tag/v1.0.0/verifier_rsa.go

package authjwt

import (
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"

	"github.com/golang-jwt/jwt/v5"
)

var _ Verifier = (*rsaPublicVerifier)(nil)

type rsaPublicVerifier struct{ public *rsa.PublicKey }

// NewRSAPublicKeyVerifier returns a Verifier backed by an RSA public key.
// Use this in services that verify tokens but never issue them.
func NewRSAPublicKeyVerifier(publicKey *rsa.PublicKey) Verifier {
	return &rsaPublicVerifier{public: publicKey}
}

// NewRSAPublicKeyVerifierFromPEM parses a PKIX or PKCS#1 PEM-encoded RSA public key.
func NewRSAPublicKeyVerifierFromPEM(pemKey []byte) (Verifier, error) {
	block, _ := pem.Decode(pemKey)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		rsaPub, err2 := x509.ParsePKCS1PublicKey(block.Bytes)
		if err2 != nil {
			return nil, fmt.Errorf("parse RSA public key: %w", err)
		}
		return NewRSAPublicKeyVerifier(rsaPub), nil
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("PEM key is not an RSA public key")
	}
	return NewRSAPublicKeyVerifier(rsaPub), nil
}

func (v *rsaPublicVerifier) Verify(tokenString string) (*jwt.Token, error) {
	return jwt.Parse(tokenString, func(t *jwt.Token) (any, error) {
		if _, ok := t.Method.(*jwt.SigningMethodRSA); !ok {
			return nil, fmt.Errorf("unexpected signing method %q", t.Header["alg"])
		}
		return v.public, nil
	}, jwt.WithJSONNumber())
}
feat(auth-jwt): initial implementation — JWT lifecycle and AuthMiddleware (v1.0.0) Introduces code.nochebuena.dev/einherjar/auth-jwt — JWT authentication middleware and token lifecycle management for the Einherjar framework. Absorbs httpauth-jwt from micro-lib with three changes: logger parameter on AuthMiddleware, httputil.Error for consistent 401 responses, and added ECDSA support. Signers and Verifiers (one file per implementation — CT-6 compliant): - Verifier interface — Verify(tokenString string) (*jwt.Token, error) - Signer interface — extends Verifier; adds Sign(claims jwt.Claims) (string, error) - signer_hmac.go — NewHMACSigner(secret) → HS256; jwt.WithJSONNumber() on Verify - signer_rsa.go — NewRSASigner(key) + NewRSASignerFromPEM(pem) → RS256 - verifier_rsa.go — NewRSAPublicKeyVerifier + NewRSAPublicKeyVerifierFromPEM → RS256 verify-only - signer_ec.go — NewECSigner(key) + NewECSignerFromPEM(pem) → ES256/384/512; algorithm auto-detected from key curve (P-256→ES256, P-384→ES384, P-521→ES512) - verifier_ec.go — NewECPublicKeyVerifier + NewECPublicKeyVerifierFromPEM → EC verify-only Token lifecycle: - TokenConfig struct — AccessTTL, RefreshTTL, Issuer - TokenPair struct — AccessToken, RefreshToken, ExpiresIn - IssueTokenPair — access + refresh pair; customClaims merged at top level; refresh carries only sub/iss/iat/exp/jti/fam; jwt.WithJSONNumber() preserves int64 bitmasks - Blacklist interface — IsRevoked + Revoke; satisfied by cache-valkey via duck typing - ErrTokenRevoked — errors.New sentinel; errors.Is pattern for replay-attack detection - RefreshTokenPair — verifies token, checks blacklist, revokes old JTI, issues new pair HTTP middleware: - AuthMiddleware(logger, verifier, publicPaths) — verifies Bearer tokens; calls authmw.SetTokenData on success; 401 routed through httputil.Error (Warn level); publicPaths use path.Match wildcards; accepts Verifier (not Signer) to enforce narrowest-interface principle for verify-only services Compliance test (package authjwt_test) enforces CT-6 (≤1 exported TypeSpec/file), compile-time interface satisfaction, and behavioural coverage: HMAC/RSA/EC sign+verify, algorithm mismatch rejection, IssueTokenPair claims/jti/fam, RefreshTokenPair success/ revoked/blacklist-error/custom-claims, MaxInt64 json.Number precision, AuthMiddleware valid/invalid/expired/missing/public-path/wildcard/JSON-body/RSA-verifier/SetTokenData. Depends on auth v1.0.0, contracts v1.0.0, core v1.0.0, web v1.0.0, jwt/v5 v5.2.1. - identifiable.go: package-level Module variable (observability.Identifiable) for version identification — auth-jwt is a function library; not registered with the launcher 2026-05-29 16:13:01 +00:00			`package authjwt`

			`import (`
			`"crypto/rsa"`
			`"crypto/x509"`
			`"encoding/pem"`
			`"fmt"`

			`"github.com/golang-jwt/jwt/v5"`
			`)`

			`var _ Verifier = (*rsaPublicVerifier)(nil)`

			`type rsaPublicVerifier struct{ public *rsa.PublicKey }`

			`// NewRSAPublicKeyVerifier returns a Verifier backed by an RSA public key.`
			`// Use this in services that verify tokens but never issue them.`
			`func NewRSAPublicKeyVerifier(publicKey *rsa.PublicKey) Verifier {`
			`return &rsaPublicVerifier{public: publicKey}`
			`}`

			`// NewRSAPublicKeyVerifierFromPEM parses a PKIX or PKCS#1 PEM-encoded RSA public key.`
			`func NewRSAPublicKeyVerifierFromPEM(pemKey []byte) (Verifier, error) {`
			`block, _ := pem.Decode(pemKey)`
			`if block == nil {`
			`return nil, fmt.Errorf("no PEM block found")`
			`}`
			`pub, err := x509.ParsePKIXPublicKey(block.Bytes)`
			`if err != nil {`
			`rsaPub, err2 := x509.ParsePKCS1PublicKey(block.Bytes)`
			`if err2 != nil {`
			`return nil, fmt.Errorf("parse RSA public key: %w", err)`
			`}`
			`return NewRSAPublicKeyVerifier(rsaPub), nil`
			`}`
			`rsaPub, ok := pub.(*rsa.PublicKey)`
			`if !ok {`
			`return nil, fmt.Errorf("PEM key is not an RSA public key")`
			`}`
			`return NewRSAPublicKeyVerifier(rsaPub), nil`
			`}`

			`func (v rsaPublicVerifier) Verify(tokenString string) (jwt.Token, error) {`
			`return jwt.Parse(tokenString, func(t *jwt.Token) (any, error) {`
			`if _, ok := t.Method.(*jwt.SigningMethodRSA); !ok {`
			`return nil, fmt.Errorf("unexpected signing method %q", t.Header["alg"])`
			`}`
			`return v.public, nil`
			`}, jwt.WithJSONNumber())`
			`}`