Basic logout flow and better UX

This commit is contained in:
wpetit 2020-05-26 11:11:53 +02:00
parent 44338f06e3
commit 2851c879b6
21 changed files with 298 additions and 75 deletions

View File

@ -34,7 +34,9 @@ create-default-client:
hydra \ hydra \
hydra clients create \ hydra clients create \
-c http://localhost:3002/oauth2/callback \ -c http://localhost:3002/oauth2/callback \
--post-logout-callbacks http://localhost:3002 --post-logout-callbacks http://localhost:3002 \
-n "Default App" \
-a "openid" -a "email"
list-clients: list-clients:

View File

@ -1,4 +1,4 @@
{{define "title"}}Connexion{{end}} {{define "title"}}Courriel envoyé.{{end}}
{{define "body"}} {{define "body"}}
<section class="hero is-fullheight"> <section class="hero is-fullheight">
<div class="hero-body"> <div class="hero-body">

View File

@ -0,0 +1,20 @@
{{define "title"}}Erreur{{end}}
{{define "body"}}
<section class="hero is-fullheight">
<div class="hero-body">
<div class="container">
<div class="columns">
<div class="column is-4 is-offset-4">
<div class="message is-danger">
<div class="message-body">
<p class="title is-size-4 has-text-danger">{{ .ErrorTitle }}</p>
<p>{{ .ErrorDescription }}</p>
</div>
</div>
</div>
</div>
</div>
</div>
</section>
{{end}}
{{template "base" .}}

View File

@ -0,0 +1,22 @@
{{define "title"}}Connexion{{end}}
{{define "body"}}
<section class="hero is-fullheight">
<div class="hero-body">
<div class="container has-text-centered">
<div class="columns">
<div class="column is-4 is-offset-4">
<p class="has-text-black title">
Hydra Password<span class="has-text-grey">less</span>
</p>
<p class="is-size-7">
Version: {{ .BuildInfo.ProjectVersion }} |
Réf.: {{ .BuildInfo.GitRef }} |
Date de construction: {{ .BuildInfo.BuildDate }}
</p>
</div>
</div>
</div>
</div>
</section>
{{end}}
{{template "base" .}}

View File

@ -7,7 +7,7 @@
<div class="column is-4 is-offset-4"> <div class="column is-4 is-offset-4">
{{template "flash" .}} {{template "flash" .}}
<p class="has-text-black title"> <p class="has-text-black title">
Connexion Connexion à <a href="{{.ClientURI }}" class="has-text-info">{{ .ClientName }}</a>
</p> </p>
<p class="has-text-black subtitle"> <p class="has-text-black subtitle">
Veuillez entrer votre adresse courriel. Veuillez entrer votre adresse courriel.
@ -21,6 +21,14 @@
name="email" placeholder="john.doe@email.com" /> name="email" placeholder="john.doe@email.com" />
</div> </div>
</div> </div>
<div class="field is-grouped is-grouped-right">
<p class="control">
<label class="checkbox">
<input type="checkbox" name="rememberMe">
Se souvenir de moi
</label>
</p>
</div>
{{ .csrfField }} {{ .csrfField }}
<input name="challenge" type="hidden" value="{{ .LoginChallenge }}" /> <input name="challenge" type="hidden" value="{{ .LoginChallenge }}" />
<button type="submit" class="button is-link is-medium is-block is-fullwidth">Envoyer</button> <button type="submit" class="button is-link is-medium is-block is-fullwidth">Envoyer</button>

View File

@ -4,8 +4,8 @@
<table border="0" cellpadding="0" cellspacing="0"> <table border="0" cellpadding="0" cellspacing="0">
<tr> <tr>
<td> <td>
<p>Bonjour {{ .Email }}</p> <p>Bonjour,</p>
<p>Vous avez demandé à accéder à l'application "{{ .AppTitle }}". Cliquez sur le lien ci dessous pour vous authentifier. </p> <p>Vous avez demandé à accéder à l'application <a href="{{ .ClientURI }}">"{{ .ClientName }}"</a>. Cliquez sur le lien ci dessous pour vous authentifier. </p>
<table border="0" cellpadding="0" cellspacing="0" class="btn btn-primary"> <table border="0" cellpadding="0" cellspacing="0" class="btn btn-primary">
<tbody> <tbody>
<tr> <tr>

