Compare commits
2 Commits
b1fcc7f7ae
...
2528fd0afe
| Author | SHA1 | Date |
|---|---|---|
 Derrick Hammer
|
2528fd0afe
|
|
|
Derrick Hammer
|
bee80a9981
|
|
|
@ -3,6 +3,7 @@ package middleware
|
|||
import (
|
||||
"context"
|
||||
"crypto/ed25519"
|
||||
"errors"
|
||||
"net/http"
|
||||
"slices"
|
||||
"strconv"
|
||||
|
|
@ -103,6 +104,7 @@ type AuthMiddlewareOptions struct {
|
|||
AuthContextKey string
|
||||
Config *config.Manager
|
||||
EmptyAllowed bool
|
||||
ExpiredAllowed bool
|
||||
}
|
||||
|
||||
func AuthMiddleware(options AuthMiddlewareOptions) func(http.Handler) http.Handler {
|
||||
|
|
@ -128,17 +130,22 @@ func AuthMiddleware(options AuthMiddlewareOptions) func(http.Handler) http.Handl
|
|||
claim, err := account.JWTVerifyToken(authToken, domain, options.Identity, func(claim *jwt.RegisteredClaims) error {
|
||||
aud, _ := claim.GetAudience()
|
||||
|
||||
if options.Purpose != account.JWTPurposeNone && slices.Contains[jwt.ClaimStrings, string](aud, string(options.Purpose)) == false {
|
||||
if !options.EmptyAllowed {
|
||||
if options.Purpose != account.JWTPurposeNone && jwtPurposeEqual(aud, options.Purpose) == false {
|
||||
return account.ErrJWTInvalid
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
unauthorized := true
|
||||
if errors.Is(err, jwt.ErrTokenExpired) && options.ExpiredAllowed {
|
||||
unauthorized = false
|
||||
}
|
||||
|
||||
if unauthorized && jwtPurposeEqual(claim.Audience, options.Purpose) == true {
|
||||
http.Error(w, err.Error(), http.StatusUnauthorized)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
|
|
@ -215,3 +222,7 @@ func CtxAborted(ctx context.Context) bool {
|
|||
return false
|
||||
}
|
||||
}
|
||||
|
||||
func jwtPurposeEqual(aud jwt.ClaimStrings, purpose account.JWTPurpose) bool {
|
||||
return slices.Contains[jwt.ClaimStrings, string](aud, string(purpose))
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue