func validateJWT(ih bittorrent.InfoHash, jwtBytes []byte, cfgIss, cfgAud string, publicKeys map[string]crypto.PublicKey) error { parsedJWT, err := jws.ParseJWT(jwtBytes) if err != nil { return err } claims := parsedJWT.Claims() if iss, ok := claims.Issuer(); !ok || iss != cfgIss { return jwt.ErrInvalidISSClaim } if aud, ok := claims.Audience(); !ok || !validAudience(aud, cfgAud) { return jwt.ErrInvalidAUDClaim } if ihClaim, ok := claims.Get("infohash").(string); !ok || !validInfoHash(ihClaim, ih) { return errors.New("claim \"infohash\" is invalid") } parsedJWS := parsedJWT.(jws.JWS) kid, ok := parsedJWS.Protected().Get("kid").(string) if !ok { return errors.New("invalid kid") } publicKey, ok := publicKeys[kid] if !ok { return errors.New("signed by unknown kid") } return parsedJWS.Verify(publicKey, jc.SigningMethodRS256) }
func TestMultipleAudienceFix_AfterMarshal(t *testing.T) { // Create JWS claims claims := jws.Claims{} claims.SetAudience("example.com", "api.example.com") token := jws.NewJWT(claims, crypto.SigningMethodHS256) serializedToken, _ := token.Serialize([]byte("abcdef")) // Unmarshal JSON newToken, _ := jws.ParseJWT(serializedToken) c := newToken.Claims() // Get Audience aud, ok := c.Audience() if !ok { // Fails t.Fail() } t.Logf("aud len(): %d", len(aud)) t.Logf("aud Value: %s", aud) t.Logf("aud Type : %T", aud) }
// ValidateClaim validate the JWT token and return the user model // decoded from the claim func ValidateClaim(certs *Certs, token string) (*models.User, error) { usr := new(models.User) w, err := jws.ParseJWT([]byte(token)) if err != nil { return nil, err } if err := w.Validate(certs.PublicKey, crypto.SigningMethodRS512); err != nil { return nil, err } _, isExpired := w.Claims().Expiration() if !isExpired { return nil, ErrTokenExpired } usr.Email = extractKey("email", w.Claims()) usr.Login = extractKey("login", w.Claims()) usr.ID = extractKey("user_id", w.Claims()) return usr, nil }
func ValidateToken(token string) bool { parsed, err := jws.ParseJWT([]byte(token)) if err != nil { return false } id := int(parsed.Claims().Get("id").(float64)) if id > 0 { fmt.Printf("parsed: %d : %v\n", id, parsed) db, err := sql.Open("postgres", config.DbConnection) if err != nil { fmt.Println(err.Error()) } defer db.Close() stmt, err := db.Prepare("SELECT token FROM tokens where user_id = $1;") if err != nil { fmt.Printf("ERROR prepare: %s\n", err.Error()) return false } defer stmt.Close() row := stmt.QueryRow(id) var dbToken string err = row.Scan(&dbToken) if err != nil { fmt.Println(err.Error()) return false } return token == dbToken } else { return false } }
//Validate check jwt func (p *Jwt) Validate(buf []byte) (jwt.Claims, error) { tk, err := jws.ParseJWT(buf) if err != nil { return nil, err } err = tk.Validate(p.Key, p.Method) return tk.Claims(), err }
func decodeUserFromJWT(accessToken string) (User, error) { if accessToken == "" { return User{}, nil } token, err := jws.ParseJWT([]byte(accessToken[7:])) if err != nil { return User{}, err } claims := token.Claims() return User{ Name: claims.Get("user_name").(string), }, nil }
// TestTimeValuesThroughJSON verifies that the time values // that are set via the Set{IssuedAt,NotBefore,Expiration}() // methods can actually be parsed back func TestTimeValuesThroughJSON(t *testing.T) { now := time.Unix(time.Now().Unix(), 0) c := jws.Claims{} c.SetIssuedAt(now) c.SetNotBefore(now) c.SetExpiration(now) // serialize to JWT tok := jws.NewJWT(c, crypto.SigningMethodHS256) b, err := tok.Serialize([]byte("key")) if err != nil { t.Fatal(err) } // parse the JWT again tok2, err := jws.ParseJWT(b) if err != nil { t.Fatal(err) } c2 := tok2.Claims() iat, ok1 := c2.IssuedAt() nbf, ok2 := c2.NotBefore() exp, ok3 := c2.Expiration() if !ok1 || !ok2 || !ok3 { t.Fatal("got false want true") } if got, want := iat, now; !got.Equal(want) { t.Errorf("%s: got %v want %v", "iat", got, want) } if got, want := nbf, now; !got.Equal(want) { t.Errorf("%s: got %v want %v", "nbf", got, want) } if got, want := exp, now; !got.Equal(want) { t.Errorf("%s: got %v want %v", "exp", got, want) } }