authorizer/server/token/jwt.go

package token

import (
	"errors"

	"github.com/golang-jwt/jwt"

	"github.com/authorizerdev/authorizer/server/constants"
	"github.com/authorizerdev/authorizer/server/crypto"
	"github.com/authorizerdev/authorizer/server/memorystore"
)

// SignJWTToken common util to sing jwt token
func SignJWTToken(claims jwt.MapClaims) (string, error) {
	jwtType, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyJwtType)
	if err != nil {
		return "", err
	}
	signingMethod := jwt.GetSigningMethod(jwtType)
	if signingMethod == nil {
		return "", errors.New("unsupported signing method")
	}
	t := jwt.New(signingMethod)
	if t == nil {
		return "", errors.New("unsupported signing method")
	}
	t.Claims = claims

	switch signingMethod {
	case jwt.SigningMethodHS256, jwt.SigningMethodHS384, jwt.SigningMethodHS512:
		jwtSecret, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyJwtSecret)
		if err != nil {
			return "", err
		}
		return t.SignedString([]byte(jwtSecret))
	case jwt.SigningMethodRS256, jwt.SigningMethodRS384, jwt.SigningMethodRS512:
		jwtPrivateKey, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyJwtPrivateKey)
		if err != nil {
			return "", err
		}
		key, err := crypto.ParseRsaPrivateKeyFromPemStr(jwtPrivateKey)
		if err != nil {
			return "", err
		}
		return t.SignedString(key)
	case jwt.SigningMethodES256, jwt.SigningMethodES384, jwt.SigningMethodES512:
		jwtPrivateKey, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyJwtPrivateKey)
		if err != nil {
			return "", err
		}
		key, err := crypto.ParseEcdsaPrivateKeyFromPemStr(jwtPrivateKey)
		if err != nil {
			return "", err
		}

		return t.SignedString(key)
	default:
		return "", errors.New("unsupported signing method")
	}
}

// ParseJWTToken common util to parse jwt token
func ParseJWTToken(token string) (jwt.MapClaims, error) {
	jwtType, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyJwtType)
	if err != nil {
		return nil, err
	}
	signingMethod := jwt.GetSigningMethod(jwtType)

	var claims jwt.MapClaims

	switch signingMethod {
	case jwt.SigningMethodHS256, jwt.SigningMethodHS384, jwt.SigningMethodHS512:
		_, err = jwt.ParseWithClaims(token, &claims, func(token *jwt.Token) (interface{}, error) {
			jwtSecret, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyJwtSecret)
			if err != nil {
				return nil, err
			}
			return []byte(jwtSecret), nil
		})
	case jwt.SigningMethodRS256, jwt.SigningMethodRS384, jwt.SigningMethodRS512:
		_, err = jwt.ParseWithClaims(token, &claims, func(token *jwt.Token) (interface{}, error) {
			jwtPublicKey, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyJwtPublicKey)
			if err != nil {
				return nil, err
			}
			key, err := crypto.ParseRsaPublicKeyFromPemStr(jwtPublicKey)
			if err != nil {
				return nil, err
			}
			return key, nil
		})
	case jwt.SigningMethodES256, jwt.SigningMethodES384, jwt.SigningMethodES512:
		_, err = jwt.ParseWithClaims(token, &claims, func(token *jwt.Token) (interface{}, error) {
			jwtPublicKey, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyJwtPublicKey)
			if err != nil {
				return nil, err
			}
			key, err := crypto.ParseEcdsaPublicKeyFromPemStr(jwtPublicKey)
			if err != nil {
				return nil, err
			}
			return key, nil
		})
	default:
		err = errors.New("unsupported signing method")
	}
	if err != nil {
		return claims, err
	}

	// claim parses exp & iat into float 64 with e^10,
	// but we expect it to be int64
	// hence we need to assert interface and convert to int64
	intExp := int64(claims["exp"].(float64))
	intIat := int64(claims["iat"].(float64))
	claims["exp"] = intExp
	claims["iat"] = intIat

	return claims, nil
}

// ValidateJWTClaims common util to validate claims
func ValidateJWTClaims(claims jwt.MapClaims, hostname, nonce, subject string) (bool, error) {
	clientID, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyClientID)
	if err != nil {
		return false, err
	}
	if claims["aud"] != clientID {
		return false, errors.New("invalid audience")
	}

	if claims["nonce"] != nonce {
		return false, errors.New("invalid nonce")
	}

	if claims["iss"] != hostname {
		return false, errors.New("invalid issuer")
	}

	if claims["sub"] != subject {
		return false, errors.New("invalid subject")
	}

	return true, nil
}

// ValidateJWTTokenWithoutNonce common util to validate claims without nonce
func ValidateJWTTokenWithoutNonce(claims jwt.MapClaims, hostname, subject string) (bool, error) {
	clientID, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyClientID)
	if err != nil {
		return false, err
	}
	if claims["aud"] != clientID {
		return false, errors.New("invalid audience")
	}

	if claims["iss"] != hostname {
		return false, errors.New("invalid issuer")
	}

	if claims["sub"] != subject {
		return false, errors.New("invalid subject")
	}
	return true, nil
}
Add support for more JWT algo methods 2022-02-12 10:24:23 +00:00			`package token`

