✨ Auth stuff

pkg/internal/auth/jwt.go

@@ -1 +0,0 @@
-package auth

pkg/internal/auth/token.go

@@ -0,0 +1,55 @@
+package auth
+
+import (
+	"git.solsynth.dev/hypernet/nexus/pkg/nex/sec"
+	"github.com/gofiber/fiber/v2"
+	"strings"
+)
+
+var JReader *sec.JwtReader
+
+func SoftAuthMiddleware(c *fiber.Ctx) error {
+	atk := tokenExtract(c)
+	c.Locals("nex_token", atk)
+
+	if claims, err := tokenRead(atk); err == nil && claims != nil {
+		c.Locals("nex_principal", claims)
+	} else if err != nil {
+		c.Locals("nex_auth_error", err)
+	}
+
+	return c.Next()
+}
+
+func HardAuthMiddleware(c *fiber.Ctx) error {
+	if c.Locals("nex_principal") == nil {
+		err := c.Locals("nex_auth_error").(error)
+		return fiber.NewError(fiber.StatusUnauthorized, err.Error())
+	}
+
+	return c.Next()
+}
+
+func tokenExtract(c *fiber.Ctx) string {
+	var atk string
+	if cookie := c.Cookies(sec.CookieAccessToken); len(cookie) > 0 {
+		atk = cookie
+	}
+	if header := c.Get(fiber.HeaderAuthorization); len(header) > 0 {
+		tk := strings.Replace(header, "Bearer", "", 1)
+		atk = strings.TrimSpace(tk)
+	}
+	if tk := c.Query("tk"); len(tk) > 0 {
+		atk = strings.TrimSpace(tk)
+	}
+	return atk
+}
+
+func tokenRead(in string) (*sec.JwtClaims, error) {
+	if JReader == nil {
+		return nil, nil
+	}
+
+	claims, err := sec.ReadJwt[sec.JwtClaims](JReader, in)
+	return &claims, err
+}

pkg/main.go

@@ -2,9 +2,11 @@ package main
 
 import (
 	"fmt"
+	"git.solsynth.dev/hypernet/nexus/pkg/internal/auth"
 	"git.solsynth.dev/hypernet/nexus/pkg/internal/database"
 	"git.solsynth.dev/hypernet/nexus/pkg/internal/http"
 	"git.solsynth.dev/hypernet/nexus/pkg/internal/kv"
+	"git.solsynth.dev/hypernet/nexus/pkg/nex/sec"
 	"github.com/fatih/color"
 	"os"
 	"os/signal"
@@ -70,6 +72,14 @@ func main() {
 		}
 	}
 
+	// Read the public key for jwt
+	if reader, err := sec.NewJwtReader(viper.GetString("security.public_key")); err != nil {
+		log.Error().Err(err).Msg("An error occurred when reading public key for jwt. Authentication related features will be disabled.")
+	} else {
+		auth.JReader = reader
+		log.Info().Msg("Jwt public key loaded.")
+	}
+
 	// Server
 	go server.NewServer().Listen()
 

pkg/nex/README.md

@@ -0,0 +1,15 @@
+# Nex
+
+The Hypernet.Nexus development SDK.
+Defined the useful functions and ways to handle data for both server side and client.
+
+## Parts
+
+### Nex.Cruda
+
+Create Read Update Delete Accelerator, aka. Cruda.
+Cruda will help you to build a simplified database access layer based on the command system in nexus. 
+
+### Nex.Sec
+
+The security part of nexus, including signing and validating the tokens and much more.

pkg/nex/sec/const.go

@@ -0,0 +1,12 @@
+package sec
+
+const (
+	CookieAccessToken  = "nex_atk"
+	CookieRefreshToken = "nex_rtk"
+)
+
+const (
+	TokenTypeAccess  = "access_token"
+	RefreshTokenType = "refresh_token"
+	IdTokenType      = "id_token"
+)

pkg/nex/sec/jwt_claims.go

@@ -0,0 +1,27 @@
+package sec
+
+import (
+	"github.com/golang-jwt/jwt/v5"
+	"time"
+)
+
+type JwtClaims struct {
+	jwt.RegisteredClaims
+
+	// Nexus Standard
+	Session  int           `json:"sed"`
+	CacheTTL time.Duration `json:"ttl,omitempty"`
+
+	// OIDC Standard
+	Name  string `json:"name,omitempty"`
+	Nick  string `json:"preferred_username,omitempty"`
+	Email string `json:"email,omitempty"`
+
+	// OAuth2 Standard
+	AuthorizedParties string `json:"azp,omitempty"`
+	Nonce             string `json:"nonce,omitempty"`
+
+	// The usage of this token
+	// Can be access_token, refresh_token or id_token
+	Type string `json:"typ"`
+}

pkg/nex/sec/jwt_reader.go

@@ -0,0 +1,61 @@
+package sec
+
+import (
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"github.com/golang-jwt/jwt/v5"
+	"os"
+)
+
+type JwtReader struct {
+	key *rsa.PublicKey
+}
+
+func NewJwtReader(fp string) (*JwtReader, error) {
+	privateKeyBytes, err := os.ReadFile(fp)
+	if err != nil {
+		return nil, err
+	}
+
+	block, _ := pem.Decode(privateKeyBytes)
+	if block == nil || block.Type != "PUBLIC KEY" {
+		return nil, fmt.Errorf("failed to decode PEM block containing private key")
+	}
+
+	anyPk, err := x509.ParsePKIXPublicKey(block.Bytes)
+	if err != nil {
+		return nil, err
+	}
+
+	pk, ok := anyPk.(*rsa.PublicKey)
+	if !ok {
+		return nil, fmt.Errorf("not an RSA public key")
+	}
+
+	return &JwtReader{
+		key: pk,
+	}, nil
+}
+
+func ReadJwt[T jwt.Claims](v *JwtReader, in string) (T, error) {
+	var out T
+	token, err := jwt.Parse(in, func(token *jwt.Token) (interface{}, error) {
+		if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
+			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+		}
+		return v.key, nil
+	})
+	if err != nil {
+		return out, err
+	} else if !token.Valid {
+		return out, fmt.Errorf("token is not valid")
+	}
+
+	if claims, ok := token.Claims.(T); ok {
+		return claims, nil
+	} else {
+		return out, err
+	}
+}

pkg/nex/sec/jwt_writer.go

@@ -0,0 +1,49 @@
+package sec
+
+import (
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"github.com/golang-jwt/jwt/v5"
+	"os"
+)
+
+type JwtWriter struct {
+	key *rsa.PrivateKey
+}
+
+func NewJwtWriter(fp string) (*JwtWriter, error) {
+	rawPk, err := os.ReadFile(fp)
+	if err != nil {
+		return nil, err
+	}
+
+	block, _ := pem.Decode(rawPk)
+	if block == nil || block.Type != "PRIVATE KEY" {
+		return nil, fmt.Errorf("failed to decode PEM block containing private key")
+	}
+
+	anyPk, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+	if err != nil {
+		return nil, err
+	}
+
+	pk, ok := anyPk.(*rsa.PrivateKey)
+	if !ok {
+		return nil, fmt.Errorf("not an RSA private key")
+	}
+
+	return &JwtWriter{
+		key: pk,
+	}, nil
+}
+
+func WriteJwt[T jwt.Claims](v *JwtWriter, in T) (string, error) {
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, in)
+	ss, err := token.SignedString(v.key)
+	if err != nil {
+		return "", err
+	}
+	return ss, nil
+}