//Validate access token func (s *Server) validateAccessLoginToken(token string) (string, bool) { btok, err := base64.URLEncoding.DecodeString(token) if err != nil { return "", false } k := fernet.MustDecodeKeys(s.config.Clients["browser"].Secret) email := fernet.VerifyAndDecrypt(btok, 60*time.Second, k) c := s.redisConn() defer c.Close() status, err := redis.String(c.Do("GET", email)) if err != nil { return "", false } if status == "loggedin" { return string(email), true } else { return "", false } }
// ParseAndDecrypt returns the outlet's API credentials which // are expected to be signed & encrypted and stuffed into the // authorization header of the HTTP request. func ParseAndDecrypt(r *http.Request) (string, string, error) { header, err := parseAuthHeader(r) if err != nil { return "", "", err } user, _, err := ParseRaw(header) if err != nil { return "", "", err } // If we have gotten here, we have a signed, authentication request. // If we can verify & decrypt, then we will pass the decrypted credenti // to the caller. Most of the time, the username and password will be // credentials to Librato metric API. We don't care about the // validity of those credentials here. If they are wrong // the metrics will be dropped in the outlet. Keep an eye on HTTP // authentication errors from the log output of the outlets. if len(keys) > 0 { s := fernet.VerifyAndDecrypt([]byte(user), ttl, keys) if s != nil { parts := strings.Split(string(s), ":") return parts[0], parts[1], nil } } return "", "", errors.New("End of Authentication chain reached.") }
func Parse(r *http.Request) (string, string, error) { header, err := parseAuthHeader(r) if err != nil { return "", "", err } user, _, err := ParseRaw(header) if err != nil { return "", "", err } //If we have gotten here, we have a signed, db-less authentication reque //If we can verify and decrypt, then we will pass the decrypted credenti //to the caller. Most of the time, the username and password will be //credentials to outlet providers. (e.g. Librato creds or Graphite creds //We care about the validity of those credentials here. If they are wron //the metrics will be dropped at the outlet. Keep an eye on http //authentication errors from the log output of the outlets. if len(keys) > 0 { if s := fernet.VerifyAndDecrypt([]byte(user), OneHundredYears, keys); s != nil { parts := strings.Split(string(s), ":") return parts[0], parts[1], nil } } return "", "", errors.New("End of Authentication chain reached.") }
func Example() { k := fernet.MustDecodeKeys("cw_0x689RpI-jtRR7oE8h_eQsKImvJapLeSbXpwF4e4=") tok, err := fernet.EncryptAndSign([]byte("hello"), k[0]) if err != nil { panic(err) } msg := fernet.VerifyAndDecrypt(tok, 60*time.Second, k) fmt.Println(string(msg)) // Output: // hello }
//Validate access token func (s *Server) validateSharedToken(token string) bool { btok, err := base64.URLEncoding.DecodeString(token) if err != nil { return false } k := fernet.MustDecodeKeys(s.config.Clients["browser"].Secret) shared_token := fernet.VerifyAndDecrypt(btok, 60*10*time.Second, k) if string(shared_token) == string(s.config.Clients["browser"].Token) { return true } else { return false } }
func ParseAuth(r *http.Request) (string, string, error) { header, err := parseAuthHeader(r) if err != nil { return "", "", err } user, _, err := parseAuthValue(header) if err != nil { return "", "", err } //If we have gotten here, we have a signed, db-less authentication reque //If we can verify and decrypt, then we will pass the decrypted credenti //to the caller. Most of the time, the username and password will be //credentials to outlet providers. (e.g. Librato creds or Graphite creds //We care about the validity of those credentials here. If they are wron //the metrics will be dropped at the outlet. Keep an eye on http //authentication errors from the log output of the outlets. if len(keys) > 0 { if s := fernet.VerifyAndDecrypt([]byte(user), OneHundredYears, keys); s != nil { parts := strings.Split(string(s), ":") return parts[0], parts[1], nil } } //If the user is not == "l2met" then dbless-auth is requested. //ATM we assume the first part (user field) contains a base64 encoded //representation of the outlet credentials. if len(user) > 0 { trimmedUser := strings.Replace(user, ":", "", -1) decodedUser, err := base64.StdEncoding.DecodeString(trimmedUser) if err != nil { return trimmedUser, "", err } outletCreds := strings.Split(string(decodedUser), ":") //If the : is absent in parts[0], outletCreds[0] will contain the entire string in parts[0]. u := outletCreds[0] //It is not required for the outletCreds to contain a pass. //The empty string that is returned will be handled by the outlet. var p string if len(outletCreds) > 1 { p = outletCreds[1] } return u, p, nil } return "", "", errors.New("End of Authe chain reached.") }
func TestFernet(t *testing.T) { k := fernet.MustDecodeKeys("YI1ZYdopn6usnQ/5gMAHg8+pNh6D0DdaJkytdoLWUj0=") tok, err := fernet.EncryptAndSign([]byte("mysharedtoken"), k[0]) if err != nil { t.Fatalf("fernet encryption failed %v\n", err) } stok := base64.URLEncoding.EncodeToString(tok) btok, err := base64.URLEncoding.DecodeString(stok) //fmt.Println(btok) if err != nil { t.Fatalf("fernet key decryption failed %v\n", err) } msg := fernet.VerifyAndDecrypt(btok, 60*time.Second, k) if string(msg) != "mysharedtoken" { t.Fatalf("verification failed!\n") } }