package auth import ( "errors" "time" "github.com/gofiber/fiber/v3" "github.com/golang-jwt/jwt/v5" ) type AuthService struct { cfg Config secret []byte accessExpiry time.Duration refreshExpiry time.Duration } const ( tokenTypeAccess = "access" tokenTypeRefresh = "refresh" ) func NewAuthService(cfg Config) (*AuthService, error) { if cfg.Secret == "" { return nil, errors.New("jwt secret is required") } if cfg.AccessTokenExpiry <= 0 { return nil, errors.New("access token expiry must be positive") } if cfg.RefreshTokenExpiry <= 0 { return nil, errors.New("refresh token expiry must be positive") } return &AuthService{ cfg: cfg, secret: []byte(cfg.Secret), accessExpiry: cfg.AccessTokenExpiry, refreshExpiry: cfg.RefreshTokenExpiry, }, nil } func (s *AuthService) GenerateTokenPair(username string) (TokenPair, error) { access, err := s.generateToken(username, tokenTypeAccess, s.accessExpiry) if err != nil { return TokenPair{}, err } refresh, err := s.generateToken(username, tokenTypeRefresh, s.refreshExpiry) if err != nil { return TokenPair{}, err } return TokenPair{ AccessToken: access, RefreshToken: refresh, }, nil } func (s *AuthService) AccessExpiry() time.Duration { return s.accessExpiry } func (s *AuthService) RefreshExpiry() time.Duration { return s.refreshExpiry } func (s *AuthService) Middleware() fiber.Handler { return func(c fiber.Ctx) error { tokenString := c.Get("Auth-Token") if tokenString == "" { return fiber.NewError(fiber.StatusUnauthorized, "missing token header") } claims, err := s.parseToken(tokenString) if err != nil { return fiber.NewError(fiber.StatusUnauthorized, err.Error()) } if claims.TokenType != tokenTypeAccess { return fiber.NewError(fiber.StatusUnauthorized, "access token required") } c.Locals("authClaims", claims) return c.Next() } } func (s *AuthService) Refresh(refreshToken string) (TokenPair, error) { claims, err := s.parseToken(refreshToken) if err != nil { return TokenPair{}, err } if claims.TokenType != tokenTypeRefresh { return TokenPair{}, errors.New("refresh token required") } return s.GenerateTokenPair(claims.Username) } func (s *AuthService) ValidateAccessToken(tokenString string) (*Claims, error) { claims, err := s.parseToken(tokenString) if err != nil { return nil, err } if claims.TokenType != tokenTypeAccess { return nil, errors.New("access token required") } return claims, nil } func ClaimsFromCtx(c fiber.Ctx) (*Claims, bool) { val := c.Locals("authClaims") if val == nil { return nil, false } claims, ok := val.(*Claims) return claims, ok } func (s *AuthService) parseToken(tokenString string) (*Claims, error) { claims := &Claims{} token, err := jwt.ParseWithClaims(tokenString, claims, func(t *jwt.Token) (interface{}, error) { if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok { return nil, fiber.ErrUnauthorized } return s.secret, nil }) if err != nil || !token.Valid { return nil, errors.New("invalid or expired token") } if s.cfg.Issuer != "" && claims.Issuer != "" && claims.Issuer != s.cfg.Issuer { return nil, errors.New("invalid token issuer") } return claims, nil } func (s *AuthService) generateToken(username, tokenType string, expiry time.Duration) (string, error) { claims := Claims{ Username: username, TokenType: tokenType, RegisteredClaims: jwt.RegisteredClaims{ Issuer: s.cfg.Issuer, ExpiresAt: jwt.NewNumericDate(time.Now().Add(expiry)), IssuedAt: jwt.NewNumericDate(time.Now()), }, } token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) return token.SignedString(s.secret) }