// NewToken creates new JWT token for the gien username. It embedds the given
// public key as kontrolKey and signs the token with the private one.
func NewToken(username, private, public string) *jwt.Token {
tknID := uuid.NewV4()
hostname, err := os.Hostname()
if err != nil {
panic(err)
}
if username == "" {
username = "******"
}
if testuser := os.Getenv("TESTKEY_USERNAME"); testuser != "" {
username = testuser
}
claims := &kitekey.KiteClaims{
StandardClaims: jwt.StandardClaims{
Issuer: "testuser",
Subject: username,
Audience: hostname,
IssuedAt: time.Now().UTC().Unix(),
Id: tknID.String(),
},
KontrolKey: public,
KontrolURL: "http://localhost:4000/kite",
}
token := jwt.NewWithClaims(jwt.GetSigningMethod("RS256"), claims)
rsaPrivate, err := jwt.ParseRSAPrivateKeyFromPEM([]byte(private))
if err != nil {
panic(err)
}
token.Raw, err = token.SignedString(rsaPrivate)
if err != nil {
panic(err)
}
// verify the token
_, err = jwt.ParseWithClaims(token.Raw, claims, func(*jwt.Token) (interface{}, error) {
return jwt.ParseRSAPublicKeyFromPEM([]byte(public))
})
if err != nil {
panic(err)
}
token.Valid = true
return token
}
func (a *authService) GenerateToken(user *schema.User) (*TokenFields, error) {
expiresAt := time.Now().Add(time.Hour * 2)
token := jwt.New(jwt.GetSigningMethod("HS256"))
token.Claims["uid"] = user.ID
token.Claims["uname"] = user.Username
token.Claims["iat"] = expiresAt.Unix()
accessToken, err := token.SignedString(a.SigningKey)
if err != nil {
return nil, err
}
// generate JWT access token
token = jwt.New(jwt.GetSigningMethod("HS256"))
token.Claims["uid"] = user.ID
token.Claims["uname"] = user.Username
token.Claims["iat"] = time.Now().Add(time.Hour * 24 * 14).Unix()
refreshToken, err := token.SignedString(a.RefreshKey)
if err != nil {
return nil, err
}
return &TokenFields{AccessToken: accessToken, RefreshToken: refreshToken, ExpiresAt: expiresAt}, nil
}
/**
TODO:
- Get email and password from post request
- Find user
**/
func (a *authController) Login(c *gin.Context) {
var userLogin models.UserLogin
if err := c.Bind(&userLogin); err != nil {
panic(err)
}
user, err := authResource.Login(userLogin.Email, userLogin.Password)
if err != nil {
c.Error(err)
return
}
token := jwt_lib.New(jwt_lib.GetSigningMethod("HS256"))
// Set some claims
token.Claims["exp"] = time.Now().Add(time.Hour * 1).Unix()
// Sign and get the complete encoded token as a string
apiKey, err := token.SignedString([]byte(config.GetSecret()))
if err != nil {
c.Error(apiErrors.ThrowError(apiErrors.ServerError))
return
}
// Remove password
user.Password = ""
c.JSON(200, gin.H{
"user": user,
"api-key": apiKey,
})
}
// New creates a JwtAuth authenticator instance that provides middleware handlers
// and encoding/decoding functions for JWT signing.
