2015-05-12 00:43:54 +02:00
|
|
|
package middleware
|
|
|
|
|
|
|
|
import (
|
2016-04-25 19:58:11 +02:00
|
|
|
"fmt"
|
|
|
|
"net/http"
|
2016-09-15 00:35:10 +02:00
|
|
|
"reflect"
|
2016-05-26 23:06:30 +02:00
|
|
|
"strings"
|
2015-07-05 15:21:05 +02:00
|
|
|
|
2016-04-25 19:58:11 +02:00
|
|
|
"github.com/dgrijalva/jwt-go"
|
2019-01-30 12:56:56 +02:00
|
|
|
"github.com/labstack/echo/v4"
|
2015-05-12 00:43:54 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
type (
|
2016-07-27 18:34:44 +02:00
|
|
|
// JWTConfig defines the config for JWT middleware.
|
2016-05-07 16:45:03 +02:00
|
|
|
JWTConfig struct {
|
2016-07-27 18:34:44 +02:00
|
|
|
// Skipper defines a function to skip middleware.
|
|
|
|
Skipper Skipper
|
|
|
|
|
2018-06-29 03:13:02 +02:00
|
|
|
// BeforeFunc defines a function which is executed just before the middleware.
|
|
|
|
BeforeFunc BeforeFunc
|
|
|
|
|
|
|
|
// SuccessHandler defines a function which is executed for a valid token.
|
|
|
|
SuccessHandler JWTSuccessHandler
|
|
|
|
|
|
|
|
// ErrorHandler defines a function which is executed for an invalid token.
|
2018-07-18 08:21:54 +02:00
|
|
|
// It may be used to define a custom JWT error.
|
2018-06-29 03:13:02 +02:00
|
|
|
ErrorHandler JWTErrorHandler
|
|
|
|
|
2019-05-17 16:45:49 +02:00
|
|
|
// Signing key to validate token. Used as fallback if SigningKeys has length 0.
|
|
|
|
// Required. This or SigningKeys.
|
2017-01-03 06:12:06 +02:00
|
|
|
SigningKey interface{}
|
2016-04-25 19:58:11 +02:00
|
|
|
|
2019-05-17 16:45:49 +02:00
|
|
|
// Map of signing keys to validate token with kid field usage.
|
|
|
|
// Required. This or SigningKey.
|
|
|
|
SigningKeys map[string]interface{}
|
|
|
|
|
2016-05-10 20:52:04 +02:00
|
|
|
// Signing method, used to check token signing method.
|
|
|
|
// Optional. Default value HS256.
|
2017-01-03 06:12:06 +02:00
|
|
|
SigningMethod string
|
2016-04-25 19:58:11 +02:00
|
|
|
|
2016-05-10 20:52:04 +02:00
|
|
|
// Context key to store user information from the token into context.
|
|
|
|
// Optional. Default value "user".
|
2017-01-03 06:12:06 +02:00
|
|
|
ContextKey string
|
2016-04-25 19:58:11 +02:00
|
|
|
|
2016-08-20 18:12:17 +02:00
|
|
|
// Claims are extendable claims data defining token content.
|
|
|
|
// Optional. Default value jwt.MapClaims
|
|
|
|
Claims jwt.Claims
|
|
|
|
|
2016-05-27 04:23:46 +02:00
|
|
|
// TokenLookup is a string in the form of "<source>:<name>" that is used
|
|
|
|
// to extract token from the request.
|
2016-05-26 23:06:30 +02:00
|
|
|
// Optional. Default value "header:Authorization".
|
|
|
|
// Possible values:
|
|
|
|
// - "header:<name>"
|
2016-05-27 04:23:46 +02:00
|
|
|
// - "query:<name>"
|
2016-07-02 11:26:05 +02:00
|
|
|
// - "cookie:<name>"
|
2017-01-03 06:12:06 +02:00
|
|
|
TokenLookup string
|
|
|
|
|
|
|
|
// AuthScheme to be used in the Authorization header.
|
|
|
|
// Optional. Default value "Bearer".
|
|
|
|
AuthScheme string
|
2016-09-15 00:35:10 +02:00
|
|
|
|
|
|
|
keyFunc jwt.Keyfunc
|
2016-04-25 19:58:11 +02:00
|
|
|
}
|
|
|
|
|
2018-06-29 03:13:02 +02:00
|
|
|
// JWTSuccessHandler defines a function which is executed for a valid token.
|
|
|
|
JWTSuccessHandler func(echo.Context)
|
|
|
|
|
|
|
|
// JWTErrorHandler defines a function which is executed for an invalid token.
