2015-05-12 00:43:54 +02:00
|
|
|
package middleware
|
|
|
|
|
|
|
|
import (
|
2016-04-25 19:58:11 +02:00
|
|
|
"fmt"
|
|
|
|
"net/http"
|
2015-07-05 15:21:05 +02:00
|
|
|
|
2016-04-25 19:58:11 +02:00
|
|
|
"github.com/dgrijalva/jwt-go"
|
2015-07-05 15:21:05 +02:00
|
|
|
"github.com/labstack/echo"
|
2015-05-12 00:43:54 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
type (
|
2016-04-25 19:58:11 +02:00
|
|
|
// JWTAuthConfig defines the config for JWT auth middleware.
|
|
|
|
JWTAuthConfig struct {
|
|
|
|
// SigningKey is the key to validate token.
|
|
|
|
// Required.
|
2016-04-26 11:10:57 +02:00
|
|
|
SigningKey []byte
|
2016-04-25 19:58:11 +02:00
|
|
|
|
|
|
|
// SigningMethod is used to check token signing method.
|
|
|
|
// Optional, with default value as `HS256`.
|
|
|
|
SigningMethod string
|
|
|
|
|
|
|
|
// ContextKey is the key to be used for storing user information from the
|
|
|
|
// token into context.
|
|
|
|
// Optional, with default value as `user`.
|
|
|
|
ContextKey string
|
|
|
|
|
2016-04-28 07:03:54 +02:00
|
|
|
// Extractor is a function that extracts token from the request.
|
2016-04-25 19:58:11 +02:00
|
|
|
// Optional, with default values as `JWTFromHeader`.
|
|
|
|
Extractor JWTExtractor
|
|
|
|
}
|
|
|
|
|
|
|
|
// JWTExtractor defines a function that takes `echo.Context` and returns either
|
|
|
|
// a token or an error.
|
|
|
|
JWTExtractor func(echo.Context) (string, error)
|
2015-05-12 00:43:54 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
2016-04-25 19:58:11 +02:00
|
|
|
bearer = "Bearer"
|
|
|
|
)
|
|
|
|
|
|
|
|
// Algorithims
|
|
|
|
const (
|
|
|
|
AlgorithmHS256 = "HS256"
|
2015-05-12 00:43:54 +02:00
|
|
|
)
|
|
|
|
|
2016-03-14 22:55:38 +02:00
|
|
|
var (
|
2016-04-25 19:58:11 +02:00
|
|
|
// DefaultJWTAuthConfig is the default JWT auth middleware config.
|
|
|
|
DefaultJWTAuthConfig = JWTAuthConfig{
|
|
|
|
SigningMethod: AlgorithmHS256,
|
|
|
|
ContextKey: "user",
|
|
|
|
Extractor: JWTFromHeader,
|
|
|
|
}
|
2016-03-14 22:55:38 +02:00
|
|
|
)
|
|
|
|
|
2016-04-25 19:58:11 +02:00
|
|
|
// JWTAuth returns a JSON Web Token (JWT) auth middleware.
|
|
|
|
//
|
|
|
|
// For valid token, it sets the user in context and calls next handler.
|
|
|
|
// For invalid token, it sends "401 - Unauthorized" response.
|
|
|
|
// For empty or invalid `Authorization` header, it sends "400 - Bad Request".
|
|
|
|
//
|
|
|
|
// See https://jwt.io/introduction
|
2016-04-26 11:10:57 +02:00
|
|
|
func JWTAuth(key []byte) echo.MiddlewareFunc {
|
2016-04-25 19:58:11 +02:00
|
|
|
c := DefaultJWTAuthConfig
|
|
|
|
c.SigningKey = key
|
|
|
|
return JWTAuthWithConfig(c)
|
|
|
|
}
|
|
|
|
|
|
|
|
// JWTAuthWithConfig returns a JWT auth middleware from config.
|
|
|
|
// See `JWTAuth()`.
|
|
|
|
func JWTAuthWithConfig(config JWTAuthConfig) echo.MiddlewareFunc {
|
|
|
|
// Defaults
|
2016-04-26 11:10:57 +02:00
|
|
|
if config.SigningKey == nil {
|
2016-04-25 19:58:11 +02:00
|
|
|
panic("jwt middleware requires signing key")
|
|
|
|
}
|
|
|
|
if config.SigningMethod == "" {
|
|
|
|
config.SigningMethod = DefaultJWTAuthConfig.SigningMethod
|
|
|
|
}
|
|
|
|
if config.ContextKey == "" {
|
|
|
|
config.ContextKey = DefaultJWTAuthConfig.ContextKey
|
|
|
|
}
|
|
|
|
if config.Extractor == nil {
|
|
|
|
config.Extractor = DefaultJWTAuthConfig.Extractor
|
|
|
|
}
|
|
|
|
|
|
|
|
return func(next echo.HandlerFunc) echo.HandlerFunc {
|
|
|
|
return func(c echo.Context) error {
|
|
|
|
auth, err := config.Extractor(c)
|
|
|
|
if err != nil {
|
|
|
|
return echo.NewHTTPError(http.StatusBadRequest, err.Error())
|
|
|
|
}
|
|
|
|
token, err := jwt.Parse(auth, func(t *jwt.Token) (interface{}, error) {
|
|
|
|
// Check the signing method
|
|
|
|
if t.Method.Alg() != config.SigningMethod {
|
|
|
|
return nil, fmt.Errorf("unexpected jwt signing method=%v", t.Header["alg"])
|
|
|
|
}
|
2016-04-26 11:10:57 +02:00
|
|
|
return config.SigningKey, nil
|
2016-04-25 19:58:11 +02:00
|
|
|
|
|
|
|
})
|
|
|
|
if err == nil && token.Valid {
|
|
|
|
// Store user information from token into context.
|
|
|
|
c.Set(config.ContextKey, token)
|
|
|
|
return next(c)
|
|
|
|
}
|
2016-03-12 20:18:40 +02:00
|
|
|
return echo.ErrUnauthorized
|
2016-04-02 23:19:39 +02:00
|
|
|
}
|
2016-02-18 07:49:31 +02:00
|
|
|
}
|
2015-06-10 05:06:51 +02:00
|
|
|
}
|
2016-04-25 22:41:09 +02:00
|
|
|
|
|
|
|
// JWTFromHeader is a `JWTExtractor` that extracts token from the `Authorization` request
|
|
|
|
// header.
|
|
|
|
func JWTFromHeader(c echo.Context) (string, error) {
|
|
|
|
auth := c.Request().Header().Get(echo.HeaderAuthorization)
|
|
|
|
l := len(bearer)
|
|
|
|
if len(auth) > l+1 && auth[:l] == bearer {
|
|
|
|
return auth[l+1:], nil
|
|
|
|
}
|
|
|
|
return "", echo.NewHTTPError(http.StatusBadRequest, "invalid jwt authorization header="+auth)
|
|
|
|
}
|
|
|
|
|
|
|
|
// JWTFromQuery returns a `JWTExtractor` that extracts token from the provided query
|
|
|
|
// parameter.
|
|
|
|
func JWTFromQuery(param string) JWTExtractor {
|
|
|
|
return func(c echo.Context) (string, error) {
|
|
|
|
return c.QueryParam(param), nil
|
|
|
|
}
|
|
|
|
}
|