func New(alg string, signKey []byte, verifyKey []byte) *JwtAuth {
return &JwtAuth{
signKey: signKey,
verifyKey: verifyKey,
signer: jwt.GetSigningMethod(alg),
}
}
//LoginHandler Hndler for login method
func LoginHandler(context *gin.Context, database *db.Context) {
var model models.LoginModel
err := context.BindJSON(&model)
if err != nil {
log.Println(err)
context.AbortWithError(http.StatusBadRequest, err)
return
}
user := database.FindUser(model.UserID)
storedPassword, _ := base64.URLEncoding.DecodeString(user.Password)
salt, _ := base64.URLEncoding.DecodeString(user.Salt)
checkPassword, _ := util.GeneratePassword([]byte(model.Password), salt)
if bytes.Compare(storedPassword, checkPassword) == 0 {
token := jwt_lib.New(jwt_lib.GetSigningMethod("HS256"))
token.Claims["ID"] = user.Username
token.Claims["exp"] = time.Now().Add(time.Hour * 24).Unix()
tokenString, err := token.SignedString([]byte(secret))
if err != nil {
context.JSON(500, gin.H{"message": "Could not generate token"})
return
}
context.JSON(200, gin.H{"token": tokenString})
} else {
context.JSON(http.StatusUnauthorized, gin.H{"status": "Login or password is incorrect"})
}
}
func main() {
r := gin.Default()
public := r.Group("/api")
public.GET("/", func(c *gin.Context) {
// Create the token
token := jwt_lib.New(jwt_lib.GetSigningMethod("HS256"))
// Set some claims
token.Claims["ID"] = "Christopher"
token.Claims["exp"] = time.Now().Add(time.Hour * 1).Unix()
// Sign and get the complete encoded token as a string
tokenString, err := token.SignedString([]byte(mysupersecretpassword))
if err != nil {
c.JSON(500, gin.H{"message": "Could not generate token"})
}
c.JSON(200, gin.H{"token": tokenString})
})
private := r.Group("/api/private")
private.Use(jwt.Auth(mysupersecretpassword))
/*
Set this header in your request to get here.
Authorization: Bearer `token`
*/
private.GET("/", func(c *gin.Context) {
c.JSON(200, gin.H{"message": "Hello from private"})
})
r.Run("localhost:8080")
}
func TestJWTToken(t *testing.T) {
var err error
if privateKey, err = ioutil.ReadFile("rsa-test.key"); err != nil {
t.Fatal(err)
}
if publicKey, err = ioutil.ReadFile("rsa-test.pub"); err != nil {
t.Fatal(err)
}
token := jwt.New(jwt.GetSigningMethod("RS256"))
token.Claims["PERMISSION"] = "admin@tiedot"
token.Claims["exp"] = time.Now().Add(time.Hour * 72).Unix()
ts, err := token.SignedString(privateKey)
if err != nil {
t.Fatal(err)
}
if token, err = jwt.Parse(ts, func(ts *jwt.Token) (interface{}, error) {
return publicKey, nil
}); err != nil {
t.Fatal(err)
}
if token.Valid {
t.Log(token)
} else {
t.Log(token)
t.Fail()
}
}
// GenerateToken - generate Token string
func GenerateToken() string {
token := jwt.New(jwt.GetSigningMethod("RS256"))
token.Claims["exp"] = time.Now().Add(time.Hour * 72).Unix()
tokenString, err := token.SignedString(signKey)
fatal(err)
return tokenString
}
// NewWithParser is the same as New, except it supports custom parser settings
// introduced in ver. 2.4.0 of jwt-go
func NewWithParser(alg string, parser *jwt.Parser, signKey []byte, verifyKey []byte) *JwtAuth {
return &JwtAuth{
signKey: signKey,
verifyKey: verifyKey,
signer: jwt.GetSigningMethod(alg),
parser: parser,
}
}
func NewToken() tokenData {
t := tokenData{}
t.payload = make(map[string]interface{})
// initialize every token with ecryption algorithm and expiration time
t.encrytpionAlg = jwt.GetSigningMethod("RS256")
t.expirationTimeToAdd = expTime
return t
}
func CreateTokenWithPayload(payload map[string]interface{}, privateKey interface{}) string {
token := jwt.New(jwt.GetSigningMethod("RS256"))
token.Claims = payload
