niklas/s3browser-backend
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

jwt refresh

Browse Source
This commit is contained in:
Djeeberjr 2021-09-24 01:27:19 +02:00
parent 1337f6ba63
commit a3e66cd351
3 changed files with 91 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
internal/helper.go
View File

@ -5,6 +5,7 @@ import (
"fmt" "fmt"
"path/filepath" "path/filepath"
"strings" "strings"
"time"
"github.com/golang-jwt/jwt" "github.com/golang-jwt/jwt"
"github.com/graph-gophers/dataloader" "github.com/graph-gophers/dataloader"
@ -123,3 +124,18 @@ func isAuth(ctx context.Context) (bool, error) {
return false, extendError("UNAUTHORIZED", "Unauthorized") return false, extendError("UNAUTHORIZED", "Unauthorized")
} }
} }
func createJWT(claims *JWTClaims) *jwt.Token {
claims.ExpiresAt = time.Now().Add(time.Hour * 24).Unix()
return jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
}
func createClaims(username string) *JWTClaims {
return &JWTClaims{
StandardClaims: jwt.StandardClaims{
Subject: username,
},
}
}

123
internal/httpServer.go
View File

@ -7,10 +7,10 @@ import (
"mime" "mime"
"net/http" "net/http"
"path/filepath" "path/filepath"
"strings"
"time" "time"
"github.com/golang-jwt/jwt" "github.com/golang-jwt/jwt"
jwtRequest "github.com/golang-jwt/jwt/request"
"github.com/gorilla/mux" "github.com/gorilla/mux"
"github.com/graphql-go/graphql" "github.com/graphql-go/graphql"
"github.com/graphql-go/graphql/gqlerrors" "github.com/graphql-go/graphql/gqlerrors"
@ -24,6 +24,21 @@ type JWTClaims struct {
jwt.StandardClaims jwt.StandardClaims
} }
type CookieExtractor struct {
Name string
}
func (c *CookieExtractor) ExtractToken(req *http.Request) (string, error) {
cookie, err := req.Cookie(c.Name)
if err == nil && len(cookie.Value) != 0 {
return cookie.Value, nil
}
return "", jwtRequest.ErrNoTokenInRequest
}
// initHttp setup and start the http server. Blocking // initHttp setup and start the http server. Blocking
func initHttp(resolveContext context.Context, schema graphql.Schema, address string) error { func initHttp(resolveContext context.Context, schema graphql.Schema, address string) error {
r := mux.NewRouter() r := mux.NewRouter()
@ -47,16 +62,15 @@ func initHttp(resolveContext context.Context, schema graphql.Schema, address str
r.Use(func(h http.Handler) http.Handler { r.Use(func(h http.Handler) http.Handler {
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) { return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
token := getTokenFromRequest(r) parsedToken, err := jwtRequest.ParseFromRequestWithClaims(r, jwtRequest.MultiExtractor{
jwtRequest.AuthorizationHeaderExtractor,
&CookieExtractor{Name: "jwt"},
}, &JWTClaims{}, jwtKeyFunc)
if token != "" { if err == nil && parsedToken.Valid {
parsedToken, err := parseJWT(token) newRequest := r.WithContext(context.WithValue(r.Context(), "jwt", parsedToken))
h.ServeHTTP(rw, newRequest)
if err == nil && parsedToken.Valid { return
newRequest := r.WithContext(context.WithValue(r.Context(), "jwt", parsedToken))
h.ServeHTTP(rw, newRequest)
return
}
} }
h.ServeHTTP(rw, r) h.ServeHTTP(rw, r)
@ -80,6 +94,8 @@ func initHttp(resolveContext context.Context, schema graphql.Schema, address str
r.HandleFunc("/api/logout", logout).Methods("POST") r.HandleFunc("/api/logout", logout).Methods("POST")
r.HandleFunc("/api/refresh", refreshToken).Methods("POST")
// Init the embedded static files // Init the embedded static files
initStatic(r) initStatic(r)
@ -161,43 +177,11 @@ func httpPostFile(ctx context.Context, rw http.ResponseWriter, r *http.Request)
rw.WriteHeader(http.StatusCreated) rw.WriteHeader(http.StatusCreated)
} }
//parseJWT parse a JWT. does not check if token is valid. Returns error if non was provided func jwtKeyFunc(t *jwt.Token) (interface{}, error) {
