From a9c9f3434e2455e8cef1b79658dd004931a25e6e Mon Sep 17 00:00:00 2001 From: Rene Nochebuena Guerrero Date: Fri, 29 May 2026 16:13:01 +0000 Subject: [PATCH] =?UTF-8?q?feat(auth-jwt):=20initial=20implementation=20?= =?UTF-8?q?=E2=80=94=20JWT=20lifecycle=20and=20AuthMiddleware=20(v1.0.0)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Introduces code.nochebuena.dev/einherjar/auth-jwt — JWT authentication middleware and token lifecycle management for the Einherjar framework. Absorbs httpauth-jwt from micro-lib with three changes: logger parameter on AuthMiddleware, httputil.Error for consistent 401 responses, and added ECDSA support. Signers and Verifiers (one file per implementation — CT-6 compliant): - Verifier interface — Verify(tokenString string) (*jwt.Token, error) - Signer interface — extends Verifier; adds Sign(claims jwt.Claims) (string, error) - signer_hmac.go — NewHMACSigner(secret) → HS256; jwt.WithJSONNumber() on Verify - signer_rsa.go — NewRSASigner(key) + NewRSASignerFromPEM(pem) → RS256 - verifier_rsa.go — NewRSAPublicKeyVerifier + NewRSAPublicKeyVerifierFromPEM → RS256 verify-only - signer_ec.go — NewECSigner(key) + NewECSignerFromPEM(pem) → ES256/384/512; algorithm auto-detected from key curve (P-256→ES256, P-384→ES384, P-521→ES512) - verifier_ec.go — NewECPublicKeyVerifier + NewECPublicKeyVerifierFromPEM → EC verify-only Token lifecycle: - TokenConfig struct — AccessTTL, RefreshTTL, Issuer - TokenPair struct — AccessToken, RefreshToken, ExpiresIn - IssueTokenPair — access + refresh pair; customClaims merged at top level; refresh carries only sub/iss/iat/exp/jti/fam; jwt.WithJSONNumber() preserves int64 bitmasks - Blacklist interface — IsRevoked + Revoke; satisfied by cache-valkey via duck typing - ErrTokenRevoked — errors.New sentinel; errors.Is pattern for replay-attack detection - RefreshTokenPair — verifies token, checks blacklist, revokes old JTI, issues new pair HTTP middleware: - AuthMiddleware(logger, verifier, publicPaths) — verifies Bearer tokens; calls authmw.SetTokenData on success; 401 routed through httputil.Error (Warn level); publicPaths use path.Match wildcards; accepts Verifier (not Signer) to enforce narrowest-interface principle for verify-only services Compliance test (package authjwt_test) enforces CT-6 (≤1 exported TypeSpec/file), compile-time interface satisfaction, and behavioural coverage: HMAC/RSA/EC sign+verify, algorithm mismatch rejection, IssueTokenPair claims/jti/fam, RefreshTokenPair success/ revoked/blacklist-error/custom-claims, MaxInt64 json.Number precision, AuthMiddleware valid/invalid/expired/missing/public-path/wildcard/JSON-body/RSA-verifier/SetTokenData. Depends on auth v1.0.0, contracts v1.0.0, core v1.0.0, web v1.0.0, jwt/v5 v5.2.1. - identifiable.go: package-level Module variable (observability.Identifiable) for version identification — auth-jwt is a function library; not registered with the launcher --- .gitea/CODEOWNERS | 1 + .gitea/pull_request_template.md | 70 ++++ .gitignore | 38 ++ CHANGELOG.md | 36 ++ CLA.md | 90 +++++ CONTRIBUTING.md | 247 ++++++++++++ LICENSE | 661 ++++++++++++++++++++++++++++++++ README.md | 98 +++++ auth.go | 76 ++++ blacklist.go | 20 + compliance_test.go | 597 ++++++++++++++++++++++++++++ doc.go | 28 ++ docs/adr/index.md | 87 +++++ go.mod | 22 ++ go.sum | 36 ++ identifiable.go | 32 ++ refresh.go | 56 +++ signer.go | 11 + signer_ec.go | 66 ++++ signer_hmac.go | 30 ++ signer_rsa.go | 57 +++ token_config.go | 10 + token_pair.go | 8 + tokens.go | 62 +++ verifier.go | 10 + verifier_ec.go | 46 +++ verifier_rsa.go | 50 +++ 27 files changed, 2545 insertions(+) create mode 100644 .gitea/CODEOWNERS create mode 100644 .gitea/pull_request_template.md create mode 100644 .gitignore create mode 100644 CHANGELOG.md create mode 100644 CLA.md create mode 100644 CONTRIBUTING.md create mode 100644 LICENSE create mode 100644 README.md create mode 100644 auth.go create mode 100644 blacklist.go create mode 100644 compliance_test.go create mode 100644 doc.go create mode 100644 docs/adr/index.md create mode 100644 go.mod create mode 100644 go.sum create mode 100644 identifiable.go create mode 100644 refresh.go create mode 100644 signer.go create mode 100644 signer_ec.go create mode 100644 signer_hmac.go create mode 100644 signer_rsa.go create mode 100644 token_config.go create mode 100644 token_pair.go create mode 100644 tokens.go create mode 100644 verifier.go create mode 100644 verifier_ec.go create mode 100644 verifier_rsa.go diff --git a/.gitea/CODEOWNERS b/.gitea/CODEOWNERS new file mode 100644 index 0000000..3a6b985 --- /dev/null +++ b/.gitea/CODEOWNERS @@ -0,0 +1 @@ +* @einherjar/CoreDevelopers @einherjar/Agents diff --git a/.gitea/pull_request_template.md b/.gitea/pull_request_template.md new file mode 100644 index 0000000..1bf0362 --- /dev/null +++ b/.gitea/pull_request_template.md @@ -0,0 +1,70 @@ +## Summary + + + +--- + +## Type of change + +- [ ] Bug fix — non-breaking change that resolves an issue +- [ ] New feature — non-breaking addition of functionality +- [ ] Breaking change — alters existing behavior or public API +- [ ] Documentation update +- [ ] Refactor — no functional change, no new API surface +- [ ] Test improvement + +--- + +## Description + + + +--- + +## Testing + +- [ ] I added or updated tests that cover my changes +- [ ] All tests pass locally — `go test ./...` +- [ ] No formatting issues — `gofmt -l .` produces no output +- [ ] No vet warnings — `go vet ./...` is clean + +--- + +## Checklist + +- [ ] At most one exported type per non-test `.go` file (CT-6) +- [ ] No new external dependencies added without prior discussion in an issue +- [ ] Public API changes are reflected in `CHANGELOG.md` +- [ ] Breaking changes include a migration note in the PR description above + +--- + +## Contributor License Agreement + +> **This PR will not be merged until the CLA comment is present.** + +Before a Maintainer reviews your code, you must post the following text **as a comment on this PR** — not here in the description. PR description checkboxes can be silently toggled by anyone; a comment is a timestamped, author-attributed record that cannot be quietly removed. + +**Copy and post this exact text as a PR comment:** + +--- + +> I have read the Einherjar Contributor License Agreement (CLA.md) and I agree to all its terms. +> I confirm this Contribution is my original work. I grant the Maintainers the rights described +> therein, including the right to relicense, and I retain ownership of my copyright. +> This agreement covers all future Contributions I submit to any Einherjar repository under +> this account. + +--- + +First time contributing? Read [CLA.md](../CLA.md) for the full agreement before posting the comment. + +If you are contributing on behalf of a company, an authorized representative of that company must post the comment. + + diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..f68b26c --- /dev/null +++ b/.gitignore @@ -0,0 +1,38 @@ +# ── Release workflow helpers ────────────────────────────────────────────────── +COMMIT.md +PR.md +RELEASE.md + +# ── Go build artifacts ──────────────────────────────────────────────────────── +*.exe +*.exe~ +*.dll +*.so +*.dylib +*.test +*.out +/dist/ +/bin/ + +# ── Go workspace (local development only) ──────────────────────────────────── +go.work +go.work.sum + +# ── Dependency vendor directory ─────────────────────────────────────────────── +vendor/ + +# ── Coverage output ─────────────────────────────────────────────────────────── +coverage.out +coverage.html +*.coverprofile + +# ── OS artifacts ───────────────────────────────────────────────────────────── +.DS_Store +Thumbs.db + +# ── Editor artifacts ────────────────────────────────────────────────────────── +.idea/ +.vscode/ +*.swp +*.swo +*~ diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..076a22e --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,36 @@ +# Changelog + +## v1.0.0 + +Initial release. + +### Signers and Verifiers + +- `Verifier` interface — `Verify(tokenString string) (*jwt.Token, error)` +- `Signer` interface — extends `Verifier`; adds `Sign(claims jwt.Claims) (string, error)` +- `NewHMACSigner(secret []byte) Signer` — HMAC-SHA256 (HS256) +- `NewRSASigner(privateKey *rsa.PrivateKey) Signer` — RSA-SHA256 (RS256); public key derived from private +- `NewRSASignerFromPEM(pemKey []byte) (Signer, error)` — parses PKCS#8 or PKCS#1 PEM +- `NewRSAPublicKeyVerifier(publicKey *rsa.PublicKey) Verifier` — verify-only; use when the service never issues tokens +- `NewRSAPublicKeyVerifierFromPEM(pemKey []byte) (Verifier, error)` — parses PKIX or PKCS#1 PEM +- `NewECSigner(privateKey *ecdsa.PrivateKey) Signer` — ECDSA; algorithm auto-detected from curve (P-256→ES256, P-384→ES384, P-521→ES512) +- `NewECSignerFromPEM(pemKey []byte) (Signer, error)` — parses PKCS#8 PEM +- `NewECPublicKeyVerifier(publicKey *ecdsa.PublicKey) Verifier` — EC verify-only +- `NewECPublicKeyVerifierFromPEM(pemKey []byte) (Verifier, error)` — parses PKIX PEM +- All `Verify` implementations use `jwt.WithJSONNumber()` — preserves large int64 bitmasks through JSON round-trip + +### Token issuance + +- `TokenConfig` struct — `AccessTTL time.Duration`, `RefreshTTL time.Duration`, `Issuer string` +- `TokenPair` struct — `AccessToken string`, `RefreshToken string`, `ExpiresIn int64` +- `IssueTokenPair(signer, uid, customClaims, cfg) (TokenPair, error)` — signs access + refresh pair; `customClaims` merged at top level of access token; refresh token carries only `sub/iss/iat/exp/jti/fam` + +### Token refresh + +- `Blacklist` interface — `IsRevoked(ctx, jti) (bool, error)` + `Revoke(ctx, jti, ttl) error`; satisfied by `cache-valkey` via