			`import (`
			`"errors"`

fix: app login page signup url add debug logs 2022-06-05 16:14:16 +00:00			`"github.com/golang-jwt/jwt"`

Add support for more JWT algo methods 2022-02-12 10:24:23 +00:00			`"github.com/authorizerdev/authorizer/server/constants"`
fix: tests 2022-02-28 02:25:01 +00:00			`"github.com/authorizerdev/authorizer/server/crypto"`
fix: memory store upgrade in resolvers 2022-05-30 03:49:55 +00:00			`"github.com/authorizerdev/authorizer/server/memorystore"`
Add support for more JWT algo methods 2022-02-12 10:24:23 +00:00			`)`

			`// SignJWTToken common util to sing jwt token`
			`func SignJWTToken(claims jwt.MapClaims) (string, error) {`
fix: memory store upgrade in token helpers 2022-05-30 05:30:00 +00:00			`jwtType, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyJwtType)`
			`if err != nil {`
			`return "", err`
			`}`
Add support for more JWT algo methods 2022-02-12 10:24:23 +00:00			`signingMethod := jwt.GetSigningMethod(jwtType)`
Add test for jwt tokens 2022-02-12 13:56:37 +00:00			`if signingMethod == nil {`
			`return "", errors.New("unsupported signing method")`
			`}`
Add support for more JWT algo methods 2022-02-12 10:24:23 +00:00			`t := jwt.New(signingMethod)`
Add test for jwt tokens 2022-02-12 13:56:37 +00:00			`if t == nil {`
			`return "", errors.New("unsupported signing method")`
			`}`
Add support for more JWT algo methods 2022-02-12 10:24:23 +00:00			`t.Claims = claims`

			`switch signingMethod {`
			`case jwt.SigningMethodHS256, jwt.SigningMethodHS384, jwt.SigningMethodHS512:`
fix: memory store upgrade in token helpers 2022-05-30 05:30:00 +00:00			`jwtSecret, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyJwtSecret)`
			`if err != nil {`
			`return "", err`
			`}`
			`return t.SignedString([]byte(jwtSecret))`
Add support for more JWT algo methods 2022-02-12 10:24:23 +00:00			`case jwt.SigningMethodRS256, jwt.SigningMethodRS384, jwt.SigningMethodRS512:`
fix: memory store upgrade in token helpers 2022-05-30 05:30:00 +00:00			`jwtPrivateKey, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyJwtPrivateKey)`
			`if err != nil {`
			`return "", err`
			`}`
			`key, err := crypto.ParseRsaPrivateKeyFromPemStr(jwtPrivateKey)`
Add support for more JWT algo methods 2022-02-12 10:24:23 +00:00			`if err != nil {`
			`return "", err`
			`}`
			`return t.SignedString(key)`
			`case jwt.SigningMethodES256, jwt.SigningMethodES384, jwt.SigningMethodES512:`
fix: memory store upgrade in token helpers 2022-05-30 05:30:00 +00:00			`jwtPrivateKey, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyJwtPrivateKey)`
			`if err != nil {`
			`return "", err`
			`}`
			`key, err := crypto.ParseEcdsaPrivateKeyFromPemStr(jwtPrivateKey)`
Add support for more JWT algo methods 2022-02-12 10:24:23 +00:00			`if err != nil {`
			`return "", err`
			`}`
fix: tests 2022-02-28 02:25:01 +00:00
Add support for more JWT algo methods 2022-02-12 10:24:23 +00:00			`return t.SignedString(key)`
			`default:`
			`return "", errors.New("unsupported signing method")`
			`}`
			`}`

			`// ParseJWTToken common util to parse jwt token`
fix: session invalidation 2022-06-11 13:40:39 +00:00			`func ParseJWTToken(token string) (jwt.MapClaims, error) {`
fix: memory store upgrade in token helpers 2022-05-30 05:30:00 +00:00			`jwtType, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyJwtType)`
			`if err != nil {`
			`return nil, err`
			`}`
Add support for more JWT algo methods 2022-02-12 10:24:23 +00:00			`signingMethod := jwt.GetSigningMethod(jwtType)`

