188 lines
4.6 KiB
Go
188 lines
4.6 KiB
Go
package auth
|
|
|
|
import (
|
|
"errors"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/gofiber/fiber/v3"
|
|
"github.com/golang-jwt/jwt/v5"
|
|
)
|
|
|
|
type Config struct {
|
|
Secret string
|
|
Issuer string
|
|
AccessTokenExpiry time.Duration
|
|
RefreshTokenExpiry time.Duration
|
|
}
|
|
|
|
type Service struct {
|
|
cfg Config
|
|
secret []byte
|
|
accessExpiry time.Duration
|
|
refreshExpiry time.Duration
|
|
}
|
|
|
|
type Claims struct {
|
|
Username string `json:"username"`
|
|
TokenType string `json:"type"`
|
|
jwt.RegisteredClaims
|
|
}
|
|
|
|
// Typescript: interface
|
|
type TokenPair struct {
|
|
AccessToken string `json:"access_token"`
|
|
RefreshToken string `json:"refresh_token"`
|
|
}
|
|
|
|
const (
|
|
tokenTypeAccess = "access"
|
|
tokenTypeRefresh = "refresh"
|
|
)
|
|
|
|
func New(cfg Config) (*Service, error) {
|
|
if cfg.Secret == "" {
|
|
return nil, errors.New("jwt secret is required")
|
|
}
|
|
if cfg.AccessTokenExpiry <= 0 {
|
|
return nil, errors.New("access token expiry must be positive")
|
|
}
|
|
if cfg.RefreshTokenExpiry <= 0 {
|
|
return nil, errors.New("refresh token expiry must be positive")
|
|
}
|
|
|
|
return &Service{
|
|
cfg: cfg,
|
|
secret: []byte(cfg.Secret),
|
|
accessExpiry: cfg.AccessTokenExpiry,
|
|
refreshExpiry: cfg.RefreshTokenExpiry,
|
|
}, nil
|
|
}
|
|
|
|
func (s *Service) GenerateTokenPair(username string) (TokenPair, error) {
|
|
access, err := s.generateToken(username, tokenTypeAccess, s.accessExpiry)
|
|
if err != nil {
|
|
return TokenPair{}, err
|
|
}
|
|
|
|
refresh, err := s.generateToken(username, tokenTypeRefresh, s.refreshExpiry)
|
|
if err != nil {
|
|
return TokenPair{}, err
|
|
}
|
|
|
|
return TokenPair{
|
|
AccessToken: access,
|
|
RefreshToken: refresh,
|
|
}, nil
|
|
}
|
|
|
|
// AccessExpiry returns the configured access token lifetime.
|
|
func (s *Service) AccessExpiry() time.Duration {
|
|
return s.accessExpiry
|
|
}
|
|
|
|
// RefreshExpiry returns the configured refresh token lifetime.
|
|
func (s *Service) RefreshExpiry() time.Duration {
|
|
return s.refreshExpiry
|
|
}
|
|
|
|
func (s *Service) Middleware() fiber.Handler {
|
|
return func(c fiber.Ctx) error {
|
|
tokenString := c.Get("Auth-Token")
|
|
if tokenString == "" {
|
|
return fiber.NewError(fiber.StatusUnauthorized, "missing token header")
|
|
}
|
|
|
|
claims, err := s.parseToken(tokenString)
|
|
if err != nil {
|
|
return fiber.NewError(fiber.StatusUnauthorized, err.Error())
|
|
}
|
|
if claims.TokenType != tokenTypeAccess {
|
|
return fiber.NewError(fiber.StatusUnauthorized, "access token required")
|
|
}
|
|
|
|
c.Locals("authClaims", claims)
|
|
return c.Next()
|
|
}
|
|
}
|
|
|
|
func (s *Service) Refresh(refreshToken string) (TokenPair, error) {
|
|
claims, err := s.parseToken(refreshToken)
|
|
if err != nil {
|
|
return TokenPair{}, err
|
|
}
|
|
if claims.TokenType != tokenTypeRefresh {
|
|
return TokenPair{}, errors.New("refresh token required")
|
|
}
|
|
return s.GenerateTokenPair(claims.Username)
|
|
}
|
|
|
|
// ValidateAccessToken parses and validates an access token string, ensuring type=access.
|
|
func (s *Service) ValidateAccessToken(tokenString string) (*Claims, error) {
|
|
claims, err := s.parseToken(tokenString)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if claims.TokenType != tokenTypeAccess {
|
|
return nil, errors.New("access token required")
|
|
}
|
|
return claims, nil
|
|
}
|
|
|
|
func (s *Service) parseToken(tokenString string) (*Claims, error) {
|
|
claims := &Claims{}
|
|
token, err := jwt.ParseWithClaims(tokenString, claims, func(t *jwt.Token) (interface{}, error) {
|
|
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
|
|
return nil, fiber.ErrUnauthorized
|
|
}
|
|
return s.secret, nil
|
|
})
|
|
if err != nil || !token.Valid {
|
|
return nil, errors.New("invalid or expired token")
|
|
}
|
|
if s.cfg.Issuer != "" && claims.Issuer != "" && claims.Issuer != s.cfg.Issuer {
|
|
return nil, errors.New("invalid token issuer")
|
|
}
|
|
|
|
return claims, nil
|
|
}
|
|
|
|
func (s *Service) generateToken(username, tokenType string, expiry time.Duration) (string, error) {
|
|
claims := Claims{
|
|
Username: username,
|
|
TokenType: tokenType,
|
|
RegisteredClaims: jwt.RegisteredClaims{
|
|
Issuer: s.cfg.Issuer,
|
|
ExpiresAt: jwt.NewNumericDate(time.Now().Add(expiry)),
|
|
IssuedAt: jwt.NewNumericDate(time.Now()),
|
|
},
|
|
}
|
|
|
|
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
|
return token.SignedString(s.secret)
|
|
}
|
|
|
|
func bearerToken(header string) (string, error) {
|
|
if header == "" {
|
|
return "", errors.New("missing Auth-Token header")
|
|
}
|
|
if !strings.HasPrefix(header, "Bearer ") {
|
|
return "", errors.New("invalid Authorization header format")
|
|
}
|
|
|
|
token := strings.TrimSpace(strings.TrimPrefix(header, "Bearer "))
|
|
if token == "" {
|
|
return "", errors.New("empty bearer token")
|
|
}
|
|
return token, nil
|
|
}
|
|
|
|
func ClaimsFromCtx(c fiber.Ctx) (*Claims, bool) {
|
|
val := c.Locals("authClaims")
|
|
if val == nil {
|
|
return nil, false
|
|
}
|
|
claims, ok := val.(*Claims)
|
|
return claims, ok
|
|
}
|