duck typing +- `ErrTokenRevoked` — sentinel error; use `errors.Is(err, authjwt.ErrTokenRevoked)` to detect replay attacks +- `RefreshTokenPair(ctx, signer, refreshToken, bl, cfg, customClaims) (TokenPair, error)` — validates token, checks blacklist, revokes old JTI, issues new pair; `customClaims` re-embedded in new access token + +### HTTP middleware + +- `AuthMiddleware(logger, verifier, publicPaths) func(http.Handler) http.Handler` — verifies Bearer tokens; calls `authmw.SetTokenData` on success; routes 401 through `httputil.Error`; `publicPaths` support `path.Match` wildcards diff --git a/CLA.md b/CLA.md new file mode 100644 index 0000000..2850689 --- /dev/null +++ b/CLA.md @@ -0,0 +1,90 @@ +# Contributor License Agreement + +By contributing to any Einherjar repository, you agree to the terms of this Contributor License Agreement ("Agreement"). Please read it carefully before submitting your first Pull Request. + +--- + +## 1. Definitions + +| Term | Meaning | +|---|---| +| **You** | The individual or legal entity submitting a Contribution | +| **Contribution** | Any original work — source code, documentation, tests, configuration — submitted to an Einherjar repository | +| **Project** | The Einherjar framework and all repositories under `code.nochebuena.dev/einherjar/` | +| **Maintainers** | The individuals responsible for maintaining the Project | + +--- + +## 2. You Retain Ownership + +This Agreement does **not** transfer your copyright to the Maintainers. You remain the legal owner of your Contribution. What you grant here is a broad license to use it — not ownership of it. + +--- + +## 3. Copyright License Grant + +You grant the Maintainers and all recipients of the Project a **perpetual, worldwide, non-exclusive, royalty-free, irrevocable** license to: + +- Reproduce, modify, and create derivative works of your Contribution +- Publicly display and perform your Contribution +- Distribute your Contribution and derivative works, in source or compiled form, under any terms +- Sublicense the above rights to third parties +- **Relicense** your Contribution under a different open-source or commercial license at the Maintainers' sole discretion + +The Maintainers commit to keeping the Project available under at least one OSI-approved open-source license at all times. + +--- + +## 4. Patent License Grant + +You grant the Maintainers and all recipients of the Project a **perpetual, worldwide, non-exclusive, royalty-free, irrevocable** patent license to make, use, sell, offer for sale, import, and distribute your Contribution — limited to patent claims you own or control that are necessarily infringed by your Contribution alone, or in combination with the Project to which you submitted it. + +--- + +## 5. Your Representations + +By submitting a Contribution, you confirm that: + +1. **Original work.** The Contribution is your original work, or you have the legal right to submit it under these terms. +2. **No infringement.** To your knowledge, the Contribution does not infringe any third-party intellectual property rights, including patents, copyrights, and trade secrets. +3. **Employer rights.** If your employer holds rights over intellectual property you create, you have obtained written permission to submit the Contribution on behalf of that employer, or your employer has explicitly waived such rights for contributions to open-source projects. +4. **No warranty implied.** You understand that your Contribution may or may not be included in the Project, and the Maintainers are under no obligation to use it. + +--- + +## 6. No Support Obligation + +You are not required to provide maintenance, support, or updates for your Contributions. They are accepted **"as-is"**, without any warranty of fitness for a particular purpose or correctness. + +--- + +## 7. How to Sign + +Consent is given by **posting a comment** on your Pull Request with the following exact text: + +``` +I have read the Einherjar Contributor License Agreement (CLA.md) and I agree to all its terms. +I confirm this Contribution is my original work. I grant the Maintainers the rights described +therein, including the right to relicense, and I retain ownership of my copyright. +This agreement covers all future Contributions I submit to any Einherjar repository under +this account. +``` + +**Why a comment and not a checkbox?** +PR description checkboxes can be silently toggled on and off by anyone with write access to the branch at any time. A comment creates a timestamped, author-attributed record in the PR activity log — it cannot be quietly retracted. If a comment is deleted, the deletion itself is visible in the activity log. + +No handwritten or electronic signature is required beyond the comment above. A Maintainer will verify the comment before merging. PRs without the comment will not be merged. + +If you are contributing on behalf of a company or organization, ensure that an authorized representative of that entity has reviewed and accepted these terms before submitting. The comment must be posted by the account that owns the Contribution. + +--- + +## 8. Governing Terms + +This Agreement is intended to be simple and broadly fair. It follows the model established by widely adopted CLAs from the Apache Software Foundation, Google, and MongoDB — granting the Project the flexibility to evolve while fully preserving your ownership of what you wrote. + +If any provision of this Agreement is found unenforceable, the remaining provisions continue in full effect. + +--- + +*For those who come after. — The Einherjar Maintainers* diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..ed3e1d0 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,247 @@ +# Contributing to Einherjar + +Thank you for your interest in contributing to Einherjar. This document explains everything you need to know before sending your first Pull Request. + +Einherjar is developed and maintained by **NOCHEBUENADEV**, the trade name of its founder operating as a *Persona Física con Actividad Empresarial* (PFAE) under Mexican law. Contributions are welcome and valued — but they are accepted under the terms described here, so please read this document fully before you begin. + +--- + +## Table of Contents + +1. [Before You Start](#1-before-you-start) +2. [Legal: CLA and Copyright](#2-legal-cla-and-copyright) +3. [Development Setup](#3-development-setup) +4. [Code Standards](#4-code-standards) +5. [Commit Messages](#5-commit-messages) +6. [Submitting a Pull Request](#6-submitting-a-pull-request) +7. [Reporting Bugs](#7-reporting-bugs) +8. [Requesting Features](#8-requesting-features) +9. [What Gets Accepted](#9-what-gets-accepted) + +--- + +## 1. Before You Start + +**Open an issue first for anything non-trivial.** + +Before you write a line of code, open an issue describing what you want to change and why. This protects your time: a change that seems straightforward may conflict with a planned refactor, an architectural decision, or the project's direction. Getting alignment before coding means your PR will not be rejected for reasons unrelated to its quality. + +Exceptions where you can skip the issue: +- Typo or documentation-only fix +- Test coverage improvement for existing behavior +- Trivially obvious bug with a clear, contained fix + +**Do not submit a PR that changes the public API of any module without prior discussion.** Every Einherjar module has a stability contract. Breaking changes require a major version bump and coordinated updates across dependent modules. + +--- + +## 2. Legal: CLA and Copyright + +### Contributor License Agreement + +Before your first PR can be merged, you must sign the Contributor License Agreement by **posting a specific comment** on your Pull Request. The required comment text and full instructions are in [CLA.md](CLA.md). + +> Checkboxes in PR descriptions are not used for CLA consent — they can be silently toggled by anyone. A comment is a timestamped, author-attributed record. + +### Copyright + +All original code in Einherjar is copyright **NOCHEBUENADEV**. NOCHEBUENADEV is the registered trade name of its founder, a natural person operating under the Mexican *Persona Física con Actividad Empresarial* (PFAE) regime. + +When you contribute, you retain ownership of what you wrote. By signing the CLA you grant NOCHEBUENADEV a perpetual, irrevocable, worldwide license to use, modify, sublicense, and redistribute your Contribution — including the right to relicense it. See [CLA.md](CLA.md) for the full terms. + +### License + +Einherjar is licensed under the **GNU Affero General Public License v3.0** (AGPL-3.0). Your Contributions will be distributed under the same license unless the Maintainers exercise their relicensing rights under the CLA. + +--- + +## 3. Development Setup + +Einherjar uses a Go workspace (`go.work`) that spans all modules. You do not need to `go get` anything — local replacements are wired automatically. + +### Prerequisites + +- Go 1.26+ +- Git + +### Clone and initialize + +```bash +git clone https://code.nochebuena.dev/einherjar/ +cd + +# If working across multiple modules, clone the workspace root instead +# and all modules will resolve from disk via go.work. +``` + +### Verify your setup + +```bash +go build ./... # must compile clean +go vet ./... # no warnings +go test ./... # all tests pass +gofmt -l . # no output (no unformatted files) +``` + +All four commands must produce clean output before a PR will be reviewed. + +--- + +## 4. Code Standards + +These are non-negotiable. Every PR is checked against them. + +### One exported type per file (CT-6) + +Each non-test `.go` file may contain **at most one exported TypeSpec** (type, struct, or interface declaration). Unexported helpers, constants, and functions may coexist in the same file. `_test.go` files are exempt. + +This rule exists to keep the codebase navigable: a developer who knows the type name can immediately predict the file name. + +``` +provider.go ← type Provider interface { ... } ✓ one exported type +component.go ← type Component interface { ... } ✓ one exported type +new.go ← func New(...) + unexported impl ✓ zero exported types +``` + +### Formatting + +All code must be formatted with `gofmt`. No exceptions. If `gofmt -l .