tokens

package

v1.0.0 Latest Latest Go to latest Published: Sep 19, 2023 License: BSD-3-Clause Imports: 10 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/bbengfort/epistolary

Links

Open Source Insights

Documentation ¶

Index ¶

func ExpiresAt(tks string) (_ time.Time, err error)
func NotBefore(tks string) (_ time.Time, err error)
func ParseUnverified(tks string) (claims *jwt.RegisteredClaims, err error)
type Claims
type TokenManager
- func New(conf config.TokenConfig) (tm *TokenManager, err error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func ExpiresAt ¶ added in v0.3.0

func ExpiresAt(tks string) (_ time.Time, err error)

func NotBefore ¶ added in v0.3.0

func NotBefore(tks string) (_ time.Time, err error)

func ParseUnverified ¶ added in v0.3.0

func ParseUnverified(tks string) (claims *jwt.RegisteredClaims, err error)

Types ¶

type Claims ¶

type Claims struct {
	jwt.RegisteredClaims
	Name        string   `json:"name,omitempty"`
	Username    string   `json:"username,omitempty"`
	Email       string   `json:"email,omitempty"`
	Role        string   `json:"role,omitempty"`
	Permissions []string `json:"permissions,omitempty"`
}

Claims implements custom claims for the Epistolary application.

func (Claims) HasAllPermissions ¶

func (c Claims) HasAllPermissions(required ...string) bool

func (Claims) HasPermission ¶

func (c Claims) HasPermission(required string) bool

func (*Claims) SetSubjectID ¶

func (c *Claims) SetSubjectID(uid int64)

func (Claims) SubjectID ¶

func (c Claims) SubjectID() (int64, error)

type TokenManager ¶

type TokenManager struct {
	// contains filtered or unexported fields
}

TokenManager handles the creation and verification of RSA signed JWT tokens. To facilitate signing key rollover, TokenManager can accept multiple keys identified by a ulid. JWT tokens generated by token managers include a kid in the header that allows the token manager to verify the key with the specified signature. To sign keys the token manager will always use the latest private key by ulid.

When the TokenManager creates tokens it will use JWT standard claims as well as extended claims based on Oauth credentials. The standard claims included are exp, nbf aud, and sub. The iss claim is optional and would duplicate aud, so it is omitted. On token verification, the exp, nbf, and aud claims are validated. TODO: Create automatic key rotation mechanism rather than loading keys.

func New ¶

func New(conf config.TokenConfig) (tm *TokenManager, err error)

New creates a TokenManager with the specified keys which should be a mapping of ULID strings to paths to files that contain PEM encoded RSA private keys. This input is specifically designed for the config environment variable so that keys can be loaded from k8s or vault secrets that are mounted as files on disk.

func (*TokenManager) CreateAccessToken ¶

func (tm *TokenManager) CreateAccessToken(claims *Claims) (_ *jwt.Token, err error)

CreateAccessToken from the credential payload or from an previous token if the access token is being reauthorized from previous credentials. Note that the returned token only contains the claims and is unsigned.

func (*TokenManager) CreateRefreshToken ¶

func (tm *TokenManager) CreateRefreshToken(accessToken *jwt.Token) (refreshToken *jwt.Token, err error)

CreateRefreshToken from the Access token claims with predefined expiration. Note that the returned token only contains the claims and is unsigned.

func (*TokenManager) CreateTokens ¶

func (tm *TokenManager) CreateTokens(claims *Claims) (signedAccessToken, signedRefreshToken string, err error)

CreateTokens creates and signs an access and refresh token in one step.

func (*TokenManager) CurrentKey ¶

func (tm *TokenManager) CurrentKey() ulid.ULID

CurrentKey returns the ulid of the current key being used to sign tokens.

func (*TokenManager) Keys ¶

func (tm *TokenManager) Keys() map[ulid.ULID]*rsa.PublicKey

Keys returns the map of ulid to public key for use externally.

func (*TokenManager) Parse ¶

func (tm *TokenManager) Parse(tks string) (claims *Claims, err error)

Parse an access or refresh token verifying its signature but without verifying its claims. This ensures that valid JWT tokens are still accepted but claims can be handled on a case-by-case basis; for example by validating an expired access token during reauthentication.

func (*TokenManager) Sign ¶

func (tm *TokenManager) Sign(token *jwt.Token) (tks string, err error)

Sign an access or refresh token and return the token string.

func (*TokenManager) Verify ¶

func (tm *TokenManager) Verify(tks string) (claims *Claims, err error)

Verify an access or a refresh token after parsing and return its claims.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL