initial commit
This commit is contained in:
@@ -0,0 +1,131 @@
|
||||
package auth
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/golang-jwt/jwt/v5"
|
||||
)
|
||||
|
||||
var (
|
||||
ErrInvalidToken = errors.New("invalid or expired token")
|
||||
ErrNoToken = errors.New("no authorization token")
|
||||
)
|
||||
|
||||
// Claims for our JWT (minimal, matching original style).
|
||||
type Claims struct {
|
||||
UserID int `json:"user_id"`
|
||||
Email string `json:"email"`
|
||||
Name string `json:"name"`
|
||||
Roles []string `json:"roles"`
|
||||
jwt.RegisteredClaims
|
||||
}
|
||||
|
||||
// Context key for user info.
|
||||
type contextKey string
|
||||
|
||||
const UserContextKey contextKey = "user"
|
||||
|
||||
// JWTManager handles signing and validation.
|
||||
type JWTManager struct {
|
||||
secret []byte
|
||||
}
|
||||
|
||||
// NewJWTManager creates a manager. In real use, load secret from secure store or env (never commit real secret).
|
||||
// For demo we accept a secret; in production rotate and use env/JWT_SECRET or db meta.
|
||||
func NewJWTManager(secret string) *JWTManager {
|
||||
if secret == "" {
|
||||
secret = "dev-only-insecure-secret-change-in-prod"
|
||||
}
|
||||
return &JWTManager{secret: []byte(secret)}
|
||||
}
|
||||
|
||||
// GenerateToken creates a JWT for the given user (1 hour expiry like typical).
|
||||
func (m *JWTManager) GenerateToken(userID int, email, name string, roles []string) (string, error) {
|
||||
now := time.Now()
|
||||
if roles == nil {
|
||||
roles = []string{}
|
||||
}
|
||||
claims := Claims{
|
||||
UserID: userID,
|
||||
Email: email,
|
||||
Name: name,
|
||||
Roles: roles,
|
||||
RegisteredClaims: jwt.RegisteredClaims{
|
||||
ExpiresAt: jwt.NewNumericDate(now.Add(1 * time.Hour)),
|
||||
IssuedAt: jwt.NewNumericDate(now),
|
||||
NotBefore: jwt.NewNumericDate(now),
|
||||
Issuer: "helix-proxy",
|
||||
},
|
||||
}
|
||||
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
||||
return token.SignedString(m.secret)
|
||||
}
|
||||
|
||||
// ValidateToken parses and validates the token, returns claims.
|
||||
func (m *JWTManager) ValidateToken(tokenStr string) (*Claims, error) {
|
||||
token, err := jwt.ParseWithClaims(tokenStr, &Claims{}, func(t *jwt.Token) (interface{}, error) {
|
||||
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
|
||||
return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
|
||||
}
|
||||
return m.secret, nil
|
||||
})
|
||||
if err != nil {
|
||||
return nil, ErrInvalidToken
|
||||
}
|
||||
if claims, ok := token.Claims.(*Claims); ok && token.Valid {
|
||||
return claims, nil
|
||||
}
|
||||
return nil, ErrInvalidToken
|
||||
}
|
||||
|
||||
// Middleware returns a chi/http middleware that validates Bearer token and injects user into context.
|
||||
// Skips if no token (for public endpoints like /login we handle separately).
|
||||
// On failure returns 401.
|
||||
func (m *JWTManager) Middleware(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
authHeader := r.Header.Get("Authorization")
|
||||
if authHeader == "" {
|
||||
// No token: let handler decide (some endpoints public)
|
||||
next.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
|
||||
parts := strings.SplitN(authHeader, " ", 2)
|
||||
if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") {
|
||||
http.Error(w, "invalid authorization header", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
claims, err := m.ValidateToken(parts[1])
|
||||
if err != nil {
|
||||
http.Error(w, "invalid token", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
// Inject into context
|
||||
ctx := context.WithValue(r.Context(), UserContextKey, claims)
|
||||
next.ServeHTTP(w, r.WithContext(ctx))
|
||||
})
|
||||
}
|
||||
|
||||
// GetUserFromContext extracts claims if present (for handlers that require auth).
|
||||
func GetUserFromContext(ctx context.Context) (*Claims, bool) {
|
||||
claims, ok := ctx.Value(UserContextKey).(*Claims)
|
||||
return claims, ok
|
||||
}
|
||||
|
||||
// RequireAuth is a simple helper that can be used inside handlers for protected routes
|
||||
// (alternative to middleware if you want per-route).
