einherjar/auth-jwt
2
0
Fork 0
Code Issues Pull Requests Packages Releases 1 Activity

feat(auth-jwt): initial implementation — JWT lifecycle and AuthMiddleware (v1.0.0)

Browse Source 
Introduces code.nochebuena.dev/einherjar/auth-jwt — JWT authentication middleware
and token lifecycle management for the Einherjar framework. Absorbs httpauth-jwt
from micro-lib with three changes: logger parameter on AuthMiddleware, httputil.Error
for consistent 401 responses, and added ECDSA support.

Signers and Verifiers (one file per implementation — CT-6 compliant):
- Verifier interface — Verify(tokenString string) (*jwt.Token, error)
- Signer interface — extends Verifier; adds Sign(claims jwt.Claims) (string, error)
- signer_hmac.go — NewHMACSigner(secret) → HS256; jwt.WithJSONNumber() on Verify
- signer_rsa.go — NewRSASigner(key) + NewRSASignerFromPEM(pem) → RS256
- verifier_rsa.go — NewRSAPublicKeyVerifier + NewRSAPublicKeyVerifierFromPEM → RS256 verify-only
- signer_ec.go — NewECSigner(key) + NewECSignerFromPEM(pem) → ES256/384/512; algorithm
  auto-detected from key curve (P-256→ES256, P-384→ES384, P-521→ES512)
- verifier_ec.go — NewECPublicKeyVerifier + NewECPublicKeyVerifierFromPEM → EC verify-only

Token lifecycle:
- TokenConfig struct — AccessTTL, RefreshTTL, Issuer
- TokenPair struct — AccessToken, RefreshToken, ExpiresIn
- IssueTokenPair — access + refresh pair; customClaims merged at top level; refresh
  carries only sub/iss/iat/exp/jti/fam; jwt.WithJSONNumber() preserves int64 bitmasks
- Blacklist interface — IsRevoked + Revoke; satisfied by cache-valkey via duck typing
- ErrTokenRevoked — errors.New sentinel; errors.Is pattern for replay-attack detection
- RefreshTokenPair — verifies token, checks blacklist, revokes old JTI, issues new pair

HTTP middleware:
- AuthMiddleware(logger, verifier, publicPaths) — verifies Bearer tokens; calls
  authmw.SetTokenData on success; 401 routed through httputil.Error (Warn level);
  publicPaths use path.Match wildcards; accepts Verifier (not Signer) to enforce
  narrowest-interface principle for verify-only services

Compliance test (package authjwt_test) enforces CT-6 (≤1 exported TypeSpec/file),
compile-time interface satisfaction, and behavioural coverage: HMAC/RSA/EC sign+verify,
algorithm mismatch rejection, IssueTokenPair claims/jti/fam, RefreshTokenPair success/
revoked/blacklist-error/custom-claims, MaxInt64 json.Number precision, AuthMiddleware
valid/invalid/expired/missing/public-path/wildcard/JSON-body/RSA-verifier/SetTokenData.

Depends on auth v1.0.0, contracts v1.0.0, core v1.0.0, web v1.0.0, jwt/v5 v5.2.1.

- identifiable.go: package-level Module variable (observability.Identifiable) for version
  identification — auth-jwt is a function library; not registered with the launcher
This commit is contained in:
Rene Nochebuena
2026-05-29 16:13:01 +00:00
commit a9c9f3434e
27 changed files with 2545 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
tokens.go Normal file
View File

@@ -0,0 +1,62 @@
package authjwt
import (
"crypto/rand"
"fmt"
"time"
"github.com/golang-jwt/jwt/v5"
)
// IssueTokenPair signs a new access + refresh token pair for uid.
// customClaims are merged into the access token at the top level. Use this to embed
// per-resource permission masks so ClaimsPermissionProvider can read them without a DB call.
// The refresh token carries only sub, iss, iat, exp, jti, and fam (token family).
func IssueTokenPair(signer Signer, uid string, customClaims map[string]any, cfg TokenConfig) (TokenPair, error) {
now := time.Now()
accessClaims := jwt.MapClaims{
"sub": uid,
"iss": cfg.Issuer,
"iat": jwt.NewNumericDate(now),
"exp": jwt.NewNumericDate(now.Add(cfg.AccessTTL)),
"jti": newJTI(),
}
for k, v := range customClaims {
accessClaims[k] = v
}
accessToken, err := signer.Sign(accessClaims)
if err != nil {
return TokenPair{}, fmt.Errorf("sign access token: %w", err)
}
refreshClaims := jwt.MapClaims{
"sub": uid,
"iss": cfg.Issuer,
"iat": jwt.NewNumericDate(now),
"exp": jwt.NewNumericDate(now.Add(cfg.RefreshTTL)),
"jti": newJTI(),
"fam": newJTI(),
}
refreshToken, err := signer.Sign(refreshClaims)
if err != nil {
return TokenPair{}, fmt.Errorf("sign refresh token: %w", err)
}
return TokenPair{
AccessToken: accessToken,
RefreshToken: refreshToken,
ExpiresIn: int64(cfg.AccessTTL.Seconds()),
}, nil
}
func newJTI() string {
b := make([]byte, 16)
_, _ = rand.Read(b)
b[6] = (b[6] & 0x0f) | 0x40
b[8] = (b[8] & 0x3f) | 0x80
return fmt.Sprintf("%08x-%04x-%04x-%04x-%012x",
b[0:4], b[4:6], b[6:8], b[8:10], b[10:])
}