package auth import ( "context" "errors" "fmt" "net/url" "strings" "time" "github.com/MicahParks/keyfunc/v3" "github.com/golang-jwt/jwt/v5" ) type NeonVerifier struct { jwks keyfunc.Keyfunc expectedIssuer string enabled bool cancel context.CancelFunc } func NewNeonVerifier(neonAuthURL string) (*NeonVerifier, error) { trimmed := strings.TrimRight(strings.TrimSpace(neonAuthURL), "/") if trimmed == "" { return &NeonVerifier{enabled: false}, nil } parsed, err := url.Parse(trimmed) if err != nil { return nil, fmt.Errorf("parse neon auth url: %w", err) } expectedIssuer := fmt.Sprintf("%s://%s", parsed.Scheme, parsed.Host) jwksURL := fmt.Sprintf("%s/.well-known/jwks.json", trimmed) ctx, cancel := context.WithCancel(context.Background()) jwks, err := keyfunc.NewDefaultCtx(ctx, []string{jwksURL}) if err != nil { cancel() return nil, fmt.Errorf("create neon jwks: %w", err) } return &NeonVerifier{jwks: jwks, expectedIssuer: expectedIssuer, enabled: true, cancel: cancel}, nil } func (v *NeonVerifier) Enabled() bool { return v != nil && v.enabled } func (v *NeonVerifier) Close() { if v != nil && v.cancel != nil { v.cancel() } } func (v *NeonVerifier) Verify(tokenString string) (*Claims, error) { if !v.Enabled() { return nil, errors.New("neon auth verifier is disabled") } token, err := jwt.Parse(tokenString, v.jwks.Keyfunc, jwt.WithIssuer(v.expectedIssuer), jwt.WithValidMethods([]string{"EdDSA"}), jwt.WithAudience(v.expectedIssuer), jwt.WithLeeway(15*time.Second), ) if err != nil { return nil, err } claims, ok := token.Claims.(jwt.MapClaims) if !ok || !token.Valid { return nil, errors.New("invalid neon claims") } subject, _ := claims["sub"].(string) email, _ := claims["email"].(string) name, _ := claims["name"].(string) if name == "" { name, _ = claims["display_name"].(string) } if strings.TrimSpace(subject) == "" { return nil, errors.New("missing neon subject") } return &Claims{UserID: subject, Email: email, Name: name, Role: "authenticated", Type: "access"}, nil }