` produces output, the PR will not be merged. + +Do not configure your editor to use `goimports` as a replacement — it may add import groups that diverge from the project style. Use `gofmt` + manual import management. + +### Naming conventions + +- Follow standard Go naming: `CamelCase` for exported, `camelCase` for unexported. +- Interfaces that represent a capability are named with an agent noun: `Provider`, `Sender`, `Checkable`. +- Interfaces that represent a full component are named `Component`. +- Config structs are named `Config`. One config struct per module root. +- Constructors are named `New` (main) or `NewXxx` (adapters and variants). + +### Error handling + +- Use `core/xerrors` for all errors returned from public API. Never return raw `errors.New` or `fmt.Errorf` from exported functions. +- Error codes must map to the gRPC canonical set defined in `xerrors`. If you need a new code, open an issue first. +- Do not swallow errors silently. Log at the appropriate level or return them. + +### No comments unless necessary + +Do not add comments that restate what the code already says. Only add a comment when the **why** is non-obvious: a hidden constraint, a subtle invariant, a workaround for a known upstream bug. If removing the comment would not confuse a future reader, do not write it. + +### Dependencies + +Do not add new external dependencies without opening an issue and getting explicit approval first. Einherjar modules are deliberately lean. Every new dependency increases the blast radius for downstream consumers. + +--- + +## 5. Commit Messages + +Follow the [Conventional Commits](https://www.conventionalcommits.org/) specification: + +``` +(): + +[optional body] +``` + +| Type | When to use | +|---|---| +| `feat` | New exported function, type, or behavior | +| `fix` | Bug fix in existing behavior | +| `docs` | Documentation only | +| `test` | Tests only, no production code change | +| `refactor` | Code restructure with no behavior change | +| `chore` | Build system, CI, dependency updates | + +**Scope** is the module name without the `einherjar/` prefix: `core`, `web`, `db-postgres`, `cache-valkey`, etc. + +Examples: +``` +feat(cache-valkey): add IncrWithTTL for atomic fixed-window counters +fix(db-postgres): handle pgconn deadline exceeded as ErrDeadlineExceeded +docs(web): document rate limiter fail-open behavior +``` + +Keep the subject line under 72 characters. Write in the imperative mood ("add", "fix", "remove" — not "added", "fixes", "removed"). + +--- + +## 6. Submitting a Pull Request + +1. **Open an issue first** (see §1) unless the change is trivial. +2. Fork the repository and create a branch from `main`: + ```bash + git checkout -b feat/your-feature-name + ``` +3. Make your changes following the standards in §4. +4. Ensure all verification commands pass (§3). +5. Open the PR against `main` using the provided PR template. +6. **Post the CLA comment** on the PR before requesting review (see §2 and [CLA.md](CLA.md)). +7. Respond to review feedback. Keep the review cycle short by addressing all comments before re-requesting review. + +### Branch naming + +| Prefix | Use for | +|---|---| +| `feat/` | New features | +| `fix/` | Bug fixes | +| `docs/` | Documentation changes | +| `test/` | Test additions or improvements | +| `refactor/` | Refactors without behavior change | + +### PR size + +Keep PRs focused. A PR that does one thing is easier to review, faster to merge, and safer to revert if needed. If your change naturally spans multiple concerns, split it into multiple PRs. + +--- + +## 7. Reporting Bugs + +Open an issue with the following information: + +- **Module** affected (`einherjar/db-postgres`, `einherjar/web`, etc.) +- **Go version** (`go version`) +- **Minimal reproduction** — the smallest code snippet that demonstrates the problem +- **Expected behavior** vs **actual behavior** +- **Error output** if applicable (sanitize any credentials or sensitive data) + +Do not open a PR to fix a bug without first opening an issue. The bug may be intentional behavior, already fixed on `main`, or caused by something outside the module. + +--- + +## 8. Requesting Features + +Open an issue with: + +- **What** you want to add and **why** it belongs in the framework (not in application code) +- **Which module** it affects, or whether it requires a new module +- **API sketch** — what the interface, function signature, or config field would look like +- **Alternative approaches** you considered + +Feature requests that add a new external dependency, change a public interface, or cross module boundaries require longer discussion before approval. + +--- + +## 9. What Gets Accepted + +Einherjar is a **focused framework**. It covers a specific, well-defined set of infrastructure concerns. Contributions that fall outside that scope — however well-written — will not be merged. + +What fits: +- Bug fixes in existing behavior +- Performance improvements with benchmarks +- Missing error mappings for existing drivers +- Documentation improvements and example corrections +- Test coverage for untested edge cases + +What does not fit without prior architectural agreement: +- New modules (open an issue first) +- New external dependencies +- Changes to public interfaces in any module +- Features that belong in application code rather than the framework + +If you are unsure, open an issue and ask. It costs nothing and saves everyone time. + +--- + +*Einherjar was built for those who come after. Contributions that hold to that standard — clear, documented, tested, designed for the developer who was never in the room — are always welcome.* + +— **NOCHEBUENADEV** diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..0ad25db --- /dev/null +++ b/LICENSE @@ -0,0 +1,661 @@ + GNU AFFERO GENERAL PUBLIC LICENSE + Version 3, 19 November 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU Affero General Public License is a free, copyleft license for +software and other kinds of works, specifically designed to ensure +cooperation with the community in the case of network server software. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +our General Public Licenses are intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + Developers that use our General Public Licenses protect your rights +with two steps: (1) assert copyright on the software, and (2) offer +you this License which gives you legal permission to copy, distribute +and/or modify the software. + + A secondary benefit of defending all users' freedom is that +improvements made in alternate versions of the program, if they +receive widespread use, become available for other developers to +incorporate. Many developers of free software are heartened and +encouraged by the resulting cooperation. However, in the case of +software used on network servers, this result may fail to come about. +The GNU General Public License permits making a modified version and +letting the public access it on a server without ever releasing its +source code to the public. + + The GNU Affero General Public License is designed specifically to +ensure that, in such cases, the modified source code becomes available +to the community. It requires the operator of a network server to +provide the source code of the modified version running there to the +users of that server. Therefore, public use of a modified version, on +a publicly accessible server, gives the public access to the source +code of the modified version. + + An older license, called the Affero General Public License and +published by Affero, was designed to accomplish similar goals. This is +a different license, not a version of the Affero GPL, but Affero has +released a new version of the Affero GPL which permits relicensing under +this license. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU Affero General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. + + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Remote Network Interaction; Use with the GNU General Public License. + + Notwithstanding any other provision of this License, if you modify the +Program, your modified version must prominently offer all users +interacting with it remotely through a computer network (if your version +supports such interaction) an opportunity to receive the Corresponding +Source of your version by providing access to the Corresponding Source +from a network server at no charge, through some standard or customary +means of facilitating copying of software. This Corresponding Source +shall include the Corresponding Source for any work covered by version 3 +of the GNU General Public License that is incorporated pursuant to the +following paragraph. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the work with which it is combined will remain governed by version +3 of the GNU General Public License. