package jwt import ( "encoding/base64" "errors" "github.com/dgrijalva/jwt-go" "github.com/micro/go-micro/v2/auth" ) var ( // ErrInvalidPrivateKey is returned when the service provided an invalid private key ErrInvalidPrivateKey = errors.New("An invalid private key was provided") // ErrEncodingToken is returned when the service encounters an error during encoding ErrEncodingToken = errors.New("An error occured while encoding the JWT") // ErrInvalidToken is returned when the token provided is not valid ErrInvalidToken = errors.New("An invalid token was provided") // ErrMissingToken is returned when no token is provided ErrMissingToken = errors.New("A valid JWT is required") ) // NewAuth returns a new instance of the Auth service func NewAuth(opts ...auth.Option) auth.Auth { svc := new(svc) svc.Init(opts...) return svc } // svc is the JWT implementation of the Auth interface type svc struct { options auth.Options } func (s *svc) String() string { return "jwt" } func (s *svc) Options() auth.Options { return s.options } func (s *svc) Init(opts ...auth.Option) error { for _, o := range opts { o(&s.options) } return nil } // AuthClaims to be encoded in the JWT type AuthClaims struct { Id string `json:"id"` Roles []*auth.Role `json:"roles"` Metadata map[string]string `json:"metadata"` jwt.StandardClaims } // Generate a new JWT func (s *svc) Generate(id string, ops ...auth.GenerateOption) (*auth.Account, error) { // decode the private key priv, err := base64.StdEncoding.DecodeString(s.options.PrivateKey) if err != nil { return nil, err } key, err := jwt.ParseRSAPrivateKeyFromPEM(priv) if err != nil { return nil, ErrEncodingToken } options := auth.NewGenerateOptions(ops...) account := jwt.NewWithClaims(jwt.SigningMethodRS256, AuthClaims{ id, options.Roles, options.Metadata, jwt.StandardClaims{ Subject: id, ExpiresAt: options.Expiry.Unix(), }, }) token, err := account.SignedString(key) if err != nil { return nil, err } return &auth.Account{ Id: id, Token: token, Roles: options.Roles, Metadata: options.Metadata, }, nil } // Revoke an authorization account func (s *svc) Revoke(token string) error { return nil } // Verify a JWT func (s *svc) Verify(token string) (*auth.Account, error) { if token == "" { return nil, ErrMissingToken } // decode the public key pub, err := base64.StdEncoding.DecodeString(s.options.PublicKey) if err != nil { return nil, err } res, err := jwt.ParseWithClaims(token, &AuthClaims{}, func(token *jwt.Token) (interface{}, error) { return jwt.ParseRSAPublicKeyFromPEM(pub) }) if err != nil { return nil, err } if !res.Valid { return nil, ErrInvalidToken } claims, ok := res.Claims.(*AuthClaims) if !ok { return nil, ErrInvalidToken } return &auth.Account{ Id: claims.Id, Metadata: claims.Metadata, Roles: claims.Roles, }, nil }