rpdata
/
api
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
GraphQL API and utilities for the rpdata project
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
134 Commits
6 Branches
38 Tags
5.6 MiB
Tree: 875dac9ecb
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '875dac9ecb'
${ noResults }
api/internal/auth/token.go

198 lines
4.8 KiB
Raw Normal View History

auth: Replaced old system with api key-based system.
6 years ago
auth: Fixed incorrect error reporting on permissions mismatching, added ensuring of user in auth.FindUser.
6 years ago
auth: Replaced old system with api key-based system.
6 years ago
  1. package auth
  3. import (
  4. "context"
  5. "errors"
  6. "fmt"
  7. "net/http"
  8. "strings"
  9. "time"
  11. jwt "github.com/dgrijalva/jwt-go"
  12. )
  14. var contextKey = &struct{ data string }{"Token Context Key"}
  16. // ErrNoKid is returned if the key id is missing from the jwt token header,
  17. var ErrNoKid = errors.New("Missing \"kid\" field in token")
  19. // ErrKeyNotFound is returned if the key wasn't found.
  20. var ErrKeyNotFound = errors.New("Key not found")
  22. // ErrInvalidClaims is returned by parseClaims if the claims cannot be parsed
  23. var ErrInvalidClaims = errors.New("Invalid claims in token")
  25. // ErrExpired is returned by parseClaims if the expiry date is in the past
  26. var ErrExpired = errors.New("Claims have already expired")
  28. // ErrWrongUser is returned by CheckToken if the key cannot represent this user
  29. var ErrWrongUser = errors.New("Key is not valid for this user")
  31. // ErrWrongPermissions is returned by CheckToken if the key cannot claim one or more of its permissions
  32. var ErrWrongPermissions = errors.New("User does not have these permissions")
  34. // ErrDeletedUser is returned by CheckToken if the key can represent this user, but the user doesn't exist.
  35. var ErrDeletedUser = errors.New("User was not found")
  37. // A Token contains the parsed results from an bearer token. Its methods are safe to use with a nil receiver, but
  38. // the userID should be checked.
  39. type Token struct {
  40. UserID string
  41. Permissions []string
  42. }
  44. // Authenticated returns true if the token is non-nil and parsed
  45. func (token *Token) Authenticated() bool {
  46. return token != nil && token.UserID != ""
  47. }
  49. // Permitted returns true if the token is non-nil and has the given permission or the "admin" permission
  50. func (token *Token) Permitted(permissions ...string) bool {
  51. if token == nil {
  52. return false
  53. }
  55. for _, tokenPermission := range token.Permissions {
  56. if tokenPermission == "admin" {
  57. return true
  58. }
  60. for _, permission := range permissions {
  61. if permission == tokenPermission {
  62. return true
  63. }
  64. }
  65. }
  67. return false
  68. }
  70. // PermittedUser checks the first permission if the user matches, the second otherwise. This is a common
  71. // pattern.
  72. func (token *Token) PermittedUser(userID, permissionIfUser, permissionOtherwise string) bool {
  73. if token == nil {
  74. return false
  75. }
  77. if token.UserID == userID {
  78. return token.Permitted(permissionIfUser)
  79. }
  81. return token.Permitted(permissionOtherwise)
  82. }
  84. // TokenFromContext gets the token from context.
  85. func TokenFromContext(ctx context.Context) *Token {
  86. token, ok := ctx.Value(contextKey).(*Token)
  87. if !ok {
  88. return nil
  89. }
  91. return token
  92. }
  94. // RequestWithToken either returns the request, or the request with a new context that
  95. // has the token.
  96. func RequestWithToken(r *http.Request) *http.Request {
  97. header := r.Header.Get("Authorization")
  98. if header == "" {
  99. return r
  100. }
  102. if !strings.HasPrefix(header, "Bearer ") {
  103. return r
  104. }
  106. token, err := CheckToken(header[7:])
  107. if err != nil {
  108. return r
  109. }
  111. return r.WithContext(context.WithValue(r.Context(), contextKey, &token))
  112. }
  114. // CheckToken reads the token string and returns a token if everything is kosher.
  115. func CheckToken(tokenString string) (token Token, err error) {
  116. var key Key
  118. jwtToken, err := jwt.Parse(tokenString, func(jwtToken *jwt.Token) (interface{}, error) {
  119. if _, ok := jwtToken.Method.(*jwt.SigningMethodHMAC); !ok {
  120. return nil, fmt.Errorf("Unexpected signing method: %v", jwtToken.Header["alg"])
  121. }
  123. kid, ok := jwtToken.Header["kid"].(string)
  124. if !ok {
  125. return nil, ErrNoKid
  126. }
  128. key, err = FindKey(kid)
  129. if err != nil || key.ID == "" {
  130. return nil, ErrKeyNotFound
  131. }
  133. return []byte(key.Secret), nil
  134. })
  135. if err != nil {
  136. return Token{}, err
  137. }
  139. userid, permissions, err := parseClaims(jwtToken.Claims)
  140. if err != nil {
  141. return Token{}, err
  142. }
  144. if !key.ValidForUser(userid) {
  145. return Token{}, ErrWrongUser
  146. }
  148. user, err := FindUser(userid)
  149. if err != nil {
  150. return Token{}, ErrDeletedUser
  151. }
  153. for _, permission := range permissions {
  154. found := false
  156. for _, userPermission := range user.Permissions {
  157. if permission == userPermission {
  158. found = true
  159. break
  160. }
  161. }
  163. if !found {
  164. return Token{}, ErrWrongPermissions
  165. }
  166. }
  168. return Token{UserID: token.UserID, Permissions: permissions}, nil
  169. }
  171. func parseClaims(jwtClaims jwt.Claims) (userid string, permissions []string, err error) {
  172. mapClaims, ok := jwtClaims.(jwt.MapClaims)
  173. if !ok {
  174. return "", nil, ErrInvalidClaims
  175. }
  177. if !mapClaims.VerifyExpiresAt(time.Now().Unix(), true) {
  178. return "", nil, ErrExpired
  179. }
  181. if userid, ok = mapClaims["user"].(string); !ok {
  182. return "", nil, ErrInvalidClaims
  183. }
  185. if claimedPermissions, ok := mapClaims["permissions"].([]interface{}); ok {
  186. for _, permission := range claimedPermissions {
  187. if permission, ok := permission.(string); ok {
  188. permissions = append(permissions, permission)
  189. }
  190. }
  191. }
  193. if len(permissions) == 0 {
  194. return "", nil, ErrInvalidClaims
  195. }
  197. return
  198. }