mirror of
https://github.com/labstack/echo.git
synced 2025-01-07 23:01:56 +02:00
6ef5f77bf2
WIP: make default logger implemented custom writer for jsonlike logs WIP: improve examples WIP: defaultErrorHandler use errors.As to unwrap errors. Update readme WIP: default logger logs json, restore e.Start method WIP: clean router.Match a bit WIP: func types/fields have echo.Context has first element WIP: remove yaml tags as functions etc can not be serialized anyway WIP: change BindPathParams,BindQueryParams,BindHeaders from methods to functions and reverse arguments to be like DefaultBinder.Bind is WIP: improved comments, logger now extracts status from error WIP: go mod tidy WIP: rebase with 4.5.0 WIP: * removed todos. * removed StartAutoTLS and StartH2CServer methods from `StartConfig` * KeyAuth middleware errorhandler can swallow the error and resume next middleware WIP: add RouterConfig.UseEscapedPathForMatching to use escaped path for matching request against routes WIP: FIXMEs WIP: upgrade golang-jwt/jwt to `v4` WIP: refactor http methods to return RouteInfo WIP: refactor static not creating multiple routes WIP: refactor route and middleware adding functions not to return error directly WIP: Use 401 for problematic/missing headers for key auth and JWT middleware (#1552, #1402). > In summary, a 401 Unauthorized response should be used for missing or bad authentication WIP: replace `HTTPError.SetInternal` with `HTTPError.WithInternal` so we could not mutate global error variables WIP: add RouteInfo and RouteMatchType into Context what we could know from in middleware what route was matched and/or type of that match (200/404/405) WIP: make notFoundHandler and methodNotAllowedHandler private. encourage that all errors be handled in Echo.HTTPErrorHandler WIP: server cleanup ideas WIP: routable.ForGroup WIP: note about logger middleware WIP: bind should not default values on second try. use crypto rand for better randomness WIP: router add route as interface and returns info as interface WIP: improve flaky test (remains still flaky) WIP: add notes about bind default values WIP: every route can have their own path params names WIP: routerCreator and different tests WIP: different things WIP: remove route implementation WIP: support custom method types WIP: extractor tests WIP: v5.0.x proposal over v4.4.0
190 lines
6.7 KiB
Go
190 lines
6.7 KiB
Go
package middleware
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"github.com/labstack/echo/v4"
|
|
"net/http"
|
|
)
|
|
|
|
// JWTConfig defines the config for JWT middleware.
|
|
type JWTConfig struct {
|
|
// Skipper defines a function to skip middleware.
|
|
Skipper Skipper
|
|
|
|
// BeforeFunc defines a function which is executed just before the middleware.
|
|
BeforeFunc BeforeFunc
|
|
|
|
// SuccessHandler defines a function which is executed for a valid token.
|
|
SuccessHandler JWTSuccessHandler
|
|
|
|
// ErrorHandler defines a function which is executed when all lookups have been done and none of them passed Validator
|
|
// function. ErrorHandler is executed with last missing (ErrExtractionValueMissing) or an invalid key.
|
|
// It may be used to define a custom JWT error.
|
|
//
|
|
// Note: when error handler swallows the error (returns nil) middleware continues handler chain execution towards handler.
|
|
// This is useful in cases when portion of your site/api is publicly accessible and has extra features for authorized users
|
|
// In that case you can use ErrorHandler to set default public JWT token value to request and continue with handler chain.
|
|
ErrorHandler JWTErrorHandlerWithContext
|
|
|
|
// Context key to store user information from the token into context.
|
|
// Optional. Default value "user".
|
|
ContextKey string
|
|
|
|
// TokenLookup is a string in the form of "<source>:<name>" or "<source>:<name>,<source>:<name>" that is used
|
|
// to extract token(s) from the request.
|
|
// Optional. Default value "header:Authorization:Bearer ".
|
|
// Possible values:
|
|
// - "header:<name>"
|
|
// - "query:<name>"
|
|
// - "param:<name>"
|
|
// - "cookie:<name>"
|
|
// - "form:<name>"
|
|
// Multiple sources example:
|
|
// - "header:Authorization,cookie:myowncookie"
|
|
TokenLookup string
|
|
|
|
// ParseTokenFunc defines a user-defined function that parses token from given auth. Returns an error when token
|
|
// parsing fails or parsed token is invalid.
|
|
// NB: could be called multiple times per request when token lookup is able to extract multiple token values (i.e. multiple Authorization headers)
|
|
// See `jwt_external_test.go` for example implementation using `github.com/golang-jwt/jwt` as JWT implementation library
|
|
ParseTokenFunc func(c echo.Context, auth string) (interface{}, error)
|
|
}
|
|
|
|
// JWTSuccessHandler defines a function which is executed for a valid token.
|
|
type JWTSuccessHandler func(c echo.Context)
|
|
|
|
// JWTErrorHandler defines a function which is executed for an invalid token.
|
|
type JWTErrorHandler func(err error) error
|
|
|
|
// JWTErrorHandlerWithContext is almost identical to JWTErrorHandler, but it's passed the current context.
