errHandler ErrorHandler) *Auth[T] {
|
2022-03-28 13:00:26 +02:00
|
|
|
if provider != nil {
|
|
|
|
for i := range s.providers {
|
|
|
|
s.providers[i] = nil
|
|
|
|
}
|
|
|
|
s.providers = nil
|
|
|
|
|
|
|
|
s.providers = make([]Provider[T], 0, 1)
|
|
|
|
s.AddProvider(provider)
|
|
|
|
}
|
|
|
|
|
|
|
|
if errHandler != nil {
|
|
|
|
s.SetErrorHandler(errHandler)
|
|
|
|
}
|
|
|
|
|
|
|
|
return s
|
|
|
|
}
|
|
|
|
|
2022-04-07 00:56:42 +02:00
|
|
|
// AddProvider registers one or more providers to this Auth of T instance and returns itself.
|
|
|
|
// Look the Provider godoc for more.
|
2022-04-02 16:30:55 +02:00
|
|
|
func (s *Auth[T]) AddProvider(providers ...Provider[T]) *Auth[T] {
|
2022-03-28 13:00:26 +02:00
|
|
|
// A provider can also implement both transformer and
|
|
|
|
// error handler if that's the design option of the end-developer.
|
|
|
|
for _, p := range providers {
|
|
|
|
if s.transformer == nil {
|
|
|
|
if transformer, ok := p.(Transformer[T]); ok {
|
|
|
|
s.SetTransformer(transformer)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if errHandler, ok := p.(ErrorHandler); ok {
|
|
|
|
s.SetErrorHandler(errHandler)
|
|
|
|
}
|
|
|
|
|
|
|
|
if s.claimsProvider == nil {
|
|
|
|
if claimsProvider, ok := p.(ClaimsProvider); ok {
|
|
|
|
s.claimsProvider = claimsProvider
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
s.providers = append(s.providers, providers...)
|
|
|
|
return s
|
|
|
|
}
|
|
|
|
|
2022-04-07 00:56:42 +02:00
|
|
|
// SetErrorHandler sets a custom error handler to this Auth of T instance and returns itself.
|
|
|
|
// Look the Provider and ErrorHandler godoc for more.
|
2022-04-02 16:30:55 +02:00
|
|
|
func (s *Auth[T]) SetErrorHandler(errHandler ErrorHandler) *Auth[T] {
|
2022-03-28 13:00:26 +02:00
|
|
|
s.errorHandler = errHandler
|
|
|
|
return s
|
|
|
|
}
|
|
|
|
|
2022-04-07 00:56:42 +02:00
|
|
|
// SetTransformer sets a custom transformer to this Auth of T instance and returns itself.
|
|
|
|
// Look the Provider and Transformer godoc for more.
|
2022-04-02 16:30:55 +02:00
|
|
|
func (s *Auth[T]) SetTransformer(transformer Transformer[T]) *Auth[T] {
|
2022-03-28 13:00:26 +02:00
|
|
|
s.transformer = transformer
|
|
|
|
return s
|
|
|
|
}
|
|
|
|
|
2022-04-07 00:56:42 +02:00
|
|
|
// SetTransformerFunc like SetTransformer method but accepts a function instead.
|
2022-04-02 16:30:55 +02:00
|
|
|
func (s *Auth[T]) SetTransformerFunc(transfermerFunc func(ctx stdContext.Context, tok *VerifiedToken) (T, error)) *Auth[T] {
|
2022-03-28 13:00:26 +02:00
|
|
|
s.transformer = TransformerFunc[T](transfermerFunc)
|
|
|
|
return s
|
|
|
|
}
|
|
|
|
|
2022-04-07 00:56:42 +02:00
|
|
|
// Signin signs a token based on the provided username and password
|
|
|
|
// and returns a pair of access and refresh tokens.
|
|
|
|
//
|
|
|
|
// Signin calls the Provider.Signin method to check if a user
|
|
|
|
// is authenticated by the given username and password combination.
|
2022-04-02 16:30:55 +02:00
|
|
|
func (s *Auth[T]) Signin(ctx stdContext.Context, username, password string) ([]byte, []byte, error) {
|
2022-03-28 13:00:26 +02:00
|
|
|
var t T
|
|
|
|
|
|
|
|
// get "t" from a valid provider.