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU Affero General Public License from time to time. Such new versions +will be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU Affero General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU Affero General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU Affero General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If your software can interact with users remotely through a computer +network, you should also make sure that it provides a way for users to +get its source. For example, if your program is a web application, its +interface could display a "Source" link that leads users to an archive +of the code. There are many ways you could offer source, and different +solutions will be better for different programs; see section 13 for the +specific requirements. + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU AGPL, see +. diff --git a/README.md b/README.md new file mode 100644 index 0000000..7d881e7 --- /dev/null +++ b/README.md @@ -0,0 +1,98 @@ +# einherjar/auth-jwt + +[![version](https://img.shields.io/badge/version-v1.0.0-5C4EE5?style=flat-square)](https://code.nochebuena.dev/einherjar/auth-jwt) +[![license](https://img.shields.io/badge/license-AGPL--3.0-22863A?style=flat-square)](LICENSE) +[![go](https://img.shields.io/badge/Go-1.26+-00ADD8?style=flat-square&logo=go&logoColor=white)](https://go.dev) + +> A warrior's seal is recognized anywhere — but only if it cannot be forged. + +JWT authentication middleware and token lifecycle management for the Einherjar framework. +Supports HMAC-SHA256 (HS256), RSA-SHA256 (RS256), and ECDSA (ES256/ES384/ES512). + +## API + +| Symbol | Kind | Description | +|---|---|---| +| `Verifier` | interface | Validates JWT strings | +| `Signer` | interface | Extends `Verifier`; also signs tokens | +| `NewHMACSigner(secret)` | func | HS256 signer | +| `NewRSASigner(key)` | func | RS256 signer | +| `NewRSASignerFromPEM(pem)` | func | RS256 signer from PKCS#8/PKCS#1 PEM | +| `NewRSAPublicKeyVerifier(key)` | func | RS256 verifier (verify-only) | +| `NewRSAPublicKeyVerifierFromPEM(pem)` | func | RS256 verifier from PKIX/PKCS#1 PEM | +| `NewECSigner(key)` | func | ES256/384/512 signer (curve auto-detected) | +| `NewECSignerFromPEM(pem)` | func | EC signer from PKCS#8 PEM | +| `NewECPublicKeyVerifier(key)` | func | EC verifier (verify-only) | +| `NewECPublicKeyVerifierFromPEM(pem)` | func | EC verifier from PKIX PEM | +| `TokenConfig` | struct | AccessTTL, RefreshTTL, Issuer | +| `TokenPair` | struct | AccessToken, RefreshToken, ExpiresIn | +| `IssueTokenPair(signer, uid, claims, cfg)` | func | Sign access + refresh pair | +| `Blacklist` | interface | JTI revocation store (duck-typed by cache-valkey) | +| `ErrTokenRevoked` | var | Sentinel for replay-attack detection | +| `RefreshTokenPair(ctx, signer, token, bl, cfg, claims)` | func | Rotate tokens with blacklist check | +| `AuthMiddleware(logger, verifier, publicPaths)` | func | HTTP middleware — verifies Bearer token, calls `authmw.SetTokenData` | + +## Dependency graph + +``` +contracts/logging ──► auth-jwt +contracts/security ──► auth-jwt (via auth/authmw) +core/xerrors ──► auth-jwt +web/httputil ──► auth-jwt +auth/authmw ──► auth-jwt +jwt/v5 ──► auth-jwt (only external dependency) +``` + +## Wiring example — HMAC, full stack + +```go +import ( + "code.nochebuena.dev/einherjar/auth-jwt" + "code.nochebuena.dev/einherjar/auth/authmw" + "code.nochebuena.dev/einherjar/auth/rbac" +) + +signer := authjwt.NewHMACSigner([]byte(os.Getenv("JWT_SECRET"))) +cfg := authjwt.TokenConfig{ + AccessTTL: 15 * time.Minute, + RefreshTTL: 7 * 24 * time.Hour, + Issuer: "myapp", +} + +// JWT verification runs first (global). +srv.Use(authjwt.AuthMiddleware(logger, signer, []string{"/health", "/auth/*"})) + +// Enrichment and authz follow. +srv.Use(authmw.EnrichmentMiddleware(logger, userEnricher)) + +const ReadOrders = security.Permission(0) +srv.With(authmw.AuthzMiddleware(logger, permissions, "orders", ReadOrders)). + Get("/orders", ordersHandler) + +// Login handler issues tokens: +pair, err := authjwt.IssueTokenPair(signer, uid, customClaims, cfg) + +// Refresh handler rotates tokens: +newPair, err := authjwt.RefreshTokenPair(ctx, signer, body.RefreshToken, blacklist, cfg, freshClaims) +if errors.Is(err, authjwt.ErrTokenRevoked) { + // replay attack — return 401 and require re-login +} +``` + +## Verifier-only microservice (RSA) + +```go +// Service that verifies tokens but never issues them. +verifier, err := authjwt.NewRSAPublicKeyVerifierFromPEM([]byte(os.Getenv("RSA_PUBLIC_KEY_PEM"))) +srv.Use(authjwt.AuthMiddleware(logger, verifier, publicPaths)) +``` + +## Environment variables + +None. All configuration is passed in code. + +## Install + +```bash +go get code.nochebuena.dev/einherjar/auth-jwt@v1.0.0 +``` diff --git a/auth.go b/auth.go new file mode 100644 index 0000000..11742cf --- /dev/null +++ b/auth.go @@ -0,0 +1,76 @@ +package authjwt + +import ( + "encoding/json" + "net/http" + "path" + "strings" + + "github.com/golang-jwt/jwt/v5" + + "code.nochebuena.dev/einherjar/auth/authmw" + "code.nochebuena.dev/einherjar/contracts/logging" + "code.nochebuena.dev/einherjar/core/xerrors" +) + +// AuthMiddleware verifies the Bearer access token and injects uid + claims into context +// via authmw.SetTokenData. Downstream authmw.EnrichmentMiddleware reads them transparently. +// +// Accepts a Verifier — pass a Signer when the service issues tokens, or a +// NewRSAPublicKeyVerifier/NewECPublicKeyVerifier when it only verifies. +// +// Requests to publicPaths are skipped without verification (path.Match wildcards supported). +// Returns 401 on missing, invalid, or expired tokens. +func AuthMiddleware(logger logging.Logger, verifier Verifier, publicPaths []string) func(http.Handler) http.Handler { + return func(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + for _, pattern := range publicPaths { + if matched, _ := path.Match(pattern, r.URL.Path); matched { + next.ServeHTTP(w, r) + return + } + } + + authHeader := r.Header.Get("Authorization") + if !strings.HasPrefix(authHeader, "Bearer ") { + writeUnauthorized(logger, w, r) + return + } + tokenStr := strings.TrimPrefix(authHeader, "Bearer ") + + token, err := verifier.Verify(tokenStr) + if err != nil { + writeUnauthorized(logger, w, r) + return + } + + claims, ok := token.Claims.(jwt.MapClaims) + if !ok { + writeUnauthorized(logger, w, r) + return + } + + uid, _ := claims["sub"].(string) + if uid == "" { + writeUnauthorized(logger, w, r) + return + } + + ctx := authmw.SetTokenData(r.Context(), uid, map[string]any(claims)) + next.ServeHTTP(w, r.WithContext(ctx)) + }) + } +} + +func writeUnauthorized(logger logging.Logger, w http.ResponseWriter, r *http.Request) { + logger.WithContext(r.Context()).Warn("auth-jwt: unauthorized", + "error_code", string(xerrors.ErrUnauthorized), + "status", http.StatusUnauthorized, + ) + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusUnauthorized) + _ = json.NewEncoder(w).Encode(map[string]any{ + "code": string(xerrors.ErrUnauthorized), + "message": "unauthorized", + }) +} diff --git a/blacklist.go b/blacklist.go new file mode 100644 index 0000000..d0efa19 --- /dev/null +++ b/blacklist.go @@ -0,0 +1,20 @@ +package authjwt + +import ( + "context" + "errors" + "time" +) + +// ErrTokenRevoked is returned by RefreshTokenPair when the JTI is on the blacklist. +// Use errors.Is(err, authjwt.ErrTokenRevoked) to distinguish replay attacks from +// infrastructure errors. +var ErrTokenRevoked = errors.New("token revoked") + +// Blacklist records and checks revoked refresh token JTIs. +// Satisfied by einherjar/cache-valkey via duck typing. +// TTL on Revoke should match the token's remaining lifetime so entries expire naturally. +type Blacklist interface { + IsRevoked(ctx context.Context, jti string) (bool, error) + Revoke(ctx context.Context, jti string, ttl time.Duration) error +} diff --git a/compliance_test.go b/compliance_test.go new file mode 100644 index 0000000..8892bdc --- /dev/null +++ b/compliance_test.go @@ -0,0 +1,597 @@ +package authjwt_test + +import ( + "context" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "crypto/rsa" + "encoding/json" + "errors" + "go/ast" + "go/parser" + "go/token" + "math" + "net/http" + "net/http/httptest" + "path/filepath" + "strings" + "testing" + "time" + + "github.com/golang-jwt/jwt/v5" + + authjwt "code.nochebuena.dev/einherjar/auth-jwt" + "code.nochebuena.dev/einherjar/auth/authmw" + "code.nochebuena.dev/einherjar/contracts/logging" +) + +// --- Package-level test keys (generated once to avoid per-test cost) --- + +var ( + testSecret = []byte("test-secret-key-at-least-32-bytes!") + testHMAC = authjwt.NewHMACSigner(testSecret) + testRSAKey = mustGenerateRSA() + testRSA = authjwt.NewRSASigner(testRSAKey) + testECKey = mustGenerateEC(elliptic.P256()) + testEC = authjwt.NewECSigner(testECKey) +) + +func mustGenerateRSA() *rsa.PrivateKey { + k, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + panic(err) + } + return k +} + +func mustGenerateEC(curve elliptic.Curve) *ecdsa.PrivateKey { + k, err := ecdsa.GenerateKey(curve, rand.Reader) + if err != nil { + panic(err) + } + return k +} + +var testCfg = authjwt.TokenConfig{ + AccessTTL: time.Minute, + RefreshTTL: 7 * 24 * time.Hour, + Issuer: "test-issuer", +} + +// --- Mock types --- + +type mockSigner struct{} + +func (m *mockSigner) Sign(_ jwt.Claims) (string, error) { return "", nil } +func (m *mockSigner) Verify(_ string) (*jwt.Token, error) { return nil, nil } + +type mockVerifier struct{} + +func (m *mockVerifier) Verify(_ string) (*jwt.Token, error) { return nil, nil } + +type mockBlacklist struct { + revoked map[string]bool + err error +} + +func newMockBlacklist() *mockBlacklist { + return &mockBlacklist{revoked: make(map[string]bool)} +} + +func (m *mockBlacklist) IsRevoked(_ context.Context, jti string) (bool, error) { + if m.err != nil { + return false, m.err + } + return m.revoked[jti], nil +} + +func (m *mockBlacklist) Revoke(_ context.Context, jti string, _ time.Duration) error { + if m.err != nil { + return m.err + } + m.revoked[jti] = true + return nil +} + +// Compile-time interface satisfaction checks. +var _ authjwt.Signer = (*mockSigner)(nil) +var _ authjwt.Verifier = (*mockVerifier)(nil) +var _ authjwt.Blacklist = (*mockBlacklist)(nil) + +// --- nopLogger --- + +type nopLogger struct{} + +func (nopLogger) Debug(msg string, args ...any) {} +func (nopLogger) Info(msg string, args ...any) {} +func (nopLogger) Warn(msg string, args ...any) {} +func (nopLogger) Error(msg string, err error, args ...any) {} +func (nopLogger) With(args ...any) logging.Logger { return nopLogger{} } +func (nopLogger) WithContext(_ context.Context) logging.Logger { return nopLogger{} } + +var _ logging.Logger = nopLogger{} + +// --- CT-6 --- + +func TestAtMostOneExportedTypePerFile(t *testing.T) { + fset := token.NewFileSet() + pkgs, err := parser.ParseDir(fset, ".", nil, 0) + if err != nil { + t.Fatalf("parse: %v", err) + } + for _, pkg := range pkgs { + if strings.HasSuffix(pkg.Name, "_test") { + continue + } + for fname, f := range pkg.Files { + base := filepath.Base(fname) + if strings.HasSuffix(base, "_test.go") { + continue + } + count := 0 + for _, decl := range f.Decls { + gd, ok := decl.