influxdb/oauth2/jwt.go

package oauth2

import (
	"context"
	"fmt"
	"time"

	gojwt "github.com/dgrijalva/jwt-go"
)

// Test if JWT implements Authenticator
var _ Authenticator = &JWT{}

// JWT represents a javascript web token that can be validated or marshaled into string.
type JWT struct {
	Secret string
	Now    func() time.Time
}

// NewJWT creates a new JWT using time.Now; secret is used for signing and validating.
func NewJWT(secret string) JWT {
	return JWT{
		Secret: secret,
		Now:    time.Now,
	}
}

// Ensure Claims implements the jwt.Claims interface
var _ gojwt.Claims = &Claims{}

// Claims extends jwt.StandardClaims Valid to make sure claims has a subject.
type Claims struct {
	gojwt.StandardClaims
}

// Valid adds an empty subject test to the StandardClaims checks.
func (c *Claims) Valid() error {
	if err := c.StandardClaims.Valid(); err != nil {
		return err
	} else if c.StandardClaims.Subject == "" {
		return fmt.Errorf("claim has no subject")
	}
	return nil
}

// Authenticate checks if the jwtToken is signed correctly and validates with Claims.
func (j *JWT) Authenticate(ctx context.Context, jwtToken string) (Principal, error) {
	gojwt.TimeFunc = j.Now

	// Check for expected signing method.
	alg := func(token *gojwt.Token) (interface{}, error) {
		if _, ok := token.Method.(*gojwt.SigningMethodHMAC); !ok {
			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
		}
		return []byte(j.Secret), nil
	}

	// 1. Checks for expired tokens
	// 2. Checks if time is after the issued at
	// 3. Check if time is after not before (nbf)
	// 4. Check if subject is not empty
	token, err := gojwt.ParseWithClaims(jwtToken, &Claims{}, alg)
	if err != nil {
		return "", err
	} else if !token.Valid {
		return "", err
	}

	claims, ok := token.Claims.(*Claims)
	if !ok {
		return "", fmt.Errorf("unable to convert claims to standard claims")
	}

	return Principal(claims.Subject), nil
}

// Token creates a signed JWT token from user that expires at Now + duration
func (j *JWT) Token(ctx context.Context, user Principal, duration time.Duration) (string, error) {
	// Create a new token object, specifying signing method and the claims
	// you would like it to contain.
	now := j.Now().UTC()
	claims := &Claims{
		gojwt.StandardClaims{
			Subject:   string(user),
			ExpiresAt: now.Add(duration).Unix(),
			IssuedAt:  now.Unix(),
			NotBefore: now.Unix(),
		},
	}
	token := gojwt.NewWithClaims(gojwt.SigningMethodHS256, claims)

	// Sign and get the complete encoded token as a string using the secret
	return token.SignedString([]byte(j.Secret))
}
Reorganize OAuth2 Logic Created an oauth2 package which encapsulates all oauth2 providers, utility functions, types, and interfaces. Previously some methods of the Github provider were used as http.HandlerFuncs. These have now been pulled into a concrete type called a JWTMux to implement other Oauth2 providers. JWTMux has all of the functionality required to take a token from any provider and store it as a JWT in a browser, and that is the extent of its responsibilities. It implements the oauth2.Mux interface which would potentially allow other strategies of oauth2 credential storage. 2017-02-14 21:14:24 +00:00			`package oauth2`
Add Github OAuth, JWT cookie values, and principal in context. 2016-10-16 01:34:57 +00:00
			`import (`
Refactor to remove autogenerated code. 2016-10-25 15:20:06 +00:00			`"context"`
Add Github OAuth, JWT cookie values, and principal in context. 2016-10-16 01:34:57 +00:00			`"fmt"`
			`"time"`

			`gojwt "github.com/dgrijalva/jwt-go"`
			`)`

			`// Test if JWT implements Authenticator`
Reorganize OAuth2 Logic Created an oauth2 package which encapsulates all oauth2 providers, utility functions, types, and interfaces. Previously some methods of the Github provider were used as http.HandlerFuncs. These have now been pulled into a concrete type called a JWTMux to implement other Oauth2 providers. JWTMux has all of the functionality required to take a token from any provider and store it as a JWT in a browser, and that is the extent of its responsibilities. It implements the oauth2.Mux interface which would potentially allow other strategies of oauth2 credential storage. 2017-02-14 21:14:24 +00:00			`var _ Authenticator = &JWT{}`
Add Github OAuth, JWT cookie values, and principal in context. 2016-10-16 01:34:57 +00:00
			`// JWT represents a javascript web token that can be validated or marshaled into string.`
			`type JWT struct {`
			`Secret string`
			`Now func() time.Time`
			`}`

