woodpecker/shared/token/token.go

130 lines
2.9 KiB
Go

package token
import (
"fmt"
"net/http"
"github.com/dgrijalva/jwt-go"
)
type SecretFunc func(*Token) (string, error)
const (
UserToken = "user"
SessToken = "sess"
HookToken = "hook"
CsrfToken = "csrf"
)
// Default algorithm used to sign JWT tokens.
const SignerAlgo = "HS256"
type Token struct {
Kind string
Text string
}
func Parse(raw string, fn SecretFunc) (*Token, error) {
token := &Token{}
parsed, err := jwt.Parse(raw, keyFunc(token, fn))
if err != nil {
return nil, err
} else if !parsed.Valid {
return nil, jwt.ValidationError{}
}
return token, nil
}
func ParseRequest(r *http.Request, fn SecretFunc) (*Token, error) {
var token = r.Header.Get("Authorization")
// first we attempt to get the token from the
// authorization header.
if len(token) != 0 {
token = r.Header.Get("Authorization")
fmt.Sscanf(token, "Bearer %s", &token)
return Parse(token, fn)
}
// then we attempt to get the token from the
// access_token url query parameter
token = r.FormValue("access_token")
if len(token) != 0 {
return Parse(token, fn)
}
// and finally we attempt to get the token from
// the user session cookie
cookie, err := r.Cookie("user_sess")
if err != nil {
return nil, err
}
return Parse(cookie.Value, fn)
}
func CheckCsrf(r *http.Request, fn SecretFunc) error {
// get and options requests are always
// enabled, without CSRF checks.
switch r.Method {
case "GET", "OPTIONS":
return nil
}
// parse the raw CSRF token value and validate
raw := r.Header.Get("X-CSRF-TOKEN")
_, err := Parse(raw, fn)
return err
}
func New(kind, text string) *Token {
return &Token{Kind: kind, Text: text}
}
// Sign signs the token using the given secret hash
// and returns the string value.
func (t *Token) Sign(secret string) (string, error) {
return t.SignExpires(secret, 0)
}
// Sign signs the token using the given secret hash
// with an expiration date.
func (t *Token) SignExpires(secret string, exp int64) (string, error) {
token := jwt.New(jwt.SigningMethodHS256)
token.Claims["type"] = t.Kind
token.Claims["text"] = t.Text
if exp > 0 {
token.Claims["exp"] = float64(exp)
}
return token.SignedString([]byte(secret))
}
func keyFunc(token *Token, fn SecretFunc) jwt.Keyfunc {
return func(t *jwt.Token) (interface{}, error) {
// validate the correct algorithm is being used
if t.Method.Alg() != SignerAlgo {
return nil, jwt.ErrSignatureInvalid
}
// extract the token kind and cast to
// the expected type.
kindv, ok := t.Claims["type"]
if !ok {
return nil, jwt.ValidationError{}
}
token.Kind, _ = kindv.(string)
// extract the token value and cast to
// exepected type.
textv, ok := t.Claims["text"]
if !ok {
return nil, jwt.ValidationError{}
}
token.Text, _ = textv.(string)
// invoke the callback function to retrieve
// the secret key used to verify
secret, err := fn(token)
return []byte(secret), err
}
}