View File

@ -16,6 +16,10 @@ services:
DSN: mysql://hydra:hydra@tcp(mysql:3306)/hydra DSN: mysql://hydra:hydra@tcp(mysql:3306)/hydra
URLS_LOGIN: http://localhost:3000/login URLS_LOGIN: http://localhost:3000/login
URLS_CONSENT: http://localhost:3000/consent URLS_CONSENT: http://localhost:3000/consent
URLS_LOGOUT: http://localhost:3000/logout
SUPPORTED_SCOPES: email
SUPPORTED_CLAIMS: email,email_verified
SECRETS_SYSTEM: fAAya66yXNib52lbXpo16bxy1jD4NZrX
ports: ports:
- 4444:4444 - 4444:4444
- 4445:4445 - 4445:4445

View File

@ -4,7 +4,6 @@ import (
"bytes" "bytes"
"context" "context"
"fmt" "fmt"
"log"
"forge.cadoles.com/wpetit/hydra-passwordless/internal/config" "forge.cadoles.com/wpetit/hydra-passwordless/internal/config"
"forge.cadoles.com/wpetit/hydra-passwordless/internal/hydra" "forge.cadoles.com/wpetit/hydra-passwordless/internal/hydra"
@ -23,6 +22,9 @@ type SendConfirmationEmailRequest struct {
Challenge string Challenge string
DefaultScheme string DefaultScheme string
DefaultAddress string DefaultAddress string
RememberMe bool
ClientName string
ClientURI string
} }
func HandleSendConfirmationEmailRequest(ctx context.Context, cmd cqrs.Command) error { func HandleSendConfirmationEmailRequest(ctx context.Context, cmd cqrs.Command) error {
@ -48,6 +50,7 @@ func HandleSendConfirmationEmailRequest(ctx context.Context, cmd cqrs.Command) e
conf.HTTP.TokenEncryptionKey, conf.HTTP.TokenEncryptionKey,
req.Email, req.Email,
req.Challenge, req.Challenge,
req.RememberMe,
) )
if err != nil { if err != nil {
return errors.Wrap(err, "could not generate jwt") return errors.Wrap(err, "could not generate jwt")
@ -67,13 +70,11 @@ func HandleSendConfirmationEmailRequest(ctx context.Context, cmd cqrs.Command) e
scheme = conf.HTTP.PublicScheme scheme = conf.HTTP.PublicScheme
} }
log.Println(req, scheme)
verificationLink := fmt.Sprintf("%s//%s/verify?token=%s", scheme, address, token) verificationLink := fmt.Sprintf("%s//%s/verify?token=%s", scheme, address, token)
log.Println(verificationLink)
data := template.Data{ data := template.Data{
"ClientName": req.ClientName,
"ClientURI": req.ClientURI,
"BuildInfo": info, "BuildInfo": info,
"VerificationLink": verificationLink, "VerificationLink": verificationLink,
} }
@ -92,7 +93,7 @@ func HandleSendConfirmationEmailRequest(ctx context.Context, cmd cqrs.Command) e
err = ml.Send( err = ml.Send(
mail.WithSender(conf.SMTP.SenderAddress, conf.SMTP.SenderName), mail.WithSender(conf.SMTP.SenderAddress, conf.SMTP.SenderName),
mail.WithRecipients(req.Email), mail.WithRecipients(req.Email),
mail.WithSubject(fmt.Sprintf("[Authentification]")), mail.WithSubject(fmt.Sprintf("[%s] Connexion", req.ClientName)),
mail.WithBody(mail.ContentTypeHTML, html, nil), mail.WithBody(mail.ContentTypeHTML, html, nil),
mail.WithAlternativeBody(mail.ContentTypeText, "", nil), mail.WithAlternativeBody(mail.ContentTypeText, "", nil),
) )

