mirror of
https://github.com/Dvorinka/Bookra.git
synced 2026-06-03 20:13:00 +00:00
Tomas Dvorak
83 lines
1.7 KiB
Go
83 lines
1.7 KiB
Go
package auth
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"net/url"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/MicahParks/keyfunc/v3"
|
|
"github.com/golang-jwt/jwt/v5"
|
|
)
|
|
|
|
type Verifier struct {
|
|
jwks keyfunc.Keyfunc
|
|
expectedIssuer string
|
|
enabled bool
|
|
cancel context.CancelFunc
|
|
}
|
|
|
|
func NewVerifier(neonAuthURL string) (*Verifier, error) {
|
|
trimmed := strings.TrimSpace(neonAuthURL)
|
|
if trimmed == "" {
|
|
return &Verifier{enabled: false}, nil
|
|
}
|
|
|
|
parsed, err := url.Parse(trimmed)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("parse neon auth url: %w", err)
|
|
}
|
|
|
|
expectedIssuer := fmt.Sprintf("%s://%s", parsed.Scheme, parsed.Host)
|
|
jwksURL := fmt.Sprintf("%s/.well-known/jwks.json", trimmed)
|
|
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
|
|
jwks, err := keyfunc.NewDefaultCtx(ctx, []string{jwksURL})
|
|
if err != nil {
|
|
cancel()
|
|
return nil, fmt.Errorf("create jwks: %w", err)
|
|
}
|
|
|
|
return &Verifier{
|
|
jwks: jwks,
|
|
expectedIssuer: expectedIssuer,
|
|
enabled: true,
|
|
cancel: cancel,
|
|
}, nil
|
|
}
|
|
|
|
func (v *Verifier) Enabled() bool {
|
|
return v.enabled
|
|
}
|
|
|
|
func (v *Verifier) Close() {
|
|
if v.cancel != nil {
|
|
v.cancel()
|
|
}
|
|
}
|
|
|
|
func (v *Verifier) Verify(tokenString string) (jwt.MapClaims, error) {
|
|
if !v.enabled {
|
|
return nil, errors.New("neon auth verifier is disabled")
|
|
}
|
|
|
|
token, err := jwt.Parse(tokenString, v.jwks.Keyfunc,
|
|
jwt.WithIssuer(v.expectedIssuer),
|
|
jwt.WithValidMethods([]string{"EdDSA"}),
|
|
jwt.WithAudience(v.expectedIssuer),
|
|
jwt.WithLeeway(15*time.Second),
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
claims, ok := token.Claims.(jwt.MapClaims)
|
|
if !ok || !token.Valid {
|
|
return nil, errors.New("invalid token claims")
|
|
}
|
|
return claims, nil
|
|
}
|