✨ Auth stuff
This commit is contained in:
parent
85783aa331
commit
ed05782319
3
.gitignore
vendored
3
.gitignore
vendored
@ -1,3 +1,4 @@
|
|||||||
/dist
|
/dist
|
||||||
/uploads
|
/uploads
|
||||||
/default.etcd
|
/default.etcd
|
||||||
|
/keys
|
||||||
|
1
go.mod
1
go.mod
@ -39,6 +39,7 @@ require (
|
|||||||
github.com/go-playground/universal-translator v0.18.1 // indirect
|
github.com/go-playground/universal-translator v0.18.1 // indirect
|
||||||
github.com/go-sql-driver/mysql v1.8.1 // indirect
|
github.com/go-sql-driver/mysql v1.8.1 // indirect
|
||||||
github.com/gogo/protobuf v1.3.2 // indirect
|
github.com/gogo/protobuf v1.3.2 // indirect
|
||||||
|
github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
|
||||||
github.com/golang/protobuf v1.5.4 // indirect
|
github.com/golang/protobuf v1.5.4 // indirect
|
||||||
github.com/google/uuid v1.6.0 // indirect
|
github.com/google/uuid v1.6.0 // indirect
|
||||||
github.com/hashicorp/consul/api v1.30.0 // indirect
|
github.com/hashicorp/consul/api v1.30.0 // indirect
|
||||||
|
2
go.sum
2
go.sum
@ -69,6 +69,8 @@ github.com/gofiber/fiber/v2 v2.52.5/go.mod h1:KEOE+cXMhXG0zHc9d8+E38hoX+ZN7bhOtg
|
|||||||
github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
|
github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
|
||||||
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
|
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
|
||||||
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
|
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
|
||||||
|
github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
|
||||||
|
github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
|
||||||
github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA=
|
github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA=
|
||||||
github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
|
github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
|
||||||
github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A=
|
github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A=
|
||||||
|
@ -1 +0,0 @@
|
|||||||
package auth
|
|
55
pkg/internal/auth/token.go
Normal file
55
pkg/internal/auth/token.go
Normal file
@ -0,0 +1,55 @@
|
|||||||
|
package auth
|
||||||
|
|
||||||
|
import (
|
||||||
|
"git.solsynth.dev/hypernet/nexus/pkg/nex/sec"
|
||||||
|
"github.com/gofiber/fiber/v2"
|
||||||
|
"strings"
|
||||||
|
)
|
||||||
|
|
||||||
|
var JReader *sec.JwtReader
|
||||||
|
|
||||||
|
func SoftAuthMiddleware(c *fiber.Ctx) error {
|
||||||
|
atk := tokenExtract(c)
|
||||||
|
c.Locals("nex_token", atk)
|
||||||
|
|
||||||
|
if claims, err := tokenRead(atk); err == nil && claims != nil {
|
||||||
|
c.Locals("nex_principal", claims)
|
||||||
|
} else if err != nil {
|
||||||
|
c.Locals("nex_auth_error", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.Next()
|
||||||
|
}
|
||||||
|
|
||||||
|
func HardAuthMiddleware(c *fiber.Ctx) error {
|
||||||
|
if c.Locals("nex_principal") == nil {
|
||||||
|
err := c.Locals("nex_auth_error").(error)
|
||||||
|
return fiber.NewError(fiber.StatusUnauthorized, err.Error())
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.Next()
|
||||||
|
}
|
||||||
|
|
||||||
|
func tokenExtract(c *fiber.Ctx) string {
|
||||||
|
var atk string
|
||||||
|
if cookie := c.Cookies(sec.CookieAccessToken); len(cookie) > 0 {
|
||||||
|
atk = cookie
|
||||||
|
}
|
||||||
|
if header := c.Get(fiber.HeaderAuthorization); len(header) > 0 {
|
||||||
|
tk := strings.Replace(header, "Bearer", "", 1)
|
||||||
|
atk = strings.TrimSpace(tk)
|
||||||
|
}
|
||||||
|
if tk := c.Query("tk"); len(tk) > 0 {
|
||||||
|
atk = strings.TrimSpace(tk)
|
||||||
|
}
|
||||||
|
return atk
|
||||||
|
}
|
||||||
|
|
||||||
|
func tokenRead(in string) (*sec.JwtClaims, error) {
|
||||||
|
if JReader == nil {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
claims, err := sec.ReadJwt[sec.JwtClaims](JReader, in)
|
||||||
|
return &claims, err
|
||||||
|
}
|
10
pkg/main.go
10
pkg/main.go
@ -2,9 +2,11 @@ package main
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"git.solsynth.dev/hypernet/nexus/pkg/internal/auth"
|
||||||
"git.solsynth.dev/hypernet/nexus/pkg/internal/database"
|
"git.solsynth.dev/hypernet/nexus/pkg/internal/database"
|
||||||
"git.solsynth.dev/hypernet/nexus/pkg/internal/http"
|
"git.solsynth.dev/hypernet/nexus/pkg/internal/http"
|
||||||
"git.solsynth.dev/hypernet/nexus/pkg/internal/kv"
|
"git.solsynth.dev/hypernet/nexus/pkg/internal/kv"
|
||||||
|
"git.solsynth.dev/hypernet/nexus/pkg/nex/sec"
|
||||||
"github.com/fatih/color"
|
"github.com/fatih/color"
|
||||||
"os"
|
"os"
|
||||||
"os/signal"
|
"os/signal"
|
||||||
@ -70,6 +72,14 @@ func main() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Read the public key for jwt
|
||||||
|
if reader, err := sec.NewJwtReader(viper.GetString("security.public_key")); err != nil {
|
||||||
|
log.Error().Err(err).Msg("An error occurred when reading public key for jwt. Authentication related features will be disabled.")
