Compare commits
No commits in common. "2528fd0afebc612ffb57f45eb873ae89db48aad1" and "b1fcc7f7ae1795d609a1b8f18e8ebfdd23342557" have entirely different histories.
2528fd0afe
...
b1fcc7f7ae
|
@ -3,7 +3,6 @@ package middleware
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"crypto/ed25519"
|
"crypto/ed25519"
|
||||||
"errors"
|
|
||||||
"net/http"
|
"net/http"
|
||||||
"slices"
|
"slices"
|
||||||
"strconv"
|
"strconv"
|
||||||
|
@ -104,7 +103,6 @@ type AuthMiddlewareOptions struct {
|
||||||
AuthContextKey string
|
AuthContextKey string
|
||||||
Config *config.Manager
|
Config *config.Manager
|
||||||
EmptyAllowed bool
|
EmptyAllowed bool
|
||||||
ExpiredAllowed bool
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func AuthMiddleware(options AuthMiddlewareOptions) func(http.Handler) http.Handler {
|
func AuthMiddleware(options AuthMiddlewareOptions) func(http.Handler) http.Handler {
|
||||||
|
@ -130,22 +128,17 @@ func AuthMiddleware(options AuthMiddlewareOptions) func(http.Handler) http.Handl
|
||||||
claim, err := account.JWTVerifyToken(authToken, domain, options.Identity, func(claim *jwt.RegisteredClaims) error {
|
claim, err := account.JWTVerifyToken(authToken, domain, options.Identity, func(claim *jwt.RegisteredClaims) error {
|
||||||
aud, _ := claim.GetAudience()
|
aud, _ := claim.GetAudience()
|
||||||
|
|
||||||
if options.Purpose != account.JWTPurposeNone && jwtPurposeEqual(aud, options.Purpose) == false {
|
if options.Purpose != account.JWTPurposeNone && slices.Contains[jwt.ClaimStrings, string](aud, string(options.Purpose)) == false {
|
||||||
|
if !options.EmptyAllowed {
|
||||||
return account.ErrJWTInvalid
|
return account.ErrJWTInvalid
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
})
|
})
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
unauthorized := true
|
|
||||||
if errors.Is(err, jwt.ErrTokenExpired) && options.ExpiredAllowed {
|
|
||||||
unauthorized = false
|
|
||||||
}
|
|
||||||
|
|
||||||
if unauthorized && jwtPurposeEqual(claim.Audience, options.Purpose) == true {
|
|
||||||
http.Error(w, err.Error(), http.StatusUnauthorized)
|
http.Error(w, err.Error(), http.StatusUnauthorized)
|
||||||
}
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -222,7 +215,3 @@ func CtxAborted(ctx context.Context) bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func jwtPurposeEqual(aud jwt.ClaimStrings, purpose account.JWTPurpose) bool {
|
|
||||||
return slices.Contains[jwt.ClaimStrings, string](aud, string(purpose))
|
|
||||||
}
|
|
||||||
|
|
Loading…
Reference in New Issue