|
|
|
|
if n := len(s.providers); n > 0 {
|
|
|
|
for i := 0; i < n; i++ {
|
|
|
|
p := s.providers[i]
|
|
|
|
|
|
|
|
v, err := p.Signin(ctx, username, password)
|
|
|
|
if err != nil {
|
|
|
|
if i == n-1 { // last provider errored.
|
2022-04-02 16:30:55 +02:00
|
|
|
return nil, nil, fmt.Errorf("auth: signin: %w", err)
|
2022-03-28 13:00:26 +02:00
|
|
|
}
|
|
|
|
// keep searching.
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
// found.
|
|
|
|
t = v
|
|
|
|
break
|
|
|
|
}
|
|
|
|
} else {
|
2022-04-02 16:30:55 +02:00
|
|
|
return nil, nil, fmt.Errorf("auth: signin: no provider")
|
2022-03-28 13:00:26 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// sign the tokens.
|
|
|
|
accessToken, refreshToken, err := s.sign(t)
|
|
|
|
if err != nil {
|
2022-04-02 16:30:55 +02:00
|
|
|
return nil, nil, fmt.Errorf("auth: signin: %w", err)
|
2022-03-28 13:00:26 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
return accessToken, refreshToken, nil
|
|
|
|
}
|
|
|
|
|
2022-04-02 16:30:55 +02:00
|
|
|
func (s *Auth[T]) sign(t T) ([]byte, []byte, error) {
|
2022-03-28 13:00:26 +02:00
|
|
|
// sign the tokens.
|
|
|
|
var (
|
|
|
|
accessStdClaims StandardClaims
|
|
|
|
refreshStdClaims StandardClaims
|
|
|
|
)
|
|
|
|
|
|
|
|
if s.claimsProvider != nil {
|
|
|
|
accessStdClaims = s.claimsProvider.GetAccessTokenClaims()
|
|
|
|
refreshStdClaims = s.claimsProvider.GetRefreshTokenClaims(accessStdClaims)
|
|
|
|
}
|
|
|
|
|
|
|
|
iat := jwt.Clock().Unix()
|
|
|
|
|
|
|
|
if accessStdClaims.IssuedAt == 0 {
|
|
|
|
accessStdClaims.IssuedAt = iat
|
|
|
|
}
|
|
|
|
|
|
|
|
if accessStdClaims.ID == "" {
|
|
|
|
accessStdClaims.ID = uuid.NewString()
|
|
|
|
}
|
|
|
|
|
|
|
|
if refreshStdClaims.IssuedAt == 0 {
|
|
|
|
refreshStdClaims.IssuedAt = iat
|
|
|
|
}
|
|
|
|
|
|
|
|
if refreshStdClaims.ID == "" {
|
|
|
|
refreshStdClaims.ID = uuid.NewString()
|
|
|
|
}
|
|
|
|
|
|
|
|
if refreshStdClaims.OriginID == "" {
|
|
|
|
// keep a reference of the access token the refresh token is created,
|
|
|
|
// if that access token is invalidated then
|
|
|
|
// its refresh token should be too so the user can force-login.
|
|
|
|
refreshStdClaims.OriginID = accessStdClaims.ID
|
|
|
|
}
|
|
|
|
|
|
|
|
accessToken, err := s.keys.SignToken(KIDAccess, t, accessStdClaims)
|
|
|
|
if err != nil {
|
|
|
|
return nil, nil, fmt.Errorf("access: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
var refreshToken []byte
|
|
|
|
if s.refreshEnabled {
|
|
|
|
refreshToken, err = s.keys.SignToken(KIDRefresh, t, refreshStdClaims)
|
|
|
|
if err != nil {
|
|
|
|
return nil, nil, fmt.Errorf("refresh: %w", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return accessToken, refreshToken, nil
|
|
|
|
}
|
|
|
|
|
2022-04-09 23:19:04 +02:00
|
|
|
// SignHandler generates and sends a pair of access and refresh token to the client
|
|
|
|
// as JSON body of `SigninResponse` and cookie (if cookie setting was provided).
|
|
|
|
// See `Signin` method for more.