|
||||||
|
} else {
|
||||||
|
auth.JReader = reader
|
||||||
|
log.Info().Msg("Jwt public key loaded.")
|
||||||
|
}
|
||||||
|
|
||||||
// Server
|
// Server
|
||||||
go server.NewServer().Listen()
|
go server.NewServer().Listen()
|
||||||
|
|
||||||
|
15
pkg/nex/README.md
Normal file
15
pkg/nex/README.md
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
# Nex
|
||||||
|
|
||||||
|
The Hypernet.Nexus development SDK.
|
||||||
|
Defined the useful functions and ways to handle data for both server side and client.
|
||||||
|
|
||||||
|
## Parts
|
||||||
|
|
||||||
|
### Nex.Cruda
|
||||||
|
|
||||||
|
Create Read Update Delete Accelerator, aka. Cruda.
|
||||||
|
Cruda will help you to build a simplified database access layer based on the command system in nexus.
|
||||||
|
|
||||||
|
### Nex.Sec
|
||||||
|
|
||||||
|
The security part of nexus, including signing and validating the tokens and much more.
|
12
pkg/nex/sec/const.go
Normal file
12
pkg/nex/sec/const.go
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
package sec
|
||||||
|
|
||||||
|
const (
|
||||||
|
CookieAccessToken = "nex_atk"
|
||||||
|
CookieRefreshToken = "nex_rtk"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
TokenTypeAccess = "access_token"
|
||||||
|
RefreshTokenType = "refresh_token"
|
||||||
|
IdTokenType = "id_token"
|
||||||
|
)
|
27
pkg/nex/sec/jwt_claims.go
Normal file
27
pkg/nex/sec/jwt_claims.go
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
package sec
|
||||||
|
|
||||||
|
import (
|
||||||
|
"github.com/golang-jwt/jwt/v5"
|
||||||
|
"time"
|
||||||
|
)
|
||||||
|
|
||||||
|
type JwtClaims struct {
|
||||||
|
jwt.RegisteredClaims
|
||||||
|
|
||||||
|
// Nexus Standard
|
||||||
|
Session int `json:"sed"`
|
||||||
|
CacheTTL time.Duration `json:"ttl,omitempty"`
|
||||||
|
|
||||||
|
// OIDC Standard
|
||||||
|
Name string `json:"name,omitempty"`
|
||||||
|
Nick string `json:"preferred_username,omitempty"`
|
||||||
|
Email string `json:"email,omitempty"`
|
||||||
|
|
||||||
|
// OAuth2 Standard
|
||||||
|
AuthorizedParties string `json:"azp,omitempty"`
|
||||||
|
Nonce string `json:"nonce,omitempty"`
|
||||||
|
|
||||||
|
// The usage of this token
|
||||||
|
// Can be access_token, refresh_token or id_token
|
||||||
|
Type string `json:"typ"`
|
||||||
|
}
|
61
pkg/nex/sec/jwt_reader.go
Normal file
61
pkg/nex/sec/jwt_reader.go
Normal file
@ -0,0 +1,61 @@
|
|||||||
|
package sec
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/rsa"
|
||||||
|
"crypto/x509"
|
||||||
|
"encoding/pem"
|
||||||
|
"fmt"
|
||||||
|
"github.com/golang-jwt/jwt/v5"
|
||||||
|
"os"
|
||||||
|
)
|
||||||
|
|
||||||
|
type JwtReader struct {
|
||||||
|
key *rsa.PublicKey
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewJwtReader(fp string) (*JwtReader, error) {
|
||||||
|
privateKeyBytes, err := os.ReadFile(fp)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
block, _ := pem.Decode(privateKeyBytes)
|
||||||
|
if block == nil || block.Type != "PUBLIC KEY" {
|
||||||
|
return nil, fmt.Errorf("failed to decode PEM block containing private key")
|
||||||
|
}
|
||||||
|
|
||||||
|
anyPk, err := x509.ParsePKIXPublicKey(block.Bytes)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
pk, ok := anyPk.(*rsa.PublicKey)
|
||||||
|
if !ok {
|
||||||
|
return nil, fmt.Errorf("not an RSA public key")
|
||||||
|
}
|
||||||
|
|
||||||
|
return &JwtReader{
|
||||||
|
key: pk,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func ReadJwt[T jwt.Claims](v *JwtReader, in string) (T, error) {
