
onasty @ efd970430597e242aa15c24f868fc0e7103b45ac

a one-time notes service

onasty/internal/jwtutil/jwtutil.go(view raw)

package jwtutil

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"

	"github.com/golang-jwt/jwt/v5"
)

var (
	// ErrUnexpectedSigningMethod is returned (wrapped by the JWT parser) when
	// the token header announces an alg this package does not accept.
	ErrUnexpectedSigningMethod = errors.New("unexpected signing method")
	// ErrTokenSignatureInvalid is returned by Parse when the signature does not
	// verify under the configured signing key.
	ErrTokenSignatureInvalid = errors.New("token signature invalid")
	// ErrTokenExpired is returned by Parse when the token's exp claim is in the past.
	ErrTokenExpired = errors.New("token expired")
)

// JWTTokenizer issues signed access tokens carrying a [Payload], issues opaque
// refresh tokens, and verifies access tokens back into their [Payload].
type JWTTokenizer interface {
	// AccessToken generates a new signed access token with the given [Payload].
	AccessToken(pl Payload) (string, error)

	// RefreshToken generates a random opaque string of 64 chars
	// (in JWTUtil: 32 bytes from crypto/rand, hex encoded).
	RefreshToken() (string, error)

	// Parse verifies the token and returns its [Payload]. Verification
	// failures are reported with this package's sentinel errors where one
	// matches (ErrTokenExpired, ErrTokenSignatureInvalid,
	// ErrUnexpectedSigningMethod); other failures surface as library errors.
	Parse(token string) (Payload, error)
}

// Payload is the access token payload.
type Payload struct {
	// UserID is carried in (and read back from) the token's sub claim.
	UserID string
}

// Compile-time check that *JWTUtil satisfies JWTTokenizer.
var _ JWTTokenizer = (*JWTUtil)(nil)

// JWTUtil is the JWTTokenizer implementation backed by HMAC-SHA256 (HS256).
// Both fields are set by NewJWTUtil and read by the methods below.
type JWTUtil struct {
	signingKey     string        // raw HMAC secret; its bytes sign and verify every access token
	accessTokenTTL time.Duration // added to time.Now() to produce an access token's exp claim
}

// NewJWTUtil returns a JWTUtil that signs access tokens with signingKey (used
// verbatim as the HMAC-SHA256 secret) and gives them a lifetime of
// accessTokenTTL. The arguments are stored as given; the constructor does not
// validate the key's length or that the TTL is positive.
func NewJWTUtil(signingKey string, accessTokenTTL time.Duration) *JWTUtil {
	u := new(JWTUtil)
	u.signingKey = signingKey
	u.accessTokenTTL = accessTokenTTL
	return u
}

// AccessToken mints an HS256-signed JWT for pl. The token carries exactly two
// registered claims: sub (pl.UserID) and exp (now plus the configured
// access-token TTL); no iat or nbf is set. The raw bytes of the signing key
// are the HMAC secret. Returns the compact serialized token, or the error
// reported while signing.
func (j *JWTUtil) AccessToken(pl Payload) (string, error) {
	now := time.Now()
	claims := jwt.RegisteredClaims{
		Subject:   pl.UserID,
		ExpiresAt: jwt.NewNumericDate(now.Add(j.accessTokenTTL)),
	}
	signed, err := jwt.NewWithClaims(jwt.SigningMethodHS256, claims).SignedString([]byte(j.signingKey))
	if err != nil {
		return "", err
	}
	return signed, nil
}

// RefreshToken returns 32 bytes (256 bits) read from crypto/rand, encoded as
// 64 lowercase hex characters. The value is opaque: no structure is encoded
// in it and the receiver's fields are not used. An error is returned only if
// the system randomness source fails.
func (j *JWTUtil) RefreshToken() (string, error) {
	var raw [32]byte
	if _, err := rand.Read(raw[:]); err != nil {
		return "", err
	}
	return hex.EncodeToString(raw[:]), nil
}

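// Parse verifies token and returns the [Payload] carried in its sub claim.
//
// Verification accepts only tokens whose alg header is HS256, signed with
// this JWTUtil's signing key, and requires an exp claim. Library failures are
// mapped onto this package's sentinels: an expired token yields
// ErrTokenExpired and a bad signature yields ErrTokenSignatureInvalid; a
// disallowed alg surfaces as ErrUnexpectedSigningMethod (wrapped by the
// parser, so match it with errors.Is) and any other failure (malformed token,
// missing exp, ...) is returned as the library error. On any error the
// returned Payload is the zero value, so a subject decoded from an unverified
// token never reaches the caller.
func (j *JWTUtil) Parse(token string) (Payload, error) {
	var claims jwt.RegisteredClaims
	keyFunc := func(t *jwt.Token) (any, error) {
		// Pin the exact alg rather than the whole HMAC family: the key is only
		// ever used for HS256 (see AccessToken), so anything else is a
		// mismatch and must not be verified with the same secret.
		if t.Method.Alg() != jwt.SigningMethodHS256.Alg() {
			return nil, ErrUnexpectedSigningMethod
		}
		return []byte(j.signingKey), nil
	}

	// AccessToken always sets exp; a token without one would otherwise verify
	// indefinitely, so treat a missing exp as a validation failure.
	_, err := jwt.ParseWithClaims(token, &claims, keyFunc, jwt.WithExpirationRequired())

	switch {
	case err == nil:
		return Payload{UserID: claims.Subject}, nil
	case errors.Is(err, jwt.ErrTokenExpired):
		return Payload{}, ErrTokenExpired
	case errors.Is(err, jwt.ErrTokenSignatureInvalid):
		return Payload{}, ErrTokenSignatureInvalid
	default:
		// Do not hand back claims alongside an error: they may have been
		// decoded from a token that failed verification.
		return Payload{}, err
	}
}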