(*ast.GenDecl) + if !ok { + continue + } + for _, spec := range gd.Specs { + if ts, ok := spec.(*ast.TypeSpec); ok && ts.Name.IsExported() { + count++ + } + } + } + if count > 1 { + t.Errorf("%s: %d exported TypeSpecs (max 1)", base, count) + } + } + } +} + +// --- Signer / Verifier --- + +func TestHMACSigner_SignAndVerify(t *testing.T) { + claims := jwt.MapClaims{"sub": "uid1", "exp": jwt.NewNumericDate(time.Now().Add(time.Minute))} + tok, err := testHMAC.Sign(claims) + if err != nil { + t.Fatalf("Sign: %v", err) + } + parsed, err := testHMAC.Verify(tok) + if err != nil { + t.Fatalf("Verify: %v", err) + } + mc, _ := parsed.Claims.(jwt.MapClaims) + if mc["sub"] != "uid1" { + t.Errorf("want sub=uid1, got %v", mc["sub"]) + } +} + +func TestHMACSigner_TamperedToken(t *testing.T) { + claims := jwt.MapClaims{"sub": "uid1", "exp": jwt.NewNumericDate(time.Now().Add(time.Minute))} + tok, _ := testHMAC.Sign(claims) + _, err := testHMAC.Verify(tok + "tampered") + if err == nil { + t.Error("expected error for tampered token") + } +} + +func TestHMACSigner_WrongSecret(t *testing.T) { + other := authjwt.NewHMACSigner([]byte("completely-different-secret-key!")) + claims := jwt.MapClaims{"sub": "uid1", "exp": jwt.NewNumericDate(time.Now().Add(time.Minute))} + tok, _ := testHMAC.Sign(claims) + _, err := other.Verify(tok) + if err == nil { + t.Error("expected error for wrong secret") + } +} + +func TestHMACSigner_AlgMismatch(t *testing.T) { + claims := jwt.MapClaims{"sub": "uid1", "exp": jwt.NewNumericDate(time.Now().Add(time.Minute))} + tok, _ := testRSA.Sign(claims) + _, err := testHMAC.Verify(tok) + if err == nil { + t.Error("expected error: RSA token verified with HMAC") + } +} + +func TestRSASigner_SignAndVerify(t *testing.T) { + claims := jwt.MapClaims{"sub": "uid1", "exp": jwt.NewNumericDate(time.Now().Add(time.Minute))} + tok, err := testRSA.Sign(claims) + if err != nil { + t.Fatalf("Sign: %v", err) + } + parsed, err := testRSA.Verify(tok) + if err != nil { + t.Fatalf("Verify: %v", err) + } + mc, _ := parsed.Claims.(jwt.MapClaims) + if mc["sub"] != "uid1" { + t.Errorf("want sub=uid1, got %v", mc["sub"]) + } +} + +func TestRSAPublicKeyVerifier_VerifiesTokenFromSigner(t *testing.T) { + verifier := authjwt.NewRSAPublicKeyVerifier(&testRSAKey.PublicKey) + claims := jwt.MapClaims{"sub": "uid1", "exp": jwt.NewNumericDate(time.Now().Add(time.Minute))} + tok, _ := testRSA.Sign(claims) + _, err := verifier.Verify(tok) + if err != nil { + t.Fatalf("Verify: %v", err) + } +} + +func TestRSAPublicKeyVerifier_RejectsHMACToken(t *testing.T) { + verifier := authjwt.NewRSAPublicKeyVerifier(&testRSAKey.PublicKey) + claims := jwt.MapClaims{"sub": "uid1", "exp": jwt.NewNumericDate(time.Now().Add(time.Minute))} + tok, _ := testHMAC.Sign(claims) + _, err := verifier.Verify(tok) + if err == nil { + t.Error("expected error: HMAC token verified with RSA public key") + } +} + +func TestECSigner_SignAndVerify(t *testing.T) { + claims := jwt.MapClaims{"sub": "uid1", "exp": jwt.NewNumericDate(time.Now().Add(time.Minute))} + tok, err := testEC.Sign(claims) + if err != nil { + t.Fatalf("Sign: %v", err) + } + parsed, err := testEC.Verify(tok) + if err != nil { + t.Fatalf("Verify: %v", err) + } + mc, _ := parsed.Claims.(jwt.MapClaims) + if mc["sub"] != "uid1" { + t.Errorf("want sub=uid1, got %v", mc["sub"]) + } +} + +func TestECSigner_P384(t *testing.T) { + key := mustGenerateEC(elliptic.P384()) + signer := authjwt.NewECSigner(key) + claims := jwt.MapClaims{"sub": "uid1", "exp": jwt.NewNumericDate(time.Now().Add(time.Minute))} + tok, err := signer.Sign(claims) + if err != nil { + t.Fatalf("Sign P-384: %v", err) + } + _, err = signer.Verify(tok) + if err != nil { + t.Fatalf("Verify P-384: %v", err) + } +} + +func TestECPublicKeyVerifier_VerifiesTokenFromSigner(t *testing.T) { + verifier := authjwt.NewECPublicKeyVerifier(&testECKey.PublicKey) + claims := jwt.MapClaims{"sub": "uid1", "exp": jwt.NewNumericDate(time.Now().Add(time.Minute))} + tok, _ := testEC.Sign(claims) + _, err := verifier.Verify(tok) + if err != nil { + t.Fatalf("Verify: %v", err) + } +} + +func TestECPublicKeyVerifier_RejectsHMACToken(t *testing.T) { + verifier := authjwt.NewECPublicKeyVerifier(&testECKey.PublicKey) + claims := jwt.MapClaims{"sub": "uid1", "exp": jwt.NewNumericDate(time.Now().Add(time.Minute))} + tok, _ := testHMAC.Sign(claims) + _, err := verifier.Verify(tok) + if err == nil { + t.Error("expected error: HMAC token verified with EC public key") + } +} + +// --- IssueTokenPair --- + +func TestIssueTokenPair_StandardClaims(t *testing.T) { + pair, err := authjwt.IssueTokenPair(testHMAC, "uid1", nil, testCfg) + if err != nil { + t.Fatalf("IssueTokenPair: %v", err) + } + if pair.AccessToken == "" || pair.RefreshToken == "" { + t.Error("expected non-empty tokens") + } + if pair.ExpiresIn != int64(testCfg.AccessTTL.Seconds()) { + t.Errorf("want ExpiresIn=%d, got %d", int64(testCfg.AccessTTL.Seconds()), pair.ExpiresIn) + } + tok, err := testHMAC.Verify(pair.AccessToken) + if err != nil { + t.Fatalf("verify access token: %v", err) + } + mc, _ := tok.Claims.(jwt.MapClaims) + if mc["sub"] != "uid1" { + t.Errorf("want sub=uid1, got %v", mc["sub"]) + } + if mc["iss"] != testCfg.Issuer { + t.Errorf("want iss=%s, got %v", testCfg.Issuer, mc["iss"]) + } + if mc["jti"] == "" { + t.Error("expected non-empty jti in access token") + } +} + +func TestIssueTokenPair_CustomClaims(t *testing.T) { + custom := map[string]any{"permisos": map[string]any{"usuarios": int64(515)}} + pair, err := authjwt.IssueTokenPair(testHMAC, "uid1", custom, testCfg) + if err != nil { + t.Fatalf("IssueTokenPair: %v", err) + } + tok, _ := testHMAC.Verify(pair.AccessToken) + mc, _ := tok.Claims.(jwt.MapClaims) + permisos, ok := mc["permisos"].(map[string]any) + if !ok { + t.Fatalf("permisos claim missing or wrong type: %T", mc["permisos"]) + } + n, ok := permisos["usuarios"].(json.Number) + if !ok { + t.Fatalf("want json.Number, got %T", permisos["usuarios"]) + } + if v, _ := n.Int64(); v != 515 { + t.Errorf("want usuarios=515, got %d", v) + } +} + +func TestIssueTokenPair_UniqueJTIs(t *testing.T) { + p1, _ := authjwt.IssueTokenPair(testHMAC, "uid1", nil, testCfg) + p2, _ := authjwt.IssueTokenPair(testHMAC, "uid1", nil, testCfg) + if p1.AccessToken == p2.AccessToken { + t.Error("expected unique access tokens across calls") + } + if p1.RefreshToken == p2.RefreshToken { + t.Error("expected unique refresh tokens across calls") + } +} + +func TestIssueTokenPair_RefreshHasFam(t *testing.T) { + pair, _ := authjwt.IssueTokenPair(testHMAC, "uid1", nil, testCfg) + tok, _ := testHMAC.Verify(pair.RefreshToken) + mc, _ := tok.Claims.(jwt.MapClaims) + if mc["fam"] == "" { + t.Error("expected fam claim in refresh token") + } +} + +// --- RefreshTokenPair --- + +func TestRefreshTokenPair_Success(t *testing.T) { + bl := newMockBlacklist() + pair, _ := authjwt.IssueTokenPair(testHMAC, "uid1", nil, testCfg) + newPair, err := authjwt.RefreshTokenPair(context.Background(), testHMAC, pair.RefreshToken, bl, testCfg, nil) + if err != nil { + t.Fatalf("RefreshTokenPair: %v", err) + } + if newPair.AccessToken == "" || newPair.RefreshToken == "" { + t.Error("expected non-empty new token pair") + } + if newPair.RefreshToken == pair.RefreshToken { + t.Error("new refresh token must differ from old") + } +} + +func TestRefreshTokenPair_OldTokenRevoked(t *testing.T) { + bl := newMockBlacklist() + pair, _ := authjwt.IssueTokenPair(testHMAC, "uid1", nil, testCfg) + if _, err := authjwt.RefreshTokenPair(context.Background(), testHMAC, pair.RefreshToken, bl, testCfg, nil); err != nil { + t.Fatalf("first refresh: %v", err) + } + _, err := authjwt.RefreshTokenPair(context.Background(), testHMAC, pair.RefreshToken, bl, testCfg, nil) + if !errors.Is(err, authjwt.ErrTokenRevoked) { + t.Errorf("want ErrTokenRevoked, got %v", err) + } +} + +func TestRefreshTokenPair_InvalidToken(t *testing.T) { + bl := newMockBlacklist() + _, err := authjwt.RefreshTokenPair(context.Background(), testHMAC, "not.a.token", bl, testCfg, nil) + if err == nil { + t.Error("expected error for invalid token string") + } +} + +func TestRefreshTokenPair_BlacklistCheckError(t *testing.T) { + bl := &mockBlacklist{revoked: make(map[string]bool), err: errors.New("valkey unavailable")} + pair, _ := authjwt.IssueTokenPair(testHMAC, "uid1", nil, testCfg) + _, err := authjwt.RefreshTokenPair(context.Background(), testHMAC, pair.RefreshToken, bl, testCfg, nil) + if err == nil { + t.Error("expected error when blacklist is unavailable") + } +} + +func TestRefreshTokenPair_CustomClaimsInNewToken(t *testing.T) { + bl := newMockBlacklist() + pair, _ := authjwt.IssueTokenPair(testHMAC, "uid1", nil, testCfg) + freshClaims := map[string]any{"permisos": map[string]any{"usuarios": float64(7)}} + newPair, err := authjwt.RefreshTokenPair(context.Background(), testHMAC, pair.RefreshToken, bl, testCfg, freshClaims) + if err != nil { + t.Fatalf("RefreshTokenPair: %v", err) + } + tok, _ := testHMAC.Verify(newPair.AccessToken) + mc, _ := tok.Claims.