diff options
| author |  tobi <31960611+tsmethurst@users.noreply.github.com> | 2025-03-02 16:42:51 +0100 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2025-03-02 16:42:51 +0100 |
| commit | 8488ac928651656c6f7bebf5eaabce62c2b9fb66 (patch) | |
| tree | 94357311026e5ed96862a647400375a4543dd815 /vendor/codeberg.org/superseriousbusiness/oauth2/v4/generates/jwt_access.go | |
| parent | [chore] go-swagger -> codeberg (#3856) (diff) | |
| download | gotosocial-8488ac928651656c6f7bebf5eaabce62c2b9fb66.tar.xz | |
[chore] migrate oauth2 -> codeberg (#3857)
Diffstat (limited to 'vendor/codeberg.org/superseriousbusiness/oauth2/v4/generates/jwt_access.go')
| -rw-r--r-- | vendor/codeberg.org/superseriousbusiness/oauth2/v4/generates/jwt_access.go | 104 |
1 files changed, 104 insertions, 0 deletions
diff --git a/vendor/codeberg.org/superseriousbusiness/oauth2/v4/generates/jwt_access.go b/vendor/codeberg.org/superseriousbusiness/oauth2/v4/generates/jwt_access.go new file mode 100644 index 000000000..9a621bd4b --- /dev/null +++ b/vendor/codeberg.org/superseriousbusiness/oauth2/v4/generates/jwt_access.go @@ -0,0 +1,104 @@ +package generates + +import ( + "context" + "encoding/base64" + "strings" + "time" + + "codeberg.org/superseriousbusiness/oauth2/v4" + "codeberg.org/superseriousbusiness/oauth2/v4/errors" + "github.com/golang-jwt/jwt" + "github.com/google/uuid" +) + +// JWTAccessClaims jwt claims +type JWTAccessClaims struct { + jwt.StandardClaims +} + +// Valid claims verification +func (a *JWTAccessClaims) Valid() error { + if time.Unix(a.ExpiresAt, 0).Before(time.Now()) { + return errors.ErrInvalidAccessToken + } + return nil +} + +// NewJWTAccessGenerate create to generate the jwt access token instance +func NewJWTAccessGenerate(kid string, key []byte, method jwt.SigningMethod) *JWTAccessGenerate { + return &JWTAccessGenerate{ + SignedKeyID: kid, + SignedKey: key, + SignedMethod: method, + } +} + +// JWTAccessGenerate generate the jwt access token +type JWTAccessGenerate struct { + SignedKeyID string + SignedKey []byte + SignedMethod jwt.SigningMethod +} + +// Token based on the UUID generated token +func (a *JWTAccessGenerate) Token(ctx context.Context, data *oauth2.GenerateBasic, isGenRefresh bool) (string, string, error) { + claims := &JWTAccessClaims{ + StandardClaims: jwt.StandardClaims{ + Audience: data.Client.GetID(), + Subject: data.UserID, + ExpiresAt: data.TokenInfo.GetAccessCreateAt().Add(data.TokenInfo.GetAccessExpiresIn()).Unix(), + }, + } + + token := jwt.NewWithClaims(a.SignedMethod, claims) + if a.SignedKeyID != "" { + token.Header["kid"] = a.SignedKeyID + } + var key interface{} + if a.isEs() { + v, err := jwt.ParseECPrivateKeyFromPEM(a.SignedKey) + if err != nil { + return "", "", err + } + key = v + } else if a.isRsOrPS() { + v, err := jwt.ParseRSAPrivateKeyFromPEM(a.SignedKey) + if err != nil { + return "", "", err + } + key = v + } else if a.isHs() { + key = a.SignedKey + } else { + return "", "", errors.New("unsupported sign method") + } + + access, err := token.SignedString(key) + if err != nil { + return "", "", err + } + refresh := "" + + if isGenRefresh { + t := uuid.NewSHA1(uuid.Must(uuid.NewRandom()), []byte(access)).String() + refresh = base64.URLEncoding.EncodeToString([]byte(t)) + refresh = strings.ToUpper(strings.TrimRight(refresh, "=")) + } + + return access, refresh, nil +} + +func (a *JWTAccessGenerate) isEs() bool { + return strings.HasPrefix(a.SignedMethod.Alg(), "ES") +} + +func (a *JWTAccessGenerate) isRsOrPS() bool { + isRs := strings.HasPrefix(a.SignedMethod.Alg(), "RS") + isPs := strings.HasPrefix(a.SignedMethod.Alg(), "PS") + return isRs || isPs +} + +func (a *JWTAccessGenerate) isHs() bool { + return strings.HasPrefix(a.SignedMethod.Alg(), "HS") +} |