einherjar/auth-jwt
2
0
Fork 0
Code Issues Pull Requests Packages Releases 1 Activity
Files
a9c9f3434e2455e8cef1b79658dd004931a25e6e
auth-jwt/refresh.go

57 lines
1.7 KiB
Go
Raw Normal View History

feat(auth-jwt): initial implementation — JWT lifecycle and AuthMiddleware (v1.0.0) Introduces code.nochebuena.dev/einherjar/auth-jwt — JWT authentication middleware and token lifecycle management for the Einherjar framework. Absorbs httpauth-jwt from micro-lib with three changes: logger parameter on AuthMiddleware, httputil.Error for consistent 401 responses, and added ECDSA support. Signers and Verifiers (one file per implementation — CT-6 compliant): - Verifier interface — Verify(tokenString string) (*jwt.Token, error) - Signer interface — extends Verifier; adds Sign(claims jwt.Claims) (string, error) - signer_hmac.go — NewHMACSigner(secret) → HS256; jwt.WithJSONNumber() on Verify - signer_rsa.go — NewRSASigner(key) + NewRSASignerFromPEM(pem) → RS256 - verifier_rsa.go — NewRSAPublicKeyVerifier + NewRSAPublicKeyVerifierFromPEM → RS256 verify-only - signer_ec.go — NewECSigner(key) + NewECSignerFromPEM(pem) → ES256/384/512; algorithm auto-detected from key curve (P-256→ES256, P-384→ES384, P-521→ES512) - verifier_ec.go — NewECPublicKeyVerifier + NewECPublicKeyVerifierFromPEM → EC verify-only Token lifecycle: - TokenConfig struct — AccessTTL, RefreshTTL, Issuer - TokenPair struct — AccessToken, RefreshToken, ExpiresIn - IssueTokenPair — access + refresh pair; customClaims merged at top level; refresh carries only sub/iss/iat/exp/jti/fam; jwt.WithJSONNumber() preserves int64 bitmasks - Blacklist interface — IsRevoked + Revoke; satisfied by cache-valkey via duck typing - ErrTokenRevoked — errors.New sentinel; errors.Is pattern for replay-attack detection - RefreshTokenPair — verifies token, checks blacklist, revokes old JTI, issues new pair HTTP middleware: - AuthMiddleware(logger, verifier, publicPaths) — verifies Bearer tokens; calls authmw.SetTokenData on success; 401 routed through httputil.Error (Warn level); publicPaths use path.Match wildcards; accepts Verifier (not Signer) to enforce narrowest-interface principle for verify-only services Compliance test (package authjwt_test) enforces CT-6 (≤1 exported TypeSpec/file), compile-time interface satisfaction, and behavioural coverage: HMAC/RSA/EC sign+verify, algorithm mismatch rejection, IssueTokenPair claims/jti/fam, RefreshTokenPair success/ revoked/blacklist-error/custom-claims, MaxInt64 json.Number precision, AuthMiddleware valid/invalid/expired/missing/public-path/wildcard/JSON-body/RSA-verifier/SetTokenData. Depends on auth v1.0.0, contracts v1.0.0, core v1.0.0, web v1.0.0, jwt/v5 v5.2.1. - identifiable.go: package-level Module variable (observability.Identifiable) for version identification — auth-jwt is a function library; not registered with the launcher
2026-05-29 16:13:01 +00:00
package authjwt
import (
"context"
"fmt"
"time"
"github.com/golang-jwt/jwt/v5"
)
// RefreshTokenPair validates refreshToken, checks the blacklist, revokes the old JTI,
// and issues a new token pair for the same uid.
// customClaims are merged into the new access token — re-fetch fresh permissions here
// so role changes take effect without revoking outstanding access tokens.
// Returns ErrTokenRevoked if the JTI is already on the blacklist (replay attack or
// re-use after rotation).
func RefreshTokenPair(ctx context.Context, signer Signer, refreshToken string, bl Blacklist, cfg TokenConfig, customClaims map[string]any) (TokenPair, error) {
token, err := signer.Verify(refreshToken)
if err != nil {
return TokenPair{}, fmt.Errorf("invalid refresh token: %w", err)
}
claims, ok := token.Claims.(jwt.MapClaims)
if !ok {
return TokenPair{}, fmt.Errorf("unexpected claims type in refresh token")
}
jti, _ := claims["jti"].(string)
uid, _ := claims["sub"].(string)
if jti == "" || uid == "" {
return TokenPair{}, fmt.Errorf("missing required claims in refresh token")
}
revoked, err := bl.IsRevoked(ctx, jti)
if err != nil {
return TokenPair{}, fmt.Errorf("blacklist check: %w", err)
}
if revoked {
return TokenPair{}, ErrTokenRevoked
}
expTime, err := claims.GetExpirationTime()
if err != nil || expTime == nil {
return TokenPair{}, fmt.Errorf("invalid expiration in refresh token")
}
remaining := time.Until(expTime.Time)
if remaining < time.Second {
remaining = time.Second
}
if err := bl.Revoke(ctx, jti, remaining); err != nil {
return TokenPair{}, fmt.Errorf("revoke old token: %w", err)
}
return IssueTokenPair(signer, uid, customClaims, cfg)
}
Reference in New Issue Copy Permalink