(jwt.MapClaims) + permisos, ok := mc["permisos"].(map[string]any) + if !ok { + t.Fatalf("permisos missing from new access token") + } + n, ok := permisos["usuarios"].(json.Number) + if !ok { + t.Fatalf("want json.Number, got %T", permisos["usuarios"]) + } + if v, _ := n.Int64(); v != 7 { + t.Errorf("want 7, got %d", v) + } +} + +// --- Precision --- + +func TestVerify_JSONNumberPreservesMaxInt64(t *testing.T) { + custom := map[string]any{"masks": map[string]any{"*": int64(math.MaxInt64)}} + pair, err := authjwt.IssueTokenPair(testHMAC, "uid1", custom, testCfg) + if err != nil { + t.Fatalf("IssueTokenPair: %v", err) + } + tok, err := testHMAC.Verify(pair.AccessToken) + if err != nil { + t.Fatalf("Verify: %v", err) + } + mc, _ := tok.Claims.(jwt.MapClaims) + masks, ok := mc["masks"].(map[string]any) + if !ok { + t.Fatalf("masks claim missing or wrong type: %T", mc["masks"]) + } + n, ok := masks["*"].(json.Number) + if !ok { + t.Fatalf("want json.Number, got %T — jwt.WithJSONNumber() may not be set", masks["*"]) + } + got, err := n.Int64() + if err != nil { + t.Fatalf("Int64(): %v", err) + } + if got != math.MaxInt64 { + t.Errorf("want MaxInt64 (%d), got %d — precision lost in float64 round-trip", int64(math.MaxInt64), got) + } +} + +// --- AuthMiddleware --- + +func TestAuthMiddleware_ValidToken(t *testing.T) { + pair, _ := authjwt.IssueTokenPair(testHMAC, "uid1", nil, testCfg) + reached := false + h := authjwt.AuthMiddleware(nopLogger{}, testHMAC, nil)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + reached = true + w.WriteHeader(http.StatusOK) + })) + req := httptest.NewRequest(http.MethodGet, "/api", nil) + req.Header.Set("Authorization", "Bearer "+pair.AccessToken) + rec := httptest.NewRecorder() + h.ServeHTTP(rec, req) + if rec.Code != http.StatusOK { + t.Errorf("want 200, got %d", rec.Code) + } + if !reached { + t.Error("inner handler was not called") + } +} + +func TestAuthMiddleware_InvalidToken(t *testing.T) { + h := authjwt.AuthMiddleware(nopLogger{}, testHMAC, nil)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + })) + req := httptest.NewRequest(http.MethodGet, "/api", nil) + req.Header.Set("Authorization", "Bearer invalid.token.here") + rec := httptest.NewRecorder() + h.ServeHTTP(rec, req) + if rec.Code != http.StatusUnauthorized { + t.Errorf("want 401, got %d", rec.Code) + } +} + +func TestAuthMiddleware_ExpiredToken(t *testing.T) { + expiredCfg := authjwt.TokenConfig{AccessTTL: -time.Minute, RefreshTTL: time.Hour, Issuer: "test"} + pair, _ := authjwt.IssueTokenPair(testHMAC, "uid1", nil, expiredCfg) + h := authjwt.AuthMiddleware(nopLogger{}, testHMAC, nil)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + })) + req := httptest.NewRequest(http.MethodGet, "/api", nil) + req.Header.Set("Authorization", "Bearer "+pair.AccessToken) + rec := httptest.NewRecorder() + h.ServeHTTP(rec, req) + if rec.Code != http.StatusUnauthorized { + t.Errorf("want 401, got %d", rec.Code) + } +} + +func TestAuthMiddleware_MissingHeader(t *testing.T) { + h := authjwt.AuthMiddleware(nopLogger{}, testHMAC, nil)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + })) + rec := httptest.NewRecorder() + h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/api", nil)) + if rec.Code != http.StatusUnauthorized { + t.Errorf("want 401, got %d", rec.Code) + } +} + +func TestAuthMiddleware_PublicPath(t *testing.T) { + h := authjwt.AuthMiddleware(nopLogger{}, testHMAC, []string{"/health"})(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + })) + rec := httptest.NewRecorder() + h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/health", nil)) + if rec.Code != http.StatusOK { + t.Errorf("want 200, got %d", rec.Code) + } +} + +func TestAuthMiddleware_PublicPathWildcard(t *testing.T) { + h := authjwt.AuthMiddleware(nopLogger{}, testHMAC, []string{"/public/*"})(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + })) + rec := httptest.NewRecorder() + h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/public/resource", nil)) + if rec.Code != http.StatusOK { + t.Errorf("want 200, got %d", rec.Code) + } +} + +func TestAuthMiddleware_UnauthorizedJSON(t *testing.T) { + h := authjwt.AuthMiddleware(nopLogger{}, testHMAC, nil)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + })) + rec := httptest.NewRecorder() + h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/api", nil)) + if rec.Code != http.StatusUnauthorized { + t.Errorf("want 401, got %d", rec.Code) + } + if ct := rec.Header().Get("Content-Type"); ct != "application/json" { + t.Errorf("want Content-Type application/json, got %q", ct) + } + var body map[string]any + if err := json.NewDecoder(rec.Body).Decode(&body); err != nil { + t.Fatalf("response body is not valid JSON: %v", err) + } + if body["code"] != "UNAUTHENTICATED" { + t.Errorf("want code UNAUTHENTICATED, got %q", body["code"]) + } +} + +func TestAuthMiddleware_RSAPublicKeyVerifier(t *testing.T) { + verifier := authjwt.NewRSAPublicKeyVerifier(&testRSAKey.PublicKey) + pair, _ := authjwt.IssueTokenPair(testRSA, "uid1", nil, testCfg) + reached := false + h := authjwt.AuthMiddleware(nopLogger{}, verifier, nil)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + reached = true + w.WriteHeader(http.StatusOK) + })) + req := httptest.NewRequest(http.MethodGet, "/api", nil) + req.Header.Set("Authorization", "Bearer "+pair.AccessToken) + rec := httptest.NewRecorder() + h.ServeHTTP(rec, req) + if rec.Code != http.StatusOK { + t.Errorf("want 200, got %d", rec.Code) + } + if !reached { + t.Error("inner handler was not called") + } +} + +func TestAuthMiddleware_SetsTokenData(t *testing.T) { + custom := map[string]any{"role": "admin"} + pair, _ := authjwt.IssueTokenPair(testHMAC, "uid1", custom, testCfg) + var gotUID string + var gotClaims map[string]any + h := authjwt.AuthMiddleware(nopLogger{}, testHMAC, nil)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + gotClaims = authmw.GetClaims(r.Context()) + if gotClaims != nil { + gotUID, _ = gotClaims["sub"].(string) + } + w.WriteHeader(http.StatusOK) + })) + req := httptest.NewRequest(http.MethodGet, "/api", nil) + req.Header.Set("Authorization", "Bearer "+pair.AccessToken) + rec := httptest.NewRecorder() + h.ServeHTTP(rec, req) + if gotUID != "uid1" { + t.Errorf("want uid=uid1 in claims, got %q", gotUID) + } + if gotClaims == nil { + t.Error("expected claims in context via authmw.GetClaims") + } +} diff --git a/doc.go b/doc.go new file mode 100644 index 0000000..eba506f --- /dev/null +++ b/doc.go @@ -0,0 +1,28 @@ +// Package authjwt provides JWT authentication middleware and token lifecycle +// management for the Einherjar framework. It supports HMAC-SHA256 (HS256), +// RSA-SHA256 (RS256), and ECDSA (ES256/ES384/ES512). +// +// # Typical wiring +// +// signer := authjwt.NewHMACSigner([]byte(os.Getenv("JWT_SECRET"))) +// cfg := authjwt.TokenConfig{ +// AccessTTL: 15 * time.Minute, +// RefreshTTL: 7 * 24 * time.Hour, +// Issuer: "myapp", +// } +// +// // Verify Bearer tokens and inject uid+claims into context. +// srv.Use(authjwt.AuthMiddleware(logger, signer, []string{"/health", "/auth/*"})) +// +// // Enrichment and authz from auth/authmw follow downstream. +// srv.Use(authmw.EnrichmentMiddleware(logger, userEnricher)) +// +// // Issue tokens on login: +// pair, err := authjwt.IssueTokenPair(signer, uid, customClaims, cfg) +// +// // Rotate tokens on refresh: +// newPair, err := authjwt.RefreshTokenPair(ctx, signer, body.RefreshToken, blacklist, cfg, freshClaims) +// if errors.Is(err, authjwt.ErrTokenRevoked) { +// // replay attack — force re-login +// } +package authjwt diff --git a/docs/adr/index.md b/docs/adr/index.md new file mode 100644 index 0000000..0a389f4 --- /dev/null +++ b/docs/adr/index.md @@ -0,0 +1,87 @@ +# Architecture Decision Records — `einherjar/auth-jwt` + +## ADR-001: No root factory + +**Status:** Accepted + +**Context:** The question arose whether `auth-jwt` should expose a root factory +(e.g. `authjwt.New(secret, cfg)`) analogous to `web.New`. + +**Decision:** No root factory. Callers construct `Signer`/`Verifier` directly and +wire `AuthMiddleware` themselves. + +**Rationale:** HMAC vs RSA vs EC is a fundamental architectural choice that cannot +be encapsulated in a universal default. The `TokenConfig`, `publicPaths`, and +the `Blacklist` for refresh must all be supplied by the application. A root factory +would either accept all of these (producing a Config struct as complex as the raw API) +or make fixed choices that are wrong for some callers. + +--- + +## ADR-002: Logger added to AuthMiddleware + +**Status:** Accepted + +**Context:** The micro-lib `httpauth-jwt` `AuthMiddleware` wrote 401 responses +silently with no log emission. + +**Decision:** `AuthMiddleware` accepts `logging.Logger` and routes all 401 responses +through `httputil.Error(logger, w, r, xerrors.Unauthorized(...))`. + +**Rationale:** Consistent with `auth` ADR-002. 