initial commit

authreq/authreq.go

@@ -0,0 +1,131 @@
+package authreq
+
+import (
+	"bytes"
+	"context"
+	"crypto/ed25519"
+	"encoding/base64"
+	"fmt"
+	"hash/fnv"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/golang-jwt/jwt/v4"
+)
+
+var SignatureLifetime = 30 * time.Minute
+var AuthHeader = "Authorization"
+
+func Sign(req *http.Request, key ed25519.PrivateKey) (*http.Request, error) {
+	pub := enc([]byte(key.Public().(ed25519.PublicKey)))
+
+	h := fnv.New128a()
+	fmt.Fprint(h, req.Method, req.URL.String())
+
+	if req.Body != nil {
+		b := &bytes.Buffer{}
+		w := io.MultiWriter(h, b)
+		_, err := io.Copy(w, req.Body)
+		if err != nil {
+			return req, err
+		}
+		req.Body = io.NopCloser(b)
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodEdDSA, jwt.RegisteredClaims{
+		Subject:   enc(h.Sum(nil)),
+		ExpiresAt: jwt.NewNumericDate(time.Now().Add(SignatureLifetime)),
+		IssuedAt:  jwt.NewNumericDate(time.Now()),
+		Issuer:    pub,
+	})
+
+	sig, err := token.SignedString(key)
+	if err != nil {
+		return req, err
+	}
+
+	req.Header.Set(AuthHeader, sig)
+
+	return req, nil
+}
+
+func Authorization(hdlr http.Handler) http.Handler {
+	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
+		auth := req.Header.Get(AuthHeader)
+		if auth == "" {
+			rw.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+
+		h := fnv.New128a()
+		fmt.Fprint(h, req.Method, req.URL.String())
+
+		if req.Body != nil {
+			b := &bytes.Buffer{}
+			w := io.MultiWriter(h, b)
+			_, err := io.Copy(w, req.Body)
+			if err != nil {
+				rw.WriteHeader(http.StatusBadRequest)
+			}
+		}
+
+		subject := enc(h.Sum(nil))
+		token, err := jwt.ParseWithClaims(
+			string(auth),
+			&jwt.RegisteredClaims{},
+			func(tok *jwt.Token) (any, error) {
+				c, ok := tok.Claims.(*jwt.RegisteredClaims)
+				if !ok {
+					return nil, fmt.Errorf("wrong type of claim")
+				}
+
+				pub, err := dec(c.Issuer)
+				return ed25519.PublicKey(pub), err
+			},
+			jwt.WithValidMethods([]string{jwt.SigningMethodEdDSA.Alg()}),
+			jwt.WithJSONNumber(),
+		)
+		if err != nil {
+			rw.WriteHeader(http.StatusBadRequest)
+			return
+		}
+
+		c, ok := token.Claims.(*jwt.RegisteredClaims)
+		if !ok {
+			rw.WriteHeader(http.StatusUnprocessableEntity)
+
+			return
+		}
+
+		req = req.WithContext(context.WithValue(req.Context(), contextKey, c))
+
+		if c.Subject != subject {
+			rw.WriteHeader(http.StatusForbidden)
+			return
+		}
+
+		hdlr.ServeHTTP(rw, req)
+	})
+}
+
+func enc(b []byte) string {
+	return base64.RawURLEncoding.EncodeToString(b)
+}
+func dec(s string) ([]byte, error) {
+	s = strings.TrimSpace(s)
+	return base64.RawURLEncoding.DecodeString(s)
+}
+
+var contextKey = struct{ name string }{"jwtClaim"}
+
+func FromContext(ctx context.Context) *jwt.RegisteredClaims {
+	if v := ctx.Value(contextKey); v != nil {
+		if c, ok := v.(*jwt.RegisteredClaims); ok {
+			return c
+		}
+	}
+
+	return nil
+}

authreq/authreq_test.go

@@ -0,0 +1,104 @@
+package authreq_test
+
+import (
+	"crypto/ed25519"
+	"encoding/base64"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/matryer/is"
+	"go.sour.is/pkg/authreq"
+)
+
+func TestGETRequest(t *testing.T) {
+	is := is.New(t)
+
+	pub, priv, err := ed25519.GenerateKey(nil)
+	is.NoErr(err)
+
+	req, err := http.NewRequest(http.MethodGet, "http://example.com/"+enc(pub)+"/test?q=test", nil)
+	is.NoErr(err)
+
+	req, err = authreq.Sign(req, priv)
+	is.NoErr(err)
+
+	t.Log(enc(pub))
+	t.Log(req.Header.Get(authreq.AuthHeader))
+
+	var hdlr http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		c := authreq.FromContext(r.Context())
+		if c == nil {
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
+		if !strings.Contains(req.URL.Path, c.Issuer) {
+			w.WriteHeader(http.StatusForbidden)
+			return
+		}
+	})
+
+	hdlr = authreq.Authorization(hdlr)
+
+	rw := httptest.NewRecorder()
+
+	hdlr.ServeHTTP(rw, req)
+
+	is.Equal(rw.Code, http.StatusOK)
+}
+
+func TestPOSTRequest(t *testing.T) {
+	is := is.New(t)
+
+	content := "this is post!"
+
+	pub, priv, err := ed25519.GenerateKey(nil)
+	is.NoErr(err)
+
+	req, err := http.NewRequest(http.MethodPost, "http://example.com/"+enc(pub)+"/test?q=test", strings.NewReader(content))
+	is.NoErr(err)
+
+	req, err = authreq.Sign(req, priv)
+	is.NoErr(err)
+
+	t.Log(enc(pub))
+	t.Log(req.Header.Get(authreq.AuthHeader))
+
+	var hdlr http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		c := authreq.FromContext(r.Context())
+		if c == nil {
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
+		contentCheck, err := io.ReadAll(r.Body)
+		r.Body.Close()
+
+		if err != nil {
+			w.WriteHeader(http.StatusBadRequest)
+			return
+		}
+
+		t.Log(string(contentCheck))
+		if !strings.Contains(req.URL.Path, c.Issuer) {
+			w.WriteHeader(http.StatusForbidden)
+			return
+		}
+	})
+
+	hdlr = authreq.Authorization(hdlr)
+
+	rw := httptest.NewRecorder()
+
+	hdlr.ServeHTTP(rw, req)
+
+	is.Equal(rw.Code, http.StatusOK)
+
+}
+
+func enc(b []byte) string {
+	return base64.RawURLEncoding.EncodeToString(b)
+}