202 lines
4.8 KiB
Go
202 lines
4.8 KiB
Go
package tokens
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"crypto/sha256"
|
|
"encoding/base64"
|
|
"encoding/hex"
|
|
"errors"
|
|
"time"
|
|
|
|
"github.com/gofiber/fiber/v3"
|
|
"github.com/golang-jwt/jwt/v5"
|
|
)
|
|
|
|
type TockenService struct {
|
|
cfg Config
|
|
secret []byte
|
|
accessExpiry time.Duration
|
|
refreshExpiry time.Duration
|
|
}
|
|
|
|
type Config struct {
|
|
Secret string
|
|
Issuer string
|
|
AccessTokenExpiry time.Duration
|
|
RefreshTokenExpiry time.Duration
|
|
}
|
|
|
|
type Claims struct {
|
|
Username string `json:"username"`
|
|
Role string `json:"role"`
|
|
TokenType string `json:"type"`
|
|
jwt.RegisteredClaims
|
|
}
|
|
|
|
// Typescript: interface
|
|
type TokenPair struct {
|
|
AccessToken string `json:"access_token"`
|
|
RefreshToken string `json:"refresh_token"`
|
|
}
|
|
|
|
const (
|
|
TokenTypeAccess = "access"
|
|
TokenTypeRefresh = "refresh"
|
|
)
|
|
|
|
func NewTockenService(cfg Config) (*TockenService, error) {
|
|
if cfg.Secret == "" {
|
|
return nil, errors.New("jwt secret is required")
|
|
}
|
|
if cfg.AccessTokenExpiry <= 0 {
|
|
return nil, errors.New("access token expiry must be positive")
|
|
}
|
|
if cfg.RefreshTokenExpiry <= 0 {
|
|
return nil, errors.New("refresh token expiry must be positive")
|
|
}
|
|
|
|
return &TockenService{
|
|
cfg: cfg,
|
|
secret: []byte(cfg.Secret),
|
|
accessExpiry: cfg.AccessTokenExpiry,
|
|
refreshExpiry: cfg.RefreshTokenExpiry,
|
|
}, nil
|
|
}
|
|
|
|
func hashToken(token string) string {
|
|
sum := sha256.Sum256([]byte(token))
|
|
return hex.EncodeToString(sum[:])
|
|
}
|
|
|
|
func HashToken(token string) string {
|
|
return hashToken(token)
|
|
}
|
|
|
|
func (s *TockenService) GenerateTokenPair(username string) (TokenPair, error) {
|
|
access, err := s.GenerateToken(username, TokenTypeAccess, s.accessExpiry)
|
|
if err != nil {
|
|
return TokenPair{}, err
|
|
}
|
|
|
|
refresh, err := s.GenerateToken(username, TokenTypeRefresh, s.refreshExpiry)
|
|
if err != nil {
|
|
return TokenPair{}, err
|
|
}
|
|
|
|
return TokenPair{
|
|
AccessToken: access,
|
|
RefreshToken: refresh,
|
|
}, nil
|
|
}
|
|
|
|
func (s *TockenService) AccessExpiry() time.Duration {
|
|
return s.accessExpiry
|
|
}
|
|
|
|
func (s *TockenService) RefreshExpiry() time.Duration {
|
|
return s.refreshExpiry
|
|
}
|
|
|
|
func (s *TockenService) Middleware() fiber.Handler {
|
|
return func(c fiber.Ctx) error {
|
|
tokenString := c.Get("Auth-Token")
|
|
if tokenString == "" {
|
|
return fiber.NewError(fiber.StatusUnauthorized, "missing token header")
|
|
}
|
|
|
|
claims, err := s.ParseToken(tokenString)
|
|
if err != nil {
|
|
return fiber.NewError(fiber.StatusUnauthorized, err.Error())
|
|
}
|
|
if claims.TokenType != TokenTypeAccess {
|
|
return fiber.NewError(fiber.StatusUnauthorized, "access token required")
|
|
}
|
|
|
|
c.Locals("authClaims", claims)
|
|
return c.Next()
|
|
}
|
|
}
|
|
|
|
func (s *TockenService) Refresh(refreshToken string) (TokenPair, error) {
|
|
claims, err := s.ParseToken(refreshToken)
|
|
if err != nil {
|
|
return TokenPair{}, err
|
|
}
|
|
if claims.TokenType != TokenTypeRefresh {
|
|
return TokenPair{}, errors.New("refresh token required")
|
|
}
|
|
return s.GenerateTokenPair(claims.Username)
|
|
}
|
|
|
|
func (s *TockenService) ValidateToken(tokenString string) (*Claims, error) {
|
|
claims, err := s.ParseToken(tokenString)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if claims.TokenType != TokenTypeAccess {
|
|
return nil, errors.New("access token required")
|
|
}
|
|
return claims, nil
|
|
}
|
|
|
|
func ClaimsFromCtx(c fiber.Ctx) (*Claims, bool) {
|
|
val := c.Locals("authClaims")
|
|
if val == nil {
|
|
return nil, false
|
|
}
|
|
claims, ok := val.(*Claims)
|
|
return claims, ok
|
|
}
|
|
|
|
func (s *TockenService) ParseToken(tokenString string) (*Claims, error) {
|
|
claims := &Claims{}
|
|
token, err := jwt.ParseWithClaims(tokenString, claims, func(t *jwt.Token) (interface{}, error) {
|
|
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
|
|
return nil, fiber.ErrUnauthorized
|
|
}
|
|
return s.secret, nil
|
|
})
|
|
if err != nil || !token.Valid {
|
|
return nil, errors.New("invalid or expired token")
|
|
}
|
|
if s.cfg.Issuer != "" && claims.Issuer != "" && claims.Issuer != s.cfg.Issuer {
|
|
return nil, errors.New("invalid token issuer")
|
|
}
|
|
|
|
return claims, nil
|
|
}
|
|
|
|
func (s *TockenService) GenerateToken(username, tokenType string, expiry time.Duration) (string, error) {
|
|
claims := Claims{
|
|
Username: username,
|
|
TokenType: tokenType,
|
|
RegisteredClaims: jwt.RegisteredClaims{
|
|
Issuer: s.cfg.Issuer,
|
|
ExpiresAt: jwt.NewNumericDate(time.Now().Add(expiry)),
|
|
IssuedAt: jwt.NewNumericDate(time.Now()),
|
|
},
|
|
}
|
|
|
|
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
|
return token.SignedString(s.secret)
|
|
}
|
|
|
|
func (s *TockenService) ValidateAccessToken(tokenString string) (*Claims, error) {
|
|
claims, err := s.ParseToken(tokenString)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if claims.TokenType != TokenTypeAccess {
|
|
return nil, errors.New("access token required")
|
|
}
|
|
return claims, nil
|
|
}
|
|
|
|
func (s *TockenService) GenerateSecureToken() (string, error) {
|
|
buf := make([]byte, 32)
|
|
if _, err := rand.Read(buf); err != nil {
|
|
return "", err
|
|
}
|
|
return base64.RawURLEncoding.EncodeToString(buf), nil
|
|
}
|