401 responses are logged at Warn level +by `httputil.Error` — token expiry, missing headers, and invalid signatures are all +client-visible failures that benefit from operator visibility. Silent 401s are invisible +in production; the cost of one Warn log per rejected request is negligible. + +--- + +## ADR-003: web dependency for httputil.Error + +**Status:** Accepted + +**Context:** `auth-jwt` error responses could be written with a local JSON helper +to avoid a dependency on `web`. + +**Decision:** `auth-jwt` depends on `einherjar/web` solely for `httputil.Error`. + +**Rationale:** Consistent with `auth` ADR-003. Error response shape must be identical +to all other API errors. `auth-jwt` is a transport-layer package; a `web` dependency +is expected and correct. Duplicating the error writer in `auth-jwt` would create +divergence over time. + +--- + +## ADR-004: ErrTokenRevoked as plain sentinel + +**Status:** Accepted + +**Context:** `RefreshTokenPair` could return a `*xerrors.Err` with code +`ErrUnauthenticated` instead of a plain `errors.New` sentinel. + +**Decision:** `ErrTokenRevoked = errors.New("token revoked")` — idiomatic Go sentinel. + +**Rationale:** `errors.Is(err, authjwt.ErrTokenRevoked)` is how callers distinguish +replay attacks from infrastructure failures. A plain sentinel keeps this check simple +and allocation-free. Using `xerrors.Unauthorized(...)` returns a pointer value whose +`errors.Is` semantics require an `Is()` method implementation. The sentinel pattern +(as used for `io.EOF`, `sql.ErrNoRows`) is the established Go idiom for this case. +The HTTP 401 response is the caller's responsibility, not `RefreshTokenPair`'s. + +--- + +## ADR-005: EC algorithm auto-detected from key curve + +**Status:** Accepted + +**Context:** ECDSA supports three standardized curves (P-256, P-384, P-521) mapped +to three JWT algorithms (ES256, ES384, ES512). The API could require callers to +specify the algorithm explicitly. + +**Decision:** `NewECSigner` detects the algorithm from `key.Curve.Params().Name`: +P-256→ES256, P-384→ES384, P-521→ES512. Default (unknown curve) is ES256. + +**Rationale:** The algorithm is determined by the key — there is no valid scenario +where a P-256 key should sign with ES384. Requiring the caller to pass it explicitly +would create a new class of misconfiguration errors. Auto-detection eliminates that +class entirely. The same logic is applied in `ecSigner.Verify` to validate the +incoming token's algorithm header. diff --git a/go.mod b/go.mod new file mode 100644 index 0000000..179c1df --- /dev/null +++ b/go.mod @@ -0,0 +1,22 @@ +module code.nochebuena.dev/einherjar/auth-jwt + +go 1.26 + +require ( + code.nochebuena.dev/einherjar/auth v1.0.0 + code.nochebuena.dev/einherjar/contracts v1.0.0 + code.nochebuena.dev/einherjar/core v1.0.0 + github.com/golang-jwt/jwt/v5 v5.2.1 +) + +require ( + code.nochebuena.dev/einherjar/web v1.0.0 // indirect + github.com/gabriel-vasile/mimetype v1.4.12 // indirect + github.com/go-playground/locales v0.14.1 // indirect + github.com/go-playground/universal-translator v0.18.1 // indirect + github.com/go-playground/validator/v10 v10.30.1 // indirect + github.com/leodido/go-urn v1.4.0 // indirect + golang.org/x/crypto v0.46.0 // indirect + golang.org/x/sys v0.39.0 // indirect + golang.org/x/text v0.32.0 // indirect +) diff --git a/go.sum b/go.sum new file mode 100644 index 0000000..edfe60e --- /dev/null +++ b/go.sum @@ -0,0 +1,36 @@ +code.nochebuena.dev/einherjar/auth v1.0.0 h1:wJKObC/6HCmSN6QvuFtfw3hGwxl1kOJpQdQgwlRYWkc= +code.nochebuena.dev/einherjar/auth v1.0.0/go.mod h1:/yneDDCrk1WdPkUrKVJ+jB1hgGP7pnGE8pttUx0Ypc0= +code.nochebuena.dev/einherjar/contracts v1.0.0 h1:hRudEtOIqU7vwedYLsCh8+9q5dCnKb61qX+zibqImRU= +code.nochebuena.dev/einherjar/contracts v1.0.0/go.mod h1:ccltUtrFb5+MEJdkx2VVEUL+xC5pupVlVVsMM8AlCWI= +code.nochebuena.dev/einherjar/core v1.0.0 h1:AueZgfjp3+rQmDKOxmJQ945TTh+sqC1l/xJdTOdbr9w= +code.nochebuena.dev/einherjar/core v1.0.0/go.mod h1:0IywfRnJXX9xXQO6iPVaq2QDlXbbpXrB8A4T7gO8nE4= +code.nochebuena.dev/einherjar/web v1.0.0 h1:OaHfDP2vNlnPTsWfmf1GRvl5EWMhCgIxHkEwYg8qH3Y= +code.nochebuena.dev/einherjar/web v1.0.0/go.mod h1:2dbELcS5G1T1+YDAUt4hfn3wg+EmbJ7HOrKSo01CRQE= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw= +github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s= +github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s= +github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4= +github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA= +github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY= +github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY= +github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY= +github.com/go-playground/validator/v10 v10.30.1 h1:f3zDSN/zOma+w6+1Wswgd9fLkdwy06ntQJp0BBvFG0w= +github.com/go-playground/validator/v10 v10.30.1/go.mod h1:oSuBIQzuJxL//3MelwSLD5hc2Tu889bF0Idm9Dg26cM= +github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= +github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= +github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ= +github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU= +golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0= +golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk= +golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU= +golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/identifiable.go b/identifiable.go new file mode 100644 index 0000000..67cbb38 --- /dev/null +++ b/identifiable.go @@ -0,0 +1,32 @@ +package authjwt + +import ( + "runtime/debug" + + "code.nochebuena.dev/einherjar/contracts/observability" +) + +// Module identifies this package to observability systems. +// auth-jwt is a function library — it is not registered with the launcher as a +// lifecycle component. Register Module manually with any version registry if needed. +var Module observability.Identifiable = &moduleID{} + +type moduleID struct{} + +const modulePath = "code.nochebuena.dev/einherjar/auth-jwt" + +func (m *moduleID) ModulePath() string { return modulePath } + +func (m *moduleID) ModuleVersion() string { + if info, ok := debug.ReadBuildInfo(); ok { + for _, dep := range info.Deps { + if dep.Path == modulePath { + return dep.Version + } + } + if info.Main.Path == modulePath { + return info.Main.Version + } + } + return "(devel)" +} diff --git a/refresh.go b/refresh.go new file mode 100644 index 0000000..2911f8f --- /dev/null +++ b/refresh.go @@ -0,0 +1,56 @@ +package authjwt + +import ( + "context" + "fmt" + "time" + + "github.com/golang-jwt/jwt/v5" +) + +// RefreshTokenPair validates refreshToken, checks the blacklist, revokes the old JTI, +// and issues a new token pair for the same uid. +// customClaims are merged into the new access token — re-fetch fresh permissions here +// so role changes take effect without revoking outstanding access tokens. +// Returns ErrTokenRevoked if the JTI is already on the blacklist (replay attack or +// re-use after rotation). +func RefreshTokenPair(ctx context.Context, signer Signer, refreshToken string, bl Blacklist, cfg TokenConfig, customClaims map[string]any) (TokenPair, error) { + token, err := signer.Verify(refreshToken) + if err != nil { + return TokenPair{}, fmt.Errorf("invalid refresh token: %w", err) + } + + claims, ok := token.Claims.(jwt.MapClaims) + if !ok { + return TokenPair{}, fmt.Errorf("unexpected claims type in refresh token") + } + + jti, _ := claims["jti"].(string) + uid, _ := claims["sub"].(string) + if jti == "" || uid == "" { + return TokenPair{}, fmt.Errorf("missing required claims in refresh token") + } + + revoked, err := bl.IsRevoked(ctx, jti) + if err != nil { + return TokenPair{}, fmt.Errorf("blacklist check: %w", err) + } + if revoked { + return TokenPair{}, ErrTokenRevoked + } + + expTime, err := claims.GetExpirationTime() + if err != nil || expTime == nil { + return TokenPair{}, fmt.Errorf("invalid expiration in refresh token") + } + remaining := time.Until(expTime.Time) + if remaining < time.Second { + remaining = time.Second + } + + if err := bl.Revoke(ctx, jti, remaining); err != nil { + return TokenPair{}, fmt.Errorf("revoke old token: %w", err) + } + + return IssueTokenPair(signer, uid, customClaims, cfg) +} diff --git a/signer.go b/signer.go new file mode 100644 index 0000000..7dd6d61 --- /dev/null +++ b/signer.go @@ -0,0 +1,11 @@ +package authjwt + +import "github.com/golang-jwt/jwt/v5" + +// Signer signs and verifies JWTs. +// NewHMACSigner, NewRSASigner, and NewECSigner return implementations backed by +// HS256, RS256, and ES256/ES384/ES512 respectively. +type Signer interface { + Verifier + Sign(claims jwt.Claims) (string, error) +} diff --git a/signer_ec.go b/signer_ec.go new file mode 100644 index 0000000..2bd4c8c --- /dev/null +++ b/signer_ec.go @@ -0,0 +1,66 @@ +package authjwt + +import ( + "crypto/ecdsa" + "crypto/x509" + "encoding/pem" + "fmt" + + "github.com/golang-jwt/jwt/v5" +) + +var _ Signer = (*ecSigner)(nil) + +type ecSigner struct { + private *ecdsa.PrivateKey + public *ecdsa.PublicKey +} + +// NewECSigner returns a Signer backed by ECDSA. +// The signing algorithm is auto-detected from the key's curve: +// P-256→ES256, P-384→ES384, P-521→ES512. +func NewECSigner(privateKey *ecdsa.PrivateKey) Signer { + return &ecSigner{private: privateKey, public: &privateKey.PublicKey} +} + +// NewECSignerFromPEM parses a PKCS#8 PEM-encoded ECDSA private key. +func NewECSignerFromPEM(pemKey []byte) (Signer, error) { + block, _ := pem.Decode(pemKey) + if block == nil { + return nil, fmt.Errorf("no PEM block found") + } + key, err := x509.ParsePKCS8PrivateKey(block.Bytes) + if err != nil { + return nil, fmt.Errorf("parse EC private key: %w", err) + } + ecKey, ok := key.