super-graph/internal/serv/internal/auth/jwt.go

package auth

import (
	"context"
	"encoding/json"
	"io/ioutil"
	"net/http"
	"strconv"
	"strings"
	"time"

	jwt "github.com/dgrijalva/jwt-go"
	"github.com/dosco/super-graph/core"
)

const (
	authHeader               = "Authorization"
	jwtAuth0             int = iota + 1
	jwtFirebase          int = iota + 2
	firebasePKEndpoint       = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"
	firebaseIssuerPrefix     = "https://securetoken.google.com/"
)

type firebasePKCache struct {
	PublicKeys map[string]string
	Expiration time.Time
}

var firebasePublicKeys firebasePKCache

func JwtHandler(ac *Auth, next http.Handler) (http.HandlerFunc, error) {
	var key interface{}
	var jwtProvider int

	cookie := ac.Cookie

	if ac.JWT.Provider == "auth0" {
		jwtProvider = jwtAuth0
	} else if ac.JWT.Provider == "firebase" {
		jwtProvider = jwtFirebase
	}

	secret := ac.JWT.Secret
	publicKeyFile := ac.JWT.PubKeyFile

	switch {
	case secret != "":
		key = []byte(secret)

	case publicKeyFile != "":
		kd, err := ioutil.ReadFile(publicKeyFile)
		if err != nil {
			return nil, err
		}

		switch ac.JWT.PubKeyType {
		case "ecdsa":
			key, err = jwt.ParseECPublicKeyFromPEM(kd)

		case "rsa":
			key, err = jwt.ParseRSAPublicKeyFromPEM(kd)

		default:
			key, err = jwt.ParseECPublicKeyFromPEM(kd)

		}

		if err != nil {
			return nil, err
		}
	}

	return func(w http.ResponseWriter, r *http.Request) {

		var tok string

		if cookie != "" {
			ck, err := r.Cookie(cookie)
			if err != nil {
				next.ServeHTTP(w, r)
				return
			}
			tok = ck.Value
		} else {
			ah := r.Header.Get(authHeader)
			if len(ah) < 10 {
				next.ServeHTTP(w, r)
				return
			}
			tok = ah[7:]
		}

		var keyFunc jwt.Keyfunc
		if jwtProvider == jwtFirebase {
			keyFunc = firebaseKeyFunction
		} else {
			keyFunc = func(token *jwt.Token) (interface{}, error) {
				return key, nil
			}
		}

		token, err := jwt.ParseWithClaims(tok, &jwt.StandardClaims{}, keyFunc)

		if err != nil {
			next.ServeHTTP(w, r)
			return
		}

		if claims, ok := token.Claims.(*jwt.StandardClaims); ok {
			ctx := r.Context()

			if ac.JWT.Audience != "" && claims.Audience != ac.JWT.Audience {
				next.ServeHTTP(w, r)
				return
			}

			if jwtProvider == jwtAuth0 {
				sub := strings.Split(claims.Subject, "|")
				if len(sub) != 2 {
					ctx = context.WithValue(ctx, core.UserIDProviderKey, sub[0])
					ctx = context.WithValue(ctx, core.UserIDKey, sub[1])
				}
			} else if jwtProvider == jwtFirebase &&
				claims.Issuer == firebaseIssuerPrefix+ac.JWT.Audience {
				ctx = context.WithValue(ctx, core.UserIDKey, claims.Subject)
			} else {
				ctx = context.WithValue(ctx, core.UserIDKey, claims.Subject)
			}

			next.ServeHTTP(w, r.WithContext(ctx))
			return
		}

		next.ServeHTTP(w, r)
	}, nil
}

type firebaseKeyError struct {
	Err     error
	Message string
}

func (e *firebaseKeyError) Error() string {
	return e.Message + " " + e.Err.Error()
}

func firebaseKeyFunction(token *jwt.Token) (interface{}, error) {
	kid, ok := token.Header["kid"]

	if !ok {
		return nil, &firebaseKeyError{
			Message: "Error 'kid' header not found in token",
		}
	}

	if firebasePublicKeys.Expiration.Before(time.Now()) {
		resp, err := http.Get(firebasePKEndpoint)

		if err != nil {
			return nil, &firebaseKeyError{
				Message: "Error connecting to firebase certificate server",
				Err:     err,
			}
		}

		defer resp.Body.Close()

		data, err := ioutil.ReadAll(resp.Body)

		if err != nil {
			return nil, &firebaseKeyError{
				Message: "Error reading firebase certificate server response",
				Err:     err,
			}
		}

		cachePolicy := resp.Header.Get("cache-control")
		ageIndex := strings.Index(cachePolicy, "max-age=")

		if ageIndex < 0 {
			return nil, &firebaseKeyError{
				Message: "Error parsing cache-control header: 'max-age=' not found",
			}
		}

		ageToEnd := cachePolicy[ageIndex+8:]
		endIndex := strings.Index(ageToEnd, ",")
		if endIndex < 0 {
			endIndex = len(ageToEnd) - 1
		}
		ageString := ageToEnd[:endIndex]