|
2018-07-18 08:21:54 +02:00
|
|
|
JWTErrorHandler func(error) error
|
2018-06-29 03:13:02 +02:00
|
|
|
|
2016-05-26 23:06:30 +02:00
|
|
|
jwtExtractor func(echo.Context) (string, error)
|
2015-05-12 00:43:54 +02:00
|
|
|
)
|
|
|
|
|
2016-12-09 19:05:40 +02:00
|
|
|
// Algorithms
|
2016-04-25 19:58:11 +02:00
|
|
|
const (
|
|
|
|
AlgorithmHS256 = "HS256"
|
2015-05-12 00:43:54 +02:00
|
|
|
)
|
|
|
|
|
2017-08-31 18:18:42 +02:00
|
|
|
// Errors
|
|
|
|
var (
|
2018-02-21 21:38:22 +02:00
|
|
|
ErrJWTMissing = echo.NewHTTPError(http.StatusBadRequest, "missing or malformed jwt")
|
2017-08-31 18:18:42 +02:00
|
|
|
)
|
|
|
|
|
2016-03-14 22:55:38 +02:00
|
|
|
var (
|
2016-05-07 16:45:03 +02:00
|
|
|
// DefaultJWTConfig is the default JWT auth middleware config.
|
|
|
|
DefaultJWTConfig = JWTConfig{
|
2017-01-28 21:43:56 +02:00
|
|
|
Skipper: DefaultSkipper,
|
2016-04-25 19:58:11 +02:00
|
|
|
SigningMethod: AlgorithmHS256,
|
|
|
|
ContextKey: "user",
|
2016-05-27 04:23:46 +02:00
|
|
|
TokenLookup: "header:" + echo.HeaderAuthorization,
|
2017-01-03 06:12:06 +02:00
|
|
|
AuthScheme: "Bearer",
|
2016-08-20 17:59:36 +02:00
|
|
|
Claims: jwt.MapClaims{},
|
2016-04-25 19:58:11 +02:00
|
|
|
}
|
2016-03-14 22:55:38 +02:00
|
|
|
)
|
|
|
|
|
2016-05-07 16:45:03 +02:00
|
|
|
// JWT returns a JSON Web Token (JWT) auth middleware.
|
2016-04-25 19:58:11 +02:00
|
|
|
//
|
|
|
|
// For valid token, it sets the user in context and calls next handler.
|
2016-08-27 19:52:35 +02:00
|
|
|
// For invalid token, it returns "401 - Unauthorized" error.
|
2017-01-03 06:12:06 +02:00
|
|
|
// For missing token, it returns "400 - Bad Request" error.
|
2016-04-25 19:58:11 +02:00
|
|
|
//
|
2016-05-13 02:45:00 +02:00
|
|
|
// See: https://jwt.io/introduction
|
2016-07-02 11:26:05 +02:00
|
|
|
// See `JWTConfig.TokenLookup`
|
2017-06-20 00:42:27 +02:00
|
|
|
func JWT(key interface{}) echo.MiddlewareFunc {
|
2016-05-07 16:45:03 +02:00
|
|
|
c := DefaultJWTConfig
|
2016-04-25 19:58:11 +02:00
|
|
|
c.SigningKey = key
|
2016-05-07 16:45:03 +02:00
|
|
|
return JWTWithConfig(c)
|
2016-04-25 19:58:11 +02:00
|
|
|
}
|
|
|
|
|
2016-09-01 05:10:14 +02:00
|
|
|
// JWTWithConfig returns a JWT auth middleware with config.
|
2016-05-13 02:45:00 +02:00
|
|
|
// See: `JWT()`.
