refactor auth module

Restructure module Separate JWT auth variants Cleanup code Fixes #189
2025-07-23 12:51:40 +02:00 · 2023-08-11 10:00:23 +02:00
parent bc6e6250e1
commit b8273a9b02
9 changed files with 630 additions and 451 deletions
--- a/internal/auth/jwtSession.go
+++ b/internal/auth/jwtSession.go
@@ -0,0 +1,103 @@
+// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+package auth
+
+import (
+	"encoding/base64"
+	"fmt"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/ClusterCockpit/cc-backend/pkg/log"
+	"github.com/golang-jwt/jwt/v4"
+)
+
+type JWTSessionAuthenticator struct {
+	auth *Authentication
+
+	loginTokenKey []byte // HS256 key
+}
+
+var _ Authenticator = (*JWTSessionAuthenticator)(nil)
+
+func (ja *JWTSessionAuthenticator) Init(auth *Authentication, conf interface{}) error {
+
+	ja.auth = auth
+
+	if pubKey := os.Getenv("CROSS_LOGIN_JWT_HS512_KEY"); pubKey != "" {
+		bytes, err := base64.StdEncoding.DecodeString(pubKey)
+		if err != nil {
+			log.Warn("Could not decode cross login JWT HS512 key")
+			return err
+		}
+		ja.loginTokenKey = bytes
+	}
+
+	return nil
+}
+
+func (ja *JWTSessionAuthenticator) CanLogin(
+	user *User,
+	rw http.ResponseWriter,
+	r *http.Request) bool {
+
+	return r.Header.Get("Authorization") != ""
+}
+
+func (ja *JWTSessionAuthenticator) Login(
+	user *User,
+	rw http.ResponseWriter,
+	r *http.Request) (*User, error) {
+
+	rawtoken := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
+	token, err := jwt.Parse(rawtoken, func(t *jwt.Token) (interface{}, error) {
+		if t.Method == jwt.SigningMethodHS256 || t.Method == jwt.SigningMethodHS512 {
+			return ja.loginTokenKey, nil
+		}
+		return nil, fmt.Errorf("AUTH/JWT > unkown signing method for login token: %s (known: HS256, HS512, EdDSA)", t.Method.Alg())
+	})
+	if err != nil {
+		log.Warn("Error while parsing jwt token")
+		return nil, err
+	}
+
+	if err = token.Claims.Valid(); err != nil {
+		log.Warn("jwt token claims are not valid")
+		return nil, err
+	}
+
+	claims := token.Claims.(jwt.MapClaims)
+	sub, _ := claims["sub"].(string)
+	exp, _ := claims["exp"].(float64)
+
+	var name string
+	if val, ok := claims["name"]; ok {
+		name, _ = val.(string)
+	}
+
+	var roles []string
+	if rawroles, ok := claims["roles"]; ok {
+		for _, r := range rawroles.([]string) {
+			if isValidRole(r) {
+				roles = append(roles, r)
+			}
+		}
+	}
+
+	if user == nil {
+		user = &User{
+			Username:   sub,
+			Name:       name,
+			Roles:      roles,
+			AuthType:   AuthSession,
+			AuthSource: AuthViaToken,
+		}
+	}
+
+	user.Expiration = time.Unix(int64(exp), 0)
+	return user, nil
+}