Passport/pkg/internal/services/jwt.go

package services

import (
	"fmt"
	"time"

	"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
	"github.com/golang-jwt/jwt/v5"
	"github.com/spf13/viper"
)

type PayloadClaims struct {
	jwt.RegisteredClaims

	// Internal Stuff
	SessionID string `json:"sed"`

	// ID Token Stuff
	Name  string `json:"name,omitempty"`
	Nick  string `json:"preferred_username,omitempty"`
	Email string `json:"email,omitempty"`

	// Additional Stuff
	AuthorizedParties string `json:"azp,omitempty"`
	Nonce             string `json:"nonce,omitempty"`
	Type              string `json:"typ"`
}

const (
	JwtAccessType  = "access"
	JwtRefreshType = "refresh"
)

func EncodeJwt(id string, typ, sub, sed string, nonce *string, aud []string, exp time.Time, idTokenUser ...models.Account) (string, error) {
	var azp string
	for _, item := range aud {
		if item != InternalTokenAudience {
			azp = item
			break
		}
	}

	claims := PayloadClaims{
		RegisteredClaims: jwt.RegisteredClaims{
			Subject:   sub,
			Audience:  aud,
			Issuer:    viper.GetString("security.issuer"),
			ExpiresAt: jwt.NewNumericDate(exp),
			NotBefore: jwt.NewNumericDate(time.Now()),
			IssuedAt:  jwt.NewNumericDate(time.Now()),
			ID:        id,
		},
		AuthorizedParties: azp,
		SessionID:         sed,
		Type:              typ,
	}

	if len(idTokenUser) > 0 {
		user := idTokenUser[0]
		claims.Name = user.Name
		claims.Nick = user.Nick
		claims.Email = user.GetPrimaryEmail().Content
	}

	if nonce != nil {
		claims.Nonce = *nonce
	}

	tk := jwt.NewWithClaims(jwt.SigningMethodHS512, claims)

	return tk.SignedString([]byte(viper.GetString("secret")))
}

func DecodeJwt(str string) (PayloadClaims, error) {
	var claims PayloadClaims
	tk, err := jwt.ParseWithClaims(str, &claims, func(token *jwt.Token) (interface{}, error) {
		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
		}
		return []byte(viper.GetString("secret")), nil
	})
	if err != nil {
		return claims, err
	}

	if data, ok := tk.Claims.(*PayloadClaims); ok {
		return *data, nil
	} else {
		return claims, fmt.Errorf("unexpected token payload: not payload claims type")
	}
}
:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`package services`
:tada: Initial Commit 2024-01-06 17:56:32 +00:00
			`import (`
			`"fmt"`
			`"time"`

:sparkles: Better id token in oidc 2024-07-28 12:04:22 +00:00			`"git.solsynth.dev/hydrogen/passport/pkg/internal/models"`
:tada: Initial Commit 2024-01-06 17:56:32 +00:00			`"github.com/golang-jwt/jwt/v5"`
			`"github.com/spf13/viper"`
			`)`

			`type PayloadClaims struct {`
			`jwt.RegisteredClaims`

:sparkles: Better id token in oidc 2024-07-28 12:04:22 +00:00			`// Internal Stuff`
			SessionID string `json:"sed"`

			`// ID Token Stuff`
			Name string `json:"name,omitempty"`
			Nick string `json:"preferred_username,omitempty"`
			Email string `json:"email,omitempty"`

:recycle: Separate application domain and token issuer 2024-08-12 12:58:20 +00:00			`// Additional Stuff`
:sparkles: Present azp in token 2024-07-28 11:50:49 +00:00			AuthorizedParties string `json:"azp,omitempty"`
:sparkles: Present nonce in id token 2024-07-28 14:30:51 +00:00			Nonce string `json:"nonce,omitempty"`
:sparkles: Present azp in token 2024-07-28 11:50:49 +00:00			Type string `json:"typ"`
:tada: Initial Commit 2024-01-06 17:56:32 +00:00			`}`

			`const (`
			`JwtAccessType = "access"`
			`JwtRefreshType = "refresh"`
			`)`

:sparkles: Present nonce in id token 2024-07-28 14:30:51 +00:00			`func EncodeJwt(id string, typ, sub, sed string, nonce *string, aud []string, exp time.Time, idTokenUser ...models.Account) (string, error) {`
:sparkles: Present azp in token 2024-07-28 11:50:49 +00:00			`var azp string`
			`for _, item := range aud {`
			`if item != InternalTokenAudience {`
			`azp = item`
			`break`
			`}`
			`}`

:sparkles: Better id token in oidc 2024-07-28 12:04:22 +00:00			`claims := PayloadClaims{`
:sparkles: Present azp in token 2024-07-28 11:50:49 +00:00			`RegisteredClaims: jwt.RegisteredClaims{`
:tada: Initial Commit 2024-01-06 17:56:32 +00:00			`Subject: sub,`
			`Audience: aud,`
:recycle: Separate application domain and token issuer 2024-08-12 12:58:20 +00:00			`Issuer: viper.GetString("security.issuer"),`
:tada: Initial Commit 2024-01-06 17:56:32 +00:00			`ExpiresAt: jwt.NewNumericDate(exp),`
			`NotBefore: jwt.NewNumericDate(time.Now()),`
			`IssuedAt: jwt.NewNumericDate(time.Now()),`
			`ID: id,`
			`},`
:sparkles: Present azp in token 2024-07-28 11:50:49 +00:00			`AuthorizedParties: azp,`
			`SessionID: sed,`
			`Type: typ,`
:sparkles: Better id token in oidc 2024-07-28 12:04:22 +00:00			`}`

			`if len(idTokenUser) > 0 {`
			`user := idTokenUser[0]`
			`claims.Name = user.Name`
			`claims.Nick = user.Nick`
			`claims.Email = user.GetPrimaryEmail().Content`
			`}`

:sparkles: Present nonce in id token 2024-07-28 14:30:51 +00:00			`if nonce != nil {`
			`claims.Nonce = *nonce`
			`}`

:sparkles: Better id token in oidc 2024-07-28 12:04:22 +00:00			`tk := jwt.NewWithClaims(jwt.SigningMethodHS512, claims)`
:tada: Initial Commit 2024-01-06 17:56:32 +00:00
			`return tk.SignedString([]byte(viper.GetString("secret")))`
			`}`

			`func DecodeJwt(str string) (PayloadClaims, error) {`
			`var claims PayloadClaims`
			`tk, err := jwt.ParseWithClaims(str, &claims, func(token *jwt.Token) (interface{}, error) {`
			`if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {`
			`return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])`
			`}`
			`return []byte(viper.GetString("secret")), nil`
			`})`
			`if err != nil {`
			`return claims, err`
			`}`

			`if data, ok := tk.Claims.(*PayloadClaims); ok {`
			`return *data, nil`
			`} else {`
			`return claims, fmt.Errorf("unexpected token payload: not payload claims type")`
			`}`
			`}`