|
2016-05-07 16:45:03 +02:00
|
|
|
func JWTWithConfig(config JWTConfig) echo.MiddlewareFunc {
|
2016-04-25 19:58:11 +02:00
|
|
|
// Defaults
|
2016-07-27 18:34:44 +02:00
|
|
|
if config.Skipper == nil {
|
|
|
|
config.Skipper = DefaultJWTConfig.Skipper
|
|
|
|
}
|
2019-05-17 16:45:49 +02:00
|
|
|
if config.SigningKey == nil && len(config.SigningKeys) == 0 {
|
2017-06-03 02:55:59 +02:00
|
|
|
panic("echo: jwt middleware requires signing key")
|
2016-04-25 19:58:11 +02:00
|
|
|
}
|
|
|
|
if config.SigningMethod == "" {
|
2016-05-07 16:45:03 +02:00
|
|
|
config.SigningMethod = DefaultJWTConfig.SigningMethod
|
2016-04-25 19:58:11 +02:00
|
|
|
}
|
|
|
|
if config.ContextKey == "" {
|
2016-05-07 16:45:03 +02:00
|
|
|
config.ContextKey = DefaultJWTConfig.ContextKey
|
2016-04-25 19:58:11 +02:00
|
|
|
}
|
2016-08-20 17:59:36 +02:00
|
|
|
if config.Claims == nil {
|
2016-09-15 00:35:10 +02:00
|
|
|
config.Claims = DefaultJWTConfig.Claims
|
2016-08-20 17:59:36 +02:00
|
|
|
}
|
2016-05-27 04:23:46 +02:00
|
|
|
if config.TokenLookup == "" {
|
|
|
|
config.TokenLookup = DefaultJWTConfig.TokenLookup
|
2016-05-26 23:06:30 +02:00
|
|
|
}
|
2017-01-03 06:12:06 +02:00
|
|
|
if config.AuthScheme == "" {
|
|
|
|
config.AuthScheme = DefaultJWTConfig.AuthScheme
|
|
|
|
}
|
2016-09-15 00:35:10 +02:00
|
|
|
config.keyFunc = func(t *jwt.Token) (interface{}, error) {
|
|
|
|
// Check the signing method
|
|
|
|
if t.Method.Alg() != config.SigningMethod {
|
2018-02-21 20:44:17 +02:00
|
|
|
return nil, fmt.Errorf("unexpected jwt signing method=%v", t.Header["alg"])
|
2016-09-15 00:35:10 +02:00
|
|
|
}
|
2019-05-17 16:45:49 +02:00
|
|
|
if len(config.SigningKeys) > 0 {
|
|
|
|
if kid, ok := t.Header["kid"].(string); ok {
|
|
|
|
if key, ok := config.SigningKeys[kid]; ok {
|
|
|
|
return key, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil, fmt.Errorf("unexpected jwt key id=%v", t.Header["kid"])
|
|
|
|
}
|
|
|
|
|
2016-09-15 00:35:10 +02:00
|
|
|
return config.SigningKey, nil
|
|
|
|
}
|
2016-05-26 23:06:30 +02:00
|
|
|
|
|
|
|
// Initialize
|
2016-05-27 04:23:46 +02:00
|
|
|
parts := strings.Split(config.TokenLookup, ":")
|
2016-12-18 12:38:46 +02:00
|
|
|
extractor := jwtFromHeader(parts[1], config.AuthScheme)
|
2016-05-26 23:06:30 +02:00
|
|
|
switch parts[0] {
|
2016-05-27 04:23:46 +02:00
|
|
|
case "query":
|
2016-05-26 23:06:30 +02:00
|
|
|
extractor = jwtFromQuery(parts[1])
|
2016-07-02 11:26:05 +02:00
|
|
|
case "cookie":
|
|
|
|
extractor = jwtFromCookie(parts[1])
|
2016-04-25 19:58:11 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
return func(next echo.HandlerFunc) echo.HandlerFunc {
|
|
|
|
return func(c echo.Context) error {
|
2016-07-27 18:34:44 +02:00
|
|
|
if config.Skipper(c) {
|
|
|
|
return next(c)
|
|
|
|
}
|
|
|
|
|
2018-06-29 03:13:02 +02:00
|
|
|
if config.BeforeFunc != nil {
|
|
|
|
config.BeforeFunc(c)
|
|
|
|
}
|
|
|
|
|
2016-05-26 23:06:30 +02:00
|
|
|
auth, err := extractor(c)
|
2016-04-25 19:58:11 +02:00
|
|
|
if err != nil {
|
2018-07-09 20:34:53 +02:00
|
|
|
if config.ErrorHandler != nil {
|
2018-07-18 08:21:54 +02:00
|
|
|
return config.ErrorHandler(err)
|
2018-07-09 20:34:53 +02:00
|
|
|
}
|
2017-08-31 18:18:42 +02:00
|
|
|
return err
|
2016-04-25 19:58:11 +02:00
|
|
|
}
|
2016-09-15 00:35:10 +02:00
|
|
|
token := new(jwt.Token)
|
|
|
|
// Issue #647, #656
|
|
|
|
if _, ok := config.Claims.(jwt.MapClaims); ok {
|
|
|
|
token, err = jwt.Parse(auth, config.keyFunc)
|
|
|
|
} else {
|
2017-07-14 20:55:19 +02:00
|
|
|
t := reflect.ValueOf(config.Claims).Type().Elem()
|
|
|
|
claims := reflect.New(t).Interface().(jwt.Claims)
|
2016-09-15 00:35:10 +02:00
|
|
|
token, err = jwt.ParseWithClaims(auth, claims, config.keyFunc)
|
|
|
|
}
|
2016-04-25 19:58:11 +02:00
|
|
|
if err == nil && token.Valid {
|
|
|
|
// Store user information from token into context.