View File

@ -70,7 +70,57 @@ func (c *Client) RejectLoginRequest(challenge string, req *RejectRequest) (*Reje
} }
func (c *Client) LogoutRequest(challenge string) (*LogoutResponse, error) { func (c *Client) LogoutRequest(challenge string) (*LogoutResponse, error) {
return nil, nil u := fromURL(*c.baseURL, "/oauth2/auth/requests/logout", url.Values{
"logout_challenge": []string{challenge},
})
res, err := c.http.Get(u)
if err != nil {
return nil, errors.Wrap(err, "could not retrieve logout response")
}
if res.StatusCode < http.StatusOK || res.StatusCode >= http.StatusBadRequest {
return nil, errors.Wrapf(ErrUnexpectedHydraResponse, "hydra responded with status code '%d'", res.StatusCode)
}
defer res.Body.Close()
decoder := json.NewDecoder(res.Body)
logoutRes := &LogoutResponse{}
if err := decoder.Decode(logoutRes); err != nil {
return nil, errors.Wrap(err, "could not decode json response")
}
return logoutRes, nil
}
func (c *Client) AcceptLogoutRequest(challenge string) (*AcceptResponse, error) {
u := fromURL(*c.baseURL, "/oauth2/auth/requests/logout/accept", url.Values{
"logout_challenge": []string{challenge},
})
res := &AcceptResponse{}
if err := c.putJSON(u, nil, res); err != nil {
return nil, err
}
return res, nil
}
func (c *Client) RejectLogoutRequest(challenge string, req *RejectRequest) (*RejectResponse, error) {
u := fromURL(*c.baseURL, "/oauth2/auth/requests/logout/reject", url.Values{
"logout_challenge": []string{challenge},
})
res := &RejectResponse{}
if err := c.putJSON(u, req, res); err != nil {
return nil, err
}
return res, nil
} }
func (c *Client) ConsentRequest(challenge string) (*ConsentResponse, error) { func (c *Client) ConsentRequest(challenge string) (*ConsentResponse, error) {

View File

@ -5,8 +5,11 @@ type AcceptLoginRequest struct {
Remember bool `json:"remember"` Remember bool `json:"remember"`
RememberFor int `json:"remember_for"` RememberFor int `json:"remember_for"`
ACR string `json:"acr"` ACR string `json:"acr"`
Context map[string]interface{} `json:"context"`
} }
type AcceptLogoutRequest struct{}
type AcceptConsentRequest struct { type AcceptConsentRequest struct {
GrantScope []string `json:"grant_scope"` GrantScope []string `json:"grant_scope"`
GrantAccessTokenAudience []string `json:"grant_access_token_audience"` GrantAccessTokenAudience []string `json:"grant_access_token_audience"`

View File

@ -68,6 +68,10 @@ type RejectResponse struct {
} }
type LogoutResponse struct { type LogoutResponse struct {
Subject string `json:"subject"`
SessionID string `json:"sid"`
RPInitiated bool `json:"rp_initiated"`
RequestURL string `json:"request_url"`
} }
type ConsentResponse struct { type ConsentResponse struct {
@ -80,4 +84,5 @@ type ConsentResponse struct {
OidcContext OidcContextResponseFragment `json:"oidc_context"` OidcContext OidcContextResponseFragment `json:"oidc_context"`
RequestedAccessTokenAudience []string `json:"requested_access_token_audience"` RequestedAccessTokenAudience []string `json:"requested_access_token_audience"`
SessionID string `json:"session_id"` SessionID string `json:"session_id"`
Context map[string]interface{} `json:"context"`
} }

