mirror of
https://github.com/elyby/chrly.git
synced 2025-05-31 14:11:51 +05:30
The configuration file was deleted in favor of using environment variables.
Token generation functionality remove. Secret token now provided via CHRLY_SECRET env variable.
This commit is contained in:
ErickSkrauch
112
auth/jwt.go
112
auth/jwt.go
@@ -1,25 +1,17 @@
|
||||
package auth
|
||||
|
||||
import (
|
||||
"encoding/base64"
|
||||
"math"
|
||||
"math/rand"
|
||||
"errors"
|
||||
"net/http"
|
||||
"os"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/SermoDigital/jose/crypto"
|
||||
"github.com/SermoDigital/jose/jws"
|
||||
"github.com/mitchellh/go-homedir"
|
||||
"github.com/spf13/afero"
|
||||
)
|
||||
|
||||
var fs = afero.NewOsFs()
|
||||
|
||||
var hashAlg = crypto.SigningMethodHS256
|
||||
|
||||
const appHomeDirName = ".minecraft-skinsystem"
|
||||
const scopesClaim = "scopes"
|
||||
|
||||
type Scope string
|
||||
@@ -29,20 +21,19 @@ var (
|
||||
)
|
||||
|
||||
type JwtAuth struct {
|
||||
signingKey []byte
|
||||
Key []byte
|
||||
}
|
||||
|
||||
func (t *JwtAuth) NewToken(scopes ...Scope) ([]byte, error) {
|
||||
key, err := t.getSigningKey()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
if len(t.Key) == 0 {
|
||||
return nil, errors.New("signing key not available")
|
||||
}
|
||||
|
||||
claims := jws.Claims{}
|
||||
claims.Set(scopesClaim, scopes)
|
||||
claims.SetIssuedAt(time.Now())
|
||||
encoder := jws.NewJWT(claims, hashAlg)
|
||||
token, err := encoder.Serialize(key)
|
||||
token, err := encoder.Serialize(t.Key)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -50,20 +41,11 @@ func (t *JwtAuth) NewToken(scopes ...Scope) ([]byte, error) {
|
||||
return token, nil
|
||||
}
|
||||
|
||||
func (t *JwtAuth) GenerateSigningKey() error {
|
||||
if err := createAppHomeDir(); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
key := generateRandomBytes(64)
|
||||
if err := afero.WriteFile(fs, getKeyPath(), key, 0600); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (t *JwtAuth) Check(req *http.Request) error {
|
||||
if len(t.Key) == 0 {
|
||||
return &Unauthorized{"Signing key not set"}
|
||||
}
|
||||
|
||||
bearerToken := req.Header.Get("Authorization")
|
||||
if bearerToken == "" {
|
||||
return &Unauthorized{"Authentication header not presented"}
|
||||
@@ -79,79 +61,14 @@ func (t *JwtAuth) Check(req *http.Request) error {
|
||||
return &Unauthorized{"Cannot parse passed JWT token"}
|
||||
}
|
||||
|
||||
signKey, err := t.getSigningKey()
|
||||
err = token.Validate(t.Key, hashAlg)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
err = token.Validate(signKey, hashAlg)
|
||||
if err != nil {
|
||||
return &Unauthorized{"JWT token have invalid signature. It corrupted or expired."}
|
||||
return &Unauthorized{"JWT token have invalid signature. It may be corrupted or expired."}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (t *JwtAuth) getSigningKey() ([]byte, error) {
|
||||
if t.signingKey == nil {
|
||||
path := getKeyPath()
|
||||
if _, err := fs.Stat(path); err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
return nil, &SigningKeyNotAvailable{}
|
||||
}
|
||||
|
||||
return nil, err
|
||||
}
|
||||
|
||||
key, err := afero.ReadFile(fs, path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
t.signingKey = key
|
||||
}
|
||||
|
||||
return t.signingKey, nil
|
||||
}
|
||||
|
||||
func createAppHomeDir() error {
|
||||
path := getAppHomeDirPath()
|
||||
if _, err := fs.Stat(path); os.IsNotExist(err) {
