Add custom claims #5

Merged
torjus merged 1 commits from feature/4-custom-claims into master 2022-01-20 12:34:27 +00:00
5 changed files with 39 additions and 15 deletions

View File

@ -16,6 +16,7 @@ type authCtxKey int
const ( const (
authCtxUsername authCtxKey = iota authCtxUsername authCtxKey = iota
authCtxAuthLevel authCtxAuthLevel
authCtxClaims
) )
func (s *HTTPServer) MiddlewareAccessLogger(next http.Handler) http.Handler { func (s *HTTPServer) MiddlewareAccessLogger(next http.Handler) http.Handler {
@ -66,7 +67,8 @@ func (s *HTTPServer) MiddlewareAuthentication(next http.Handler) http.Handler {
} }
ctx := context.WithValue(r.Context(), authCtxUsername, claims.Subject) ctx := context.WithValue(r.Context(), authCtxUsername, claims.Subject)
ctx = context.WithValue(ctx, authCtxAuthLevel, gpaste.AuthLevelUser) ctx = context.WithValue(ctx, authCtxAuthLevel, claims.Role)
ctx = context.WithValue(ctx, authCtxClaims, claims)
withCtx := r.WithContext(ctx) withCtx := r.WithContext(ctx)
s.Logger.Debugw("Request is authenticated.", "req_id", reqID, "username", claims.Subject) s.Logger.Debugw("Request is authenticated.", "req_id", reqID, "username", claims.Subject)
@ -79,7 +81,6 @@ func (s *HTTPServer) MiddlewareAuthentication(next http.Handler) http.Handler {
func UsernameFromRequest(r *http.Request) (string, error) { func UsernameFromRequest(r *http.Request) (string, error) {
rawUsername := r.Context().Value(authCtxUsername) rawUsername := r.Context().Value(authCtxUsername)
if rawUsername == nil { if rawUsername == nil {
return "", fmt.Errorf("no username") return "", fmt.Errorf("no username")
} }
username, ok := rawUsername.(string) username, ok := rawUsername.(string)
@ -100,3 +101,15 @@ func AuthLevelFromRequest(r *http.Request) (gpaste.AuthLevel, error) {
} }
return level, nil return level, nil
} }
func ClaimsFromRequest(r *http.Request) *gpaste.Claims {
rawClaims := r.Context().Value(authCtxAuthLevel)
if rawClaims == nil {
return nil
}
claims, ok := rawClaims.(*gpaste.Claims)
if !ok {
return nil
}
return claims
}

24
auth.go
View File

@ -22,6 +22,12 @@ type AuthService struct {
hmacSecret []byte hmacSecret []byte
} }
type Claims struct {
Role users.Role `json:"role,omitempty"`
jwt.StandardClaims
}
func NewAuthService(store users.UserStore, signingSecret []byte) *AuthService { func NewAuthService(store users.UserStore, signingSecret []byte) *AuthService {
return &AuthService{users: store, hmacSecret: signingSecret} return &AuthService{users: store, hmacSecret: signingSecret}
} }
@ -37,13 +43,13 @@ func (as *AuthService) Login(username, password string) (string, error) {
} }
// TODO: Set iss and aud // TODO: Set iss and aud
claims := jwt.StandardClaims{ claims := new(Claims)
Subject: user.Username, claims.Subject = user.Username
ExpiresAt: time.Now().Add(7 * 24 * time.Hour).Unix(), claims.ExpiresAt = time.Now().Add(7 * 24 * time.Hour).Unix()
NotBefore: time.Now().Unix(), claims.NotBefore = time.Now().Unix()
IssuedAt: time.Now().Unix(), claims.IssuedAt = time.Now().Unix()
Id: uuid.NewString(), claims.Id = uuid.NewString()
} claims.Role = user.Role
token := jwt.NewWithClaims(jwt.GetSigningMethod("HS256"), claims) token := jwt.NewWithClaims(jwt.GetSigningMethod("HS256"), claims)
signed, err := token.SignedString(as.hmacSecret) signed, err := token.SignedString(as.hmacSecret)
@ -54,8 +60,8 @@ func (as *AuthService) Login(username, password string) (string, error) {
return signed, nil return signed, nil
} }
func (as *AuthService) ValidateToken(rawToken string) (*jwt.StandardClaims, error) { func (as *AuthService) ValidateToken(rawToken string) (*Claims, error) {
claims := &jwt.StandardClaims{} claims := &Claims{}
token, err := jwt.ParseWithClaims(rawToken, claims, func(t *jwt.Token) (interface{}, error) { token, err := jwt.ParseWithClaims(rawToken, claims, func(t *jwt.Token) (interface{}, error) {
return as.hmacSecret, nil return as.hmacSecret, nil
}) })