View File

@ -17,6 +17,7 @@ type VerifyUserRequest struct {
type VerifyUserData struct { type VerifyUserData struct {
Email string Email string
Challenge string Challenge string
RememberMe bool
} }
func HandleVerifyUserRequest(ctx context.Context, qry cqrs.Query) (interface{}, error) { func HandleVerifyUserRequest(ctx context.Context, qry cqrs.Query) (interface{}, error) {
@ -28,7 +29,7 @@ func HandleVerifyUserRequest(ctx context.Context, qry cqrs.Query) (interface{},
ctn := container.Must(ctx) ctn := container.Must(ctx)
conf := config.Must(ctn) conf := config.Must(ctn)
email, challenge, err := token.Verify( email, challenge, rememberMe, err := token.Verify(
conf.HTTP.TokenSigningKey, conf.HTTP.TokenSigningKey,
conf.HTTP.TokenEncryptionKey, conf.HTTP.TokenEncryptionKey,
req.Token, req.Token,
@ -41,6 +42,7 @@ func HandleVerifyUserRequest(ctx context.Context, qry cqrs.Query) (interface{},
data := &VerifyUserData{ data := &VerifyUserData{
Email: email, Email: email,
Challenge: challenge, Challenge: challenge,
RememberMe: rememberMe,
} }
return data, nil return data, nil

View File

@ -10,7 +10,6 @@ import (
func serveConsentPage(w http.ResponseWriter, r *http.Request) { func serveConsentPage(w http.ResponseWriter, r *http.Request) {
ctn := container.Must(r.Context()) ctn := container.Must(r.Context())
//tmpl := template.Must(ctn)
hydr := hydra.Must(ctn) hydr := hydra.Must(ctn)
challenge, err := hydr.ConsentChallenge(r) challenge, err := hydr.ConsentChallenge(r)
@ -24,43 +23,29 @@ func serveConsentPage(w http.ResponseWriter, r *http.Request) {
panic(errors.Wrap(err, "could not retrieve consent challenge")) panic(errors.Wrap(err, "could not retrieve consent challenge"))
} }
res, err := hydr.ConsentRequest(challenge) consentRes, err := hydr.ConsentRequest(challenge)
if err != nil { if err != nil {
panic(errors.Wrap(err, "could not retrieve hydra consent response")) panic(errors.Wrap(err, "could not retrieve hydra consent response"))
} }
if res.Skip { scopes := []string{"email"}
res, err := hydr.AcceptConsentRequest(challenge, &hydra.AcceptConsentRequest{ scopes = append(scopes, consentRes.RequestedScope...)
GrantScope: res.RequestedScope,
GrantAccessTokenAudience: res.RequestedAccessTokenAudience, acceptConsentReq := &hydra.AcceptConsentRequest{
}) GrantScope: scopes,
GrantAccessTokenAudience: consentRes.RequestedAccessTokenAudience,
Session: hydra.AcceptConsentSession{
IDToken: map[string]interface{}{
"email": consentRes.Context["email"],
"email_verified": true,
},
},
}
acceptRes, err := hydr.AcceptConsentRequest(challenge, acceptConsentReq)
if err != nil { if err != nil {
panic(errors.Wrap(err, "could not accept hydra consent request")) panic(errors.Wrap(err, "could not accept hydra consent request"))
} }
http.Redirect(w, r, res.RedirectTo, http.StatusTemporaryRedirect) http.Redirect(w, r, acceptRes.RedirectTo, http.StatusTemporaryRedirect)
return
}
res2, err := hydr.AcceptConsentRequest(challenge, &hydra.AcceptConsentRequest{
GrantScope: res.RequestedScope,
GrantAccessTokenAudience: res.RequestedAccessTokenAudience,
})
if err != nil {
panic(errors.Wrap(err, "could not accept hydra consent request"))
}
http.Redirect(w, r, res2.RedirectTo, http.StatusTemporaryRedirect)
// spew.Dump(res)
// data := extendTemplateData(w, r, template.Data{
// csrf.TemplateTag: csrf.TemplateField(r),
// "RequestedScope": res.RequestedScope,
// "ConsentChallenge": challenge,
// })
// if err := tmpl.RenderPage(w, "consent.html.tmpl", data); err != nil {
// panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
// }
} }

