Mainflux.mainflux/authn/jwt/tokenizer.go

97 lines
2.0 KiB
Go

// Copyright (c) Mainflux
// SPDX-License-Identifier: Apache-2.0
package jwt
import (
"time"
"github.com/dgrijalva/jwt-go"
"github.com/mainflux/mainflux/authn"
)
type claims struct {
jwt.StandardClaims
Type *uint32 `json:"type,omitempty"`
}
func (c claims) Valid() error {
if c.Type == nil || *c.Type > authn.APIKey {
return authn.ErrMalformedEntity
}
return c.StandardClaims.Valid()
}
type tokenizer struct {
secret string
}
// New returns new JWT Tokenizer.
func New(secret string) authn.Tokenizer {
return tokenizer{secret: secret}
}
func (svc tokenizer) Issue(key authn.Key) (string, error) {
claims := claims{
StandardClaims: jwt.StandardClaims{
Issuer: key.Issuer,
Subject: key.Secret,
IssuedAt: key.IssuedAt.UTC().Unix(),
},
Type: &key.Type,
}
if !key.ExpiresAt.IsZero() {
claims.ExpiresAt = key.ExpiresAt.UTC().Unix()
}
if key.ID != "" {
claims.Id = key.ID
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
return token.SignedString([]byte(svc.secret))
}
func (svc tokenizer) Parse(token string) (authn.Key, error) {
c := claims{}
_, err := jwt.ParseWithClaims(token, &c, func(token *jwt.Token) (interface{}, error) {
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, authn.ErrUnauthorizedAccess
}
return []byte(svc.secret), nil
})
if err != nil {
if e, ok := err.(*jwt.ValidationError); ok && e.Errors == jwt.ValidationErrorExpired {
// Expired User key needs to be revoked.
if c.Type != nil && *c.Type == authn.APIKey {
return c.toKey(), nil
}
return authn.Key{}, authn.ErrKeyExpired
}
return authn.Key{}, authn.ErrUnauthorizedAccess
}
return c.toKey(), nil
}
func (c claims) toKey() authn.Key {
key := authn.Key{
ID: c.Id,
Issuer: c.Issuer,
Secret: c.Subject,
IssuedAt: time.Unix(c.IssuedAt, 0).UTC(),
}
if c.ExpiresAt != 0 {
key.ExpiresAt = time.Unix(c.ExpiresAt, 0).UTC()
}
// Default type is 0.
if c.Type != nil {
key.Type = *c.Type
}
return key
}