Add custom claims
This commit is contained in:
parent
e0850233dc
commit
6fdd55def8
@ -16,6 +16,7 @@ type authCtxKey int
|
|||||||
const (
|
const (
|
||||||
authCtxUsername authCtxKey = iota
|
authCtxUsername authCtxKey = iota
|
||||||
authCtxAuthLevel
|
authCtxAuthLevel
|
||||||
|
authCtxClaims
|
||||||
)
|
)
|
||||||
|
|
||||||
func (s *HTTPServer) MiddlewareAccessLogger(next http.Handler) http.Handler {
|
func (s *HTTPServer) MiddlewareAccessLogger(next http.Handler) http.Handler {
|
||||||
@ -66,7 +67,8 @@ func (s *HTTPServer) MiddlewareAuthentication(next http.Handler) http.Handler {
|
|||||||
}
|
}
|
||||||
|
|
||||||
ctx := context.WithValue(r.Context(), authCtxUsername, claims.Subject)
|
ctx := context.WithValue(r.Context(), authCtxUsername, claims.Subject)
|
||||||
ctx = context.WithValue(ctx, authCtxAuthLevel, gpaste.AuthLevelUser)
|
ctx = context.WithValue(ctx, authCtxAuthLevel, claims.Role)
|
||||||
|
ctx = context.WithValue(ctx, authCtxClaims, claims)
|
||||||
withCtx := r.WithContext(ctx)
|
withCtx := r.WithContext(ctx)
|
||||||
s.Logger.Debugw("Request is authenticated.", "req_id", reqID, "username", claims.Subject)
|
s.Logger.Debugw("Request is authenticated.", "req_id", reqID, "username", claims.Subject)
|
||||||
|
|
||||||
@ -79,7 +81,6 @@ func (s *HTTPServer) MiddlewareAuthentication(next http.Handler) http.Handler {
|
|||||||
func UsernameFromRequest(r *http.Request) (string, error) {
|
func UsernameFromRequest(r *http.Request) (string, error) {
|
||||||
rawUsername := r.Context().Value(authCtxUsername)
|
rawUsername := r.Context().Value(authCtxUsername)
|
||||||
if rawUsername == nil {
|
if rawUsername == nil {
|
||||||
|
|
||||||
return "", fmt.Errorf("no username")
|
return "", fmt.Errorf("no username")
|
||||||
}
|
}
|
||||||
username, ok := rawUsername.(string)
|
username, ok := rawUsername.(string)
|
||||||
@ -100,3 +101,15 @@ func AuthLevelFromRequest(r *http.Request) (gpaste.AuthLevel, error) {
|
|||||||
}
|
}
|
||||||
return level, nil
|
return level, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func ClaimsFromRequest(r *http.Request) *gpaste.Claims {
|
||||||
|
rawClaims := r.Context().Value(authCtxAuthLevel)
|
||||||
|
if rawClaims == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
claims, ok := rawClaims.(*gpaste.Claims)
|
||||||
|
if !ok {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return claims
|
||||||
|
}
|
||||||
|
|||||||
24
auth.go
24
auth.go
@ -22,6 +22,12 @@ type AuthService struct {
|
|||||||
hmacSecret []byte
|
hmacSecret []byte
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type Claims struct {
|
||||||
|
Role users.Role `json:"role,omitempty"`
|
||||||
|
|
||||||
|
jwt.StandardClaims
|
||||||
|
}
|
||||||
|
|
||||||
func NewAuthService(store users.UserStore, signingSecret []byte) *AuthService {
|
func NewAuthService(store users.UserStore, signingSecret []byte) *AuthService {
|
||||||
return &AuthService{users: store, hmacSecret: signingSecret}
|
return &AuthService{users: store, hmacSecret: signingSecret}
|
||||||
}
|
}
|
||||||
@ -37,13 +43,13 @@ func (as *AuthService) Login(username, password string) (string, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// TODO: Set iss and aud
|
// TODO: Set iss and aud
|
||||||
claims := jwt.StandardClaims{
|
claims := new(Claims)
|
||||||
Subject: user.Username,
|
claims.Subject = user.Username
|
||||||
ExpiresAt: time.Now().Add(7 * 24 * time.Hour).Unix(),
|
claims.ExpiresAt = time.Now().Add(7 * 24 * time.Hour).Unix()
|
||||||
NotBefore: time.Now().Unix(),
|
claims.NotBefore = time.Now().Unix()
|
||||||
IssuedAt: time.Now().Unix(),
|
claims.IssuedAt = time.Now().Unix()
|
||||||
Id: uuid.NewString(),
|
claims.Id = uuid.NewString()
|
||||||
}
|
claims.Role = user.Role
|
||||||
|
|
||||||
token := jwt.NewWithClaims(jwt.GetSigningMethod("HS256"), claims)
|
token := jwt.NewWithClaims(jwt.GetSigningMethod("HS256"), claims)
|
||||||
signed, err := token.SignedString(as.hmacSecret)
|
signed, err := token.SignedString(as.hmacSecret)
|
