portal/account/jwt.go

package account

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"time"

	"git.lumeweb.com/LumeWeb/portal/api/router"

	apiRegistry "git.lumeweb.com/LumeWeb/portal/api/registry"

	"github.com/golang-jwt/jwt/v5"
)

const AUTH_COOKIE_NAME = "auth_token"

type JWTPurpose string
type VerifyTokenFunc func(claim *jwt.RegisteredClaims) error

var (
	nopVerifyFunc VerifyTokenFunc = func(claim *jwt.RegisteredClaims) error {
		return nil
	}

	ErrJWTUnexpectedClaimsType = errors.New("unexpected claims type")
	ErrJWTUnexpectedIssuer     = errors.New("unexpected issuer")
	ErrJWTInvalid              = errors.New("invalid JWT")
)

const (
	JWTPurposeLogin JWTPurpose = "login"
	JWTPurpose2FA   JWTPurpose = "2fa"
	JWTPurposeNone  JWTPurpose = ""
)

func JWTGenerateToken(domain string, privateKey ed25519.PrivateKey, userID uint, purpose JWTPurpose) (string, error) {
	return JWTGenerateTokenWithDuration(domain, privateKey, userID, time.Hour*24, purpose)
}

func JWTGenerateTokenWithDuration(domain string, privateKey ed25519.PrivateKey, userID uint, duration time.Duration, purpose JWTPurpose) (string, error) {

	// Define the claims
	claims := jwt.RegisteredClaims{
		Issuer:    domain,
		Subject:   strconv.Itoa(int(userID)),
		ExpiresAt: jwt.NewNumericDate(time.Now().Add(duration)),
		IssuedAt:  jwt.NewNumericDate(time.Now()),
		Audience:  []string{string(purpose)},
	}

	// Create the token
	token := jwt.NewWithClaims(jwt.SigningMethodEdDSA, claims)

	// Sign the token with the Ed25519 private key
	tokenString, err := token.SignedString(privateKey)
	if err != nil {
		return "", err
	}

	return tokenString, nil
}

func JWTVerifyToken(token string, domain string, privateKey ed25519.PrivateKey, verifyFunc VerifyTokenFunc) (*jwt.RegisteredClaims, error) {
	validatedToken, err := jwt.ParseWithClaims(token, &jwt.RegisteredClaims{}, func(token *jwt.Token) (interface{}, error) {
		if _, ok := token.Method.(*jwt.SigningMethodEd25519); !ok {
			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
		}

		publicKey := privateKey.Public()

		return publicKey, nil
	})

	if err != nil {
		return nil, err
	}

	if verifyFunc == nil {
		verifyFunc = nopVerifyFunc
	}

	claim, ok := validatedToken.Claims.(*jwt.RegisteredClaims)

	if !ok {
		return nil, fmt.Errorf("%w: %s", ErrJWTUnexpectedClaimsType, validatedToken.Claims)
	}

	if domain != claim.Issuer {
		return nil, fmt.Errorf("%w: %s", ErrJWTUnexpectedIssuer, claim.Issuer)
	}

	err = verifyFunc(claim)

	return claim, err
}

func SetAuthCookie(w http.ResponseWriter, token string, apiName string) {
	for name, api := range apiRegistry.GetAllAPIs() {
		routeableApi, ok := api.(router.RoutableAPI)
		if !ok {
			continue
		}

		if len(apiName) > 0 && apiName != name {
			continue
		}

		http.SetCookie(w, &http.Cookie{
			Name:     name,
			Value:    token,
			Expires:  time.Now().Add(24 * time.Hour),
			Secure:   true,
			HttpOnly: true,
			Path:     "/",
			Domain:   routeableApi.Domain(),
		})
	}
}
feat: implement EmailExists, PubkeyExists, CreateAccount,AddPubkeyToAccount, LoginPassword, LoginPubkey 2024-01-16 18:30:36 +00:00			`package account`

