diff --git a/middleware/jwt/signer.go b/middleware/jwt/signer.go index 18bf7e3f..acd74237 100644 --- a/middleware/jwt/signer.go +++ b/middleware/jwt/signer.go @@ -7,6 +7,11 @@ import ( "github.com/kataras/jwt" ) +// Signer holds common options to sign and generate a token. +// Its Sign method can be used to generate a token which can be sent to the client. +// Its NewTokenPair can be used to construct a token pair (access_token, refresh_token). +// +// It does not support JWE, JWK. type Signer struct { Alg Alg Key interface{} @@ -16,6 +21,14 @@ type Signer struct { Encrypt func([]byte) ([]byte, error) } +// NewSigner accepts the signature algorithm among with its (private or shared) key +// and the max life time duration of generated tokens and returns a JWT signer. +// See its Sign method. +// +// Usage: +// +// signer := NewSigner(HS256, secret, 15*time.Minute) +// token, err := signer.Sign(userClaims{Username: "kataras"}) func NewSigner(signatureAlg Alg, signatureKey interface{}, maxAge time.Duration) *Signer { return &Signer{ Alg: signatureAlg, @@ -24,7 +37,7 @@ func NewSigner(signatureAlg Alg, signatureKey interface{}, maxAge time.Duration) } } -// WithEncryption enables AES-GCM payload decryption. +// WithEncryption enables AES-GCM payload-only decryption. func (s *Signer) WithEncryption(key, additionalData []byte) *Signer { encrypt, _, err := jwt.GCM(key, additionalData) if err != nil { diff --git a/middleware/jwt/verifier.go b/middleware/jwt/verifier.go index f37c2a7f..1d354ec9 100644 --- a/middleware/jwt/verifier.go +++ b/middleware/jwt/verifier.go @@ -38,6 +38,8 @@ func GetVerifiedToken(ctx *context.Context) *VerifiedToken { // Verifier holds common options to verify an incoming token. // Its Verify method can be used as a middleware to allow authorized clients to access an API. +// +// It does not support JWE, JWK. type Verifier struct { Alg Alg Key interface{} @@ -53,10 +55,30 @@ type Verifier struct { DisableContextUser bool } -// NewVerifier accepts the algorithm for the token's signature among with its (private) key +// NewVerifier accepts the algorithm for the token's signature among with its (public) key // and optionally some token validators for all verify middlewares that may initialized under this Verifier. -// // See its Verify method. +// +// Usage: +// +// verifier := NewVerifier(HS256, secret) +// OR +// verifier := NewVerifier(HS256, secret, Expected{Issuer: "my-app"}) +// +// claimsGetter := func() interface{} { return new(userClaims) } +// middleware := verifier.Verify(claimsGetter) +// OR +// middleware := verifier.Verify(claimsGetter, Expected{Issuer: "my-app"}) +// +// Register the middleware, e.g. +// app.Use(middleware) +// +// Get the claims: +// claims := jwt.Get(ctx).(*userClaims) +// username := claims.Username +// +// Get the context user: +// username, err := ctx.User().GetUsername() func NewVerifier(signatureAlg Alg, signatureKey interface{}, validators ...TokenValidator) *Verifier { return &Verifier{ Alg: signatureAlg, @@ -69,7 +91,7 @@ func NewVerifier(signatureAlg Alg, signatureKey interface{}, validators ...Token } } -// WithDecryption enables AES-GCM payload encryption. +// WithDecryption enables AES-GCM payload-only encryption. func (v *Verifier) WithDecryption(key, additionalData []byte) *Verifier { _, decrypt, err := jwt.GCM(key, additionalData) if err != nil { @@ -137,7 +159,16 @@ func (v *Verifier) VerifyToken(token []byte, validators ...TokenValidator) (*Ver // from unauthorized client requests. After this, the route handlers can access the claims // through the jwt.Get package-level function. // -// Example Code: +// By default it extracts the token from Authorization: Bearer $token header and ?token URL Query parameter, +// to change that behavior modify its Extractors field. +// +// By default a 401 status code with a generic message will be sent to the client on +// a token verification or claims validation failure, to change that behavior +// modify its ErrorHandler field or register OnErrorCode(401, errorHandler) and +// retrieve the error through Context.GetErr method. +// +// If the "claimsType" is nil then only the jwt.GetVerifiedToken is available +// and the handler should unmarshal the payload to extract the claims by itself. func (v *Verifier) Verify(claimsType func() interface{}, validators ...TokenValidator) context.Handler { unmarshal := jwt.Unmarshal if claimsType != nil {