|
2022-04-02 16:30:55 +02:00
|
|
|
func (s *Auth[T]) SigninHandler(ctx *context.Context) {
|
2022-03-28 13:00:26 +02:00
|
|
|
// No, let the developer decide it based on a middleware, e.g. iris.LimitRequestBodySize.
|
|
|
|
// ctx.SetMaxRequestBodySize(s.maxRequestBodySize)
|
|
|
|
|
|
|
|
var (
|
|
|
|
req SigninRequest
|
|
|
|
err error
|
|
|
|
)
|
|
|
|
|
|
|
|
switch ctx.GetContentTypeRequested() {
|
|
|
|
case context.ContentFormHeaderValue, context.ContentFormMultipartHeaderValue:
|
|
|
|
err = ctx.ReadForm(&req)
|
|
|
|
default:
|
|
|
|
err = ctx.ReadJSON(&req)
|
|
|
|
}
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
s.errorHandler.InvalidArgument(ctx, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if req.Username == "" {
|
|
|
|
req.Username = req.Email
|
|
|
|
}
|
|
|
|
|
|
|
|
accessTokenBytes, refreshTokenBytes, err := s.Signin(ctx, req.Username, req.Password)
|
|
|
|
if err != nil {
|
|
|
|
s.tryRemoveCookie(ctx) // remove cookie on invalidated.
|
|
|
|
|
|
|
|
s.errorHandler.Unauthenticated(ctx, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
accessToken := jwt.BytesToString(accessTokenBytes)
|
|
|
|
refreshToken := jwt.BytesToString(refreshTokenBytes)
|
|
|
|
|
|
|
|
s.trySetCookie(ctx, accessToken)
|
|
|
|
|
|
|
|
resp := SigninResponse{
|
|
|
|
AccessToken: accessToken,
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
}
|
|
|
|
ctx.JSON(resp)
|
|
|
|
}
|
|
|
|
|
2022-04-09 23:19:04 +02:00
|
|
|
// Verify accepts a token and verifies it.
|
|
|
|
// It returns the token's custom and standard JWT claims.
|
2022-04-07 00:56:42 +02:00
|
|
|
func (s *Auth[T]) Verify(ctx stdContext.Context, token []byte, verifyFuncs ...VerifyUserFunc[T]) (T, StandardClaims, error) {
|
2022-03-28 13:00:26 +02:00
|
|
|
t, claims, err := s.verify(ctx, token)
|
|
|
|
if err != nil {
|
2022-04-02 16:30:55 +02:00
|
|
|
return t, StandardClaims{}, fmt.Errorf("auth: verify: %w", err)
|
2022-03-28 13:00:26 +02:00
|
|
|
}
|
|
|
|
|
2022-04-07 00:56:42 +02:00
|
|
|
for _, verify := range verifyFuncs {
|
|
|
|
if verify == nil {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
if err = verify(t); err != nil {
|
|
|
|
return t, StandardClaims{}, fmt.Errorf("auth: verify: %w", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-03-28 13:00:26 +02:00
|
|
|
return t, claims, nil
|
|
|
|
}
|
|
|
|
|
2022-04-02 16:30:55 +02:00
|
|
|
func (s *Auth[T]) verify(ctx stdContext.Context, token []byte) (T, StandardClaims, error) {
|
2022-03-28 13:00:26 +02:00
|
|
|
var t T
|
|
|
|
|
|
|
|
if len(token) == 0 { // should never happen at this state.
|
|
|
|
return t, StandardClaims{}, jwt.ErrMissing
|
|
|
|
}
|
|
|
|
|
|
|
|
verifiedToken, err := jwt.VerifyWithHeaderValidator(nil, nil, token, s.keys.ValidateHeader, jwt.Leeway(time.Minute))
|
|
|
|
if err != nil {
|
|
|
|
return t, StandardClaims{}, err
|
|
|
|
}
|
|
|
|
|
|
|
|
if s.transformer != nil {
|
|
|
|
if t, err = s.transformer.Transform(ctx, verifiedToken); err != nil {
|
|
|
|
return t, StandardClaims{}, err
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if err = verifiedToken.Claims(&t); err != nil {
|
|
|
|
return t, StandardClaims{}, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
standardClaims := verifiedToken.StandardClaims
|
|
|
|
|
|
|
|
if n := len(s.providers); n > 0 {
|
|
|
|
for i := 0; i < n; i++ {
|
|
|
|
p := s.providers[i]
|
|
|
|
|
|
|
|
err := p.ValidateToken(ctx, standardClaims, t)
|
|
|
|
if err != nil {
|
|
|
|
if i == n-1 { // last provider errored.
|
|
|
|
return t, StandardClaims{}, err
|
|
|
|
}
|
|
|
|
// keep searching.
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
// token is allowed.
|
|
|
|
break
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
// return t, StandardClaims{}, fmt.Errorf("no provider")
|
|
|
|
}
|
|
|
|
|
|
|
|
return t, standardClaims, nil
|
|
|
|
}
|
|
|
|
|
2022-04-09 23:19:04 +02:00
|
|
|
// VerifyHandler verifies and sets the necessary information about the user(claims) and
|
|
|
|
// the verified token to the Iris Context and calls the Context's Next method.
|
|
|
|
// This information is available through auth.GetAccessToken, auth.GetStandardClaims and
|
|
|
|
// auth.GetUser[T] package-level functions.
|
|
|
|
//
|
|
|
|
// See `Verify` method for more.
|
2022-04-07 00:56:42 +02:00
|
|
|
func (s *Auth[T]) VerifyHandler(verifyFuncs ...VerifyUserFunc[T]) context.Handler {
|
2022-03-28 13:00:26 +02:00
|
|
|
return func(ctx *context.Context) {
|
|
|
|
accessToken := s.extractAccessToken(ctx)
|
|
|
|
|
|
|
|
if accessToken == "" { // if empty, fire 401.
|
|
|
|
s.errorHandler.Unauthenticated(ctx, jwt.ErrMissing)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-04-07 00:56:42 +02:00
|
|
|
t, claims, err := s.Verify(ctx, []byte(accessToken), verifyFuncs...)
|
2022-03-28 13:00:26 +02:00
|
|
|
if err != nil {
|
|
|
|
s.errorHandler.Unauthenticated(ctx, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
ctx.SetUser(t)
|
|
|
|
|
|
|
|
// store the user to the request.
|
|
|
|
ctx.Values().Set(accessTokenContextKey, accessToken)
|
|
|
|
ctx.Values().Set(standardClaimsContextKey, claims)
|
2022-04-07 00:56:42 +02:00
|
|
|
ctx.Values().Set(userContextKey, t)
|
2022-03-28 13:00:26 +02:00
|
|
|
|
|
|
|
ctx.Next()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-04-02 16:30:55 +02:00
|
|
|
func (s *Auth[T]) extractAccessToken(ctx *context.Context) string {
|
2022-03-28 13:00:26 +02:00
|
|
|
// first try from authorization: bearer header.
|
2022-04-02 16:30:55 +02:00
|
|
|
accessToken := s.extractTokenFromHeader(ctx)
|
2022-03-28 13:00:26 +02:00
|
|
|
|
|
|
|
// then if no header, try try extract from cookie.
|
|
|
|
if accessToken == "" {
|
|
|
|
if cookieName := s.config.Cookie.Name; cookieName != "" {
|
|
|
|
accessToken = ctx.GetCookie(cookieName, context.CookieEncoding(s.securecookie))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return accessToken
|
|
|
|
}
|
|
|
|
|
2022-04-09 23:19:04 +02:00
|
|
|
// Refresh accepts a previously generated refresh token (from SigninHandler) and
|
|
|
|
// returns a new access and refresh token pair.
|
2022-04-02 16:30:55 +02:00
|
|
|
func (s *Auth[T]) Refresh(ctx stdContext.Context, refreshToken []byte) ([]byte, []byte, error) {
|
2022-03-28 13:00:26 +02:00
|
|
|
if !s.refreshEnabled {
|
2022-04-02 16:30:55 +02:00
|
|
|
return nil, nil, fmt.Errorf("auth: refresh: disabled")
|
2022-03-28 13:00:26 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
t, _, err := s.verify(ctx, refreshToken)
|
|
|
|
if err != nil {
|
2022-04-02 16:30:55 +02:00
|
|
|
return nil, nil, fmt.Errorf("auth: refresh: %w", err)
|
2022-03-28 13:00:26 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// refresh the tokens, both refresh & access tokens will be renew to prevent
|
|
|
|
// malicious 😈 users that may hold a refresh token.