func parseJWT(token string) (*jwt.Token, error) { if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
if token == "" { return nil, fmt.Errorf("Unexpected signing method: %v", t.Header["alg"])
return nil, fmt.Errorf("No token provided")
} }
return []byte("TODO"), nil
parsed, err := jwt.Parse(token, func(token *jwt.Token) (interface{}, error) {
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
}
return []byte("TODO"), nil
})
if err != nil {
return nil, err
}
return parsed, nil
}
//getTokenFromRequest looks for a JWT in the "Authorization" header or in the cookies
func getTokenFromRequest(r *http.Request) string {
// get token from header
authHeader := strings.Split(r.Header.Get("Authorization"), "Bearer ")
if len(authHeader) == 2 {
return authHeader[1]
}
// Get cookie from cookie
cookie, err := r.Cookie("jwt") //TODO: change cookie name
if err == nil && len(cookie.Value) != 0 {
return cookie.Value
}
return ""
} }
//setLoginCookie if provieded a valid JWT in the body then set a httpOnly cookie with the token //setLoginCookie if provieded a valid JWT in the body then set a httpOnly cookie with the token
@ -212,7 +196,7 @@ func setLoginCookie(rw http.ResponseWriter, r *http.Request) {
tokenString := string(body) tokenString := string(body)
token, err := parseJWT(tokenString) token, err := jwt.ParseWithClaims(tokenString, &JWTClaims{}, jwtKeyFunc)
if err != nil { if err != nil {
rw.WriteHeader(http.StatusInternalServerError) rw.WriteHeader(http.StatusInternalServerError)
@ -224,7 +208,7 @@ func setLoginCookie(rw http.ResponseWriter, r *http.Request) {
return return
} }
claims, ok := token.Claims.(jwt.MapClaims) claims, ok := token.Claims.(*JWTClaims)
if !ok { if !ok {
rw.WriteHeader(http.StatusInternalServerError) rw.WriteHeader(http.StatusInternalServerError)
@ -237,7 +221,7 @@ func setLoginCookie(rw http.ResponseWriter, r *http.Request) {
HttpOnly: true, HttpOnly: true,
SameSite: http.SameSiteStrictMode, SameSite: http.SameSiteStrictMode,
Path: "/api", Path: "/api",
Expires: time.Unix(int64(claims["exp"].(float64)), 0), Expires: time.Unix(claims.ExpiresAt, 0),
} }
http.SetCookie(rw, cookie) http.SetCookie(rw, cookie)
@ -260,3 +244,44 @@ func logout(rw http.ResponseWriter, r *http.Request) {
rw.WriteHeader(http.StatusNoContent) rw.WriteHeader(http.StatusNoContent)
} }
func refreshToken(rw http.ResponseWriter, r *http.Request) {
if is, _ := isAuth(r.Context()); !is {
rw.WriteHeader(http.StatusUnauthorized)
return
}
oldToken, ok := r.Context().Value("jwt").(*jwt.Token)
if !ok {
rw.WriteHeader(http.StatusInternalServerError)
return
}
claims, ok := oldToken.Claims.(*JWTClaims)
if !ok {
rw.WriteHeader(http.StatusInternalServerError)
return
}
token := createJWT(claims)
tokenString, err := token.SignedString([]byte("TODO"))
if err != nil {
rw.WriteHeader(http.StatusInternalServerError)
return
}
cookie := &http.Cookie{
Name: "jwt",
Value: tokenString,
HttpOnly: true,
SameSite: http.SameSiteStrictMode,
Path: "/api",
Expires: time.Unix(int64(claims.ExpiresAt), 0),
}
http.SetCookie(rw, cookie)
}

9
internal/mutations.go
View File

@ -4,9 +4,7 @@ import (
"context" "context"
"fmt" "fmt"
"strings" "strings"
"time"
"github.com/golang-jwt/jwt"
"github.com/graph-gophers/dataloader" "github.com/graph-gophers/dataloader"
"github.com/minio/minio-go/v7" "github.com/minio/minio-go/v7"
) )
@ -202,12 +200,7 @@ func login(ctx context.Context, username, password string) (LoginResult, error)
}, nil }, nil
} }
token := jwt.NewWithClaims(jwt.SigningMethodHS256, JWTClaims{ token := createJWT(createClaims(username))
StandardClaims: jwt.StandardClaims{
Subject: username,
ExpiresAt: time.Now().Add(time.Hour * 24).Unix(),
},
})
tokenString, err := token.SignedString([]byte("TODO")) tokenString, err := token.SignedString([]byte("TODO"))