Fetch pubkey on each request for authmw

This commit is contained in:
Torjus Håkestad 2023-10-23 23:48:32 +02:00
parent d4ecf80f94
commit 2888905ab1
2 changed files with 71 additions and 26 deletions

View File

@ -8,37 +8,14 @@ import (
"net/http" "net/http"
"slices" "slices"
"strings" "strings"
"time"
"git.t-juice.club/microfilm/auth" "git.t-juice.club/microfilm/auth"
"github.com/golang-jwt/jwt/v5" "github.com/golang-jwt/jwt/v5"
"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
) )
func VerifyToken(authURL string, permittedRoles []string) func(http.Handler) http.Handler { func VerifyToken(authURL string, permittedRoles []string) func(http.Handler) http.Handler {
// Fetch current pubkey
url := fmt.Sprintf("%s/key", authURL)
req, err := http.NewRequest(http.MethodGet, url, nil)
if err != nil {
panic(err)
}
resp, err := http.DefaultClient.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
var authResponse auth.PubkeyResponse
decoder := json.NewDecoder(resp.Body)
if err := decoder.Decode(&authResponse); err != nil {
panic(err)
}
// Parse pubkey
pub, err := x509.ParsePKIXPublicKey(authResponse.PubKey)
if err != nil {
panic(err)
}
fn := func(next http.Handler) http.Handler { fn := func(next http.Handler) http.Handler {
fn := func(w http.ResponseWriter, r *http.Request) { fn := func(w http.ResponseWriter, r *http.Request) {
authHeader := r.Header.Get("Authorization") authHeader := r.Header.Get("Authorization")
@ -61,6 +38,74 @@ func VerifyToken(authURL string, permittedRoles []string) func(http.Handler) htt
return return
} }
// Fetch current pubkey
url := fmt.Sprintf("%s/key", authURL)
ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
defer cancel()
req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
if err != nil {
// TODO: Should log
w.WriteHeader(http.StatusInternalServerError)
errResp := &auth.ErrorResponse{
Message: fmt.Sprintf("Error getting pubkey for token verification: %s", err),
Status: http.StatusUnauthorized,
}
encoder := json.NewEncoder(w)
_ = encoder.Encode(&errResp)
return
}
client := &http.Client{
Transport: otelhttp.NewTransport(http.DefaultTransport),
}
resp, err := client.Do(req)
if err != nil {
// TODO: Should log
w.WriteHeader(http.StatusInternalServerError)
errResp := &auth.ErrorResponse{
Message: fmt.Sprintf("Error getting pubkey for token verification: %s", err),
Status: http.StatusUnauthorized,
}
encoder := json.NewEncoder(w)
_ = encoder.Encode(&errResp)
return
}
defer resp.Body.Close()
var authResponse auth.PubkeyResponse
decoder := json.NewDecoder(resp.Body)
if err := decoder.Decode(&authResponse); err != nil {
// TODO: Should log
w.WriteHeader(http.StatusInternalServerError)
errResp := &auth.ErrorResponse{
Message: fmt.Sprintf("Error getting pubkey for token verification: %s", err),
Status: http.StatusUnauthorized,
}
encoder := json.NewEncoder(w)
_ = encoder.Encode(&errResp)
return
}
// Parse pubkey
pub, err := x509.ParsePKIXPublicKey(authResponse.PubKey)
if err != nil {
// TODO: Should log
w.WriteHeader(http.StatusInternalServerError)
errResp := &auth.ErrorResponse{
Message: fmt.Sprintf("Error getting pubkey for token verification: %s", err),
Status: http.StatusUnauthorized,
}
encoder := json.NewEncoder(w)
_ = encoder.Encode(&errResp)
return
}
// Validate token // Validate token
tokenString := strings.Split(authHeader, " ")[1] tokenString := strings.Split(authHeader, " ")[1]
token, err := jwt.ParseWithClaims(tokenString, &auth.MicrofilmClaims{}, func(t *jwt.Token) (interface{}, error) { return pub, nil }) token, err := jwt.ParseWithClaims(tokenString, &auth.MicrofilmClaims{}, func(t *jwt.Token) (interface{}, error) { return pub, nil })

View File

@ -1,3 +1,3 @@
package auth package auth
const Version = "v0.1.3" const Version = "v0.1.4"