			`var claims jwt.MapClaims`

			`switch signingMethod {`
			`case jwt.SigningMethodHS256, jwt.SigningMethodHS384, jwt.SigningMethodHS512:`
Add test for jwt tokens 2022-02-12 13:56:37 +00:00			`_, err = jwt.ParseWithClaims(token, &claims, func(token *jwt.Token) (interface{}, error) {`
fix: memory store upgrade in token helpers 2022-05-30 05:30:00 +00:00			`jwtSecret, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyJwtSecret)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return []byte(jwtSecret), nil`
Add support for more JWT algo methods 2022-02-12 10:24:23 +00:00			`})`
			`case jwt.SigningMethodRS256, jwt.SigningMethodRS384, jwt.SigningMethodRS512:`
			`_, err = jwt.ParseWithClaims(token, &claims, func(token *jwt.Token) (interface{}, error) {`
fix: memory store upgrade in token helpers 2022-05-30 05:30:00 +00:00			`jwtPublicKey, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyJwtPublicKey)`
			`if err != nil {`
			`return nil, err`
			`}`
			`key, err := crypto.ParseRsaPublicKeyFromPemStr(jwtPublicKey)`
Add support for more JWT algo methods 2022-02-12 10:24:23 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`return key, nil`
			`})`
			`case jwt.SigningMethodES256, jwt.SigningMethodES384, jwt.SigningMethodES512:`
			`_, err = jwt.ParseWithClaims(token, &claims, func(token *jwt.Token) (interface{}, error) {`
fix: memory store upgrade in token helpers 2022-05-30 05:30:00 +00:00			`jwtPublicKey, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyJwtPublicKey)`
			`if err != nil {`
			`return nil, err`
			`}`
			`key, err := crypto.ParseEcdsaPublicKeyFromPemStr(jwtPublicKey)`
Add support for more JWT algo methods 2022-02-12 10:24:23 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`return key, nil`
			`})`
			`default:`
			`err = errors.New("unsupported signing method")`
			`}`
			`if err != nil {`
			`return claims, err`
			`}`

			`// claim parses exp & iat into float 64 with e^10,`
			`// but we expect it to be int64`
			`// hence we need to assert interface and convert to int64`
			`intExp := int64(claims["exp"].(float64))`
			`intIat := int64(claims["iat"].(float64))`
			`claims["exp"] = intExp`
			`claims["iat"] = intIat`
fix: session invalidation 2022-06-11 13:40:39 +00:00
			`return claims, nil`
			`}`

			`// ValidateJWTClaims common util to validate claims`
			`func ValidateJWTClaims(claims jwt.MapClaims, hostname, nonce, subject string) (bool, error) {`
fix: memory store upgrade in token helpers 2022-05-30 05:30:00 +00:00			`clientID, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyClientID)`
			`if err != nil {`
fix: session invalidation 2022-06-11 13:40:39 +00:00			`return false, err`
fix: memory store upgrade in token helpers 2022-05-30 05:30:00 +00:00			`}`
			`if claims["aud"] != clientID {`
fix: session invalidation 2022-06-11 13:40:39 +00:00			`return false, errors.New("invalid audience")`
fix: auth flow 2022-03-02 12:12:31 +00:00			`}`

			`if claims["nonce"] != nonce {`
fix: session invalidation 2022-06-11 13:40:39 +00:00			`return false, errors.New("invalid nonce")`
fix: auth flow 2022-03-02 12:12:31 +00:00			`}`

			`if claims["iss"] != hostname {`
fix: session invalidation 2022-06-11 13:40:39 +00:00			`return false, errors.New("invalid issuer")`
fix: auth flow 2022-03-02 12:12:31 +00:00			`}`

			`if claims["sub"] != subject {`
fix: session invalidation 2022-06-11 13:40:39 +00:00			`return false, errors.New("invalid subject")`
fix: auth flow 2022-03-02 12:12:31 +00:00			`}`

fix: session invalidation 2022-06-11 13:40:39 +00:00			`return true, nil`
Add support for more JWT algo methods 2022-02-12 10:24:23 +00:00			`}`
feat: add validate_jwt_token query Resolves #149 2022-03-24 08:01:56 +00:00
fix: user session access 2022-06-11 18:57:21 +00:00			`// ValidateJWTTokenWithoutNonce common util to validate claims without nonce`
			`func ValidateJWTTokenWithoutNonce(claims jwt.MapClaims, hostname, subject string) (bool, error) {`
fix: memory store upgrade in token helpers 2022-05-30 05:30:00 +00:00			`clientID, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyClientID)`
			`if err != nil {`
fix: session invalidation 2022-06-11 13:40:39 +00:00			`return false, err`
fix: memory store upgrade in token helpers 2022-05-30 05:30:00 +00:00			`}`
			`if claims["aud"] != clientID {`
fix: session invalidation 2022-06-11 13:40:39 +00:00			`return false, errors.New("invalid audience")`
feat: add validate_jwt_token query Resolves #149 2022-03-24 08:01:56 +00:00			`}`

			`if claims["iss"] != hostname {`
fix: session invalidation 2022-06-11 13:40:39 +00:00			`return false, errors.New("invalid issuer")`
feat: add validate_jwt_token query Resolves #149 2022-03-24 08:01:56 +00:00			`}`

fix: user session access 2022-06-11 18:57:21 +00:00			`if claims["sub"] != subject {`
			`return false, errors.New("invalid subject")`
			`}`
fix: session invalidation 2022-06-11 13:40:39 +00:00			`return true, nil`
feat: add validate_jwt_token query Resolves #149 2022-03-24 08:01:56 +00:00			`}`