|
||||
func RequireAuth(w http.ResponseWriter, r *http.Request) (*Claims, bool) {
|
||||
claims, ok := GetUserFromContext(r.Context())
|
||||
if !ok {
|
||||
http.Error(w, "authentication required", http.StatusUnauthorized)
|
||||
return nil, false
|
||||
}
|
||||
return claims, true
|
||||
}
|
||||
@@ -0,0 +1,128 @@
|
||||
package auth
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
)
|
||||
|
||||
func TestJWTManager_GenerateValidate_Roundtrip(t *testing.T) {
|
||||
m := NewJWTManager("test-secret-123")
|
||||
token, err := m.GenerateToken(42, "user@example.com", "User", []string{"admin", "user"})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if token == "" {
|
||||
t.Error("empty token")
|
||||
}
|
||||
|
||||
claims, err := m.ValidateToken(token)
|
||||
if err != nil {
|
||||
t.Fatalf("validate: %v", err)
|
||||
}
|
||||
if claims.UserID != 42 || claims.Email != "user@example.com" || len(claims.Roles) != 2 {
|
||||
t.Errorf("claims: %+v", claims)
|
||||
}
|
||||
if claims.ExpiresAt == nil || time.Until(claims.ExpiresAt.Time) > time.Hour {
|
||||
t.Error("expiry not ~1h")
|
||||
}
|
||||
}
|
||||
|
||||
func TestJWTManager_DevSecretFallback(t *testing.T) {
|
||||
m := NewJWTManager("") // empty -> dev
|
||||
token, _ := m.GenerateToken(1, "a@b", "A", nil)
|
||||
_, err := m.ValidateToken(token)
|
||||
if err != nil {
|
||||
t.Error("dev secret should allow roundtrip")
|
||||
}
|
||||
}
|
||||
|
||||
func TestJWTManager_BadToken(t *testing.T) {
|
||||
m := NewJWTManager("s")
|
||||
if _, err := m.ValidateToken("not.a.jwt"); err == nil {
|
||||
t.Error("bad token should err")
|
||||
}
|
||||
// wrong sig
|
||||
m2 := NewJWTManager("other")
|
||||
tok, _ := m2.GenerateToken(1, "e", "n", nil)
|
||||
if _, err := m.ValidateToken(tok); err == nil {
|
||||
t.Error("wrong sig should invalid")
|
||||
}
|
||||
}
|
||||
|
||||
func TestJWTManager_Middleware(t *testing.T) {
|
||||
m := NewJWTManager("sec")
|
||||
token, _ := m.GenerateToken(7, "m@e", "M", []string{"admin"})
|
||||
|
||||
// with valid bearer
|
||||
h := m.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
c, ok := GetUserFromContext(r.Context())
|
||||
if !ok || c.UserID != 7 {
|
||||
t.Error("claims not in ctx")
|
||||
}
|
||||
w.WriteHeader(200)
|
||||
}))
|
||||
req := httptest.NewRequest("GET", "/", nil)
|
||||
req.Header.Set("Authorization", "Bearer "+token)
|
||||
rr := httptest.NewRecorder()
|
||||
h.ServeHTTP(rr, req)
|
||||
if rr.Code != 200 {
|
||||
t.Errorf("valid bearer: %d", rr.Code)
|
||||
}
|
||||
|
||||
// no token: passes through (no 401)
|
||||
h2 := m.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(204)
|
||||
}))
|
||||
req2 := httptest.NewRequest("GET", "/", nil)
|
||||
rr2 := httptest.NewRecorder()
|
||||
h2.ServeHTTP(rr2, req2)
|
||||
if rr2.Code != 204 {
|
||||
t.Error("no token should pass")
|
||||
}
|
||||
|
||||
// bad token: 401
|
||||
req3 := httptest.NewRequest("GET", "/", nil)
|
||||
req3.Header.Set("Authorization", "Bearer bad")
|
||||
rr3 := httptest.NewRecorder()
|
||||
h.ServeHTTP(rr3, req3)
|
||||
if rr3.Code != 401 {
|
||||
t.Errorf("bad token 401: %d", rr3.Code)
|
||||
}
|
||||
|
||||
// wrong scheme
|
||||
req4 := httptest.NewRequest("GET", "/", nil)
|
||||
req4.Header.Set("Authorization", "Basic foo")
|
||||
rr4 := httptest.NewRecorder()
|
||||
h.ServeHTTP(rr4, req4)
|
||||
if rr4.Code != 401 {
|
||||
t.Errorf("bad scheme: %d", rr4.Code)
|
||||
}
|
||||
}
|
||||
|
||||
func TestRequireAuth(t *testing.T) {
|
||||
// direct, needs ctx with claims
|
||||
m := NewJWTManager("s")
|
||||
tok, _ := m.GenerateToken(99, "r@a", "R", nil)
|
||||
claims, _ := m.ValidateToken(tok)
|
||||
|
||||
req := httptest.NewRequest("GET", "/", nil)
|
||||
// without ctx
|
||||
rr := httptest.NewRecorder()
|
||||
c, ok := RequireAuth(rr, req)
|
||||
if ok || c != nil || rr.Code != 401 {
|
||||
t.Error("require without claims should 401")
|
||||
}
|
||||
|
||||
// with ctx set via context value
|
||||
req2 := httptest.NewRequest("GET", "/", nil)
|
||||
ctx := context.WithValue(req2.Context(), UserContextKey, claims)
|
||||
req2 = req2.WithContext(ctx)
|
||||
rr2 := httptest.NewRecorder()
|
||||
c2, ok2 := RequireAuth(rr2, req2)
|
||||
if !ok2 || c2.UserID != 99 {
|
||||
t.Error("require with claims failed")
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user