jwt refresh
This commit is contained in:
parent
1337f6ba63
commit
a3e66cd351
@ -5,6 +5,7 @@ import (
|
||||
"fmt"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/golang-jwt/jwt"
|
||||
"github.com/graph-gophers/dataloader"
|
||||
@ -123,3 +124,18 @@ func isAuth(ctx context.Context) (bool, error) {
|
||||
return false, extendError("UNAUTHORIZED", "Unauthorized")
|
||||
}
|
||||
}
|
||||
|
||||
func createJWT(claims *JWTClaims) *jwt.Token {
|
||||
|
||||
claims.ExpiresAt = time.Now().Add(time.Hour * 24).Unix()
|
||||
|
||||
return jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
||||
}
|
||||
|
||||
func createClaims(username string) *JWTClaims {
|
||||
return &JWTClaims{
|
||||
StandardClaims: jwt.StandardClaims{
|
||||
Subject: username,
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
@ -7,10 +7,10 @@ import (
|
||||
"mime"
|
||||
"net/http"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/golang-jwt/jwt"
|
||||
jwtRequest "github.com/golang-jwt/jwt/request"
|
||||
"github.com/gorilla/mux"
|
||||
"github.com/graphql-go/graphql"
|
||||
"github.com/graphql-go/graphql/gqlerrors"
|
||||
@ -24,6 +24,21 @@ type JWTClaims struct {
|
||||
jwt.StandardClaims
|
||||
}
|
||||
|
||||
type CookieExtractor struct {
|
||||
Name string
|
||||
}
|
||||
|
||||
func (c *CookieExtractor) ExtractToken(req *http.Request) (string, error) {
|
||||
cookie, err := req.Cookie(c.Name)
|
||||
|
||||
if err == nil && len(cookie.Value) != 0 {
|
||||
return cookie.Value, nil
|
||||
}
|
||||
|
||||
return "", jwtRequest.ErrNoTokenInRequest
|
||||
|
||||
}
|
||||
|
||||
// initHttp setup and start the http server. Blocking
|
||||
func initHttp(resolveContext context.Context, schema graphql.Schema, address string) error {
|
||||
r := mux.NewRouter()
|
||||
@ -47,16 +62,15 @@ func initHttp(resolveContext context.Context, schema graphql.Schema, address str
|
||||
r.Use(func(h http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
||||
|
||||
token := getTokenFromRequest(r)
|
||||
parsedToken, err := jwtRequest.ParseFromRequestWithClaims(r, jwtRequest.MultiExtractor{
|
||||
jwtRequest.AuthorizationHeaderExtractor,
|
||||
&CookieExtractor{Name: "jwt"},
|
||||
}, &JWTClaims{}, jwtKeyFunc)
|
||||
|
||||
if token != "" {
|
||||
parsedToken, err := parseJWT(token)
|
||||
|
||||
if err == nil && parsedToken.Valid {
|
||||
newRequest := r.WithContext(context.WithValue(r.Context(), "jwt", parsedToken))
|
||||
h.ServeHTTP(rw, newRequest)
|
||||
return
|
||||
}
|
||||
if err == nil && parsedToken.Valid {
|
||||
newRequest := r.WithContext(context.WithValue(r.Context(), "jwt", parsedToken))
|
||||
h.ServeHTTP(rw, newRequest)
|
||||
return
|
||||
}
|
||||
|
||||
h.ServeHTTP(rw, r)
|
||||
@ -80,6 +94,8 @@ func initHttp(resolveContext context.Context, schema graphql.Schema, address str
|
||||
|
||||
r.HandleFunc("/api/logout", logout).Methods("POST")
|
||||
|
||||
r.HandleFunc("/api/refresh", refreshToken).Methods("POST")
|
||||
|
||||
// Init the embedded static files
|
||||
initStatic(r)
|
||||
|
||||
@ -161,43 +177,11 @@ func httpPostFile(ctx context.Context, rw http.ResponseWriter, r *http.Request)
|
||||
rw.WriteHeader(http.StatusCreated)
|
||||
}
|
||||
|
||||
//parseJWT parse a JWT. does not check if token is valid. Returns error if non was provided
|
||||
func parseJWT(token string) (*jwt.Token, error) {
|
||||
if token == "" {
|
||||
return nil, fmt.Errorf("No token provided")
|
||||
func jwtKeyFunc(t *jwt.Token) (interface{}, error) {
|
||||
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
|
||||
return nil, fmt.Errorf("Unexpected signing method: %v", t.Header["alg"])
|
||||
}
|
||||
|
||||
parsed, err := jwt.Parse(token, func(token *jwt.Token) (interface{}, error) {
|
||||
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
