wip
This commit is contained in:
Magnus Åhall
parent
515c748e14
commit
bd4a475923
23 changed files with 1217 additions and 192 deletions
|
|
@ -51,6 +51,25 @@ func NewManager(db *sqlx.DB, log *slog.Logger, secret string, expireDays int) (m
|
|||
mngr.ExpireDays = expireDays
|
||||
return
|
||||
} // }}}
|
||||
func validateTokenTimestamps(claims jwt.MapClaims) error { // {{{
|
||||
now := time.Now()
|
||||
|
||||
if issuedAt, ok := claims["iat"].(float64); ok {
|
||||
if now.Unix() < int64(issuedAt) {
|
||||
return errors.New("Token is not valid yet")
|
||||
}
|
||||
} else {
|
||||
return errors.New("Token is missing iat")
|
||||
}
|
||||
|
||||
if expires, ok := claims["exp"].(float64); ok {
|
||||
if now.Unix() > int64(expires) {
|
||||
return errors.New("Token has expired")
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
} // }}}
|
||||
|
||||
func (mngr *Manager) GenerateToken(data map[string]any) (string, error) { // {{{
|
||||
// Create a new token object, specifying signing method and the claims
|
||||
|
|
@ -64,7 +83,7 @@ func (mngr *Manager) GenerateToken(data map[string]any) (string, error) { // {{{
|
|||
// Sign and get the complete encoded token as a string using the secret.
|
||||
return token.SignedString(mngr.secret)
|
||||
} // }}}
|
||||
func (mngr *Manager) VerifyToken(tokenString string) (jwt.Claims, error) { // {{{
|
||||
func (mngr *Manager) VerifyToken(tokenString string) (jwt.MapClaims, error) { // {{{
|
||||
// Parse takes the token string and a function for looking up the key. The latter is especially
|
||||
// useful if you use multiple keys for your application. The standard is to use 'kid' in the
|
||||
// head of the token to identify which key to use, but the parsed token (head and claims) is provided
|
||||
|
|
@ -79,10 +98,15 @@ func (mngr *Manager) VerifyToken(tokenString string) (jwt.Claims, error) { // {{
|
|||
return mngr.secret, nil
|
||||
})
|
||||
if err != nil {
|
||||
mngr.log.Error("jwt", "error", err)
|
||||
mngr.log.Error("authentication", "error", err)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if claims, ok := token.Claims.(jwt.MapClaims); ok {
|
||||
err = validateTokenTimestamps(claims)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return claims, nil
|
||||
} else {
|
||||
return nil, err
|
||||
|
|
@ -97,6 +121,7 @@ func (mngr *Manager) AuthenticationHandler(w http.ResponseWriter, r *http.Reques
|
|||
body, _ := io.ReadAll(r.Body)
|
||||
err := json.Unmarshal(body, &request)
|
||||
if err != nil {
|
||||
mngr.log.Debug("authentication", "error", err)
|
||||
httpError(w, err)
|
||||
return
|
||||
}
|
||||
|
|
@ -104,11 +129,13 @@ func (mngr *Manager) AuthenticationHandler(w http.ResponseWriter, r *http.Reques
|
|||
// Verify username and password against the db user table.
|
||||
authenticated, user, err := mngr.Authenticate(request.Username, request.Password)
|
||||
if err != nil {
|
||||
mngr.log.Error("authentication", "error", err)
|
||||
httpError(w, err)
|
||||
return
|
||||
}
|
||||
|
||||
if !authenticated {
|
||||
mngr.log.Info("authentication", "username", request.Username, "status", "failed")
|
||||
httpError(w, errors.New("Authentication failed"))
|
||||
return
|
||||
}
|
||||
|
|
@ -121,10 +148,12 @@ func (mngr *Manager) AuthenticationHandler(w http.ResponseWriter, r *http.Reques
|
|||
data["name"] = user.Name
|
||||
token, err = mngr.GenerateToken(data)
|
||||
if err != nil {
|
||||
mngr.log.Error("authentication", "error", err)
|
||||
httpError(w, err)
|
||||
return
|
||||
}
|
||||
|
||||
mngr.log.Info("authentication", "username", request.Username, "status", "accepted")
|
||||
j, _ := json.Marshal(struct {
|
||||
OK bool
|
||||
User User
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue