go-pkg/authreq/authreq.go

package authreq

import (
	"bytes"
	"context"
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"hash/fnv"
	"io"
	"net/http"
	"strings"
	"time"

	"github.com/golang-jwt/jwt/v4"
)

var SignatureLifetime = 30 * time.Minute
var AuthHeader = "Authorization"

func Sign(req *http.Request, key ed25519.PrivateKey) (*http.Request, error) {
	pub := enc([]byte(key.Public().(ed25519.PublicKey)))

	h := fnv.New128a()
	fmt.Fprint(h, req.Method, req.URL.String())

	if req.Body != nil {
		b := &bytes.Buffer{}
		w := io.MultiWriter(h, b)
		_, err := io.Copy(w, req.Body)
		if err != nil {
			return req, err
		}
		req.Body = io.NopCloser(b)
	}

	token := jwt.NewWithClaims(jwt.SigningMethodEdDSA, jwt.RegisteredClaims{
		Subject:   enc(h.Sum(nil)),
		ExpiresAt: jwt.NewNumericDate(time.Now().Add(SignatureLifetime)),
		IssuedAt:  jwt.NewNumericDate(time.Now()),
		Issuer:    pub,
	})

	sig, err := token.SignedString(key)
	if err != nil {
		return req, err
	}

	req.Header.Set(AuthHeader, sig)

	return req, nil
}

func Authorization(hdlr http.Handler) http.Handler {
	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
		auth := req.Header.Get(AuthHeader)
		if auth == "" {
			rw.WriteHeader(http.StatusUnauthorized)
			return
		}

		h := fnv.New128a()
		fmt.Fprint(h, req.Method, req.URL.String())

		if req.Body != nil {
			b := &bytes.Buffer{}
			w := io.MultiWriter(h, b)
			_, err := io.Copy(w, req.Body)
			if err != nil {
				rw.WriteHeader(http.StatusBadRequest)
			}
		}

		subject := enc(h.Sum(nil))
		token, err := jwt.ParseWithClaims(
			string(auth),
			&jwt.RegisteredClaims{},
			func(tok *jwt.Token) (any, error) {
				c, ok := tok.Claims.(*jwt.RegisteredClaims)
				if !ok {
					return nil, fmt.Errorf("wrong type of claim")
				}

				pub, err := dec(c.Issuer)
				return ed25519.PublicKey(pub), err
			},
			jwt.WithValidMethods([]string{jwt.SigningMethodEdDSA.Alg()}),
			jwt.WithJSONNumber(),
		)
		if err != nil {
			rw.WriteHeader(http.StatusBadRequest)
			return
		}

		c, ok := token.Claims.(*jwt.RegisteredClaims)
		if !ok {
			rw.WriteHeader(http.StatusUnprocessableEntity)

			return
		}

		req = req.WithContext(context.WithValue(req.Context(), contextKey, c))

		if c.Subject != subject {
			rw.WriteHeader(http.StatusForbidden)
			return
		}

		hdlr.ServeHTTP(rw, req)
	})
}

func enc(b []byte) string {
	return base64.RawURLEncoding.EncodeToString(b)
}
func dec(s string) ([]byte, error) {
	s = strings.TrimSpace(s)
	return base64.RawURLEncoding.DecodeString(s)
}

var contextKey = struct{ name string }{"jwtClaim"}

func FromContext(ctx context.Context) *jwt.RegisteredClaims {
	if v := ctx.Value(contextKey); v != nil {
		if c, ok := v.(*jwt.RegisteredClaims); ok {
			return c
		}
	}

	return nil
}
initial commit 2023-07-12 12:43:25 -06:00			`package authreq`

			`import (`
			`"bytes"`
			`"context"`
			`"crypto/ed25519"`
			`"encoding/base64"`
			`"fmt"`
			`"hash/fnv"`
			`"io"`
			`"net/http"`
			`"strings"`
			`"time"`

			`"github.com/golang-jwt/jwt/v4"`
			`)`

			`var SignatureLifetime = 30 * time.Minute`
			`var AuthHeader = "Authorization"`

			`func Sign(req http.Request, key ed25519.PrivateKey) (http.Request, error) {`
			`pub := enc([]byte(key.Public().(ed25519.PublicKey)))`

			`h := fnv.New128a()`
			`fmt.Fprint(h, req.Method, req.URL.String())`

			`if req.Body != nil {`
			`b := &bytes.Buffer{}`
			`w := io.MultiWriter(h, b)`
			`_, err := io.Copy(w, req.Body)`
			`if err != nil {`
			`return req, err`
			`}`
			`req.Body = io.NopCloser(b)`
			`}`

			`token := jwt.NewWithClaims(jwt.SigningMethodEdDSA, jwt.RegisteredClaims{`
			`Subject: enc(h.Sum(nil)),`
			`ExpiresAt: jwt.NewNumericDate(time.Now().Add(SignatureLifetime)),`
			`IssuedAt: jwt.NewNumericDate(time.Now()),`
			`Issuer: pub,`
			`})`

			`sig, err := token.SignedString(key)`
			`if err != nil {`
			`return req, err`
			`}`

			`req.Header.Set(AuthHeader, sig)`

			`return req, nil`
			`}`

			`func Authorization(hdlr http.Handler) http.Handler {`
			`return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {`
			`auth := req.Header.Get(AuthHeader)`
			`if auth == "" {`
			`rw.WriteHeader(http.StatusUnauthorized)`
			`return`
			`}`

			`h := fnv.New128a()`
			`fmt.Fprint(h, req.Method, req.URL.String())`

			`if req.Body != nil {`
			`b := &bytes.Buffer{}`
			`w := io.MultiWriter(h, b)`
			`_, err := io.Copy(w, req.Body)`
			`if err != nil {`
			`rw.WriteHeader(http.StatusBadRequest)`
			`}`
			`}`

			`subject := enc(h.Sum(nil))`
			`token, err := jwt.ParseWithClaims(`
			`string(auth),`
			`&jwt.RegisteredClaims{},`
			`func(tok *jwt.Token) (any, error) {`
			`c, ok := tok.Claims.(*jwt.RegisteredClaims)`
			`if !ok {`
			`return nil, fmt.Errorf("wrong type of claim")`
			`}`

			`pub, err := dec(c.Issuer)`
			`return ed25519.PublicKey(pub), err`
			`},`
			`jwt.WithValidMethods([]string{jwt.SigningMethodEdDSA.Alg()}),`
			`jwt.WithJSONNumber(),`
			`)`
			`if err != nil {`
			`rw.WriteHeader(http.StatusBadRequest)`
			`return`
			`}`

			`c, ok := token.Claims.(*jwt.RegisteredClaims)`
			`if !ok {`
			`rw.WriteHeader(http.StatusUnprocessableEntity)`

			`return`
			`}`

			`req = req.WithContext(context.WithValue(req.Context(), contextKey, c))`

			`if c.Subject != subject {`
			`rw.WriteHeader(http.StatusForbidden)`
			`return`
			`}`

			`hdlr.ServeHTTP(rw, req)`
			`})`
			`}`

			`func enc(b []byte) string {`
			`return base64.RawURLEncoding.EncodeToString(b)`
			`}`
			`func dec(s string) ([]byte, error) {`
			`s = strings.TrimSpace(s)`
			`return base64.RawURLEncoding.DecodeString(s)`
			`}`

			`var contextKey = struct{ name string }{"jwtClaim"}`

			`func FromContext(ctx context.Context) *jwt.RegisteredClaims {`
			`if v := ctx.Value(contextKey); v != nil {`
			`if c, ok := v.(*jwt.RegisteredClaims); ok {`
			`return c`
			`}`
			`}`

			`return nil`
			`}`