feat(auth-jwt): initial implementation — JWT lifecycle and AuthMiddleware (v1.0.0)
Introduces code.nochebuena.dev/einherjar/auth-jwt — JWT authentication middleware and token lifecycle management for the Einherjar framework. Absorbs httpauth-jwt from micro-lib with three changes: logger parameter on AuthMiddleware, httputil.Error for consistent 401 responses, and added ECDSA support. Signers and Verifiers (one file per implementation — CT-6 compliant): - Verifier interface — Verify(tokenString string) (*jwt.Token, error) - Signer interface — extends Verifier; adds Sign(claims jwt.Claims) (string, error) - signer_hmac.go — NewHMACSigner(secret) → HS256; jwt.WithJSONNumber() on Verify - signer_rsa.go — NewRSASigner(key) + NewRSASignerFromPEM(pem) → RS256 - verifier_rsa.go — NewRSAPublicKeyVerifier + NewRSAPublicKeyVerifierFromPEM → RS256 verify-only - signer_ec.go — NewECSigner(key) + NewECSignerFromPEM(pem) → ES256/384/512; algorithm auto-detected from key curve (P-256→ES256, P-384→ES384, P-521→ES512) - verifier_ec.go — NewECPublicKeyVerifier + NewECPublicKeyVerifierFromPEM → EC verify-only Token lifecycle: - TokenConfig struct — AccessTTL, RefreshTTL, Issuer - TokenPair struct — AccessToken, RefreshToken, ExpiresIn - IssueTokenPair — access + refresh pair; customClaims merged at top level; refresh carries only sub/iss/iat/exp/jti/fam; jwt.WithJSONNumber() preserves int64 bitmasks - Blacklist interface — IsRevoked + Revoke; satisfied by cache-valkey via duck typing - ErrTokenRevoked — errors.New sentinel; errors.Is pattern for replay-attack detection - RefreshTokenPair — verifies token, checks blacklist, revokes old JTI, issues new pair HTTP middleware: - AuthMiddleware(logger, verifier, publicPaths) — verifies Bearer tokens; calls authmw.SetTokenData on success; 401 routed through httputil.Error (Warn level); publicPaths use path.Match wildcards; accepts Verifier (not Signer) to enforce narrowest-interface principle for verify-only services Compliance test (package authjwt_test) enforces CT-6 (≤1 exported TypeSpec/file), compile-time interface satisfaction, and behavioural coverage: HMAC/RSA/EC sign+verify, algorithm mismatch rejection, IssueTokenPair claims/jti/fam, RefreshTokenPair success/ revoked/blacklist-error/custom-claims, MaxInt64 json.Number precision, AuthMiddleware valid/invalid/expired/missing/public-path/wildcard/JSON-body/RSA-verifier/SetTokenData. Depends on auth v1.0.0, contracts v1.0.0, core v1.0.0, web v1.0.0, jwt/v5 v5.2.1. - identifiable.go: package-level Module variable (observability.Identifiable) for version identification — auth-jwt is a function library; not registered with the launcher
This commit is contained in:
66
signer_ec.go
Normal file
66
signer_ec.go
Normal file
@@ -0,0 +1,66 @@
|
||||
package authjwt
|
||||
|
||||
import (
|
||||
"crypto/ecdsa"
|
||||
"crypto/x509"
|
||||
"encoding/pem"
|
||||
"fmt"
|
||||
|
||||
"github.com/golang-jwt/jwt/v5"
|
||||
)
|
||||
|
||||
var _ Signer = (*ecSigner)(nil)
|
||||
|
||||
type ecSigner struct {
|
||||
private *ecdsa.PrivateKey
|
||||
public *ecdsa.PublicKey
|
||||
}
|
||||
|
||||
// NewECSigner returns a Signer backed by ECDSA.
|
||||
// The signing algorithm is auto-detected from the key's curve:
|
||||
// P-256→ES256, P-384→ES384, P-521→ES512.
|
||||
func NewECSigner(privateKey *ecdsa.PrivateKey) Signer {
|
||||
return &ecSigner{private: privateKey, public: &privateKey.PublicKey}
|
||||
}
|
||||
|
||||
// NewECSignerFromPEM parses a PKCS#8 PEM-encoded ECDSA private key.
|
||||
func NewECSignerFromPEM(pemKey []byte) (Signer, error) {
|
||||
block, _ := pem.Decode(pemKey)
|
||||
if block == nil {
|
||||
return nil, fmt.Errorf("no PEM block found")
|
||||
}
|
||||
key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("parse EC private key: %w", err)
|
||||
}
|
||||
ecKey, ok := key.(*ecdsa.PrivateKey)
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("PEM key is not an EC private key")
|
||||
}
|
||||
return NewECSigner(ecKey), nil
|
||||
}
|
||||
|
||||
func (s *ecSigner) Sign(claims jwt.Claims) (string, error) {
|
||||
return jwt.NewWithClaims(ecAlg(s.private), claims).SignedString(s.private)
|
||||
}
|
||||
|
||||
func (s *ecSigner) Verify(tokenString string) (*jwt.Token, error) {
|
||||
alg := ecAlg(s.private)
|
||||
return jwt.Parse(tokenString, func(t *jwt.Token) (any, error) {
|
||||
if t.Method.Alg() != alg.Alg() {
|
||||
return nil, fmt.Errorf("unexpected signing method %q", t.Header["alg"])
|
||||
}
|
||||
return s.public, nil
|
||||
}, jwt.WithJSONNumber())
|
||||
}
|
||||
|
||||
func ecAlg(key *ecdsa.PrivateKey) *jwt.SigningMethodECDSA {
|
||||
switch key.Curve.Params().Name {
|
||||
case "P-384":
|
||||
return jwt.SigningMethodES384
|
||||
case "P-521":
|
||||
return jwt.SigningMethodES512
|
||||
default:
|
||||
return jwt.SigningMethodES256
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user