|
||||||
|
var out T
|
||||||
|
token, err := jwt.Parse(in, func(token *jwt.Token) (interface{}, error) {
|
||||||
|
if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
|
||||||
|
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
|
||||||
|
}
|
||||||
|
return v.key, nil
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
return out, err
|
||||||
|
} else if !token.Valid {
|
||||||
|
return out, fmt.Errorf("token is not valid")
|
||||||
|
}
|
||||||
|
|
||||||
|
if claims, ok := token.Claims.(T); ok {
|
||||||
|
return claims, nil
|
||||||
|
} else {
|
||||||
|
return out, err
|
||||||
|
}
|
||||||
|
}
|
49
pkg/nex/sec/jwt_writer.go
Normal file
49
pkg/nex/sec/jwt_writer.go
Normal file
@ -0,0 +1,49 @@
|
|||||||
|
package sec
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/rsa"
|
||||||
|
"crypto/x509"
|
||||||
|
"encoding/pem"
|
||||||
|
"fmt"
|
||||||
|
"github.com/golang-jwt/jwt/v5"
|
||||||
|
"os"
|
||||||
|
)
|
||||||
|
|
||||||
|
type JwtWriter struct {
|
||||||
|
key *rsa.PrivateKey
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewJwtWriter(fp string) (*JwtWriter, error) {
|
||||||
|
rawPk, err := os.ReadFile(fp)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
block, _ := pem.Decode(rawPk)
|
||||||
|
if block == nil || block.Type != "PRIVATE KEY" {
|
||||||
|
return nil, fmt.Errorf("failed to decode PEM block containing private key")
|
||||||
|
}
|
||||||
|
|
||||||
|
anyPk, err := x509.ParsePKCS8PrivateKey(block.Bytes)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
pk, ok := anyPk.(*rsa.PrivateKey)
|
||||||
|
if !ok {
|
||||||
|
return nil, fmt.Errorf("not an RSA private key")
|
||||||
|
}
|
||||||
|
|
||||||
|
return &JwtWriter{
|
||||||
|
key: pk,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func WriteJwt[T jwt.Claims](v *JwtWriter, in T) (string, error) {
|
||||||
|
token := jwt.NewWithClaims(jwt.SigningMethodRS256, in)
|
||||||
|
ss, err := token.SignedString(v.key)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
return ss, nil
|
||||||
|
}
|
@ -1,25 +1,11 @@
|
|||||||
bind = "0.0.0.0:8001"
|
bind = "0.0.0.0:8001"
|
||||||
grpc_bind = "0.0.0.0:7001"
|
grpc_bind = "0.0.0.0:7001"
|
||||||
domain = "localhost"
|
domain = "localhost"
|
||||||
secret = "LtTjzAGFLshwXhN4ZD4nG5KlMv1MWcsvfv03TSZYnT1VhiAnLIZFTnHUwR0XhGgi"
|
|
||||||
|
|
||||||
[debug]
|
[debug]
|
||||||
database = false
|
database = false
|
||||||
print_routes = false
|
print_routes = false
|
||||||
|
|
||||||
[mailer]
|
|
||||||
name = "Alphabot <alphabot@smartsheep.studio>"
|
|
||||||
smtp_host = "smtp.exmail.qq.com"
|
|
||||||
smtp_port = 465
|
|
||||||
username = "alphabot@smartsheep.studio"
|
|
||||||
password = "gz937Zxxzfcd9SeH"
|
|
||||||
|
|
||||||
[security]
|
|
||||||
cookie_domain = "localhost"
|
|
||||||
cookie_samesite = "Lax"
|
|
||||||
access_token_duration = 300
|
|
||||||
refresh_token_duration = 2592000
|
|
||||||
|
|
||||||
[services]
|
[services]
|
||||||
aliases = { id = "auth", uc = "files", co = "interactive", im = "messaging" }
|
aliases = { id = "auth", uc = "files", co = "interactive", im = "messaging" }
|
||||||
|
|
||||||
@ -30,5 +16,5 @@ prefix = "sn_"
|
|||||||
[kv]
|
[kv]
|
||||||
endpoints = ["localhost:2379"]
|
endpoints = ["localhost:2379"]
|
||||||
|
|
||||||
[scraper]
|
[security]
|
||||||
user-agent = "SolarBot/1.0"
|
public_key = "keys/public_key.pem"
|
||||||
|
Loading…
Reference in New Issue
Block a user