|
||||
err := fs.Mkdir(path, 0755) // rwx r-x r-x
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func getAppHomeDirPath() string {
|
||||
path, err := homedir.Expand("~/" + appHomeDirName)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
return path
|
||||
}
|
||||
|
||||
func getKeyPath() string {
|
||||
return getAppHomeDirPath() + "/jwt-key"
|
||||
}
|
||||
|
||||
func generateRandomBytes(n int) []byte {
|
||||
// base64 will increase length in 1.37 times
|
||||
// +1 is needed to ensure, that after base64 we will do not have any '===' characters
|
||||
randLen := int(math.Ceil(float64(n) / 1.37)) + 1
|
||||
randBytes := make([]byte, randLen)
|
||||
rand.Read(randBytes)
|
||||
// +5 is needed to have additional buffer for the next set of XX=== characters
|
||||
resBytes := make([]byte, n + 5)
|
||||
base64.URLEncoding.Encode(resBytes, randBytes)
|
||||
|
||||
return resBytes[:n]
|
||||
}
|
||||
|
||||
type Unauthorized struct {
|
||||
Reason string
|
||||
}
|
||||
@@ -163,10 +80,3 @@ func (e *Unauthorized) Error() string {
|
||||
|
||||
return "Unauthorized"
|
||||
}
|
||||
|
||||
type SigningKeyNotAvailable struct {
|
||||
}
|
||||
|
||||
func (*SigningKeyNotAvailable) Error() string {
|
||||
return "Signing key not available"
|
||||
}
|
||||
|
||||
@@ -2,88 +2,36 @@ package auth
|
||||
|
||||
import (
|
||||
"net/http/httptest"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/spf13/afero"
|
||||
|
||||
testify "github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
const jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxNTE2NjU4MTkzIiwic2NvcGVzIjoic2tpbiJ9.agbBS0qdyYMBaVfTZJAZcTTRgW1Y0kZty4H3N2JHBO8"
|
||||
|
||||
func TestJwtAuth_NewToken_Success(t *testing.T) {
|
||||
clearFs()
|
||||
assert := testify.New(t)
|
||||
|
||||
fs.Mkdir(getAppHomeDirPath(), 0755)
|
||||
afero.WriteFile(fs, getKeyPath(), []byte("secret"), 0600)
|
||||
|
||||
jwt := &JwtAuth{}
|
||||
jwt := &JwtAuth{[]byte("secret")}
|
||||
token, err := jwt.NewToken(SkinScope)
|
||||
assert.Nil(err)
|
||||
assert.NotNil(token)
|
||||
}
|
||||
|
||||
func TestJwtAuth_NewToken_KeyNotAvailable(t *testing.T) {
|
||||
clearFs()
|
||||
assert := testify.New(t)
|
||||
|
||||
fs = afero.NewMemMapFs()
|
||||
|
||||
jwt := &JwtAuth{}
|
||||
token, err := jwt.NewToken(SkinScope)
|
||||
assert.IsType(&SigningKeyNotAvailable{}, err)
|
||||
assert.Error(err, "signing key not available")
|
||||
assert.Nil(token)
|
||||
}
|
||||
|
||||
func TestJwtAuth_GenerateSigningKey_KeyNotExists(t *testing.T) {
|
||||
clearFs()
|
||||
assert := testify.New(t)
|
||||
|
||||
jwt := &JwtAuth{}
|
||||
err := jwt.GenerateSigningKey()
|
||||
assert.Nil(err)
|
||||
if _, err := fs.Stat(getAppHomeDirPath()); err != nil {
|
||||
assert.Fail("directory not created")
|
||||
}
|
||||
|
||||
if _, err := fs.Stat(getKeyPath()); err != nil {
|
||||
assert.Fail("signing file not created")
|
||||
}
|
||||
|
||||
content, _ := afero.ReadFile(fs, getKeyPath())
|
||||
assert.Len(content, 64)
|
||||
}
|
||||
|
||||
func TestJwtAuth_GenerateSigningKey_KeyExists(t *testing.T) {
|
||||
clearFs()
|
||||
assert := testify.New(t)
|
||||
|
||||
fs.Mkdir(getAppHomeDirPath(), 0755)
|
||||
afero.WriteFile(fs, getKeyPath(), []byte("secret"), 0600)
|
||||
|
||||
jwt := &JwtAuth{}
|
||||
err := jwt.GenerateSigningKey()
|
||||
assert.Nil(err)
|
||||
if _, err := fs.Stat(getAppHomeDirPath()); err != nil {
|
||||
assert.Fail("directory not created")
|
||||
}
|
||||
|