|
|
|
|
accessTok, refreshTok, err := s.sign(t)
|
|
|
|
if err != nil {
|
2022-04-02 16:30:55 +02:00
|
|
|
return nil, nil, fmt.Errorf("auth: refresh: %w", err)
|
2022-03-28 13:00:26 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
return accessTok, refreshTok, nil
|
|
|
|
}
|
|
|
|
|
2022-04-09 23:19:04 +02:00
|
|
|
// RefreshHandler reads the request body which should include data for `RefreshRequest` structure
|
|
|
|
// and sends a new access and refresh token pair,
|
|
|
|
// also sets the cookie to the new encrypted access token value.
|
|
|
|
// See `Refresh` method for more.
|
2022-04-02 16:30:55 +02:00
|
|
|
func (s *Auth[T]) RefreshHandler(ctx *context.Context) {
|
2022-03-28 13:00:26 +02:00
|
|
|
var req RefreshRequest
|
|
|
|
err := ctx.ReadJSON(&req)
|
|
|
|
if err != nil {
|
|
|
|
s.errorHandler.InvalidArgument(ctx, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
accessTokenBytes, refreshTokenBytes, err := s.Refresh(ctx, []byte(req.RefreshToken))
|
|
|
|
if err != nil {
|
|
|
|
// s.tryRemoveCookie(ctx)
|
|
|
|
s.errorHandler.Unauthenticated(ctx, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
accessToken := jwt.BytesToString(accessTokenBytes)
|
|
|
|
refreshToken := jwt.BytesToString(refreshTokenBytes)
|
|
|
|
|
|
|
|
s.trySetCookie(ctx, accessToken)
|
|
|
|
|
|
|
|
resp := SigninResponse{
|
|
|
|
AccessToken: accessToken,
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
}
|
|
|
|
ctx.JSON(resp)
|
|
|
|
}
|
|
|
|
|
2022-04-09 23:19:04 +02:00
|
|
|
// Signout accepts the access token and a boolean which reports whether
|
|
|
|
// the signout should be applied to all tokens generated for a specific user (logout from all devices)
|
|
|
|
// or just the provided token's one.
|
|
|
|
// It calls the Provider's InvalidateToken(all=false) or InvalidateTokens (all=true).
|
2022-04-02 16:30:55 +02:00
|
|
|
func (s *Auth[T]) Signout(ctx stdContext.Context, token []byte, all bool) error {
|
2022-03-28 13:00:26 +02:00
|
|
|
t, standardClaims, err := s.verify(ctx, token)
|
|
|
|
if err != nil {
|
2022-04-02 16:30:55 +02:00
|
|
|
return fmt.Errorf("auth: signout: verify: %w", err)
|
2022-03-28 13:00:26 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
for i, n := 0, len(s.providers)-1; i <= n; i++ {
|
|
|
|
p := s.providers[i]
|
|
|
|
|
|
|
|
if all {
|
|
|
|
err = p.InvalidateTokens(ctx, t)
|
|
|
|
} else {
|
|
|
|
err = p.InvalidateToken(ctx, standardClaims, t)
|
|
|
|
}
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
if i == n { // last provider errored.
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
// keep trying.
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
// token is marked as invalidated by a provider.
|
|
|
|
break
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-04-09 23:19:04 +02:00
|
|
|
// SignoutHandler verifies the request's access token and invalidates it, calling
|
|
|
|
// the Provider's InvalidateToken method.
|
|
|
|
// See `Signout` method too.
|
2022-04-02 16:30:55 +02:00
|
|
|
func (s *Auth[T]) SignoutHandler(ctx *context.Context) {
|
2022-03-28 13:00:26 +02:00
|
|
|
s.signoutHandler(ctx, false)
|
|
|
|
}
|
|
|
|
|
2022-04-09 23:19:04 +02:00
|
|
|
// SignoutAllHandler verifies the request's access token and
|
|
|
|
// should invalidate all the tokens generated previously calling
|
|
|
|
// the Provider's InvalidateTokens method.
