github.com/Cleverse/go-ethereum@v0.0.0-20220927095127-45113064e7f2/node/jwt_handler.go

github.com/Cleverse/go-ethereum@v0.0.0-20220927095127-45113064e7f2/node/jwt_handler.go (about)

     1  // Copyright 2022 The go-ethereum Authors
     2  // This file is part of the go-ethereum library.
     3  //
     4  // The go-ethereum library is free software: you can redistribute it and/or modify
     5  // it under the terms of the GNU Lesser General Public License as published by
     6  // the Free Software Foundation, either version 3 of the License, or
     7  // (at your option) any later version.
     8  //
     9  // The go-ethereum library is distributed in the hope that it will be useful,
    10  // but WITHOUT ANY WARRANTY; without even the implied warranty of
    11  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    12  // GNU Lesser General Public License for more details.
    13  //
    14  // You should have received a copy of the GNU Lesser General Public License
    15  // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
    16  
    17  package node
    18  
    19  import (
    20  	"net/http"
    21  	"strings"
    22  	"time"
    23  
    24  	"github.com/golang-jwt/jwt/v4"
    25  )
    26  
    27  type jwtHandler struct {
    28  	keyFunc func(token *jwt.Token) (interface{}, error)
    29  	next    http.Handler
    30  }
    31  
    32  // newJWTHandler creates a http.Handler with jwt authentication support.
    33  func newJWTHandler(secret []byte, next http.Handler) http.Handler {
    34  	return &jwtHandler{
    35  		keyFunc: func(token *jwt.Token) (interface{}, error) {
    36  			return secret, nil
    37  		},
    38  		next: next,
    39  	}
    40  }
    41  
    42  // ServeHTTP implements http.Handler
    43  func (handler *jwtHandler) ServeHTTP(out http.ResponseWriter, r *http.Request) {
    44  	var (
    45  		strToken string
    46  		claims   jwt.RegisteredClaims
    47  	)
    48  	if auth := r.Header.Get("Authorization"); strings.HasPrefix(auth, "Bearer ") {
    49  		strToken = strings.TrimPrefix(auth, "Bearer ")
    50  	}
    51  	if len(strToken) == 0 {
    52  		http.Error(out, "missing token", http.StatusForbidden)
    53  		return
    54  	}
    55  	// We explicitly set only HS256 allowed, and also disables the
    56  	// claim-check: the RegisteredClaims internally requires 'iat' to
    57  	// be no later than 'now', but we allow for a bit of drift.
    58  	token, err := jwt.ParseWithClaims(strToken, &claims, handler.keyFunc,
    59  		jwt.WithValidMethods([]string{"HS256"}),
    60  		jwt.WithoutClaimsValidation())
    61  
    62  	switch {
    63  	case err != nil:
    64  		http.Error(out, err.Error(), http.StatusForbidden)
    65  	case !token.Valid:
    66  		http.Error(out, "invalid token", http.StatusForbidden)
    67  	case !claims.VerifyExpiresAt(time.Now(), false): // optional
    68  		http.Error(out, "token is expired", http.StatusForbidden)
    69  	case claims.IssuedAt == nil:
    70  		http.Error(out, "missing issued-at", http.StatusForbidden)
    71  	case time.Since(claims.IssuedAt.Time) > 5*time.Second:
    72  		http.Error(out, "stale token", http.StatusForbidden)
    73  	case time.Until(claims.IssuedAt.Time) > 5*time.Second:
    74  		http.Error(out, "future token", http.StatusForbidden)
    75  	default:
    76  		handler.next.ServeHTTP(out, r)
    77  	}
    78  }