Skip to content
Snippets Groups Projects
Normal view Permalink
jwt.go 5.5 KiB
Newer Older
Jano Hendriks's avatar
Add JWT functions
Jano Hendriks committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 
package auth

import (
	"encoding/json"
	"github.com/golang-jwt/jwt/v4"
	"gitlab.bob.co.za/bob-public-utils/bobgroup-go-utils/date_utils"
	"gitlab.bob.co.za/bob-public-utils/bobgroup-go-utils/errors"
	"net/http"
	"time"
)

type JsonWebToken struct {
	UserID     string    `json:"user_id"`
	ProviderID int64     `json:"provider_id,omitempty"`
	ExpiryDate time.Time `json:"expiry_date"`
}
Jano Hendriks's avatar
Add session token functions for JWT  
Jano Hendriks committed
18 19 20 21 22 23 24 
// GenerateJWTWithSessionToken first signs the session token with the secret key, then takes the payload and generates a
// signed JWT using the resulting signed session token
func GenerateJWTWithSessionToken(payload JsonWebToken, secretKey string, sessionToken string) (string, error) {
	signedSessionToken := SignSessionTokenWithKey(secretKey, sessionToken)
	return GenerateJWT(payload, signedSessionToken)
}
Jano Hendriks's avatar
Add JWT functions
Jano Hendriks committed
25 
// GenerateJWT takes the payload and generates a signed JWT using the provided secret
Jano Hendriks's avatar
Add session token functions for JWT  
Jano Hendriks committed
26 
func GenerateJWT(payload JsonWebToken, secretKey string) (string, error) {
Jano Hendriks's avatar
Add JWT functions
Jano Hendriks committed
27 28 29 30 31 32 33 34 35 36 37 38 39 40 
	// Convert the JsonWebToken to a map[string]interface{}
	tokenBytes, err := json.Marshal(payload)
	if err != nil {
		return "", err
	}

	tokenMap := make(map[string]interface{})
	err = json.Unmarshal(tokenBytes, &tokenMap)
	if err != nil {
		return "", err
	}

	// Create the signed token
	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims(tokenMap))
Jano Hendriks's avatar
Add session token functions for JWT  
Jano Hendriks committed
41 
	tokenString, err := token.SignedString([]byte(secretKey))
Jano Hendriks's avatar
Add JWT functions
Jano Hendriks committed
42 43 44 45 46 47 48 
	if err != nil {
		return "", err
	}

	return tokenString, nil
}
Jano Hendriks's avatar
Add session token functions for JWT  
Jano Hendriks committed
49 
func getJsonWebTokenFromTokenClaims(token *jwt.Token, checkValidity bool) (JsonWebToken, error) {
Jano Hendriks's avatar
Add JWT functions
Jano Hendriks committed
50 51 52 53 54 
	if token == nil {
		return JsonWebToken{}, errors.Error("could not get token from token string")
	}

	claims, ok := token.Claims.(jwt.MapClaims)
Jano Hendriks's avatar
Add session token functions for JWT  
Jano Hendriks committed
55 
	if !ok || (checkValidity && token.Valid == false) {
Jano Hendriks's avatar
Add JWT functions
Jano Hendriks committed
56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 
		return JsonWebToken{}, errors.Error("invalid token")
	}

	// Convert the MapClaims to a JsonWebToken
	claimsBytes, err := json.Marshal(claims)
	if err != nil {
		return JsonWebToken{}, err
	}

	var jsonWebToken JsonWebToken
	err = json.Unmarshal(claimsBytes, &jsonWebToken)
	if err != nil {
		return JsonWebToken{}, err
	}
Jano Hendriks's avatar
Add session token functions for JWT  
Jano Hendriks committed
71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 
	return jsonWebToken, nil
}

// ValidateJWTWithSessionToken first signs the session token using the secret key, then parses the JWT and validates
// that it is signed correctly
func ValidateJWTWithSessionToken(jsonWebTokenString string, secretKey string, sessionToken string) (JsonWebToken, error) {
	// Sign the session token with the secret key - this prevents the JWT from being used by other sessions
	signedSecret := SignSessionTokenWithKey(secretKey, sessionToken)
	return ValidateJWT(jsonWebTokenString, signedSecret)
}

// ValidateJWT parses the JWT and validates that it is signed correctly
func ValidateJWT(jsonWebTokenString string, secretKey string) (JsonWebToken, error) {
	// Validate the
	token, err := jwt.Parse(jsonWebTokenString, func(token *jwt.Token) (interface{}, error) {
		// Validate the signing method
		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
			return nil, errors.Errorf("unexpected signing method: %v", token.Header["alg"])
		}

		return []byte(secretKey), nil
	})
	if err != nil {
		return JsonWebToken{}, err
	}

	jsonWebToken, err := getJsonWebTokenFromTokenClaims(token, true)
	if err != nil {
		return JsonWebToken{}, err
	}
Jano Hendriks's avatar
Add JWT functions
Jano Hendriks committed
102 103 104 105 106 107 108 109 110 111 112 113 
	// Validate the expiry date
	if jsonWebToken.ExpiryDate.Before(date_utils.CurrentDate()) {
		return jsonWebToken, errors.Error("token has expired")
	}

	return jsonWebToken, nil
}

// LoginWithPassword checks that the provided password is correct. If the password is correct, a signed JWT is returned
// using the provided encryption key.
func LoginWithPassword(password string, hashedPassword string, jsonWebToken JsonWebToken, jwtEncryptionKey string) (string, error) {
	if PasswordIsCorrect(password, hashedPassword) {
Jano Hendriks's avatar
Add session token functions for JWT  
Jano Hendriks committed
114 115 116 117 118 119 120 121 122 123 124 
		return GenerateJWT(jsonWebToken, jwtEncryptionKey)
	}

	return "", errors.HTTPWithMsg(http.StatusBadRequest, "password is incorrect")
}

// LoginSessionWithPassword checks that the provided password is correct. If the password is correct, the session token
// is signed using the secret key, and a JWT is returned using the signed session token
func LoginSessionWithPassword(password string, hashedPassword string, jsonWebToken JsonWebToken, secretKey string, sessionToken string) (string, error) {
	if PasswordIsCorrect(password, hashedPassword) {
		return GenerateJWTWithSessionToken(jsonWebToken, secretKey, sessionToken)
Jano Hendriks's avatar
Add JWT functions
Jano Hendriks committed
125 126 127 128 
	}

	return "", errors.HTTPWithMsg(http.StatusBadRequest, "password is incorrect")
}
Jano Hendriks's avatar
Add session token functions for JWT  
Jano Hendriks committed
129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 

// GetUserIDFromJWTWithoutValidation gets the userID from the jsonWebTokenString without validating the signature.
// Successful execution of this function DOES NOT indicate that the JWT is valid in any way.
func GetUserIDFromJWTWithoutValidation(jsonWebTokenString string) string {
	token, _, err := jwt.NewParser().ParseUnverified(jsonWebTokenString, jwt.MapClaims{})
	if err != nil {
		return ""
	}

	jsonWebToken, err := getJsonWebTokenFromTokenClaims(token, false)
	if err != nil {
		return ""
	}
	return jsonWebToken.UserID
}
Jano Hendriks's avatar
Add function to get user and provider ID from JWT  
Jano Hendriks committed
144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 

// GetUserAndProviderIDFromJWTWithoutValidation gets the userID and providerID from the jsonWebTokenString without validating the
// signature. Successful execution of this function DOES NOT indicate that the JWT is valid in any way.
func GetUserAndProviderIDFromJWTWithoutValidation(jsonWebTokenString string) (string, int64) {
	token, _, err := jwt.NewParser().ParseUnverified(jsonWebTokenString, jwt.MapClaims{})
	if err != nil {
		return "", 0
	}

	jsonWebToken, err := getJsonWebTokenFromTokenClaims(token, false)
	if err != nil {
		return "", 0
	}
	return jsonWebToken.UserID, jsonWebToken.ProviderID
}