View File

@ -6,6 +6,7 @@ import (
"git.t-juice.club/torjus/gpaste" "git.t-juice.club/torjus/gpaste"
"git.t-juice.club/torjus/gpaste/users" "git.t-juice.club/torjus/gpaste/users"
"github.com/google/go-cmp/cmp"
) )
func TestAuth(t *testing.T) { func TestAuth(t *testing.T) {
@ -17,7 +18,7 @@ func TestAuth(t *testing.T) {
username := randomString(8) username := randomString(8)
password := randomString(16) password := randomString(16)
user := &users.User{Username: username} user := &users.User{Username: username, Role: users.RoleAdmin}
if err := user.SetPassword(password); err != nil { if err := user.SetPassword(password); err != nil {
t.Fatalf("error setting user password: %s", err) t.Fatalf("error setting user password: %s", err)
} }
@ -30,9 +31,13 @@ func TestAuth(t *testing.T) {
t.Fatalf("Error creating token: %s", err) t.Fatalf("Error creating token: %s", err)
} }
if _, err := as.ValidateToken(token); err != nil { claims, err := as.ValidateToken(token)
if err != nil {
t.Fatalf("Error validating token: %s", err) t.Fatalf("Error validating token: %s", err)
} }
if claims.Role != user.Role {
t.Fatalf("Token role is not correct: %s", cmp.Diff(claims.Role, user.Role))
}
invalidToken := `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NDMyMjk3NjMsImp0aSI6ImUzNDk5NWI1LThiZmMtNDQyNy1iZDgxLWFmNmQ3OTRiYzM0YiIsImlhdCI6MTY0MjYyNDk2MywibmJmIjoxNjQyNjI0OTYzLCJzdWIiOiJYdE5Hemt5ZSJ9.VM6dkwSLaBv8cStkWRVVv9ADjdUrHGHrlB7GB7Ly7n8` invalidToken := `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NDMyMjk3NjMsImp0aSI6ImUzNDk5NWI1LThiZmMtNDQyNy1iZDgxLWFmNmQ3OTRiYzM0YiIsImlhdCI6MTY0MjYyNDk2MywibmJmIjoxNjQyNjI0OTYzLCJzdWIiOiJYdE5Hemt5ZSJ9.VM6dkwSLaBv8cStkWRVVv9ADjdUrHGHrlB7GB7Ly7n8`
if _, err := as.ValidateToken(invalidToken); err == nil { if _, err := as.ValidateToken(invalidToken); err == nil {
t.Fatalf("Invalid token passed validation") t.Fatalf("Invalid token passed validation")

View File

@ -13,7 +13,7 @@ const (
type User struct { type User struct {
Username string `json:"username"` Username string `json:"username"`
HashedPassword []byte `json:"hashed_password"` HashedPassword []byte `json:"hashed_password"`
Roles []Role `json:"roles"` Role Role `json:"role"`
} }
type UserStore interface { type UserStore interface {

View File

@ -20,7 +20,7 @@ func RunUserStoreTest(newFunc func() (func(), users.UserStore), t *testing.T) {
passwordMap[username] = password passwordMap[username] = password
user := &users.User{ user := &users.User{
Username: username, Username: username,
Roles: []users.Role{users.RoleAdmin}, Role: users.RoleAdmin,
} }
if err := user.SetPassword(password); err != nil { if err := user.SetPassword(password); err != nil {
t.Fatalf("Error setting password: %s", err) t.Fatalf("Error setting password: %s", err)