signed, err := token.SignedString(privateKey)
if err != nil {
log.Fatal("Failed to parse private key.", err)
}
return signed
}
func handleLogin(w http.ResponseWriter, r *http.Request) {
token := jwt.New(jwt.GetSigningMethod("RS256"))
token.Claims["ID"] = "This is my super fake ID"
token.Claims["exp"] = time.Now().Unix() + 30
tokenString, _ := token.SignedString(privateKey)
w.WriteHeader(http.StatusOK)
fmt.Fprintf(w, `{"token": %s}`, tokenString)
}
func CreateToken(hostUuid string, privateKey interface{}) string {
token := jwt.New(jwt.GetSigningMethod("RS256"))
token.Claims["hostUuid"] = hostUuid
signed, err := token.SignedString(privateKey)
if err != nil {
log.Fatal("Failed to parse private key.", err)
}
return signed
}
func (m *defaultSessionManager) createToken(userID int64) (string, error) {
token := jwt.New(jwt.GetSigningMethod("RS256"))
token.Claims["uid"] = strconv.FormatInt(userID, 10)
token.Claims["exp"] = time.Now().Add(time.Minute * expiry).Unix()
tokenString, err := token.SignedString(m.signKey)
if err != nil {
return tokenString, errgo.Mask(err)
}
return tokenString, nil
}
func EncodeJwt(secret Secret, claims map[string]interface{}) (EncodedJwt, error) {
if secret == "" {
return "", nil
}
t := jwt.New(jwt.GetSigningMethod("HS256"))
t.Claims = claims
encoded, e := t.SignedString(secret)
return EncodedJwt(encoded), e
}
func EncodeJwt(secret Secret, claims *jwt.StandardClaims) (EncodedJwt, error) {
if secret == "" {
return "", nil
}
t := jwt.New(jwt.GetSigningMethod("HS256"))
t.Claims = claims
encoded, e := t.SignedString(secret)
return EncodedJwt(encoded), e
}
// createJWTToken generates the JWT token to be added to Request Headers
func createJWTToken(userID string) (string, error) {
// Create the token
token := jwt_lib.New(jwt_lib.GetSigningMethod("HS256"))
// Set some claims
token.Claims["ID"] = userID
token.Claims["exp"] = time.Now().Add(time.Hour * 1).Unix()
// Sign and get the complete encoded token as a string
tokenString, err := token.SignedString([]byte(config.TokenSecret))
return tokenString, err
}
func makeRandomUserToken() (username string, tokenString string) {
token := jwt.New(jwt.GetSigningMethod("HS256"))
username, err := randutil.AlphaStringRange(5, 10)
errPanic(err, "Cannot random string, wtf?")
token.Claims["username"] = username
token.Claims["secret"] = time.Now().Add(time.Hour * 72).Unix()
tokenString, err = token.SignedString([]byte(mySigningKey))
errPanic(err, "Cannot sign string, wtf?")
return
}
func (rp *relyingParty) generateAssertion() (string, error) {
now := time.Now().Unix()
token := jwt.New(jwt.GetSigningMethod("RS256"))
token.Claims["iss"] = rp.cfg.ServiceAccountEmail
token.Claims["scope"] = "https://www.googleapis.com/auth/identitytoolkit"
token.Claims["aud"] = tokenEndpointURL
token.Claims["lat"] = now
token.Claims["exp"] = now + 3600
return token.SignedString(rp.cfg.priKey)
}
func PostTokenResource(c *gin.Context) {
db := c.MustGet("db").(gorm.DB)
config := c.MustGet("config").(models.Configuration)
var user models.User
c.Bind(&user)
if (user.Username == "") || (user.Password == "") {
response := make(map[string]string)
response["error"] = "Incomplete submission."
c.JSON(400, response)
} else {
var queryUser models.User
db.Where("username = ?", user.Username).First(&queryUser)
if queryUser.Username == "" {
response := make(map[string]string)
response["error"] = "Resource not found."
c.JSON(404, response)
} else {
err := bcrypt.CompareHashAndPassword([]byte(queryUser.Password), []byte(user.Password))
if err != nil {
response := make(map[string]string)
response["error"] = "Invalid credentials."