			`import (`
			`"crypto/ed25519"`
refactor: major middleware refactor 2024-02-14 03:17:34 +00:00			`"errors"`
			`"fmt"`
feat: add SetAuthCookie helper 2024-03-17 12:15:27 +00:00			`"net/http"`
refactor: major middleware refactor 2024-02-14 03:17:34 +00:00			`"strconv"`
feat: implement EmailExists, PubkeyExists, CreateAccount,AddPubkeyToAccount, LoginPassword, LoginPubkey 2024-01-16 18:30:36 +00:00			`"time"`
fix: need to use the claim by ref 2024-02-18 01:07:43 +00:00
refactor: set auth cookie for every api, and optionally pass a specific api name to only set instead 2024-03-17 12:59:34 +00:00			`"git.lumeweb.com/LumeWeb/portal/api/router"`

			`apiRegistry "git.lumeweb.com/LumeWeb/portal/api/registry"`

fix: need to use the claim by ref 2024-02-18 01:07:43 +00:00			`"github.com/golang-jwt/jwt/v5"`
feat: implement EmailExists, PubkeyExists, CreateAccount,AddPubkeyToAccount, LoginPassword, LoginPubkey 2024-01-16 18:30:36 +00:00			`)`

refactor: move DEFAULT_AUTH_COOKIE_NAME to account 2024-03-17 12:51:59 +00:00			`const AUTH_COOKIE_NAME = "auth_token"`

feat: add purpose to jwt with consts 2024-02-14 01:58:17 +00:00			`type JWTPurpose string`
fix: need to pass the claim by ref 2024-02-18 01:11:43 +00:00			`type VerifyTokenFunc func(claim *jwt.RegisteredClaims) error`
refactor: major middleware refactor 2024-02-14 03:17:34 +00:00
			`var (`
fix: need to pass the claim by ref 2024-02-18 01:11:43 +00:00			`nopVerifyFunc VerifyTokenFunc = func(claim *jwt.RegisteredClaims) error {`
refactor: major middleware refactor 2024-02-14 03:17:34 +00:00			`return nil`
			`}`

			`ErrJWTUnexpectedClaimsType = errors.New("unexpected claims type")`
			`ErrJWTUnexpectedIssuer = errors.New("unexpected issuer")`
			`ErrJWTInvalid = errors.New("invalid JWT")`
			`)`
feat: add purpose to jwt with consts 2024-02-14 01:58:17 +00:00
			`const (`
			`JWTPurposeLogin JWTPurpose = "login"`
refactor: major middleware refactor 2024-02-14 03:17:34 +00:00			`JWTPurpose2FA JWTPurpose = "2fa"`
refactor: allow purpose to be none 2024-03-13 22:44:09 +00:00			`JWTPurposeNone JWTPurpose = ""`
feat: add purpose to jwt with consts 2024-02-14 01:58:17 +00:00			`)`

refactor: prefix all jwt helpers 2024-02-14 03:31:44 +00:00			`func JWTGenerateToken(domain string, privateKey ed25519.PrivateKey, userID uint, purpose JWTPurpose) (string, error) {`
			`return JWTGenerateTokenWithDuration(domain, privateKey, userID, time.Hour*24, purpose)`
refactor: create and export GenerateTokenWithDuration and GenerateToken 2024-01-20 12:30:46 +00:00			`}`
feat: add purpose to jwt with consts 2024-02-14 01:58:17 +00:00
refactor: prefix all jwt helpers 2024-02-14 03:31:44 +00:00			`func JWTGenerateTokenWithDuration(domain string, privateKey ed25519.PrivateKey, userID uint, duration time.Duration, purpose JWTPurpose) (string, error) {`
refactor: major middleware refactor 2024-02-14 03:17:34 +00:00
feat: implement EmailExists, PubkeyExists, CreateAccount,AddPubkeyToAccount, LoginPassword, LoginPubkey 2024-01-16 18:30:36 +00:00			`// Define the claims`
refactor: major middleware refactor 2024-02-14 03:17:34 +00:00			`claims := jwt.RegisteredClaims{`
			`Issuer: domain,`
			`Subject: strconv.Itoa(int(userID)),`
			`ExpiresAt: jwt.NewNumericDate(time.Now().Add(duration)),`
			`IssuedAt: jwt.NewNumericDate(time.Now()),`
			`Audience: []string{string(purpose)},`
feat: implement EmailExists, PubkeyExists, CreateAccount,AddPubkeyToAccount, LoginPassword, LoginPubkey 2024-01-16 18:30:36 +00:00			`}`

