github.com/Cleverse/go-ethereum@v0.0.0-20220927095127-45113064e7f2/node/jwt_handler.go (about) 1 // Copyright 2022 The go-ethereum Authors 2 // This file is part of the go-ethereum library. 3 // 4 // The go-ethereum library is free software: you can redistribute it and/or modify 5 // it under the terms of the GNU Lesser General Public License as published by 6 // the Free Software Foundation, either version 3 of the License, or 7 // (at your option) any later version. 8 // 9 // The go-ethereum library is distributed in the hope that it will be useful, 10 // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 // GNU Lesser General Public License for more details. 13 // 14 // You should have received a copy of the GNU Lesser General Public License 15 // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>. 16 17 package node 18 19 import ( 20 "net/http" 21 "strings" 22 "time" 23 24 "github.com/golang-jwt/jwt/v4" 25 ) 26 27 type jwtHandler struct { 28 keyFunc func(token *jwt.Token) (interface{}, error) 29 next http.Handler 30 } 31 32 // newJWTHandler creates a http.Handler with jwt authentication support. 33 func newJWTHandler(secret []byte, next http.Handler) http.Handler { 34 return &jwtHandler{ 35 keyFunc: func(token *jwt.Token) (interface{}, error) { 36 return secret, nil 37 }, 38 next: next, 39 } 40 } 41 42 // ServeHTTP implements http.Handler 43 func (handler *jwtHandler) ServeHTTP(out http.ResponseWriter, r *http.Request) { 44 var ( 45 strToken string 46 claims jwt.RegisteredClaims 47 ) 48 if auth := r.Header.Get("Authorization"); strings.HasPrefix(auth, "Bearer ") { 49 strToken = strings.TrimPrefix(auth, "Bearer ") 50 } 51 if len(strToken) == 0 { 52 http.Error(out, "missing token", http.StatusForbidden) 53 return 54 } 55 // We explicitly set only HS256 allowed, and also disables the 56 // claim-check: the RegisteredClaims internally requires 'iat' to 57 // be no later than 'now', but we allow for a bit of drift. 58 token, err := jwt.ParseWithClaims(strToken, &claims, handler.keyFunc, 59 jwt.WithValidMethods([]string{"HS256"}), 60 jwt.WithoutClaimsValidation()) 61 62 switch { 63 case err != nil: 64 http.Error(out, err.Error(), http.StatusForbidden) 65 case !token.Valid: 66 http.Error(out, "invalid token", http.StatusForbidden) 67 case !claims.VerifyExpiresAt(time.Now(), false): // optional 68 http.Error(out, "token is expired", http.StatusForbidden) 69 case claims.IssuedAt == nil: 70 http.Error(out, "missing issued-at", http.StatusForbidden) 71 case time.Since(claims.IssuedAt.Time) > 5*time.Second: 72 http.Error(out, "stale token", http.StatusForbidden) 73 case time.Until(claims.IssuedAt.Time) > 5*time.Second: 74 http.Error(out, "future token", http.StatusForbidden) 75 default: 76 handler.next.ServeHTTP(out, r) 77 } 78 }