|
||||
return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
|
||||
}
|
||||
return []byte("TODO"), nil
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return parsed, nil
|
||||
|
||||
}
|
||||
|
||||
//getTokenFromRequest looks for a JWT in the "Authorization" header or in the cookies
|
||||
func getTokenFromRequest(r *http.Request) string {
|
||||
// get token from header
|
||||
authHeader := strings.Split(r.Header.Get("Authorization"), "Bearer ")
|
||||
if len(authHeader) == 2 {
|
||||
return authHeader[1]
|
||||
}
|
||||
|
||||
// Get cookie from cookie
|
||||
cookie, err := r.Cookie("jwt") //TODO: change cookie name
|
||||
|
||||
if err == nil && len(cookie.Value) != 0 {
|
||||
return cookie.Value
|
||||
}
|
||||
|
||||
return ""
|
||||
return []byte("TODO"), nil
|
||||
}
|
||||
|
||||
//setLoginCookie if provieded a valid JWT in the body then set a httpOnly cookie with the token
|
||||
@ -212,7 +196,7 @@ func setLoginCookie(rw http.ResponseWriter, r *http.Request) {
|
||||
|
||||
tokenString := string(body)
|
||||
|
||||
token, err := parseJWT(tokenString)
|
||||
token, err := jwt.ParseWithClaims(tokenString, &JWTClaims{}, jwtKeyFunc)
|
||||
|
||||
if err != nil {
|
||||
rw.WriteHeader(http.StatusInternalServerError)
|
||||
@ -224,7 +208,7 @@ func setLoginCookie(rw http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
claims, ok := token.Claims.(jwt.MapClaims)
|
||||
claims, ok := token.Claims.(*JWTClaims)
|
||||
|
||||
if !ok {
|
||||
rw.WriteHeader(http.StatusInternalServerError)
|
||||
@ -237,7 +221,7 @@ func setLoginCookie(rw http.ResponseWriter, r *http.Request) {
|
||||
HttpOnly: true,
|
||||
SameSite: http.SameSiteStrictMode,
|
||||
Path: "/api",
|
||||
Expires: time.Unix(int64(claims["exp"].(float64)), 0),
|
||||
Expires: time.Unix(claims.ExpiresAt, 0),
|
||||
}
|
||||
|
||||
http.SetCookie(rw, cookie)
|
||||
@ -260,3 +244,44 @@ func logout(rw http.ResponseWriter, r *http.Request) {
|
||||
|
||||
rw.WriteHeader(http.StatusNoContent)
|
||||
}
|
||||
|
||||
func refreshToken(rw http.ResponseWriter, r *http.Request) {
|
||||
if is, _ := isAuth(r.Context()); !is {
|
||||
rw.WriteHeader(http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
oldToken, ok := r.Context().Value("jwt").(*jwt.Token)
|
||||
|
||||
if !ok {
|
||||
rw.WriteHeader(http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
claims, ok := oldToken.Claims.(*JWTClaims)
|
||||
|
||||
if !ok {
|
||||
rw.WriteHeader(http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
token := createJWT(claims)
|
||||
|
||||
tokenString, err := token.SignedString([]byte("TODO"))
|
||||
|
||||
if err != nil {
|
||||
rw.WriteHeader(http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
cookie := &http.Cookie{
|
||||
Name: "jwt",
|
||||
Value: tokenString,
|
||||
HttpOnly: true,
|
||||
SameSite: http.SameSiteStrictMode,
|
||||
Path: "/api",
|
||||
Expires: time.Unix(int64(claims.ExpiresAt), 0),
|
||||
}
|
||||
|
||||
http.SetCookie(rw, cookie)
|
||||
}
|
||||
|
||||
@ -4,9 +4,7 @@ import (
|
||||
"context"
|
||||
"fmt"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/golang-jwt/jwt"
|
||||
"github.com/graph-gophers/dataloader"
|
||||
"github.com/minio/minio-go/v7"
|
||||
)
|
||||
@ -202,12 +200,7 @@ func login(ctx context.Context, username, password string) (LoginResult, error)
|
||||
}, nil
|
||||
}
|
||||
|
||||
token := jwt.NewWithClaims(jwt.SigningMethodHS256, JWTClaims{
|
||||
StandardClaims: jwt.StandardClaims{
|
||||
Subject: username,
|
||||
ExpiresAt: time.Now().Add(time.Hour * 24).Unix(),
|
||||
},
|
||||
})
|
||||
token := createJWT(createClaims(username))
|
||||
|
||||
tokenString, err := token.SignedString([]byte("TODO"))
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user