View File

@ -22,3 +22,21 @@ func extendTemplateData(w http.ResponseWriter, r *http.Request, data template.Da
return data return data
} }
func renderErrorPage(w http.ResponseWriter, r *http.Request, statusCode int, title, description string) error {
ctn := container.Must(r.Context())
tmpl := template.Must(ctn)
data := extendTemplateData(w, r, template.Data{
"ErrorTitle": title,
"ErrorDescription": description,
})
w.WriteHeader(statusCode)
if err := tmpl.RenderPage(w, "error.html.tmpl", data); err != nil {
return errors.Wrap(err, "could not render error page")
}
return nil
}

20
internal/route/home.go Normal file
View File

@ -0,0 +1,20 @@
package route
import (
"net/http"
"github.com/pkg/errors"
"gitlab.com/wpetit/goweb/middleware/container"
"gitlab.com/wpetit/goweb/service/template"
)
func serveHomePage(w http.ResponseWriter, r *http.Request) {
ctn := container.Must(r.Context())
tmpl := template.Must(ctn)
data := extendTemplateData(w, r, template.Data{})
if err := tmpl.RenderPage(w, "home.html.tmpl", data); err != nil {
panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
}
}

View File

@ -21,7 +21,15 @@ func serveLoginPage(w http.ResponseWriter, r *http.Request) {
challenge, err := hydr.LoginChallenge(r) challenge, err := hydr.LoginChallenge(r)
if err != nil { if err != nil {
if err == hydra.ErrChallengeNotFound { if err == hydra.ErrChallengeNotFound {
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest) err := renderErrorPage(
w, r,
http.StatusBadRequest,
"Requête invalide",
"Certaines informations requises afin de réaliser votre requête sont absentes.",
)
if err != nil {
panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
}
return return
} }
@ -35,15 +43,20 @@ func serveLoginPage(w http.ResponseWriter, r *http.Request) {
} }
if res.Skip { if res.Skip {
res, err := hydr.RejectLoginRequest(challenge, &hydra.RejectRequest{ accept := &hydra.AcceptLoginRequest{
Error: "email_not_validated", Subject: res.Subject,
ErrorDescription: "The email adress could not be verified.", Context: map[string]interface{}{
}) "email": res.Subject,
if err != nil { },
panic(errors.Wrap(err, "could not reject hydra authentication request"))
} }
http.Redirect(w, r, res.RedirectTo, http.StatusTemporaryRedirect) res, err := hydr.AcceptLoginRequest(challenge, accept)
if err != nil {
panic(errors.Wrap(err, "could not retrieve hydra accept response"))
}
http.Redirect(w, r, res.RedirectTo, http.StatusSeeOther)
return return
} }
@ -53,6 +66,8 @@ func serveLoginPage(w http.ResponseWriter, r *http.Request) {
csrf.TemplateTag: csrf.TemplateField(r), csrf.TemplateTag: csrf.TemplateField(r),
"LoginChallenge": challenge, "LoginChallenge": challenge,
"Email": "", "Email": "",
"ClientName": res.Client.ClientName,
"ClientURI": res.Client.ClientURI,
}) })
if err := tmpl.RenderPage(w, "login.html.tmpl", data); err != nil { if err := tmpl.RenderPage(w, "login.html.tmpl", data); err != nil {
@ -64,6 +79,7 @@ func handleLoginForm(w http.ResponseWriter, r *http.Request) {
ctx := r.Context() ctx := r.Context()
ctn := container.Must(ctx) ctn := container.Must(ctx)
tmpl := template.Must(ctn) tmpl := template.Must(ctn)
hydr := hydra.Must(ctn)
bus := cqrs.Must(ctn) bus := cqrs.Must(ctn)
if err := r.ParseForm(); err != nil { if err := r.ParseForm(); err != nil {
@ -72,9 +88,30 @@ func handleLoginForm(w http.ResponseWriter, r *http.Request) {
return return
} }
email := r.Form.Get("email")
challenge := r.Form.Get("challenge") challenge := r.Form.Get("challenge")
if challenge == "" {
err := renderErrorPage(
w, r,
http.StatusBadRequest,
"Requête invalide",
"Certaines informations requises sont manquantes pour pouvoir réaliser votre requête.",
)
if err != nil {
panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
}
return
}
res, err := hydr.LoginRequest(challenge)
if err != nil {
panic(errors.Wrap(err, "could not retrieve hydra login response"))
}
email := r.Form.Get("email")
rememberMe := r.Form.Get("rememberMe")
renderFlashError := func(message string) { renderFlashError := func(message string) {
sess, err := session.Must(ctn).Get(w, r) sess, err := session.Must(ctn).Get(w, r)
if err != nil { if err != nil {
@ -91,6 +128,8 @@ func handleLoginForm(w http.ResponseWriter, r *http.Request) {
csrf.TemplateTag: csrf.TemplateField(r), csrf.TemplateTag: csrf.TemplateField(r),
"LoginChallenge": challenge, "LoginChallenge": challenge,
"Email": email, "Email": email,
"ClientName": res.Client.ClientName,
"ClientURI": res.Client.ClientURI,
}) })
if err := tmpl.RenderPage(w, "login.html.tmpl", data); err != nil { if err := tmpl.RenderPage(w, "login.html.tmpl", data); err != nil {
@ -104,17 +143,14 @@ func handleLoginForm(w http.ResponseWriter, r *http.Request) {
return return
} }
if challenge == "" {
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
return
}
cmd := &command.SendConfirmationEmailRequest{ cmd := &command.SendConfirmationEmailRequest{
Email: email, Email: email,
Challenge: challenge, Challenge: challenge,
DefaultScheme: r.URL.Scheme, DefaultScheme: r.URL.Scheme,
DefaultAddress: r.Host, DefaultAddress: r.Host,
RememberMe: rememberMe == "on",
ClientName: res.Client.ClientName,
ClientURI: res.Client.ClientURI,
} }
if _, err := bus.Exec(ctx, cmd); err != nil { if _, err := bus.Exec(ctx, cmd); err != nil {
panic(errors.Wrap(err, "could not execute command")) panic(errors.Wrap(err, "could not execute command"))

