2023-01-21 22:36:23 -07:00
|
|
|
package authreq
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
2023-01-22 11:11:01 -07:00
|
|
|
"context"
|
2023-01-21 22:36:23 -07:00
|
|
|
"crypto/ed25519"
|
|
|
|
"encoding/base64"
|
|
|
|
"fmt"
|
|
|
|
"hash/fnv"
|
|
|
|
"io"
|
|
|
|
"net/http"
|
|
|
|
"strings"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/golang-jwt/jwt/v4"
|
|
|
|
)
|
|
|
|
|
2023-01-22 11:11:01 -07:00
|
|
|
var SignatureLifetime = 30 * time.Minute
|
|
|
|
var AuthHeader = "Authorization"
|
2023-01-21 22:36:23 -07:00
|
|
|
|
2023-01-22 11:11:01 -07:00
|
|
|
func Sign(req *http.Request, key ed25519.PrivateKey) (*http.Request, error) {
|
2023-01-21 22:36:23 -07:00
|
|
|
pub := enc([]byte(key.Public().(ed25519.PublicKey)))
|
|
|
|
|
|
|
|
h := fnv.New128a()
|
|
|
|
fmt.Fprint(h, req.Method, req.URL.String())
|
|
|
|
|
|
|
|
if req.Body != nil {
|
|
|
|
b := &bytes.Buffer{}
|
|
|
|
w := io.MultiWriter(h, b)
|
|
|
|
_, err := io.Copy(w, req.Body)
|
|
|
|
if err != nil {
|
|
|
|
return req, err
|
|
|
|
}
|
|
|
|
req.Body = io.NopCloser(b)
|
|
|
|
}
|
|
|
|
|
|
|
|
token := jwt.NewWithClaims(jwt.SigningMethodEdDSA, jwt.RegisteredClaims{
|
|
|
|
Subject: enc(h.Sum(nil)),
|
|
|
|
ExpiresAt: jwt.NewNumericDate(time.Now().Add(SignatureLifetime)),
|
|
|
|
IssuedAt: jwt.NewNumericDate(time.Now()),
|
|
|
|
Issuer: pub,
|
|
|
|
})
|
|
|
|
|
|
|
|
sig, err := token.SignedString(key)
|
|
|
|
if err != nil {
|
|
|
|
return req, err
|
|
|
|
}
|
|
|
|
|
2023-01-22 11:11:01 -07:00
|
|
|
req.Header.Set(AuthHeader, sig)
|
2023-01-21 22:36:23 -07:00
|
|
|
|
|
|
|
return req, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func Authorization(hdlr http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
|
2023-01-22 11:11:01 -07:00
|
|
|
auth := req.Header.Get(AuthHeader)
|
2023-01-21 22:36:23 -07:00
|
|
|
if auth == "" {
|
|
|
|
rw.WriteHeader(http.StatusUnauthorized)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
h := fnv.New128a()
|
|
|
|
fmt.Fprint(h, req.Method, req.URL.String())
|
|
|
|
|
|
|
|
if req.Body != nil {
|
|
|
|
b := &bytes.Buffer{}
|
|
|
|
w := io.MultiWriter(h, b)
|
|
|
|
_, err := io.Copy(w, req.Body)
|
|
|
|
if err != nil {
|
|
|
|
rw.WriteHeader(http.StatusBadRequest)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
subject := enc(h.Sum(nil))
|
|
|
|
token, err := jwt.ParseWithClaims(
|
|
|
|
string(auth),
|
|
|
|
&jwt.RegisteredClaims{},
|
|
|
|
func(tok *jwt.Token) (any, error) {
|
|
|
|
c, ok := tok.Claims.(*jwt.RegisteredClaims)
|
|
|
|
if !ok {
|
|
|
|
return nil, fmt.Errorf("wrong type of claim")
|
|
|
|
}
|
|
|
|
|
|
|
|
pub, err := dec(c.Issuer)
|
|
|
|
return ed25519.PublicKey(pub), err
|
|
|
|
},
|
2023-01-22 11:11:01 -07:00
|
|
|
jwt.WithValidMethods([]string{jwt.SigningMethodEdDSA.Alg()}),
|
2023-01-21 22:36:23 -07:00
|
|
|
jwt.WithJSONNumber(),
|
|
|
|
)
|
|
|
|
if err != nil {
|
|
|
|
rw.WriteHeader(http.StatusBadRequest)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
c, ok := token.Claims.(*jwt.RegisteredClaims)
|
|
|
|
if !ok {
|
|
|
|
rw.WriteHeader(http.StatusUnprocessableEntity)
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2023-01-22 11:11:01 -07:00
|
|
|
req = req.WithContext(context.WithValue(req.Context(), contextKey, c))
|
|
|
|
|
2023-01-21 22:36:23 -07:00
|
|
|
if c.Subject != subject {
|
|
|
|
rw.WriteHeader(http.StatusForbidden)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
hdlr.ServeHTTP(rw, req)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func enc(b []byte) string {
|
|
|
|
return base64.RawURLEncoding.EncodeToString(b)
|
|
|
|
}
|
|
|
|
func dec(s string) ([]byte, error) {
|
|
|
|
s = strings.TrimSpace(s)
|
|
|
|
return base64.RawURLEncoding.DecodeString(s)
|
|
|
|
}
|
2023-01-22 11:11:01 -07:00
|
|
|
|
|
|
|
var contextKey = struct{ name string }{"jwtClaim"}
|
|
|
|
|
|
|
|
func FromContext(ctx context.Context) *jwt.RegisteredClaims {
|
|
|
|
if v := ctx.Value(contextKey); v != nil {
|
|
|
|
if c, ok := v.(*jwt.RegisteredClaims); ok {
|
|
|
|
return c
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|