188 lines
4.6 KiB
Go
188 lines
4.6 KiB
Go
package account
|
|
|
|
import (
|
|
"crypto/ed25519"
|
|
"errors"
|
|
"fmt"
|
|
"net/http"
|
|
"strconv"
|
|
"time"
|
|
|
|
"git.lumeweb.com/LumeWeb/portal/config"
|
|
|
|
"github.com/samber/lo"
|
|
|
|
"go.sia.tech/jape"
|
|
|
|
"git.lumeweb.com/LumeWeb/portal/api/router"
|
|
|
|
apiRegistry "git.lumeweb.com/LumeWeb/portal/api/registry"
|
|
|
|
"github.com/golang-jwt/jwt/v5"
|
|
)
|
|
|
|
const AUTH_COOKIE_NAME = "auth_token"
|
|
|
|
type JWTPurpose string
|
|
type VerifyTokenFunc func(claim *jwt.RegisteredClaims) error
|
|
|
|
var (
|
|
nopVerifyFunc VerifyTokenFunc = func(claim *jwt.RegisteredClaims) error {
|
|
return nil
|
|
}
|
|
|
|
ErrJWTUnexpectedClaimsType = errors.New("unexpected claims type")
|
|
ErrJWTUnexpectedIssuer = errors.New("unexpected issuer")
|
|
ErrJWTInvalid = errors.New("invalid JWT")
|
|
)
|
|
|
|
const (
|
|
JWTPurposeLogin JWTPurpose = "login"
|
|
JWTPurpose2FA JWTPurpose = "2fa"
|
|
JWTPurposeNone JWTPurpose = ""
|
|
)
|
|
|
|
func JWTGenerateToken(domain string, privateKey ed25519.PrivateKey, userID uint, purpose JWTPurpose) (string, error) {
|
|
return JWTGenerateTokenWithDuration(domain, privateKey, userID, time.Hour*24, purpose)
|
|
}
|
|
|
|
func JWTGenerateTokenWithDuration(domain string, privateKey ed25519.PrivateKey, userID uint, duration time.Duration, purpose JWTPurpose) (string, error) {
|
|
|
|
// Define the claims
|
|
claims := jwt.RegisteredClaims{
|
|
Issuer: domain,
|
|
Subject: strconv.Itoa(int(userID)),
|
|
ExpiresAt: jwt.NewNumericDate(time.Now().Add(duration)),
|
|
IssuedAt: jwt.NewNumericDate(time.Now()),
|
|
Audience: []string{string(purpose)},
|
|
}
|
|
|
|
// Create the token
|
|
token := jwt.NewWithClaims(jwt.SigningMethodEdDSA, claims)
|
|
|
|
// Sign the token with the Ed25519 private key
|
|
tokenString, err := token.SignedString(privateKey)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
return tokenString, nil
|
|
}
|
|
|
|
func JWTVerifyToken(token string, domain string, privateKey ed25519.PrivateKey, verifyFunc VerifyTokenFunc) (*jwt.RegisteredClaims, error) {
|
|
validatedToken, err := jwt.ParseWithClaims(token, &jwt.RegisteredClaims{}, func(token *jwt.Token) (interface{}, error) {
|
|
if _, ok := token.Method.(*jwt.SigningMethodEd25519); !ok {
|
|
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
|
|
}
|
|
|
|
publicKey := privateKey.Public()
|
|
|
|
return publicKey, nil
|
|
})
|
|
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if verifyFunc == nil {
|
|
verifyFunc = nopVerifyFunc
|
|
}
|
|
|
|
claim, ok := validatedToken.Claims.(*jwt.RegisteredClaims)
|
|
|
|
if !ok {
|
|
return nil, fmt.Errorf("%w: %s", ErrJWTUnexpectedClaimsType, validatedToken.Claims)
|
|
}
|
|
|
|
if domain != claim.Issuer {
|
|
return nil, fmt.Errorf("%w: %s", ErrJWTUnexpectedIssuer, claim.Issuer)
|
|
}
|
|
|
|
err = verifyFunc(claim)
|
|
|
|
return claim, err
|
|
}
|
|
|
|
func SetAuthCookie(jc jape.Context, c *config.Manager, jwt string) {
|
|
|
|
for _, api := range apiRegistry.GetAllAPIs() {
|
|
routeableApi, ok := api.(router.RoutableAPI)
|
|
if !ok {
|
|
continue
|
|
}
|
|
|
|
http.SetCookie(jc.ResponseWriter, &http.Cookie{
|
|
Name: routeableApi.AuthTokenName(),
|
|
Value: jwt,
|
|
MaxAge: int((24 * time.Hour).Seconds()),
|
|
Secure: true,
|
|
HttpOnly: true,
|
|
Path: "/",
|
|
Domain: c.Config().Core.Domain,
|
|
})
|
|
}
|
|
}
|
|
|
|
func EchoAuthCookie(jc jape.Context, config *config.Manager) {
|
|
for _, api := range apiRegistry.GetAllAPIs() {
|
|
routeableApi, ok := api.(router.RoutableAPI)
|
|
if !ok {
|
|
continue
|
|
}
|
|
|
|
cookies := lo.Filter(jc.Request.Cookies(), func(item *http.Cookie, _ int) bool {
|
|
return item.Name == routeableApi.AuthTokenName()
|
|
})
|
|
|
|
if len(cookies) == 0 {
|
|
continue
|
|
}
|
|
|
|
unverified, _, err := jwt.NewParser().ParseUnverified(cookies[0].Value, &jwt.RegisteredClaims{})
|
|
if err != nil {
|
|
http.Error(jc.ResponseWriter, err.Error(), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
exp, err := unverified.Claims.GetExpirationTime()
|
|
if err != nil {
|
|
http.Error(jc.ResponseWriter, err.Error(), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
http.SetCookie(jc.ResponseWriter, &http.Cookie{
|
|
Name: cookies[0].Name,
|
|
Value: cookies[0].Value,
|
|
MaxAge: int(exp.Time.Sub(time.Now()).Seconds()),
|
|
Secure: true,
|
|
HttpOnly: true,
|
|
Path: "/",
|
|
Domain: config.Config().Core.Domain,
|
|
})
|
|
}
|
|
}
|
|
|
|
func ClearAuthCookie(jc jape.Context, config *config.Manager) {
|
|
for _, api := range apiRegistry.GetAllAPIs() {
|
|
routeableApi, ok := api.(router.RoutableAPI)
|
|
if !ok {
|
|
continue
|
|
}
|
|
|
|
jc.ResponseWriter.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
|
|
jc.ResponseWriter.Header().Set("Pragma", "no-cache")
|
|
jc.ResponseWriter.Header().Set("Expires", "0")
|
|
|
|
http.SetCookie(jc.ResponseWriter, &http.Cookie{
|
|
Name: routeableApi.AuthTokenName(),
|
|
Value: "",
|
|
Expires: time.Date(1970, 1, 1, 0, 0, 0, 0, time.UTC),
|
|
MaxAge: -1,
|
|
Secure: true,
|
|
HttpOnly: true,
|
|
Path: "/",
|
|
Domain: config.Config().Core.Domain,
|
|
})
|
|
}
|
|
}
|