Updated auth interface (#1384)

* Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu>
2020-03-23 16:19:30 +00:00
parent 9826ddbd64
commit e0e77f3983
23 changed files with 1842 additions and 649 deletions
--- a/auth/token/jwt/jwt.go
+++ b/auth/token/jwt/jwt.go
@@ -0,0 +1,111 @@
+package jwt
+
+import (
+	"encoding/base64"
+	"time"
+
+	"github.com/dgrijalva/jwt-go"
+	"github.com/micro/go-micro/v2/auth"
+	"github.com/micro/go-micro/v2/auth/token"
+)
+
+// authClaims to be encoded in the JWT
+type authClaims struct {
+	Roles    []string          `json:"roles"`
+	Metadata map[string]string `json:"metadata"`
+
+	jwt.StandardClaims
+}
+
+// JWT implementation of token provider
+type JWT struct {
+	opts token.Options
+}
+
+// NewTokenProvider returns an initialized basic provider
+func NewTokenProvider(opts ...token.Option) token.Provider {
+	return &JWT{
+		opts: token.NewOptions(opts...),
+	}
+}
+
+// Generate a new JWT
+func (j *JWT) Generate(subject string, opts ...token.GenerateOption) (*auth.Token, error) {
+	// decode the private key
+	priv, err := base64.StdEncoding.DecodeString(j.opts.PrivateKey)
+	if err != nil {
+		return nil, err
+	}
+
+	// parse the private key
+	key, err := jwt.ParseRSAPrivateKeyFromPEM(priv)
+	if err != nil {
+		return nil, token.ErrEncodingToken
+	}
+
+	// parse the options
+	options := token.NewGenerateOptions(opts...)
+
+	// generate the JWT
+	expiry := time.Now().Add(options.Expiry)
+	t := jwt.NewWithClaims(jwt.SigningMethodRS256, authClaims{
+		options.Roles, options.Metadata, jwt.StandardClaims{
+			Subject:   subject,
+			ExpiresAt: expiry.Unix(),
+		},
+	})
+	tok, err := t.SignedString(key)
+	if err != nil {
+		return nil, err
+	}
+
+	// return the token
+	return &auth.Token{
+		Subject:  subject,
+		Token:    tok,
+		Type:     j.String(),
+		Created:  time.Now(),
+		Expiry:   expiry,
+		Roles:    options.Roles,
+		Metadata: options.Metadata,
+	}, nil
+}
+
+// Inspect a JWT
+func (j *JWT) Inspect(t string) (*auth.Token, error) {
+	// decode the public key
+	pub, err := base64.StdEncoding.DecodeString(j.opts.PublicKey)
+	if err != nil {
+		return nil, err
+	}
+
+	// parse the public key
+	res, err := jwt.ParseWithClaims(t, &authClaims{}, func(token *jwt.Token) (interface{}, error) {
+		return jwt.ParseRSAPublicKeyFromPEM(pub)
+	})
+	if err != nil {
+		return nil, token.ErrInvalidToken
+	}
+
+	// validate the token
+	if !res.Valid {
+		return nil, token.ErrInvalidToken
+	}
+	claims, ok := res.Claims.(*authClaims)
+	if !ok {
+		return nil, token.ErrInvalidToken
+	}
+
+	// return the token
+	return &auth.Token{
+		Token:    t,
+		Subject:  claims.Subject,
+		Metadata: claims.Metadata,
+		Roles:    claims.Roles,
+	}, nil
+}
+
+// String returns JWT
+func (j *JWT) String() string {
+	return "jwt"
+}