|
|
|
|
c.Set(config.ContextKey, token)
|
2018-06-29 03:13:02 +02:00
|
|
|
if config.SuccessHandler != nil {
|
|
|
|
config.SuccessHandler(c)
|
|
|
|
}
|
2016-04-25 19:58:11 +02:00
|
|
|
return next(c)
|
|
|
|
}
|
2018-06-29 03:13:02 +02:00
|
|
|
if config.ErrorHandler != nil {
|
2018-07-18 08:21:54 +02:00
|
|
|
return config.ErrorHandler(err)
|
2018-06-29 03:13:02 +02:00
|
|
|
}
|
2017-08-31 19:16:34 +02:00
|
|
|
return &echo.HTTPError{
|
2018-07-09 20:34:53 +02:00
|
|
|
Code: http.StatusUnauthorized,
|
2018-07-18 08:21:54 +02:00
|
|
|
Message: "invalid or expired jwt",
|
2018-04-10 21:06:31 +02:00
|
|
|
Internal: err,
|
2017-08-31 19:16:34 +02:00
|
|
|
}
|
2016-04-02 23:19:39 +02:00
|
|
|
}
|
2016-02-18 07:49:31 +02:00
|
|
|
}
|
2015-06-10 05:06:51 +02:00
|
|
|
}
|
2016-04-25 22:41:09 +02:00
|
|
|
|
2017-01-03 06:12:06 +02:00
|
|
|
// jwtFromHeader returns a `jwtExtractor` that extracts token from the request header.
|
2016-12-18 12:38:46 +02:00
|
|
|
func jwtFromHeader(header string, authScheme string) jwtExtractor {
|
2016-05-26 23:06:30 +02:00
|
|
|
return func(c echo.Context) (string, error) {
|
2016-09-23 07:53:44 +02:00
|
|
|
auth := c.Request().Header.Get(header)
|
2016-12-18 12:38:46 +02:00
|
|
|
l := len(authScheme)
|
|
|
|
if len(auth) > l+1 && auth[:l] == authScheme {
|
2016-05-26 23:06:30 +02:00
|
|
|
return auth[l+1:], nil
|
|
|
|
}
|
2017-08-31 19:16:34 +02:00
|
|
|
return "", ErrJWTMissing
|
2016-04-25 22:41:09 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-01-03 06:12:06 +02:00
|
|
|
// jwtFromQuery returns a `jwtExtractor` that extracts token from the query string.
|
2016-05-26 23:06:30 +02:00
|
|
|
func jwtFromQuery(param string) jwtExtractor {
|
2016-04-25 22:41:09 +02:00
|
|
|
return func(c echo.Context) (string, error) {
|
2016-05-13 17:18:00 +02:00
|
|
|
token := c.QueryParam(param)
|
|
|
|
if token == "" {
|
2017-08-31 19:16:34 +02:00
|
|
|
return "", ErrJWTMissing
|
2016-05-13 17:18:00 +02:00
|
|
|
}
|
2017-01-03 06:12:06 +02:00
|
|
|
return token, nil
|
2016-04-25 22:41:09 +02:00
|
|
|
}
|
|
|
|
}
|
2016-07-02 11:26:05 +02:00
|
|
|
|
2017-01-03 06:12:06 +02:00
|
|
|
// jwtFromCookie returns a `jwtExtractor` that extracts token from the named cookie.
|
2016-07-02 11:26:05 +02:00
|
|
|
func jwtFromCookie(name string) jwtExtractor {
|
|
|
|
return func(c echo.Context) (string, error) {
|
|
|
|
cookie, err := c.Cookie(name)
|
|
|
|
if err != nil {
|
2017-08-31 19:16:34 +02:00
|
|
|
return "", ErrJWTMissing
|
2016-05-13 17:18:00 +02:00
|
|
|
}
|
2016-09-23 07:53:44 +02:00
|
|
|
return cookie.Value, nil
|
2016-04-25 22:41:09 +02:00
|
|
|
}
|
|
|
|
}
|