package auth import ( "encoding/base64" "fmt" "os" "time" "codeberg.org/pronounscc/pronouns.cc/backend/db" "codeberg.org/pronounscc/pronouns.cc/backend/log" "emperror.dev/errors" "github.com/golang-jwt/jwt/v4" "github.com/rs/xid" ) // Claims are the claims used in a token. type Claims struct { UserID xid.ID `json:"sub"` TokenID xid.ID `json:"jti"` UserIsAdmin bool `json:"adm"` // APIToken specifies whether this token was generated for the API or for the website. // API tokens cannot perform some destructive actions, such as DELETE /users/@me. APIToken bool `json:"atn"` // TokenWrite specifies whether this token can be used for write actions. // If set to false, this token can only be used for read actions. TokenWrite bool `json:"twr"` jwt.RegisteredClaims } type Verifier struct { key []byte } func New() *Verifier { raw := os.Getenv("HMAC_KEY") if raw == "" { log.Fatal("$HMAC_KEY is not set") } key, err := base64.URLEncoding.DecodeString(raw) if err != nil { log.Fatal("$HMAC_KEY is not a valid base 64 string") } return &Verifier{key: key} } // CreateToken creates a token for the given user ID. // It expires after three months. func (v *Verifier) CreateToken(userID, tokenID xid.ID, isAdmin bool, isAPIToken bool, isWriteToken bool) (token string, err error) { now := time.Now() expires := now.Add(db.TokenExpiryTime) t := jwt.NewWithClaims(jwt.SigningMethodHS256, Claims{ UserID: userID, TokenID: tokenID, UserIsAdmin: isAdmin, APIToken: isAPIToken, TokenWrite: isWriteToken, RegisteredClaims: jwt.RegisteredClaims{ Issuer: "pronouns", ExpiresAt: jwt.NewNumericDate(expires), IssuedAt: jwt.NewNumericDate(now), NotBefore: jwt.NewNumericDate(now), }, }) return t.SignedString(v.key) } // Claims parses the given token and returns its Claims. // If the token is invalid, returns an error. func (v *Verifier) Claims(token string) (c Claims, err error) { parsed, err := jwt.ParseWithClaims(token, &Claims{}, func(t *jwt.Token) (interface{}, error) { if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok { return nil, fmt.Errorf(`unexpected signing method "%v"`, t.Header["alg"]) } return v.key, nil }) if err != nil { return c, errors.Wrap(err, "parsing token") } if c, ok := parsed.Claims.(*Claims); ok && parsed.Valid { return *c, nil } return c, fmt.Errorf("unknown claims type %T", parsed.Claims) }