github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/auth/token.go (about)

     1  // Copyright 2015 Keybase, Inc. All rights reserved. Use of
     2  // this source code is governed by the included BSD license.
     3  
     4  // Code used to support authentication tokens for arbitrary purposes.
     5  package auth
     6  
     7  import (
     8  	"bytes"
     9  	"crypto/rand"
    10  	"encoding/hex"
    11  	"encoding/json"
    12  	"math"
    13  	"time"
    14  
    15  	"github.com/keybase/client/go/kbcrypto"
    16  	libkb "github.com/keybase/client/go/libkb"
    17  	keybase1 "github.com/keybase/client/go/protocol/keybase1"
    18  )
    19  
    20  const (
    21  	TokenType             = "auth"
    22  	CurrentTokenVersion   = 2
    23  	ChallengeLengthBytes  = 32
    24  	ChallengeLengthString = ChallengeLengthBytes * 2 // we use hex encoding
    25  )
    26  
    27  type TokenAuth struct {
    28  	Server    string `json:"server"`
    29  	Challenge string `json:"session"`
    30  }
    31  
    32  type TokenKey struct {
    33  	UID      keybase1.UID             `json:"uid"`
    34  	Username libkb.NormalizedUsername `json:"username"`
    35  	KID      keybase1.KID             `json:"kid"`
    36  }
    37  
    38  type TokenBody struct {
    39  	Auth    TokenAuth `json:"auth"`
    40  	Key     TokenKey  `json:"key"`
    41  	Type    string    `json:"type"`
    42  	Version int       `json:"version"`
    43  }
    44  
    45  type TokenClient struct {
    46  	Name    string `json:"name"`
    47  	Version string `json:"version"`
    48  }
    49  
    50  type Token struct {
    51  	Body         TokenBody   `json:"body"`
    52  	Client       TokenClient `json:"client"`
    53  	CreationTime int64       `json:"ctime"`
    54  	ExpireIn     int         `json:"expire_in"`
    55  	Tag          string      `json:"tag"`
    56  }
    57  
    58  func NewToken(uid keybase1.UID, username libkb.NormalizedUsername, kid keybase1.KID,
    59  	server, challenge string, now int64, expireIn int,
    60  	clientName, clientVersion string) *Token {
    61  	return &Token{
    62  		Body: TokenBody{
    63  			Auth: TokenAuth{
    64  				Server:    server,
    65  				Challenge: challenge,
    66  			},
    67  			Key: TokenKey{
    68  				UID:      uid,
    69  				Username: username,
    70  				KID:      kid,
    71  			},
    72  			Type:    TokenType,
    73  			Version: CurrentTokenVersion,
    74  		},
    75  		Client: TokenClient{
    76  			Name:    clientName,
    77  			Version: clientVersion,
    78  		},
    79  		CreationTime: now,
    80  		ExpireIn:     expireIn,
    81  		Tag:          "signature",
    82  	}
    83  }
    84  
    85  func (t Token) Bytes() []byte {
    86  	bytes, err := json.Marshal(&t)
    87  	if err != nil {
    88  		return []byte{}
    89  	}
    90  	return bytes
    91  }
    92  
    93  func (t Token) String() string {
    94  	return string(t.Bytes())
    95  }
    96  
    97  func VerifyToken(signature, server, challenge string, maxExpireIn int) (*Token, error) {
    98  	var t *Token
    99  	key, token, _, err := kbcrypto.NaclVerifyAndExtract(signature)
   100  	if err != nil {
   101  		return nil, err
   102  	}
   103  	if t, err = parseToken(token); err != nil {
   104  		return nil, err
   105  	}
   106  	if key.GetKID() != t.KID() {
   107  		return nil, InvalidTokenKeyError{
   108  			expected: key.GetKID().String(),
   109  			received: t.KID().String(),
   110  		}
   111  	}
   112  	if TokenType != t.Type() {
   113  		return nil, InvalidTokenTypeError{
   114  			expected: TokenType,
   115  			received: t.Type(),
   116  		}
   117  	}
   118  	if server != t.Server() {
   119  		return nil, InvalidTokenServerError{
   120  			expected: server,
   121  			received: t.Server(),
   122  		}
   123  	}
   124  	if challenge != t.Challenge() {
   125  		return nil, InvalidTokenChallengeError{
   126  			expected: challenge,
   127  			received: t.Challenge(),
   128  		}
   129  	}
   130  	remaining := t.TimeRemaining()
   131  	if remaining > maxExpireIn {
   132  		return nil, MaxTokenExpiresError{
   133  			creationTime: t.CreationTime,
   134  			expireIn:     t.ExpireIn,
   135  			now:          time.Now().Unix(),
   136  			maxExpireIn:  maxExpireIn,
   137  			remaining:    remaining,
   138  		}
   139  	}
   140  	if remaining <= 0 {
   141  		return nil, TokenExpiredError{
   142  			creationTime: t.CreationTime,
   143  			expireIn:     t.ExpireIn,
   144  			now:          time.Now().Unix(),
   145  		}
   146  	}
   147  	return t, nil
   148  }
   149  
   150  func (t Token) TimeRemaining() int {
   151  	ctime := time.Unix(t.CreationTime, 0)
   152  	expires := ctime.Add(time.Duration(t.ExpireIn) * time.Second)
   153  	return int(math.Ceil(time.Until(expires).Seconds()))
   154  }
   155  
   156  func (t Token) Server() string {
   157  	return t.Body.Auth.Server
   158  }
   159  
   160  func (t Token) Challenge() string {
   161  	return t.Body.Auth.Challenge
   162  }
   163  
   164  func (t Token) UID() keybase1.UID {
   165  	return t.Body.Key.UID
   166  }
   167  
   168  func (t Token) KID() keybase1.KID {
   169  	return t.Body.Key.KID
   170  }
   171  
   172  func (t Token) Username() libkb.NormalizedUsername {
   173  	return t.Body.Key.Username
   174  }
   175  
   176  func (t Token) Type() string {
   177  	return t.Body.Type
   178  }
   179  
   180  func (t Token) Version() int {
   181  	return t.Body.Version
   182  }
   183  
   184  func (t Token) ClientName() string {
   185  	return t.Client.Name
   186  }
   187  
   188  func (t Token) ClientVersion() string {
   189  	return t.Client.Version
   190  }
   191  
   192  func parseToken(token []byte) (*Token, error) {
   193  	decoder := json.NewDecoder(bytes.NewReader(token))
   194  	decoder.UseNumber()
   195  	var t Token
   196  	if err := decoder.Decode(&t); err != nil {
   197  		return nil, err
   198  	}
   199  	return &t, nil
   200  }
   201  
   202  // GenerateChallenge returns a cryptographically secure random challenge string.
   203  func GenerateChallenge() (string, error) {
   204  	buf := make([]byte, ChallengeLengthBytes)
   205  	if _, err := rand.Read(buf); err != nil {
   206  		return "", err
   207  	}
   208  	return hex.EncodeToString(buf), nil
   209  }
   210  
   211  // IsValidChallenge returns true if the passed challenge is validly formed.
   212  func IsValidChallenge(challenge string) bool {
   213  	if len(challenge) != ChallengeLengthString {
   214  		return false
   215  	}
   216  	if _, err := hex.DecodeString(challenge); err != nil {
   217  		return false
   218  	}
   219  	return true
   220  }