197 lines
4.7 KiB
Go
197 lines
4.7 KiB
Go
package tokens
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"crypto/sha256"
|
|
"encoding/base64"
|
|
"encoding/hex"
|
|
"errors"
|
|
"server/internal/auth"
|
|
"server/internal/config"
|
|
|
|
"time"
|
|
|
|
"github.com/gofiber/fiber/v3"
|
|
"github.com/golang-jwt/jwt/v5"
|
|
)
|
|
|
|
type TockenService struct {
|
|
cfg config.AuthConfig
|
|
secret []byte
|
|
accessExpiry time.Duration
|
|
refreshExpiry time.Duration
|
|
}
|
|
|
|
type Claims struct {
|
|
Username string `json:"username"`
|
|
Permission int `json:"permission"`
|
|
TokenType string `json:"type"`
|
|
jwt.RegisteredClaims
|
|
}
|
|
|
|
// Typescript: interface
|
|
type TokenPair struct {
|
|
AccessToken string `json:"access_token"`
|
|
RefreshToken string `json:"refresh_token"`
|
|
}
|
|
|
|
const (
|
|
TokenTypeAccess = "access"
|
|
TokenTypeRefresh = "refresh"
|
|
)
|
|
|
|
var Tockens *TockenService
|
|
|
|
func GetTockenService() (*TockenService, error) {
|
|
if Tockens == nil {
|
|
cfg, err := config.GetConfig()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
Tockens, err = NewTockenService(cfg.Auth)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
return Tockens, nil
|
|
}
|
|
|
|
func NewTockenService(cfg config.AuthConfig) (*TockenService, error) {
|
|
if cfg.Secret == "" {
|
|
return nil, errors.New("jwt secret is required")
|
|
}
|
|
if cfg.AccessTokenExpiryMinutes <= 0 {
|
|
return nil, errors.New("access token expiry must be positive")
|
|
}
|
|
if cfg.RefreshTokenExpiryMinutes <= 0 {
|
|
return nil, errors.New("refresh token expiry must be positive")
|
|
}
|
|
|
|
return &TockenService{
|
|
cfg: cfg,
|
|
secret: []byte(cfg.Secret),
|
|
accessExpiry: time.Duration(cfg.AccessTokenExpiryMinutes) * time.Minute,
|
|
refreshExpiry: time.Duration(cfg.RefreshTokenExpiryMinutes) * time.Minute,
|
|
}, nil
|
|
}
|
|
|
|
func hashToken(token string) string {
|
|
sum := sha256.Sum256([]byte(token))
|
|
return hex.EncodeToString(sum[:])
|
|
}
|
|
|
|
func HashToken(token string) string {
|
|
return hashToken(token)
|
|
}
|
|
|
|
func (s *TockenService) GenerateTokenPair(user string, permission auth.Permission) (TokenPair, error) {
|
|
access, err := s.GenerateToken(user, permission, TokenTypeAccess, s.accessExpiry)
|
|
if err != nil {
|
|
return TokenPair{}, err
|
|
}
|
|
|
|
refresh, err := s.GenerateToken(user, permission, TokenTypeRefresh, s.refreshExpiry)
|
|
if err != nil {
|
|
return TokenPair{}, err
|
|
}
|
|
|
|
return TokenPair{
|
|
AccessToken: access,
|
|
RefreshToken: refresh,
|
|
}, nil
|
|
}
|
|
|
|
func (s *TockenService) AccessExpiry() time.Duration {
|
|
return s.accessExpiry
|
|
}
|
|
|
|
func (s *TockenService) RefreshExpiry() time.Duration {
|
|
return s.refreshExpiry
|
|
}
|
|
|
|
func (s *TockenService) Refresh(refreshToken string) (TokenPair, error) {
|
|
claims, err := s.ParseToken(refreshToken)
|
|
if err != nil {
|
|
return TokenPair{}, err
|
|
}
|
|
if claims.TokenType != TokenTypeRefresh {
|
|
return TokenPair{}, errors.New("refresh token required")
|
|
}
|
|
return s.GenerateTokenPair(claims.Username, auth.PermissionToString(claims.Permission))
|
|
}
|
|
|
|
func (s *TockenService) ValidateToken(tokenString string) (*Claims, error) {
|
|
claims, err := s.ParseToken(tokenString)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if claims.TokenType != TokenTypeAccess {
|
|
return nil, errors.New("access token required")
|
|
}
|
|
return claims, nil
|
|
}
|
|
|
|
func ClaimsFromCtx(c fiber.Ctx) (*Claims, bool) {
|
|
val := c.Locals("authClaims")
|
|
if val == nil {
|
|
return nil, false
|
|
}
|
|
claims, ok := val.(*Claims)
|
|
return claims, ok
|
|
}
|
|
|
|
func (s *TockenService) ParseToken(tokenString string) (*Claims, error) {
|
|
claims := &Claims{}
|
|
token, err := jwt.ParseWithClaims(tokenString, claims, func(t *jwt.Token) (interface{}, error) {
|
|
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
|
|
return nil, fiber.ErrUnauthorized
|
|
}
|
|
return s.secret, nil
|
|
})
|
|
if err != nil || !token.Valid {
|
|
return nil, errors.New("invalid or expired token")
|
|
}
|
|
if s.cfg.Issuer != "" && claims.Issuer != "" && claims.Issuer != s.cfg.Issuer {
|
|
return nil, errors.New("invalid token issuer")
|
|
}
|
|
|
|
return claims, nil
|
|
}
|
|
|
|
func (s *TockenService) GenerateToken(user string, permission auth.Permission, tokenType string, expiry time.Duration) (string, error) {
|
|
p := auth.RoleToPermission(permission)
|
|
|
|
claims := Claims{
|
|
Username: user,
|
|
Permission: p,
|
|
TokenType: tokenType,
|
|
RegisteredClaims: jwt.RegisteredClaims{
|
|
Issuer: s.cfg.Issuer,
|
|
ExpiresAt: jwt.NewNumericDate(time.Now().Add(expiry)),
|
|
IssuedAt: jwt.NewNumericDate(time.Now()),
|
|
},
|
|
}
|
|
|
|
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
|
return token.SignedString(s.secret)
|
|
}
|
|
|
|
func (s *TockenService) ValidateAccessToken(tokenString string) (*Claims, error) {
|
|
claims, err := s.ParseToken(tokenString)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if claims.TokenType != TokenTypeAccess {
|
|
return nil, errors.New("access token required")
|
|
}
|
|
return claims, nil
|
|
}
|
|
|
|
func (s *TockenService) GenerateSecureToken() (string, error) {
|
|
buf := make([]byte, 32)
|
|
if _, err := rand.Read(buf); err != nil {
|
|
return "", err
|
|
}
|
|
return base64.RawURLEncoding.EncodeToString(buf), nil
|
|
}
|