mirror of
https://github.com/raz-varren/sacrificial-socket.git
synced 2025-10-07 00:52:48 +08:00
65 lines
1.6 KiB
Go
65 lines
1.6 KiB
Go
/*
|
|
Package token is used by package ssgrpc for generating and validating HMAC-SHA256 tokens sent as "per RPC credentials".
|
|
*/
|
|
package token
|
|
|
|
import (
|
|
"encoding/json"
|
|
"errors"
|
|
"github.com/dvsekhvalnov/jose2go"
|
|
"time"
|
|
)
|
|
|
|
var (
|
|
ErrTokenExpired = errors.New("token expired")
|
|
ErrBadPayload = errors.New("payload is missing critical values")
|
|
|
|
ErrNoToken = errors.New("user did not provide a token")
|
|
ErrBadBearerValue = errors.New("user provided an invalid Bearer value")
|
|
)
|
|
|
|
//UserToken represents an authenticated user
|
|
type UserToken struct {
|
|
//authenticated user name
|
|
IAM string `json:"iam"`
|
|
|
|
//unix epoc expire time
|
|
EXP int64 `json:"exp"`
|
|
}
|
|
|
|
//GenUserToken will generate an expiring HMAC-SHA256 signed token representing an authenticated user
|
|
func GenUserToken(user string, expires time.Duration, signingKey []byte) (UserToken, string, error) {
|
|
var u UserToken
|
|
u.IAM = user
|
|
u.EXP = time.Now().Add(expires).Unix()
|
|
data, _ := json.Marshal(u)
|
|
tok, err := jose.Sign(string(data), jose.HS256, signingKey)
|
|
return u, tok, err
|
|
}
|
|
|
|
//ValidateUserToken will validate the token and attempt to unmarshal it's payload into a UserToken.
|
|
//
|
|
//error is nil if validation succeeded.
|
|
func ValidateUserToken(token string, signingKey []byte) (UserToken, error) {
|
|
var u UserToken
|
|
payload, _, err := jose.Decode(token, signingKey)
|
|
if err != nil {
|
|
return u, err
|
|
}
|
|
|
|
err = json.Unmarshal([]byte(payload), &u)
|
|
if err != nil {
|
|
return u, err
|
|
}
|
|
|
|
if u.IAM == "" || u.EXP == 0 {
|
|
return u, ErrBadPayload
|
|
}
|
|
|
|
if u.EXP < time.Now().Unix() {
|
|
return u, ErrTokenExpired
|
|
}
|
|
|
|
return u, nil
|
|
}
|