			`// Create the token`
			`token := jwt.NewWithClaims(jwt.SigningMethodEdDSA, claims)`

			`// Sign the token with the Ed25519 private key`
			`tokenString, err := token.SignedString(privateKey)`
			`if err != nil {`
			`return "", err`
			`}`

			`return tokenString, nil`
			`}`
refactor: major middleware refactor 2024-02-14 03:17:34 +00:00
refactor: prefix all jwt helpers 2024-02-14 03:31:44 +00:00			`func JWTVerifyToken(token string, domain string, privateKey ed25519.PrivateKey, verifyFunc VerifyTokenFunc) (*jwt.RegisteredClaims, error) {`
fix: need to use the claim by ref 2024-02-18 01:07:43 +00:00			`validatedToken, err := jwt.ParseWithClaims(token, &jwt.RegisteredClaims{}, func(token *jwt.Token) (interface{}, error) {`
refactor: major middleware refactor 2024-02-14 03:17:34 +00:00			`if _, ok := token.Method.(*jwt.SigningMethodEd25519); !ok {`
			`return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])`
			`}`

			`publicKey := privateKey.Public()`

			`return publicKey, nil`
			`})`

			`if err != nil {`
			`return nil, err`
			`}`

			`if verifyFunc == nil {`
			`verifyFunc = nopVerifyFunc`
			`}`

fix: need to use the claim by ref 2024-02-18 01:07:43 +00:00			`claim, ok := validatedToken.Claims.(*jwt.RegisteredClaims)`
refactor: major middleware refactor 2024-02-14 03:17:34 +00:00
			`if !ok {`
			`return nil, fmt.Errorf("%w: %s", ErrJWTUnexpectedClaimsType, validatedToken.Claims)`
			`}`

			`if domain != claim.Issuer {`
			`return nil, fmt.Errorf("%w: %s", ErrJWTUnexpectedIssuer, claim.Issuer)`
			`}`

fix: need to pass the claim by ref 2024-02-18 01:11:43 +00:00			`err = verifyFunc(claim)`
refactor: major middleware refactor 2024-02-14 03:17:34 +00:00
fix: missing returning the claim 2024-02-18 01:16:19 +00:00			`return claim, err`
refactor: major middleware refactor 2024-02-14 03:17:34 +00:00			`}`
feat: add SetAuthCookie helper 2024-03-17 12:15:27 +00:00
refactor: set auth cookie for every api, and optionally pass a specific api name to only set instead 2024-03-17 12:59:34 +00:00			`func SetAuthCookie(w http.ResponseWriter, token string, apiName string) {`
			`for name, api := range apiRegistry.GetAllAPIs() {`
			`routeableApi, ok := api.(router.RoutableAPI)`
			`if !ok {`
			`continue`
			`}`

			`if len(apiName) > 0 && apiName != name {`
			`continue`
			`}`

			`http.SetCookie(w, &http.Cookie{`
			`Name: name,`
			`Value: token,`
			`Expires: time.Now().Add(24 * time.Hour),`
			`Secure: true,`
			`HttpOnly: true,`
			`Path: "/",`
			`Domain: routeableApi.Domain(),`
			`})`
			`}`
feat: add SetAuthCookie helper 2024-03-17 12:15:27 +00:00			`}`