View File

@ -2,8 +2,36 @@ package route
import ( import (
"net/http" "net/http"
"forge.cadoles.com/wpetit/hydra-passwordless/internal/hydra"
"github.com/pkg/errors"
"gitlab.com/wpetit/goweb/middleware/container"
) )
func serveLogoutPage(w http.ResponseWriter, r *http.Request) { func serveLogoutPage(w http.ResponseWriter, r *http.Request) {
ctn := container.Must(r.Context())
hydr := hydra.Must(ctn)
challenge, err := hydr.LogoutChallenge(r)
if err != nil {
if err == hydra.ErrChallengeNotFound {
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
return
}
panic(errors.Wrap(err, "could not retrieve logout challenge"))
}
_, err = hydr.LogoutRequest(challenge)
if err != nil {
panic(errors.Wrap(err, "could not retrieve hydra logout response"))
}
acceptRes, err := hydr.AcceptLogoutRequest(challenge)
if err != nil {
panic(errors.Wrap(err, "could not retrieve hydra accept logout response"))
}
http.Redirect(w, r, acceptRes.RedirectTo, http.StatusSeeOther)
} }

View File

@ -23,7 +23,7 @@ func Mount(r *chi.Mux, config *config.Config) error {
r.Group(func(r chi.Router) { r.Group(func(r chi.Router) {
r.Use(csrfMiddleware) r.Use(csrfMiddleware)
r.Get("/", serveHomePage)
r.Get("/login", serveLoginPage) r.Get("/login", serveLoginPage)
r.Post("/login", handleLoginForm) r.Post("/login", handleLoginForm)
r.Get("/logout", serveLogoutPage) r.Get("/logout", serveLogoutPage)

