func validateJWT(ih bittorrent.InfoHash, jwtBytes []byte, cfgIss, cfgAud string, publicKeys map[string]crypto.PublicKey) error {
parsedJWT, err := jws.ParseJWT(jwtBytes)
if err != nil {
return err
}
claims := parsedJWT.Claims()
if iss, ok := claims.Issuer(); !ok || iss != cfgIss {
return jwt.ErrInvalidISSClaim
}
if aud, ok := claims.Audience(); !ok || !validAudience(aud, cfgAud) {
return jwt.ErrInvalidAUDClaim
}
if ihClaim, ok := claims.Get("infohash").(string); !ok || !validInfoHash(ihClaim, ih) {
return errors.New("claim \"infohash\" is invalid")
}
parsedJWS := parsedJWT.(jws.JWS)
kid, ok := parsedJWS.Protected().Get("kid").(string)
if !ok {
return errors.New("invalid kid")
}
publicKey, ok := publicKeys[kid]
if !ok {
return errors.New("signed by unknown kid")
}
return parsedJWS.Verify(publicKey, jc.SigningMethodRS256)
}
func TestMultipleAudienceFix_AfterMarshal(t *testing.T) {
// Create JWS claims
claims := jws.Claims{}
claims.SetAudience("example.com", "api.example.com")
token := jws.NewJWT(claims, crypto.SigningMethodHS256)
serializedToken, _ := token.Serialize([]byte("abcdef"))
// Unmarshal JSON
newToken, _ := jws.ParseJWT(serializedToken)
c := newToken.Claims()
// Get Audience
aud, ok := c.Audience()
if !ok {
// Fails
t.Fail()
}
t.Logf("aud len(): %d", len(aud))
t.Logf("aud Value: %s", aud)
t.Logf("aud Type : %T", aud)
}
// ValidateClaim validate the JWT token and return the user model
// decoded from the claim
func ValidateClaim(certs *Certs, token string) (*models.User, error) {
usr := new(models.User)
w, err := jws.ParseJWT([]byte(token))
if err != nil {
return nil, err
}
if err := w.Validate(certs.PublicKey, crypto.SigningMethodRS512); err != nil {
return nil, err
}
_, isExpired := w.Claims().Expiration()
if !isExpired {
return nil, ErrTokenExpired
}
usr.Email = extractKey("email", w.Claims())
usr.Login = extractKey("login", w.Claims())
usr.ID = extractKey("user_id", w.Claims())
return usr, nil
}
func ValidateToken(token string) bool {
parsed, err := jws.ParseJWT([]byte(token))
if err != nil {
return false
}
id := int(parsed.Claims().Get("id").(float64))
if id > 0 {
fmt.Printf("parsed: %d : %v\n", id, parsed)
db, err := sql.Open("postgres", config.DbConnection)
if err != nil {
fmt.Println(err.Error())
}
defer db.Close()
stmt, err := db.Prepare("SELECT token FROM tokens where user_id = $1;")
if err != nil {
fmt.Printf("ERROR prepare: %s\n", err.Error())
return false
}
defer stmt.Close()
row := stmt.QueryRow(id)
var dbToken string
err = row.Scan(&dbToken)
if err != nil {
fmt.Println(err.Error())
return false
}
return token == dbToken
} else {
return false
}
}
//Validate check jwt
func (p *Jwt) Validate(buf []byte) (jwt.Claims, error) {
tk, err := jws.ParseJWT(buf)
if err != nil {
return nil, err
}
err = tk.Validate(p.Key, p.Method)
return tk.Claims(), err
}
func decodeUserFromJWT(accessToken string) (User, error) {
if accessToken == "" {
return User{}, nil
}
token, err := jws.ParseJWT([]byte(accessToken[7:]))
if err != nil {
return User{}, err
}
claims := token.Claims()
return User{
Name: claims.Get("user_name").(string),
}, nil
}
// TestTimeValuesThroughJSON verifies that the time values
// that are set via the Set{IssuedAt,NotBefore,Expiration}()
// methods can actually be parsed back
func TestTimeValuesThroughJSON(t *testing.T) {
now := time.Unix(time.Now().Unix(), 0)
c := jws.Claims{}
c.SetIssuedAt(now)
c.SetNotBefore(now)
c.SetExpiration(now)
// serialize to JWT
tok := jws.NewJWT(c, crypto.SigningMethodHS256)
b, err := tok.Serialize([]byte("key"))
if err != nil {
t.Fatal(err)
}
// parse the JWT again
tok2, err := jws.ParseJWT(b)
if err != nil {
t.Fatal(err)
}
c2 := tok2.Claims()
iat, ok1 := c2.IssuedAt()
nbf, ok2 := c2.NotBefore()
exp, ok3 := c2.Expiration()
if !ok1 || !ok2 || !ok3 {
t.Fatal("got false want true")
}
if got, want := iat, now; !got.Equal(want) {
t.Errorf("%s: got %v want %v", "iat", got, want)
}
if got, want := nbf, now; !got.Equal(want) {
t.Errorf("%s: got %v want %v", "nbf", got, want)
}
if got, want := exp, now; !got.Equal(want) {
t.Errorf("%s: got %v want %v", "exp", got, want)
}
}