// Copyright 2022 The AmazeChain Authors
// This file is part of the AmazeChain library.
//
// The AmazeChain library is free software: you can redistribute it and/or modify
// it under the terms of the GNU Lesser General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// The AmazeChain library is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Lesser General Public License for more details.
//
// You should have received a copy of the GNU Lesser General Public License
// along with the AmazeChain library. If not, see <http://www.gnu.org/licenses/>.

package node

import (
	"net/http"
	"strings"
	"time"

	"github.com/golang-jwt/jwt/v4"
)

// jwtExpiryTimeout bounds how far a token's 'iat' claim may lie from the
// server clock, in either direction, before the token is rejected.
const jwtExpiryTimeout = 60 * time.Second

// jwtHandler guards an http.Handler behind JWT bearer-token authentication.
type jwtHandler struct {
	// keyFunc returns the key used to verify a token's signature.
	keyFunc func(token *jwt.Token) (interface{}, error)
	// next is the handler invoked once a request has been authenticated.
	next http.Handler
}

// newJWTHandler creates a http.Handler with jwt authentication support.
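func newJWTHandler(secret []byte, next http.Handler) http.Handler {
	// The same symmetric key verifies every token: the callback ignores the
	// token it is handed. Nothing here validates secret (an empty key is
	// accepted as-is), so the caller must supply a suitable one.
	return &jwtHandler{
		keyFunc: func(token *jwt.Token) (interface{}, error) {
			return secret, nil
		},
		next: next,
	}
}

// ServeHTTP implements http.Handler.
//
// The request is forwarded to the wrapped handler only when it carries a
// "Bearer" token in the Authorization header that:
//   - is signed with HS256 under the configured secret,
//   - has not passed its 'exp' claim (when present),
//   - has not yet reached its 'nbf' claim (when present),
//   - carries an 'iat' claim within jwtExpiryTimeout of the server clock,
//     in either direction.
//
// Every failure is answered with 403 Forbidden and the wrapped handler is
// not invoked.
func (handler *jwtHandler) ServeHTTP(out http.ResponseWriter, r *http.Request) {
	var (
		strToken string
		claims   jwt.RegisteredClaims
	)
	if auth := r.Header.Get("Authorization"); strings.HasPrefix(auth, "Bearer ") {
		strToken = strings.TrimPrefix(auth, "Bearer ")
	}
	if len(strToken) == 0 {
		http.Error(out, "missing token", http.StatusForbidden)
		return
	}
	// We explicitly set only HS256 allowed, and also disables the
	// claim-check: the RegisteredClaims internally requires 'iat' to
	// be no later than 'now', but we allow for a bit of drift.
	token, err := jwt.ParseWithClaims(strToken, &claims, handler.keyFunc,
		jwt.WithValidMethods([]string{"HS256"}),
		jwt.WithoutClaimsValidation())

	// Read the clock once so every time-based check below agrees.
	now := time.Now()
	switch {
	case err != nil:
		http.Error(out, err.Error(), http.StatusForbidden)
	case !token.Valid:
		http.Error(out, "invalid token", http.StatusForbidden)
	case !claims.VerifyExpiresAt(now, false): // optional
		http.Error(out, "token is expired", http.StatusForbidden)
	// Claim validation was disabled above, so 'nbf' would otherwise never be
	// checked; honour it when the issuer set one.
	case !claims.VerifyNotBefore(now, false): // optional
		http.Error(out, "token not yet valid", http.StatusForbidden)
	case claims.IssuedAt == nil:
		http.Error(out, "missing issued-at", http.StatusForbidden)
	case now.Sub(claims.IssuedAt.Time) > jwtExpiryTimeout:
		http.Error(out, "stale token", http.StatusForbidden)
	case claims.IssuedAt.Time.Sub(now) > jwtExpiryTimeout:
		http.Error(out, "future token", http.StatusForbidden)
	default:
		handler.next.ServeHTTP(out, r)
	}
}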