||||
if _, err := fs.Stat(getKeyPath()); err != nil {
|
||||
assert.Fail("signing file not created")
|
||||
}
|
||||
|
||||
content, _ := afero.ReadFile(fs, getKeyPath())
|
||||
assert.NotEqual([]byte("secret"), content)
|
||||
}
|
||||
|
||||
func TestJwtAuth_Check_EmptyRequest(t *testing.T) {
|
||||
clearFs()
|
||||
assert := testify.New(t)
|
||||
|
||||
req := httptest.NewRequest("POST", "http://localhost", nil)
|
||||
jwt := &JwtAuth{}
|
||||
jwt := &JwtAuth{[]byte("secret")}
|
||||
|
||||
err := jwt.Check(req)
|
||||
assert.IsType(&Unauthorized{}, err)
|
||||
@@ -91,12 +39,11 @@ func TestJwtAuth_Check_EmptyRequest(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestJwtAuth_Check_NonBearer(t *testing.T) {
|
||||
clearFs()
|
||||
assert := testify.New(t)
|
||||
|
||||
req := httptest.NewRequest("POST", "http://localhost", nil)
|
||||
req.Header.Add("Authorization", "this is not jwt")
|
||||
jwt := &JwtAuth{}
|
||||
jwt := &JwtAuth{[]byte("secret")}
|
||||
|
||||
err := jwt.Check(req)
|
||||
assert.IsType(&Unauthorized{}, err)
|
||||
@@ -104,12 +51,11 @@ func TestJwtAuth_Check_NonBearer(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestJwtAuth_Check_BearerButNotJwt(t *testing.T) {
|
||||
clearFs()
|
||||
assert := testify.New(t)
|
||||
|
||||
req := httptest.NewRequest("POST", "http://localhost", nil)
|
||||
req.Header.Add("Authorization", "Bearer thisIs.Not.Jwt")
|
||||
jwt := &JwtAuth{}
|
||||
jwt := &JwtAuth{[]byte("secret")}
|
||||
|
||||
err := jwt.Check(req)
|
||||
assert.IsType(&Unauthorized{}, err)
|
||||
@@ -117,7 +63,6 @@ func TestJwtAuth_Check_BearerButNotJwt(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestJwtAuth_Check_SecretNotAvailable(t *testing.T) {
|
||||
clearFs()
|
||||
assert := testify.New(t)
|
||||
|
||||
req := httptest.NewRequest("POST", "http://localhost", nil)
|
||||
@@ -125,11 +70,10 @@ func TestJwtAuth_Check_SecretNotAvailable(t *testing.T) {
|
||||
jwt := &JwtAuth{}
|
||||
|
||||
err := jwt.Check(req)
|
||||
assert.IsType(&SigningKeyNotAvailable{}, err)
|
||||
assert.Error(err, "Signing key not set")
|
||||
}
|
||||
|
||||
func TestJwtAuth_Check_SecretInvalid(t *testing.T) {
|
||||
clearFs()
|
||||
assert := testify.New(t)
|
||||
|
||||
req := httptest.NewRequest("POST", "http://localhost", nil)
|
||||
@@ -138,11 +82,10 @@ func TestJwtAuth_Check_SecretInvalid(t *testing.T) {
|
||||
|
||||
err := jwt.Check(req)
|
||||
assert.IsType(&Unauthorized{}, err)
|
||||
assert.EqualError(err, "JWT token have invalid signature. It corrupted or expired.")
|
||||
assert.EqualError(err, "JWT token have invalid signature. It may be corrupted or expired.")
|
||||
}
|
||||
|
||||
func TestJwtAuth_Check_Valid(t *testing.T) {
|
||||
clearFs()
|
||||
assert := testify.New(t)
|
||||
|
||||
req := httptest.NewRequest("POST", "http://localhost", nil)
|
||||
@@ -152,17 +95,3 @@ func TestJwtAuth_Check_Valid(t *testing.T) {
|
||||
err := jwt.Check(req)
|
||||
assert.Nil(err)
|
||||
}
|
||||
|
||||
func TestJwtAuth_generateRandomBytes(t *testing.T) {
|
||||
assert := testify.New(t)
|
||||
lengthMap := []int{12, 20, 24, 30, 32, 48, 50, 64}
|
||||
for _, length := range lengthMap {
|
||||
bytes := generateRandomBytes(length)
|
||||
assert.Len(bytes, length)
|
||||
assert.False(strings.HasSuffix(string(bytes), "="), "secret key should not ends with '=' character")
|
||||
}
|
||||
}
|
||||
|
||||
func clearFs() {
|
||||
fs = afero.NewMemMapFs()
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user