tag/v1.0.0/tokens.go

package authjwt

import (
	"crypto/rand"
	"fmt"
	"time"

	"github.com/golang-jwt/jwt/v5"
)

// IssueTokenPair signs a new access + refresh token pair for uid.
// customClaims are merged into the access token at the top level. Use this to embed
// per-resource permission masks so ClaimsPermissionProvider can read them without a DB call.
// The refresh token carries only sub, iss, iat, exp, jti, and fam (token family).
func IssueTokenPair(signer Signer, uid string, customClaims map[string]any, cfg TokenConfig) (TokenPair, error) {
	now := time.Now()

	accessClaims := jwt.MapClaims{
		"sub": uid,
		"iss": cfg.Issuer,
		"iat": jwt.NewNumericDate(now),
		"exp": jwt.NewNumericDate(now.Add(cfg.AccessTTL)),
		"jti": newJTI(),
	}
	for k, v := range customClaims {
		accessClaims[k] = v
	}

	accessToken, err := signer.Sign(accessClaims)
	if err != nil {
		return TokenPair{}, fmt.Errorf("sign access token: %w", err)
	}

	refreshClaims := jwt.MapClaims{
		"sub": uid,
		"iss": cfg.Issuer,
		"iat": jwt.NewNumericDate(now),
		"exp": jwt.NewNumericDate(now.Add(cfg.RefreshTTL)),
		"jti": newJTI(),
		"fam": newJTI(),
	}

	refreshToken, err := signer.Sign(refreshClaims)
	if err != nil {
		return TokenPair{}, fmt.Errorf("sign refresh token: %w", err)
	}

	return TokenPair{
		AccessToken:  accessToken,
		RefreshToken: refreshToken,
		ExpiresIn:    int64(cfg.AccessTTL.Seconds()),
	}, nil
}

func newJTI() string {
	b := make([]byte, 16)
	_, _ = rand.Read(b)
	b[6] = (b[6] & 0x0f) | 0x40
	b[8] = (b[8] & 0x3f) | 0x80
	return fmt.Sprintf("%08x-%04x-%04x-%04x-%012x",
		b[0:4], b[4:6], b[6:8], b[8:10], b[10:])
}
feat(auth-jwt): initial implementation — JWT lifecycle and AuthMiddleware (v1.0.0) Introduces code.nochebuena.dev/einherjar/auth-jwt — JWT authentication middleware and token lifecycle management for the Einherjar framework. Absorbs httpauth-jwt from micro-lib with three changes: logger parameter on AuthMiddleware, httputil.Error for consistent 401 responses, and added ECDSA support. Signers and Verifiers (one file per implementation — CT-6 compliant): - Verifier interface — Verify(tokenString string) (*jwt.Token, error) - Signer interface — extends Verifier; adds Sign(claims jwt.Claims) (string, error) - signer_hmac.go — NewHMACSigner(secret) → HS256; jwt.WithJSONNumber() on Verify - signer_rsa.go — NewRSASigner(key) + NewRSASignerFromPEM(pem) → RS256 - verifier_rsa.go — NewRSAPublicKeyVerifier + NewRSAPublicKeyVerifierFromPEM → RS256 verify-only - signer_ec.go — NewECSigner(key) + NewECSignerFromPEM(pem) → ES256/384/512; algorithm auto-detected from key curve (P-256→ES256, P-384→ES384, P-521→ES512) - verifier_ec.go — NewECPublicKeyVerifier + NewECPublicKeyVerifierFromPEM → EC verify-only Token lifecycle: - TokenConfig struct — AccessTTL, RefreshTTL, Issuer - TokenPair struct — AccessToken, RefreshToken, ExpiresIn - IssueTokenPair — access + refresh pair; customClaims merged at top level; refresh carries only sub/iss/iat/exp/jti/fam; jwt.WithJSONNumber() preserves int64 bitmasks - Blacklist interface — IsRevoked + Revoke; satisfied by cache-valkey via duck typing - ErrTokenRevoked — errors.New sentinel; errors.Is pattern for replay-attack detection - RefreshTokenPair — verifies token, checks blacklist, revokes old JTI, issues new pair HTTP middleware: - AuthMiddleware(logger, verifier, publicPaths) — verifies Bearer tokens; calls authmw.SetTokenData on success; 401 routed through httputil.Error (Warn level); publicPaths use path.Match wildcards; accepts Verifier (not Signer) to enforce narrowest-interface principle for verify-only services Compliance test (package authjwt_test) enforces CT-6 (≤1 exported TypeSpec/file), compile-time interface satisfaction, and behavioural coverage: HMAC/RSA/EC sign+verify, algorithm mismatch rejection, IssueTokenPair claims/jti/fam, RefreshTokenPair success/ revoked/blacklist-error/custom-claims, MaxInt64 json.Number precision, AuthMiddleware valid/invalid/expired/missing/public-path/wildcard/JSON-body/RSA-verifier/SetTokenData. Depends on auth v1.0.0, contracts v1.0.0, core v1.0.0, web v1.0.0, jwt/v5 v5.2.1. - identifiable.go: package-level Module variable (observability.Identifiable) for version identification — auth-jwt is a function library; not registered with the launcher 2026-05-29 16:13:01 +00:00			`package authjwt`

			`import (`
			`"crypto/rand"`
			`"fmt"`
			`"time"`

			`"github.com/golang-jwt/jwt/v5"`
			`)`

			`// IssueTokenPair signs a new access + refresh token pair for uid.`
			`// customClaims are merged into the access token at the top level. Use this to embed`
			`// per-resource permission masks so ClaimsPermissionProvider can read them without a DB call.`
			`// The refresh token carries only sub, iss, iat, exp, jti, and fam (token family).`
			`func IssueTokenPair(signer Signer, uid string, customClaims map[string]any, cfg TokenConfig) (TokenPair, error) {`
			`now := time.Now()`

			`accessClaims := jwt.MapClaims{`
			`"sub": uid,`
			`"iss": cfg.Issuer,`
			`"iat": jwt.NewNumericDate(now),`
			`"exp": jwt.NewNumericDate(now.Add(cfg.AccessTTL)),`
			`"jti": newJTI(),`
			`}`
			`for k, v := range customClaims {`
			`accessClaims[k] = v`
			`}`

			`accessToken, err := signer.Sign(accessClaims)`
			`if err != nil {`
			`return TokenPair{}, fmt.Errorf("sign access token: %w", err)`
			`}`

			`refreshClaims := jwt.MapClaims{`
			`"sub": uid,`
			`"iss": cfg.Issuer,`
			`"iat": jwt.NewNumericDate(now),`
			`"exp": jwt.NewNumericDate(now.Add(cfg.RefreshTTL)),`
			`"jti": newJTI(),`
			`"fam": newJTI(),`
			`}`

			`refreshToken, err := signer.Sign(refreshClaims)`
			`if err != nil {`
			`return TokenPair{}, fmt.Errorf("sign refresh token: %w", err)`
			`}`

			`return TokenPair{`
			`AccessToken: accessToken,`
			`RefreshToken: refreshToken,`
			`ExpiresIn: int64(cfg.AccessTTL.Seconds()),`
			`}, nil`
			`}`

			`func newJTI() string {`
			`b := make([]byte, 16)`
			`_, _ = rand.Read(b)`
			`b[6] = (b[6] & 0x0f) \| 0x40`
			`b[8] = (b[8] & 0x3f) \| 0x80`
			`return fmt.Sprintf("%08x-%04x-%04x-%04x-%012x",`
			`b[0:4], b[4:6], b[6:8], b[8:10], b[10:])`
			`}`