c.JSON(401, response)
} else {
key, err := ioutil.ReadFile(config.Keys.Private)
if err != nil {
log.Fatal(err)
}
token := jwt.New(jwt.GetSigningMethod("RS256"))
token.Claims["id"] = queryUser.Id
expires := time.Now().Add(time.Hour * 72).UTC()
token.Claims["life"] = expires.Format(time.RFC3339)
tokenString, err := token.SignedString(key)
response := make(map[string]string)
response["token"] = tokenString
response["expires"] = expires.String()
c.JSON(200, response)
}
}
}
}
func GetToken(sp string) string {
token := jwt.New(jwt.GetSigningMethod("HS256"))
token.Claims["ID"] = "mujiburTest"
token.Claims["exp"] = time.Now().Add(time.Hour * 1).Unix()
ts, err := token.SignedString([]byte(sp))
if err != nil {
log.Printf("Error to get signed string: %v\n", err)
return ""
}
return ts
}
func createToken(w http.ResponseWriter, userID string) (string, error) {
token := jwt.New(jwt.GetSigningMethod("RS256"))
token.Claims["uid"] = userID
token.Claims["exp"] = time.Now().Add(time.Minute * expiry).Unix()
tokenString, err := token.SignedString(signKey)
if err != nil {
return "", err
}
w.Header().Set(tokenHeader, tokenString)
return tokenString, nil
}
// Verify user identity and hand out a JWT.
func getJWT(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
addCommonJwtRespHeaders(w, r)
// Verify identity
user := r.FormValue(JWT_USER_ATTR)
if user == "" {
http.Error(w, "Please pass JWT 'user' parameter", http.StatusBadRequest)
return
}
jwtCol := HttpDB.Use(JWT_COL_NAME)
if jwtCol == nil {
http.Error(w, "Server is missing JWT identity collection, please restart the server.", http.StatusInternalServerError)
return
}
userQuery := map[string]interface{}{
"eq": user,
"in": []interface{}{JWT_USER_ATTR}}
userQueryResult := make(map[int]struct{})
if err := db.EvalQuery(userQuery, jwtCol, &userQueryResult); err != nil {
tdlog.CritNoRepeat("Query failed in JWT identity collection : %v", err)
http.Error(w, "Query failed in JWT identity collection", http.StatusInternalServerError)
return
}
// Verify password
pass := r.FormValue(JWT_PASS_ATTR)
for recID := range userQueryResult {
rec, err := jwtCol.Read(recID)
if err != nil {
break
}
if rec[JWT_PASS_ATTR] != pass {
tdlog.CritNoRepeat("JWT: identitify verification failed from request sent by %s", r.RemoteAddr)
break
}
// Successful password match
token := jwt.New(jwt.GetSigningMethod("RS256"))
token.Claims = jwt.MapClaims{
JWT_USER_ATTR: rec[JWT_USER_ATTR],
JWT_COLLECTIONS_ATTR: rec[JWT_COLLECTIONS_ATTR],
JWT_ENDPOINTS_ATTR: rec[JWT_ENDPOINTS_ATTR],
JWT_EXPIRY: time.Now().Add(time.Hour * 72).Unix(),
}
var tokenString string
var e error
if tokenString, e = token.SignedString(privateKey); e != nil {
panic(e)
}
w.Header().Set("Authorization", "Bearer "+tokenString)
w.WriteHeader(http.StatusOK)
return
}
// ... password mismatch
http.Error(w, "Invalid password", http.StatusUnauthorized)
}
// CreateToken return the token
func CreateToken() map[string]string {
log := logs.NewLogger(10000)
log.SetLogger("console", "")
token := goJwt.New(goJwt.GetSigningMethod("RS256")) // Create a Token that will be signed with RSA 256.
token.Claims["ID"] = "This is my super fake ID"
token.Claims["exp"] = time.Now().Unix() + 36000
// The claims object allows you to store information in the actual token.
tokenString, _ := token.SignedString(RSAKeys.PrivateKey)
// tokenString Contains the actual token you should share with your client.