			`// NewJWT creates a new JWT using time.Now; secret is used for signing and validating.`
Fix NewJWT to return JWT rather than mrfusion.Authenticator 2016-10-19 22:56:58 +00:00			`func NewJWT(secret string) JWT {`
			`return JWT{`
Add Github OAuth, JWT cookie values, and principal in context. 2016-10-16 01:34:57 +00:00			`Secret: secret,`
			`Now: time.Now,`
			`}`
			`}`

			`// Ensure Claims implements the jwt.Claims interface`
			`var _ gojwt.Claims = &Claims{}`

			`// Claims extends jwt.StandardClaims Valid to make sure claims has a subject.`
			`type Claims struct {`
			`gojwt.StandardClaims`
			`}`

			`// Valid adds an empty subject test to the StandardClaims checks.`
			`func (c *Claims) Valid() error {`
			`if err := c.StandardClaims.Valid(); err != nil {`
			`return err`
			`} else if c.StandardClaims.Subject == "" {`
			`return fmt.Errorf("claim has no subject")`
			`}`
			`return nil`
			`}`

			`// Authenticate checks if the jwtToken is signed correctly and validates with Claims.`
Reorganize OAuth2 Logic Created an oauth2 package which encapsulates all oauth2 providers, utility functions, types, and interfaces. Previously some methods of the Github provider were used as http.HandlerFuncs. These have now been pulled into a concrete type called a JWTMux to implement other Oauth2 providers. JWTMux has all of the functionality required to take a token from any provider and store it as a JWT in a browser, and that is the extent of its responsibilities. It implements the oauth2.Mux interface which would potentially allow other strategies of oauth2 credential storage. 2017-02-14 21:14:24 +00:00			`func (j *JWT) Authenticate(ctx context.Context, jwtToken string) (Principal, error) {`
Add Github OAuth, JWT cookie values, and principal in context. 2016-10-16 01:34:57 +00:00			`gojwt.TimeFunc = j.Now`

			`// Check for expected signing method.`
			`alg := func(token *gojwt.Token) (interface{}, error) {`
			`if _, ok := token.Method.(*gojwt.SigningMethodHMAC); !ok {`
			`return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])`
			`}`
			`return []byte(j.Secret), nil`
			`}`

			`// 1. Checks for expired tokens`
			`// 2. Checks if time is after the issued at`
			`// 3. Check if time is after not before (nbf)`
			`// 4. Check if subject is not empty`
			`token, err := gojwt.ParseWithClaims(jwtToken, &Claims{}, alg)`
			`if err != nil {`
			`return "", err`
			`} else if !token.Valid {`
			`return "", err`
			`}`

			`claims, ok := token.Claims.(*Claims)`
			`if !ok {`
			`return "", fmt.Errorf("unable to convert claims to standard claims")`
			`}`

Reorganize OAuth2 Logic Created an oauth2 package which encapsulates all oauth2 providers, utility functions, types, and interfaces. Previously some methods of the Github provider were used as http.HandlerFuncs. These have now been pulled into a concrete type called a JWTMux to implement other Oauth2 providers. JWTMux has all of the functionality required to take a token from any provider and store it as a JWT in a browser, and that is the extent of its responsibilities. It implements the oauth2.Mux interface which would potentially allow other strategies of oauth2 credential storage. 2017-02-14 21:14:24 +00:00			`return Principal(claims.Subject), nil`
Add Github OAuth, JWT cookie values, and principal in context. 2016-10-16 01:34:57 +00:00			`}`

			`// Token creates a signed JWT token from user that expires at Now + duration`
Reorganize OAuth2 Logic Created an oauth2 package which encapsulates all oauth2 providers, utility functions, types, and interfaces. Previously some methods of the Github provider were used as http.HandlerFuncs. These have now been pulled into a concrete type called a JWTMux to implement other Oauth2 providers. JWTMux has all of the functionality required to take a token from any provider and store it as a JWT in a browser, and that is the extent of its responsibilities. It implements the oauth2.Mux interface which would potentially allow other strategies of oauth2 credential storage. 2017-02-14 21:14:24 +00:00			`func (j *JWT) Token(ctx context.Context, user Principal, duration time.Duration) (string, error) {`
Add Github OAuth, JWT cookie values, and principal in context. 2016-10-16 01:34:57 +00:00			`// Create a new token object, specifying signing method and the claims`
			`// you would like it to contain.`
Refactor to remove autogenerated code. 2016-10-25 15:20:06 +00:00			`now := j.Now().UTC()`
Add Github OAuth, JWT cookie values, and principal in context. 2016-10-16 01:34:57 +00:00			`claims := &Claims{`
			`gojwt.StandardClaims{`
			`Subject: string(user),`
			`ExpiresAt: now.Add(duration).Unix(),`
			`IssuedAt: now.Unix(),`
			`NotBefore: now.Unix(),`
			`},`
			`}`
			`token := gojwt.NewWithClaims(gojwt.SigningMethodHS256, claims)`

			`// Sign and get the complete encoded token as a string using the secret`
			`return token.SignedString([]byte(j.Secret))`
			`}`