||||||
@ -54,8 +60,8 @@ func (as *AuthService) Login(username, password string) (string, error) {
|
|||||||
return signed, nil
|
return signed, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (as *AuthService) ValidateToken(rawToken string) (*jwt.StandardClaims, error) {
|
func (as *AuthService) ValidateToken(rawToken string) (*Claims, error) {
|
||||||
claims := &jwt.StandardClaims{}
|
claims := &Claims{}
|
||||||
token, err := jwt.ParseWithClaims(rawToken, claims, func(t *jwt.Token) (interface{}, error) {
|
token, err := jwt.ParseWithClaims(rawToken, claims, func(t *jwt.Token) (interface{}, error) {
|
||||||
return as.hmacSecret, nil
|
return as.hmacSecret, nil
|
||||||
})
|
})
|
||||||
|
|||||||
@ -6,6 +6,7 @@ import (
|
|||||||
|
|
||||||
"git.t-juice.club/torjus/gpaste"
|
"git.t-juice.club/torjus/gpaste"
|
||||||
"git.t-juice.club/torjus/gpaste/users"
|
"git.t-juice.club/torjus/gpaste/users"
|
||||||
|
"github.com/google/go-cmp/cmp"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestAuth(t *testing.T) {
|
func TestAuth(t *testing.T) {
|
||||||
@ -17,7 +18,7 @@ func TestAuth(t *testing.T) {
|
|||||||
username := randomString(8)
|
username := randomString(8)
|
||||||
password := randomString(16)
|
password := randomString(16)
|
||||||
|
|
||||||
user := &users.User{Username: username}
|
user := &users.User{Username: username, Role: users.RoleAdmin}
|
||||||
if err := user.SetPassword(password); err != nil {
|
if err := user.SetPassword(password); err != nil {
|
||||||
t.Fatalf("error setting user password: %s", err)
|
t.Fatalf("error setting user password: %s", err)
|
||||||
}
|
}
|
||||||
@ -30,9 +31,13 @@ func TestAuth(t *testing.T) {
|
|||||||
t.Fatalf("Error creating token: %s", err)
|
t.Fatalf("Error creating token: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if _, err := as.ValidateToken(token); err != nil {
|
claims, err := as.ValidateToken(token)
|
||||||
|
if err != nil {
|
||||||
t.Fatalf("Error validating token: %s", err)
|
t.Fatalf("Error validating token: %s", err)
|
||||||
}
|
}
|
||||||
|
if claims.Role != user.Role {
|
||||||
|
t.Fatalf("Token role is not correct: %s", cmp.Diff(claims.Role, user.Role))
|
||||||
|
}
|
||||||
invalidToken := `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NDMyMjk3NjMsImp0aSI6ImUzNDk5NWI1LThiZmMtNDQyNy1iZDgxLWFmNmQ3OTRiYzM0YiIsImlhdCI6MTY0MjYyNDk2MywibmJmIjoxNjQyNjI0OTYzLCJzdWIiOiJYdE5Hemt5ZSJ9.VM6dkwSLaBv8cStkWRVVv9ADjdUrHGHrlB7GB7Ly7n8`
|
invalidToken := `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NDMyMjk3NjMsImp0aSI6ImUzNDk5NWI1LThiZmMtNDQyNy1iZDgxLWFmNmQ3OTRiYzM0YiIsImlhdCI6MTY0MjYyNDk2MywibmJmIjoxNjQyNjI0OTYzLCJzdWIiOiJYdE5Hemt5ZSJ9.VM6dkwSLaBv8cStkWRVVv9ADjdUrHGHrlB7GB7Ly7n8`
|
||||||
if _, err := as.ValidateToken(invalidToken); err == nil {
|
if _, err := as.ValidateToken(invalidToken); err == nil {
|
||||||
t.Fatalf("Invalid token passed validation")
|
t.Fatalf("Invalid token passed validation")
|
||||||
|
|||||||
@ -13,7 +13,7 @@ const (
|
|||||||
type User struct {
|
type User struct {
|
||||||
Username string `json:"username"`
|
Username string `json:"username"`
|
||||||
HashedPassword []byte `json:"hashed_password"`
|
HashedPassword []byte `json:"hashed_password"`
|
||||||
Roles []Role `json:"roles"`
|
Role Role `json:"role"`
|
||||||
}
|
}
|
||||||
|
|
||||||
type UserStore interface {
|
type UserStore interface {
|
||||||
|
|||||||
@ -20,7 +20,7 @@ func RunUserStoreTest(newFunc func() (func(), users.UserStore), t *testing.T) {
|
|||||||
passwordMap[username] = password
|
passwordMap[username] = password
|
||||||
user := &users.User{
|
user := &users.User{
|
||||||
Username: username,
|
Username: username,
|
||||||
Roles: []users.Role{users.RoleAdmin},
|
Role: users.RoleAdmin,
|
||||||
}
|
}
|
||||||
if err := user.SetPassword(password); err != nil {
|
if err := user.SetPassword(password); err != nil {
|
||||||
t.Fatalf("Error setting password: %s", err)
|
t.Fatalf("Error setting password: %s", err)
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user