|
|
type JWTErrorHandlerWithContext func(c echo.Context, err error) error
|
|
|
|
type valuesExtractor func(c echo.Context) ([]string, ExtractorType, error)
|
|
|
|
const (
|
|
// AlgorithmHS256 is token signing algorithm
|
|
AlgorithmHS256 = "HS256"
|
|
)
|
|
|
|
// ErrJWTMissing denotes an error raised when JWT token value could not be extracted from request
|
|
var ErrJWTMissing = echo.NewHTTPError(http.StatusUnauthorized, "missing or malformed jwt")
|
|
|
|
// ErrJWTInvalid denotes an error raised when JWT token value is invalid or expired
|
|
var ErrJWTInvalid = echo.NewHTTPError(http.StatusUnauthorized, "invalid or expired jwt")
|
|
|
|
// DefaultJWTConfig is the default JWT auth middleware config.
|
|
var DefaultJWTConfig = JWTConfig{
|
|
Skipper: DefaultSkipper,
|
|
ContextKey: "user",
|
|
TokenLookup: "header:" + echo.HeaderAuthorization + ":Bearer ",
|
|
}
|
|
|
|
// JWT returns a JSON Web Token (JWT) auth middleware.
|
|
//
|
|
// For valid token, it sets the user in context and calls next handler.
|
|
// For invalid token, it returns "401 - Unauthorized" error.
|
|
// For missing token, it returns "400 - Bad Request" error.
|
|
//
|
|
// See: https://jwt.io/introduction
|
|
func JWT(parseTokenFunc func(c echo.Context, auth string) (interface{}, error)) echo.MiddlewareFunc {
|
|
c := DefaultJWTConfig
|
|
c.ParseTokenFunc = parseTokenFunc
|
|
return JWTWithConfig(c)
|
|
}
|
|
|
|
// JWTWithConfig returns a JSON Web Token (JWT) auth middleware or panics if configuration is invalid.
|
|
//
|
|
// For valid token, it sets the user in context and calls next handler.
|
|
// For invalid token, it returns "401 - Unauthorized" error.
|
|
// For missing token, it returns "400 - Bad Request" error.
|
|
//
|
|
// See: https://jwt.io/introduction
|
|
func JWTWithConfig(config JWTConfig) echo.MiddlewareFunc {
|
|
return toMiddlewareOrPanic(config)
|
|
}
|
|
|
|
// ToMiddleware converts JWTConfig to middleware or returns an error for invalid configuration
|
|
func (config JWTConfig) ToMiddleware() (echo.MiddlewareFunc, error) {
|
|
if config.Skipper == nil {
|
|
config.Skipper = DefaultJWTConfig.Skipper
|
|
}
|
|
if config.ParseTokenFunc == nil {
|
|
return nil, errors.New("echo jwt middleware requires parse token function")
|
|
}
|
|
if config.ContextKey == "" {
|
|
config.ContextKey = DefaultJWTConfig.ContextKey
|
|
}
|
|
if config.TokenLookup == "" {
|
|
config.TokenLookup = DefaultJWTConfig.TokenLookup
|
|
}
|
|
extractors, err := createExtractors(config.TokenLookup)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("echo jwt middleware could not create token extractor: %w", err)
|
|
}
|
|
if len(extractors) == 0 {
|
|
return nil, errors.New("echo jwt middleware could not create extractors from TokenLookup string")
|
|
}
|
|
|
|
return func(next echo.HandlerFunc) echo.HandlerFunc {
|
|
return func(c echo.Context) error {
|
|
if config.Skipper(c) {
|
|
return next(c)
|
|
}
|
|
|
|
if config.BeforeFunc != nil {
|
|
config.BeforeFunc(c)
|
|
}
|
|
var lastExtractorErr error
|
|
var lastTokenErr error
|
|
for _, extractor := range extractors {
|
|
auths, _, extrErr := extractor(c)
|
|
if extrErr != nil {
|
|
lastExtractorErr = extrErr
|
|
continue
|
|
}
|
|
for _, auth := range auths {
|
|
token, err := config.ParseTokenFunc(c, auth)
|
|
if err != nil {
|
|
lastTokenErr = err
|
|
continue
|
|
}
|
|
// Store user information from token into context.
|
|
c.Set(config.ContextKey, token)
|
|
if config.SuccessHandler != nil {
|
|
config.SuccessHandler(c)
|
|
}
|
|
return next(c)
|
|
}
|
|
}
|
|
|
|
// prioritize token errors over extracting errors
|
|
err := lastTokenErr
|
|
if err == nil {
|
|
err = lastExtractorErr
|
|
}
|
|
if config.ErrorHandler != nil {
|
|
if err == ErrExtractionValueMissing {
|
|
err = ErrJWTMissing
|
|
}
|
|
// Allow error handler to swallow the error and continue handler chain execution
|
|
// Useful in cases when portion of your site/api is publicly accessible and has extra features for authorized users
|
|
// In that case you can use ErrorHandler to set default public token to request and continue with handler chain
|
|
if handledErr := config.ErrorHandler(c, err); handledErr != nil {
|
|
return handledErr
|
|
}
|
|
return next(c)
|
|
}
|
|
if err == ErrExtractionValueMissing {
|
|
return ErrJWTMissing
|
|
}
|
|
// everything else goes under http.StatusUnauthorized to avoid exposing JWT internals with generic error
|
|
return &echo.HTTPError{
|
|
Code: ErrJWTInvalid.Code,
|
|
Message: ErrJWTInvalid.Message,
|
|
Internal: err,
|
|
}
|
|
}
|
|
}, nil
|
|
}
|