refactor: add optionExpiredAllowed to AuthMiddlewareOptions, add jwtPurposeEqual helper, don't error if expired with ExpiredAllowed and the purposes are different

Revert "refactor: if the token doesn't match our purpose only error if EmptyAllowed is off"
This reverts commit b1fcc7f7ae.
2024-03-20 14:09:41 -04:00 · 2024-03-20 13:55:35 -04:00
1 changed files with 16 additions and 5 deletions
--- a/api/middleware/middleware.go
+++ b/api/middleware/middleware.go
@ -3,6 +3,7 @@ package middleware
 import (
 	"context"
 	"crypto/ed25519"
+	"errors"
 	"net/http"
 	"slices"
 	"strconv"
@ -103,6 +104,7 @@ type AuthMiddlewareOptions struct {
 	AuthContextKey string
 	Config         *config.Manager
 	EmptyAllowed   bool
+	ExpiredAllowed bool
 }

 func AuthMiddleware(options AuthMiddlewareOptions) func(http.Handler) http.Handler {
@ -128,17 +130,22 @@ func AuthMiddleware(options AuthMiddlewareOptions) func(http.Handler) http.Handl
 			claim, err := account.JWTVerifyToken(authToken, domain, options.Identity, func(claim *jwt.RegisteredClaims) error {
 				aud, _ := claim.GetAudience()

-				if options.Purpose != account.JWTPurposeNone && slices.Contains[jwt.ClaimStrings, string](aud, string(options.Purpose)) == false {
-					if !options.EmptyAllowed {
-						return account.ErrJWTInvalid
-					}
+				if options.Purpose != account.JWTPurposeNone && jwtPurposeEqual(aud, options.Purpose) == false {
+					return account.ErrJWTInvalid
 				}

 				return nil
 			})

 			if err != nil {
-				http.Error(w, err.Error(), http.StatusUnauthorized)
+				unauthorized := true
+				if errors.Is(err, jwt.ErrTokenExpired) && options.ExpiredAllowed {
+					unauthorized = false
+				}
+
+				if unauthorized && jwtPurposeEqual(claim.Audience, options.Purpose) == true {
+					http.Error(w, err.Error(), http.StatusUnauthorized)
+				}
 				return
 			}

@ -215,3 +222,7 @@ func CtxAborted(ctx context.Context) bool {
 		return false
 	}
 }
+
+func jwtPurposeEqual(aud jwt.ClaimStrings, purpose account.JWTPurpose) bool {
+	return slices.Contains[jwt.ClaimStrings, string](aud, string(purpose))
+}
Author	SHA1	Message	Date
Derrick Hammer	2528fd0afe	refactor: add optionExpiredAllowed to AuthMiddlewareOptions, add jwtPurposeEqual helper, don't error if expired with ExpiredAllowed and the purposes are different	2024-03-20 14:09:41 -04:00
Derrick Hammer	bee80a9981	Revert "refactor: if the token doesn't match our purpose only error if EmptyAllowed is off" This reverts commit `b1fcc7f7ae`.	2024-03-20 13:55:35 -04:00