Update Verifier for locating jwt token; removing TokenFromQuery from defaults
pkieltyka committed Dec 12, 2020
1 parent b8af768 commit 38df5c8
Showing 2 changed files with 22 additions and 17 deletions.
13 changes: 6 additions & 7 deletions README.md
@@ -1,4 +1,4 @@
# jwtauth - JWT authentication middleware for Go HTTP services
# jwtauth - JWT authentication middleware for HTTP services

[![GoDoc Widget]][godoc]

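Review bot: dropping "Go" from the README title removes the one word that tells a reader which language the middleware is written for, while the rest of the line still says "for HTTP services". Consider keeping "JWT authentication middleware for Go HTTP services", or naming Go in the first sentence of the description instead.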
Expand All @@ -23,12 +23,11 @@ your flow (ie. with a JSON error response body).

By default, the `Verifier` will search for a JWT token in a http request, in the order:

1. 'jwt' URI query parameter
2. 'Authorization: BEARER T' request header
3. 'jwt' Cookie value
1. 'Authorization: BEARER T' request header
2. 'jwt' Cookie value

The first JWT string that is found as a query parameter, authorization header
or cookie header is then decoded by the `jwt-go` library and a \*jwt.Token
The first JWT string that is found as an authorization header
or cookie header is then decoded by the `lestrrat-go/jwx` library and a jwt.Token
object is set on the request context. In the case of a signature decoding error
the Verifier will also set the error on the request context.

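Review bot: the lookup list now correctly stops at the header and the cookie, but nothing in the hunk explains why the query parameter was dropped, and anyone upgrading will wonder why `?jwt=` stopped working. Suggest one sentence after the list along the lines of "Tokens are no longer read from the query string by default because URLs are routinely written to access logs, proxy logs, browser history and `Referer` headers." Also, the updated sentence still says "as an authorization header or cookie header", while the list above calls item 2 a "'jwt' Cookie value"; "authorization header or cookie" is consistent with the list.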
Expand All @@ -39,7 +38,7 @@ http response.

Note: jwtauth supports custom verification sequences for finding a token
from a request by using the `Verify` middleware instantiator directly. The default
`Verifier` is instantiated by calling `Verify(ja, TokenFromQuery, TokenFromHeader, TokenFromCookie)`.
`Verifier` is instantiated by calling `Verify(ja, TokenFromHeader, TokenFromCookie)`.

# Usage

26 changes: 16 additions & 10 deletions jwtauth.go
Expand Up @@ -12,13 +12,18 @@ import (
"github.com/lestrrat-go/jwx/jwt"
)

// Context keys
type JWTAuth struct {
alg jwa.SignatureAlgorithm
signKey interface{} // private-key
verifyKey interface{} // public-key, only used by RSA and ECDSA algorithms
verifier jwt.ParseOption
}

var (
TokenCtxKey = &contextKey{"Token"}
ErrorCtxKey = &contextKey{"Error"}
)

// Library errors
var (
ErrUnauthorized = errors.New("token is unauthorized")
ErrExpired = errors.New("token is expired")
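Review bot: the `// Context keys` comment at the top of the hunk now sits directly above `type JWTAuth struct`, so godoc will attach "Context keys" to the struct, and the `var ( TokenCtxKey ... ErrorCtxKey ... )` block it was written for is left undocumented. Move the comment back above `var (` and give the struct its own doc comment, for example `// JWTAuth holds the signature algorithm, keys and parse options used to verify tokens.`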
Expand All @@ -28,13 +33,6 @@ var (
ErrAlgoInvalid = errors.New("algorithm mismatch")
)

type JWTAuth struct {
alg jwa.SignatureAlgorithm
signKey interface{} // private-key
verifyKey interface{} // public-key, only used by RSA and ECDSA algorithms
verifier jwt.ParseOption
}

func New(alg string, signKey interface{}, verifyKey interface{}) *JWTAuth {
ja := &JWTAuth{alg: jwa.SignatureAlgorithm(alg), signKey: signKey, verifyKey: verifyKey}

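Review bot: this hunk only removes the struct from its old position below the error variables; together with the insertion above it is a pure reordering that has nothing to do with the commit message. Splitting the move into its own commit would keep the behavioural change (dropping `TokenFromQuery` from the defaults) reviewable on its own.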
Expand Down Expand Up @@ -65,7 +63,7 @@ func New(alg string, signKey interface{}, verifyKey interface{}) *JWTAuth {
// http response.
func Verifier(ja *JWTAuth) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return Verify(ja, TokenFromQuery, TokenFromHeader, TokenFromCookie)(next)
return Verify(ja, TokenFromHeader, TokenFromCookie)(next)
}
}

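Review bot: removing `TokenFromQuery` from the default chain is a breaking change for any client that currently sends the token as `?jwt=...`; after this commit those requests are treated as carrying no token. The doc comment on `Verifier` (the `// http response.` line above is its tail) should say which sources are consulted and in what order, and the change and its reason (a token in the URL ends up in access logs, browser history and `Referer` headers) belong in the release notes so operators can check their clients before upgrading.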
Expand Down Expand Up @@ -266,6 +264,14 @@ func TokenFromHeader(r *http.Request) string {

// TokenFromQuery tries to retreive the token string from the "jwt" URI
// query parameter.
//
// To use it, build our own middleware handler, such as:
//
// func Verifier(ja *JWTAuth) func(http.Handler) http.Handler {
// return func(next http.Handler) http.Handler {
// return Verify(ja, TokenFromQuery, TokenFromHeader, TokenFromCookie)(next)
// }
// }
func TokenFromQuery(r *http.Request) string {
// Get token from query param named "jwt".
return r.URL.Query().Get("jwt")
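Review bot: the doc comment keeps the typo on its first line ("retreive" should be "retrieve"), and "build our own middleware handler" should read "build your own". The inline example also names its function `Verifier`, which would collide with the package's exported `Verifier` if a reader copied it into the same package; a distinct name such as `QueryVerifier` in the example avoids that. Since this comment is where users will look when the default stops reading the query string, one sentence on why it is no longer a default (the token is exposed in access logs, browser history and `Referer` headers) would make the trade-off explicit.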
