✨ Auth stuff

2024-10-22 00:12:28 +08:00
parent 85783aa331
commit ed05782319
12 changed files with 236 additions and 18 deletions
--- a/pkg/nex/sec/const.go
+++ b/pkg/nex/sec/const.go
@ -0,0 +1,12 @@
+package sec
+
+const (
+	CookieAccessToken  = "nex_atk"
+	CookieRefreshToken = "nex_rtk"
+)
+
+const (
+	TokenTypeAccess  = "access_token"
+	RefreshTokenType = "refresh_token"
+	IdTokenType      = "id_token"
+)
--- a/pkg/nex/sec/jwt_claims.go
+++ b/pkg/nex/sec/jwt_claims.go
@ -0,0 +1,27 @@
+package sec
+
+import (
+	"github.com/golang-jwt/jwt/v5"
+	"time"
+)
+
+type JwtClaims struct {
+	jwt.RegisteredClaims
+
+	// Nexus Standard
+	Session  int           `json:"sed"`
+	CacheTTL time.Duration `json:"ttl,omitempty"`
+
+	// OIDC Standard
+	Name  string `json:"name,omitempty"`
+	Nick  string `json:"preferred_username,omitempty"`
+	Email string `json:"email,omitempty"`
+
+	// OAuth2 Standard
+	AuthorizedParties string `json:"azp,omitempty"`
+	Nonce             string `json:"nonce,omitempty"`
+
+	// The usage of this token
+	// Can be access_token, refresh_token or id_token
+	Type string `json:"typ"`
+}
--- a/pkg/nex/sec/jwt_reader.go
+++ b/pkg/nex/sec/jwt_reader.go
@ -0,0 +1,61 @@
+package sec
+
+import (
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"github.com/golang-jwt/jwt/v5"
+	"os"
+)
+
+type JwtReader struct {
+	key *rsa.PublicKey
+}
+
+func NewJwtReader(fp string) (*JwtReader, error) {
+	privateKeyBytes, err := os.ReadFile(fp)
+	if err != nil {
+		return nil, err
+	}
+
+	block, _ := pem.Decode(privateKeyBytes)
+	if block == nil || block.Type != "PUBLIC KEY" {
+		return nil, fmt.Errorf("failed to decode PEM block containing private key")
+	}
+
+	anyPk, err := x509.ParsePKIXPublicKey(block.Bytes)
+	if err != nil {
+		return nil, err
+	}
+
+	pk, ok := anyPk.(*rsa.PublicKey)
+	if !ok {
+		return nil, fmt.Errorf("not an RSA public key")
+	}
+
+	return &JwtReader{
+		key: pk,
+	}, nil
+}
+
+func ReadJwt[T jwt.Claims](v *JwtReader, in string) (T, error) {
+	var out T
+	token, err := jwt.Parse(in, func(token *jwt.Token) (interface{}, error) {
+		if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
+			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+		}
+		return v.key, nil
+	})
+	if err != nil {
+		return out, err
+	} else if !token.Valid {
+		return out, fmt.Errorf("token is not valid")
+	}
+
+	if claims, ok := token.Claims.(T); ok {
+		return claims, nil
+	} else {
+		return out, err
+	}
+}
--- a/pkg/nex/sec/jwt_writer.go
+++ b/pkg/nex/sec/jwt_writer.go
@ -0,0 +1,49 @@
+package sec
+
+import (
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"github.com/golang-jwt/jwt/v5"
+	"os"
+)
+
+type JwtWriter struct {
+	key *rsa.PrivateKey
+}
+
+func NewJwtWriter(fp string) (*JwtWriter, error) {
+	rawPk, err := os.ReadFile(fp)
+	if err != nil {
+		return nil, err
+	}
+
+	block, _ := pem.Decode(rawPk)
+	if block == nil || block.Type != "PRIVATE KEY" {
+		return nil, fmt.Errorf("failed to decode PEM block containing private key")
+	}
+
+	anyPk, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+	if err != nil {
+		return nil, err
+	}
+
+	pk, ok := anyPk.(*rsa.PrivateKey)
+	if !ok {
+		return nil, fmt.Errorf("not an RSA private key")
+	}
+
+	return &JwtWriter{
+		key: pk,
+	}, nil
+}
+
+func WriteJwt[T jwt.Claims](v *JwtWriter, in T) (string, error) {
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, in)
+	ss, err := token.SignedString(v.key)
+	if err != nil {
+		return "", err
+	}
+	return ss, nil
+}