(*ecdsa.PrivateKey) + if !ok { + return nil, fmt.Errorf("PEM key is not an EC private key") + } + return NewECSigner(ecKey), nil +} + +func (s *ecSigner) Sign(claims jwt.Claims) (string, error) { + return jwt.NewWithClaims(ecAlg(s.private), claims).SignedString(s.private) +} + +func (s *ecSigner) Verify(tokenString string) (*jwt.Token, error) { + alg := ecAlg(s.private) + return jwt.Parse(tokenString, func(t *jwt.Token) (any, error) { + if t.Method.Alg() != alg.Alg() { + return nil, fmt.Errorf("unexpected signing method %q", t.Header["alg"]) + } + return s.public, nil + }, jwt.WithJSONNumber()) +} + +func ecAlg(key *ecdsa.PrivateKey) *jwt.SigningMethodECDSA { + switch key.Curve.Params().Name { + case "P-384": + return jwt.SigningMethodES384 + case "P-521": + return jwt.SigningMethodES512 + default: + return jwt.SigningMethodES256 + } +} diff --git a/signer_hmac.go b/signer_hmac.go new file mode 100644 index 0000000..29d674d --- /dev/null +++ b/signer_hmac.go @@ -0,0 +1,30 @@ +package authjwt + +import ( + "fmt" + + "github.com/golang-jwt/jwt/v5" +) + +var _ Signer = (*hmacSigner)(nil) + +type hmacSigner struct{ secret []byte } + +// NewHMACSigner returns a Signer backed by HMAC-SHA256 (HS256). +// secret should be at least 32 bytes; shorter values are accepted but weakened. +func NewHMACSigner(secret []byte) Signer { + return &hmacSigner{secret: secret} +} + +func (s *hmacSigner) Sign(claims jwt.Claims) (string, error) { + return jwt.NewWithClaims(jwt.SigningMethodHS256, claims).SignedString(s.secret) +} + +func (s *hmacSigner) Verify(tokenString string) (*jwt.Token, error) { + return jwt.Parse(tokenString, func(t *jwt.Token) (any, error) { + if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok { + return nil, fmt.Errorf("unexpected signing method %q", t.Header["alg"]) + } + return s.secret, nil + }, jwt.WithJSONNumber()) +} diff --git a/signer_rsa.go b/signer_rsa.go new file mode 100644 index 0000000..eddecf6 --- /dev/null +++ b/signer_rsa.go @@ -0,0 +1,57 @@ +package authjwt + +import ( + "crypto/rsa" + "crypto/x509" + "encoding/pem" + "fmt" + + "github.com/golang-jwt/jwt/v5" +) + +var _ Signer = (*rsaSigner)(nil) + +type rsaSigner struct { + private *rsa.PrivateKey + public *rsa.PublicKey +} + +// NewRSASigner returns a Signer backed by RSA-SHA256 (RS256). +// The public key is derived from the private key — no separate argument needed. +func NewRSASigner(privateKey *rsa.PrivateKey) Signer { + return &rsaSigner{private: privateKey, public: &privateKey.PublicKey} +} + +// NewRSASignerFromPEM parses a PKCS#8 or PKCS#1 PEM-encoded RSA private key. +func NewRSASignerFromPEM(pemKey []byte) (Signer, error) { + block, _ := pem.Decode(pemKey) + if block == nil { + return nil, fmt.Errorf("no PEM block found") + } + key, err := x509.ParsePKCS8PrivateKey(block.Bytes) + if err != nil { + rsaKey, err2 := x509.ParsePKCS1PrivateKey(block.Bytes) + if err2 != nil { + return nil, fmt.Errorf("parse RSA private key: %w", err) + } + return NewRSASigner(rsaKey), nil + } + rsaKey, ok := key.(*rsa.PrivateKey) + if !ok { + return nil, fmt.Errorf("PEM key is not an RSA private key") + } + return NewRSASigner(rsaKey), nil +} + +func (s *rsaSigner) Sign(claims jwt.Claims) (string, error) { + return jwt.NewWithClaims(jwt.SigningMethodRS256, claims).SignedString(s.private) +} + +func (s *rsaSigner) Verify(tokenString string) (*jwt.Token, error) { + return jwt.Parse(tokenString, func(t *jwt.Token) (any, error) { + if _, ok := t.Method.(*jwt.SigningMethodRSA); !ok { + return nil, fmt.Errorf("unexpected signing method %q", t.Header["alg"]) + } + return s.public, nil + }, jwt.WithJSONNumber()) +} diff --git a/token_config.go b/token_config.go new file mode 100644 index 0000000..3d32283 --- /dev/null +++ b/token_config.go @@ -0,0 +1,10 @@ +package authjwt + +import "time" + +// TokenConfig configures token lifetimes and the issuer claim. +type TokenConfig struct { + AccessTTL time.Duration + RefreshTTL time.Duration + Issuer string +} diff --git a/token_pair.go b/token_pair.go new file mode 100644 index 0000000..4e4daba --- /dev/null +++ b/token_pair.go @@ -0,0 +1,8 @@ +package authjwt + +// TokenPair holds an access token and a refresh token. +type TokenPair struct { + AccessToken string + RefreshToken string + ExpiresIn int64 // seconds until the access token expires +} diff --git a/tokens.go b/tokens.go new file mode 100644 index 0000000..88c0264 --- /dev/null +++ b/tokens.go @@ -0,0 +1,62 @@ +package authjwt + +import ( + "crypto/rand" + "fmt" + "time" + + "github.com/golang-jwt/jwt/v5" +) + +// IssueTokenPair signs a new access + refresh token pair for uid. +// customClaims are merged into the access token at the top level. Use this to embed +// per-resource permission masks so ClaimsPermissionProvider can read them without a DB call. +// The refresh token carries only sub, iss, iat, exp, jti, and fam (token family). +func IssueTokenPair(signer Signer, uid string, customClaims map[string]any, cfg TokenConfig) (TokenPair, error) { + now := time.Now() + + accessClaims := jwt.MapClaims{ + "sub": uid, + "iss": cfg.Issuer, + "iat": jwt.NewNumericDate(now), + "exp": jwt.NewNumericDate(now.Add(cfg.AccessTTL)), + "jti": newJTI(), + } + for k, v := range customClaims { + accessClaims[k] = v + } + + accessToken, err := signer.Sign(accessClaims) + if err != nil { + return TokenPair{}, fmt.Errorf("sign access token: %w", err) + } + + refreshClaims := jwt.MapClaims{ + "sub": uid, + "iss": cfg.Issuer, + "iat": jwt.NewNumericDate(now), + "exp": jwt.NewNumericDate(now.Add(cfg.RefreshTTL)), + "jti": newJTI(), + "fam": newJTI(), + } + + refreshToken, err := signer.Sign(refreshClaims) + if err != nil { + return TokenPair{}, fmt.Errorf("sign refresh token: %w", err) + } + + return TokenPair{ + AccessToken: accessToken, + RefreshToken: refreshToken, + ExpiresIn: int64(cfg.AccessTTL.Seconds()), + }, nil +} + +func newJTI() string { + b := make([]byte, 16) + _, _ = rand.Read(b) + b[6] = (b[6] & 0x0f) | 0x40 + b[8] = (b[8] & 0x3f) | 0x80 + return fmt.Sprintf("%08x-%04x-%04x-%04x-%012x", + b[0:4], b[4:6], b[6:8], b[8:10], b[10:]) +} diff --git a/verifier.go b/verifier.go new file mode 100644 index 0000000..dff4b9c --- /dev/null +++ b/verifier.go @@ -0,0 +1,10 @@ +package authjwt + +import "github.com/golang-jwt/jwt/v5" + +// Verifier validates JWT strings. +// Services that verify tokens but never issue them use a Verifier +// (e.g. NewRSAPublicKeyVerifier, NewECPublicKeyVerifier) instead of the full Signer. +type Verifier interface { + Verify(tokenString string) (*jwt.Token, error) +} diff --git a/verifier_ec.go b/verifier_ec.go new file mode 100644 index 0000000..a86bae0 --- /dev/null +++ b/verifier_ec.go @@ -0,0 +1,46 @@ +package authjwt + +import ( + "crypto/ecdsa" + "crypto/x509" + "encoding/pem" + "fmt" + + "github.com/golang-jwt/jwt/v5" +) + +var _ Verifier = (*ecPublicVerifier)(nil) + +type ecPublicVerifier struct{ public *ecdsa.PublicKey } + +// NewECPublicKeyVerifier returns a Verifier backed by an ECDSA public key. +// Use this in services that verify tokens but never issue them. +func NewECPublicKeyVerifier(publicKey *ecdsa.PublicKey) Verifier { + return &ecPublicVerifier{public: publicKey} +} + +// NewECPublicKeyVerifierFromPEM parses a PKIX PEM-encoded ECDSA public key. +func NewECPublicKeyVerifierFromPEM(pemKey []byte) (Verifier, error) { + block, _ := pem.Decode(pemKey) + if block == nil { + return nil, fmt.Errorf("no PEM block found") + } + pub, err := x509.ParsePKIXPublicKey(block.Bytes) + if err != nil { + return nil, fmt.Errorf("parse EC public key: %w", err) + } + ecPub, ok := pub.(*ecdsa.PublicKey) + if !ok { + return nil, fmt.Errorf("PEM key is not an EC public key") + } + return NewECPublicKeyVerifier(ecPub), nil +} + +func (v *ecPublicVerifier) Verify(tokenString string) (*jwt.Token, error) { + return jwt.Parse(tokenString, func(t *jwt.Token) (any, error) { + if _, ok := t.Method.(*jwt.SigningMethodECDSA); !ok { + return nil, fmt.Errorf("unexpected signing method %q", t.Header["alg"]) + } + return v.public, nil + }, jwt.WithJSONNumber()) +} diff --git a/verifier_rsa.go b/verifier_rsa.go new file mode 100644 index 0000000..fe1c224 --- /dev/null +++ b/verifier_rsa.go @@ -0,0 +1,50 @@ +package authjwt + +import ( + "crypto/rsa" + "crypto/x509" + "encoding/pem" + "fmt" + + "github.com/golang-jwt/jwt/v5" +) + +var _ Verifier = (*rsaPublicVerifier)(nil) + +type rsaPublicVerifier struct{ public *rsa.PublicKey } + +// NewRSAPublicKeyVerifier returns a Verifier backed by an RSA public key. +// Use this in services that verify tokens but never issue them. +func NewRSAPublicKeyVerifier(publicKey *rsa.PublicKey) Verifier { + return &rsaPublicVerifier{public: publicKey} +} + +// NewRSAPublicKeyVerifierFromPEM parses a PKIX or PKCS#1 PEM-encoded RSA public key. +func NewRSAPublicKeyVerifierFromPEM(pemKey []byte) (Verifier, error) { + block, _ := pem.Decode(pemKey) + if block == nil { + return nil, fmt.Errorf("no PEM block found") + } + pub, err := x509.ParsePKIXPublicKey(block.Bytes) + if err != nil { + rsaPub, err2 := x509.ParsePKCS1PublicKey(block.Bytes) + if err2 != nil { + return nil, fmt.Errorf("parse RSA public key: %w", err) + } + return NewRSAPublicKeyVerifier(rsaPub), nil + } + rsaPub, ok := pub.(*rsa.PublicKey) + if !ok { + return nil, fmt.Errorf("PEM key is not an RSA public key") + } + return NewRSAPublicKeyVerifier(rsaPub), nil +} + +func (v *rsaPublicVerifier) Verify(tokenString string) (*jwt.Token, error) { + return jwt.Parse(tokenString, func(t *jwt.Token) (any, error) { + if _, ok := t.Method.(*jwt.SigningMethodRSA); !ok { + return nil, fmt.Errorf("unexpected signing method %q", t.Header["alg"]) + } + return v.public, nil + }, jwt.WithJSONNumber()) +}