Skip to content

Commit

Permalink
claimsfeat(authN): Redesign JWT token auth #372
Browse files Browse the repository at this point in the history
Split verify function for JWT token auth to make it more readable
  • Loading branch information
michalkrzyz committed Dec 12, 2024
1 parent e4db2d7 commit f36bc07
Show file tree
Hide file tree
Showing 2 changed files with 52 additions and 18 deletions.
68 changes: 51 additions & 17 deletions internal/api/graphql/access/token_auth_method.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,35 +40,69 @@ type TokenAuthMethod struct {
}

func (tam TokenAuthMethod) Verify(c *gin.Context) error {
verifyError := func(s string) error {
return fmt.Errorf("TokenAuthMethod(%s)", s)

tokenString, err := getTokenFromHeader(c)
if err != nil {
return err
}

claims, err := tam.verifyTokenAndGetClaimsFromTokenString(tokenString)
if err != nil {
return err
}

err = tam.verifyTokenExpiration(claims)
if err != nil {
return err
}

scannerNameToContext(c, claims)

return nil
}

func verifyError(s string) error {
return fmt.Errorf("TokenAuthMethod(%s)", s)
}

func getTokenFromHeader(c *gin.Context) (string, error) {
var err error
tokenString := c.GetHeader(tokenAuthHeader)
if tokenString == "" {
return verifyError("No authorization header")
err = verifyError("No authorization header")
}
token, claims, err := tam.parseFromString(tokenString)
return tokenString, err
}

func (tam TokenAuthMethod) verifyTokenAndGetClaimsFromTokenString(tokenString string) (*TokenClaims, error) {
claims := &TokenClaims{}
token, err := jwt.ParseWithClaims(tokenString, claims, tam.parse)
if err != nil {
tam.logger.Error("JWT parsing error: ", err)
return verifyError("Token parsing error")
} else if !token.Valid || claims.ExpiresAt == nil {
err = verifyError("Token parsing error")
} else if !token.Valid {
tam.logger.Error("Invalid token")
return verifyError("Invalid token")
} else if claims.ExpiresAt.Before(time.Now()) {
err = verifyError("Invalid token")
}
return claims, err
}

func (tam TokenAuthMethod) verifyTokenExpiration(tc *TokenClaims) error {
var err error
if tc.ExpiresAt == nil {
tam.logger.Error("Missing ExpiresAt in token claims")
err = verifyError("Missing ExpiresAt in token claims")
} else if tc.ExpiresAt.Before(time.Now()) {
tam.logger.Warn("Expired token")
return verifyError("Token expired")
err = verifyError("Expired token")
}
c.Set(scannerNameKey, claims.RegisteredClaims.Subject)
ctx := context.WithValue(c.Request.Context(), ginContextKey, c)
c.Request = c.Request.WithContext(ctx)
return nil
return err
}

func (tam TokenAuthMethod) parseFromString(tokenString string) (*jwt.Token, *TokenClaims, error) {
claims := &TokenClaims{}
token, err := jwt.ParseWithClaims(tokenString, claims, tam.parse)
return token, claims, err
func scannerNameToContext(c *gin.Context, tc *TokenClaims) {
c.Set(scannerNameKey, tc.RegisteredClaims.Subject)
ctx := context.WithValue(c.Request.Context(), ginContextKey, c)
c.Request = c.Request.WithContext(ctx)
}

func (tam *TokenAuthMethod) parse(token *jwt.Token) (interface{}, error) {
Expand Down
2 changes: 1 addition & 1 deletion internal/e2e/token_auth_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,7 @@ var _ = Describe("Getting access via API", Label("e2e", "TokenAuthorization"), f
token := GenerateInvalidJwt(cfg.AuthTokenSecret)
resp := SendGetRequest(queryUrl, map[string]string{"X-Service-Authorization": token})
Expect(resp.StatusCode).To(Equal(401))
ExpectErrorMessage(resp, "TokenAuthMethod(Invalid token)")
ExpectErrorMessage(resp, "TokenAuthMethod(Missing ExpiresAt in token claims)")
})
})
})

0 comments on commit f36bc07

Please sign in to comment.