|
|
|
|
// See `Signout` method too.
|
2022-04-02 16:30:55 +02:00
|
|
|
func (s *Auth[T]) SignoutAllHandler(ctx *context.Context) {
|
2022-03-28 13:00:26 +02:00
|
|
|
s.signoutHandler(ctx, true)
|
|
|
|
}
|
|
|
|
|
2022-04-02 16:30:55 +02:00
|
|
|
func (s *Auth[T]) signoutHandler(ctx *context.Context, all bool) {
|
2022-03-28 13:00:26 +02:00
|
|
|
accessToken := s.extractAccessToken(ctx)
|
|
|
|
if accessToken == "" {
|
|
|
|
s.errorHandler.Unauthenticated(ctx, jwt.ErrMissing)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
err := s.Signout(ctx, []byte(accessToken), all)
|
|
|
|
if err != nil {
|
|
|
|
s.errorHandler.Unauthenticated(ctx, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
s.tryRemoveCookie(ctx)
|
|
|
|
|
|
|
|
ctx.SetUser(nil)
|
|
|
|
|
|
|
|
ctx.Values().Remove(accessTokenContextKey)
|
|
|
|
ctx.Values().Remove(standardClaimsContextKey)
|
2022-04-07 00:56:42 +02:00
|
|
|
ctx.Values().Remove(userContextKey)
|
2022-03-28 13:00:26 +02:00
|
|
|
}
|
|
|
|
|
2022-04-02 16:30:55 +02:00
|
|
|
func (s *Auth[T]) extractTokenFromHeader(ctx *context.Context) string {
|
|
|
|
for _, headerKey := range s.config.Headers {
|
2022-03-28 13:00:26 +02:00
|
|
|
headerValue := ctx.GetHeader(headerKey)
|
|
|
|
if headerValue == "" {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
// pure check: authorization header format must be Bearer {token}
|
|
|
|
authHeaderParts := strings.Split(headerValue, " ")
|
|
|
|
if len(authHeaderParts) != 2 || strings.ToLower(authHeaderParts[0]) != "bearer" {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
return authHeaderParts[1]
|
|
|
|
}
|
|
|
|
|
|
|
|
return ""
|
|
|
|
}
|
|
|
|
|
2022-04-02 16:30:55 +02:00
|
|
|
func (s *Auth[T]) trySetCookie(ctx *context.Context, accessToken string) {
|
2022-03-28 13:00:26 +02:00
|
|
|
if cookieName := s.config.Cookie.Name; cookieName != "" {
|
|
|
|
maxAge := s.keys[KIDAccess].MaxAge
|
|
|
|
if maxAge == 0 {
|
|
|
|
maxAge = context.SetCookieKVExpiration
|
|
|
|
}
|
|
|
|
|
|
|
|
cookie := &http.Cookie{
|
|
|
|
Name: cookieName,
|
|
|
|
Value: url.QueryEscape(accessToken),
|
2022-04-07 00:56:42 +02:00
|
|
|
Path: "/",
|
2022-03-28 13:00:26 +02:00
|
|
|
HttpOnly: true,
|
2022-04-02 17:17:47 +02:00
|
|
|
Secure: s.config.Cookie.Secure || ctx.IsSSL(),
|
2022-03-28 13:00:26 +02:00
|
|
|
Domain: ctx.Domain(),
|
|
|
|
SameSite: http.SameSiteLaxMode,
|
|
|
|
Expires: time.Now().Add(maxAge),
|
|
|
|
MaxAge: int(maxAge.Seconds()),
|
|
|
|
}
|
|
|
|
|
2022-04-07 00:56:42 +02:00
|
|
|
ctx.SetCookie(cookie, context.CookieEncoding(s.securecookie), context.CookieAllowReclaim())
|
2022-03-28 13:00:26 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-04-02 16:30:55 +02:00
|
|
|
func (s *Auth[T]) tryRemoveCookie(ctx *context.Context) {
|
2022-03-28 13:00:26 +02:00
|
|
|
if cookieName := s.config.Cookie.Name; cookieName != "" {
|
|
|
|
ctx.RemoveCookie(cookieName)
|
|
|
|
}
|
|
|
|
}
|