View File

@ -32,6 +32,18 @@ func handleVerification(w http.ResponseWriter, r *http.Request) {
if err != nil { if err != nil {
logger.Error(ctx, "could not verify token", logger.E(err)) logger.Error(ctx, "could not verify token", logger.E(err))
err := renderErrorPage(
w, r,
http.StatusBadRequest,
"Lien invalide",
"Le lien de connexion utilisé est invalide ou a expiré.",
)
if err != nil {
panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
}
return
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest) http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
} }
@ -44,6 +56,11 @@ func handleVerification(w http.ResponseWriter, r *http.Request) {
accept := &hydra.AcceptLoginRequest{ accept := &hydra.AcceptLoginRequest{
Subject: verifyUserData.Email, Subject: verifyUserData.Email,
Remember: verifyUserData.RememberMe,
RememberFor: 3600,
Context: map[string]interface{}{
"email": verifyUserData.Email,
},
} }
res, err := hydr.AcceptLoginRequest(verifyUserData.Challenge, accept) res, err := hydr.AcceptLoginRequest(verifyUserData.Challenge, accept)

View File

@ -12,9 +12,10 @@ const (
type privateClaims struct { type privateClaims struct {
Challenge string `json:"challenge"` Challenge string `json:"challenge"`
RememberMe bool `json:"remember"`
} }
func Generate(signingKey, encryptionKey, email, challenge string) (string, error) { func Generate(signingKey, encryptionKey, email, challenge string, rememberMe bool) (string, error) {
sig, err := jose.NewSigner( sig, err := jose.NewSigner(
jose.SigningKey{ jose.SigningKey{
Algorithm: jose.HS256, Algorithm: jose.HS256,
@ -45,6 +46,7 @@ func Generate(signingKey, encryptionKey, email, challenge string) (string, error
privateClaims := privateClaims{ privateClaims := privateClaims{
Challenge: challenge, Challenge: challenge,
RememberMe: rememberMe,
} }
raw, err := jwt.SignedAndEncrypted(sig, enc).Claims(claims).Claims(privateClaims).CompactSerialize() raw, err := jwt.SignedAndEncrypted(sig, enc).Claims(claims).Claims(privateClaims).CompactSerialize()

View File

@ -5,23 +5,23 @@ import (
"gopkg.in/square/go-jose.v2/jwt" "gopkg.in/square/go-jose.v2/jwt"
) )
func Verify(signingKey, encryptionKey, raw string) (string, string, error) { func Verify(signingKey, encryptionKey, raw string) (string, string, bool, error) {
token, err := jwt.ParseSignedAndEncrypted(raw) token, err := jwt.ParseSignedAndEncrypted(raw)
if err != nil { if err != nil {
return "", "", errors.Wrap(err, "could not parse token") return "", "", false, errors.Wrap(err, "could not parse token")
} }
nested, err := token.Decrypt([]byte(encryptionKey)) nested, err := token.Decrypt([]byte(encryptionKey))
if err != nil { if err != nil {
return "", "", errors.Wrap(err, "could not decrypt token") return "", "", false, errors.Wrap(err, "could not decrypt token")
} }
baseClaims := jwt.Claims{} baseClaims := jwt.Claims{}
privateClaims := privateClaims{} privateClaims := privateClaims{}
if err := nested.Claims([]byte(signingKey), &baseClaims, &privateClaims); err != nil { if err := nested.Claims([]byte(signingKey), &baseClaims, &privateClaims); err != nil {
return "", "", errors.Wrap(err, "could not validate claims") return "", "", false, errors.Wrap(err, "could not validate claims")
} }
return baseClaims.Subject, privateClaims.Challenge, nil return baseClaims.Subject, privateClaims.Challenge, privateClaims.RememberMe, nil
} }