return map[string]string{"token": tokenString}
}
/*
Token path
*/
func Token(secretPassword string, claims map[string]interface{}) (string, error) {
// Create the token
token := jwt_lib.New(jwt_lib.GetSigningMethod("HS256"))
// Set some claims
token.Claims = claims
token.Claims["exp"] = time.Now().Add(expirationTime()).Unix()
// Sign and get the complete encoded token as a string
return token.SignedString([]byte(secretPassword))
}
func GenerateToken(userTel string) (string, error) {
token := jwt.New(jwt.GetSigningMethod("HS256"))
token.Claims["exp"] = time.Now().Add(time.Hour * time.Duration(600)).Unix()
token.Claims["iat"] = time.Now().Unix()
token.Claims["sub"] = userTel
tokenString, err := token.SignedString([]byte(secretKey))
if err != nil {
panic(err)
return "", err
}
return tokenString, nil
}
func generateToken(emailPrefix string) string {
token := jwt.New(jwt.GetSigningMethod("HS256"))
token.Claims["email"] = fmt.Sprintf("*****@*****.**", emailPrefix)
token.Claims["exp"] = time.Now().Add(time.Minute * 100).Unix()
token.Claims["groups"] = []string{"sre", "mcdev", "users"}
tokenString, err := token.SignedString([]byte(secretKey))
if err != nil {
panic(err)
}
return tokenString
}
// generateToken returns a JWT token string. Please see the URL for details:
// http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-13#section-4.1
func (k *Kontrol) generateToken(aud, username, issuer string, kp *KeyPair) (string, error) {
uniqKey := aud + username + issuer + kp.ID
k.tokenCacheMu.Lock()
defer k.tokenCacheMu.Unlock()
signed, ok := k.tokenCache[uniqKey]
if ok {
return signed, nil
}
rsaPrivate, err := jwt.ParseRSAPrivateKeyFromPEM([]byte(kp.Private))
if err != nil {
return "", err
}
now := time.Now().UTC()
claims := &kitekey.KiteClaims{
StandardClaims: jwt.StandardClaims{
Issuer: issuer,
Subject: username,
Audience: aud,
ExpiresAt: now.Add(k.tokenTTL()).Add(k.tokenLeeway()).UTC().Unix(),
IssuedAt: now.Add(-k.tokenLeeway()).UTC().Unix(),
Id: uuid.NewV4().String(),
},
}
if !k.TokenNoNBF {
claims.NotBefore = now.Add(-k.tokenLeeway()).Unix()
}
signed, err = jwt.NewWithClaims(jwt.GetSigningMethod("RS256"), claims).SignedString(rsaPrivate)
if err != nil {
return "", errors.New("Server error: Cannot generate a token")
}
// cache our token
k.tokenCache[uniqKey] = signed
// cache invalidation, because we cache the token in tokenCache we need to
// invalidate it expiration time. This was handled usually within JWT, but
// now we have to do it manually for our own cache.
time.AfterFunc(TokenTTL-TokenLeeway, func() {
k.tokenCacheMu.Lock()
defer k.tokenCacheMu.Unlock()
delete(k.tokenCache, uniqKey)
})
return signed, nil
}
func Auth(res http.ResponseWriter, req *http.Request) {
token := jwt.New(jwt.GetSigningMethod("RS256"))
token.Claims["ID"] = "This is my super fake ID"
token.Claims["exp"] = time.Now().Unix() + 36000
tokenString, _ := token.SignedString(privateKey)
rt, _ := json.Marshal(Result{http.StatusOK, "Successful", tokenString})
res.Header().Set("Content-Type", "application/json")
res.WriteHeader(http.StatusOK)
res.Write(rt)
}
func (s *service) generateToken(user BaseUser) string {
//This signing method must be the one that we validate below by calling `if _, ok := token.Method.(*jwt.SigningMethod`
token := jwt.New(jwt.GetSigningMethod("RS256"))
token.Claims["exp"] = time.Now().Add(time.Hour * time.Duration(s.jwtExpirationDeltaHours)).Unix()
token.Claims["iat"] = time.Now().Unix()
token.Claims["sub"] = user.UUID()
tokenString, err := token.SignedString(s.privateKeyBytes)
if err != nil {
s.Logger.Error("Cannot generate JWT token: %s", err.Error())
panic(s.ErrorsService.CreateClientError(http.StatusBadRequest, "[1442894957] Token error"))
}
return tokenString
}