		age, err := strconv.ParseInt(ageString, 10, 64)

		if err != nil {
			return nil, &firebaseKeyError{
				Message: "Error parsing max-age cache policy",
				Err:     err,
			}
		}

		expiration := time.Now().Add(time.Duration(time.Duration(age) * time.Second))

		err = json.Unmarshal(data, &firebasePublicKeys.PublicKeys)

		if err != nil {
			firebasePublicKeys = firebasePKCache{}
			return nil, &firebaseKeyError{
				Message: "Error unmarshalling firebase public key json",
				Err:     err,
			}
		}

		firebasePublicKeys.Expiration = expiration
	}

	if key, found := firebasePublicKeys.PublicKeys[kid.(string)]; found {
		k, err := jwt.ParseRSAPublicKeyFromPEM([]byte(key))
		return k, err
	}

	return nil, &firebaseKeyError{
		Message: "Error no matching public key for kid supplied in jwt",
	}
}
Refactor Super Graph into a library #26 2020-04-10 08:27:43 +02:00			`package auth`
First commit 2019-03-24 14:57:29 +01:00
			`import (`
			`"context"`
feat: Add firebase auth support and JWT audience check (#71) 2020-06-06 00:48:17 +02:00			`"encoding/json"`
First commit 2019-03-24 14:57:29 +01:00			`"io/ioutil"`
			`"net/http"`
feat: Add firebase auth support and JWT audience check (#71) 2020-06-06 00:48:17 +02:00			`"strconv"`
Add Auth0 JWT support 2019-03-29 03:34:42 +01:00			`"strings"`
feat: Add firebase auth support and JWT audience check (#71) 2020-06-06 00:48:17 +02:00			`"time"`
First commit 2019-03-24 14:57:29 +01:00
			`jwt "github.com/dgrijalva/jwt-go"`
Refactor Super Graph into a library #26 2020-04-10 08:27:43 +02:00			`"github.com/dosco/super-graph/core"`
First commit 2019-03-24 14:57:29 +01:00			`)`

Add Auth0 JWT support 2019-03-29 03:34:42 +01:00			`const (`
feat: Add firebase auth support and JWT audience check (#71) 2020-06-06 00:48:17 +02:00			`authHeader = "Authorization"`
			`jwtAuth0 int = iota + 1`
			`jwtFirebase int = iota + 2`
			`firebasePKEndpoint = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"`
			`firebaseIssuerPrefix = "https://securetoken.google.com/"`
Add Auth0 JWT support 2019-03-29 03:34:42 +01:00			`)`

feat: Add firebase auth support and JWT audience check (#71) 2020-06-06 00:48:17 +02:00			`type firebasePKCache struct {`
			`PublicKeys map[string]string`
			`Expiration time.Time`
			`}`

			`var firebasePublicKeys firebasePKCache`

Remove config package 2020-04-11 08:45:06 +02:00			`func JwtHandler(ac *Auth, next http.Handler) (http.HandlerFunc, error) {`
First commit 2019-03-24 14:57:29 +01:00			`var key interface{}`
Add Auth0 JWT support 2019-03-29 03:34:42 +01:00			`var jwtProvider int`
First commit 2019-03-24 14:57:29 +01:00
Refactor Super Graph into a library #26 2020-04-10 08:27:43 +02:00			`cookie := ac.Cookie`
First commit 2019-03-24 14:57:29 +01:00
Refactor Super Graph into a library #26 2020-04-10 08:27:43 +02:00			`if ac.JWT.Provider == "auth0" {`
Add Auth0 JWT support 2019-03-29 03:34:42 +01:00			`jwtProvider = jwtAuth0`
feat: Add firebase auth support and JWT audience check (#71) 2020-06-06 00:48:17 +02:00			`} else if ac.JWT.Provider == "firebase" {`
			`jwtProvider = jwtFirebase`
Add Auth0 JWT support 2019-03-29 03:34:42 +01:00			`}`

Refactor Super Graph into a library #26 2020-04-10 08:27:43 +02:00			`secret := ac.JWT.Secret`
			`publicKeyFile := ac.JWT.PubKeyFile`
First commit 2019-03-24 14:57:29 +01:00
			`switch {`
fix: implement various deepsource suggestions 2020-06-15 16:16:47 +02:00			`case secret != "":`
First commit 2019-03-24 14:57:29 +01:00			`key = []byte(secret)`

fix: implement various deepsource suggestions 2020-06-15 16:16:47 +02:00			`case publicKeyFile != "":`
First commit 2019-03-24 14:57:29 +01:00			`kd, err := ioutil.ReadFile(publicKeyFile)`
			`if err != nil {`
Refactor Super Graph into a library #26 2020-04-10 08:27:43 +02:00			`return nil, err`
First commit 2019-03-24 14:57:29 +01:00			`}`

Refactor Super Graph into a library #26 2020-04-10 08:27:43 +02:00			`switch ac.JWT.PubKeyType {`
First commit 2019-03-24 14:57:29 +01:00			`case "ecdsa":`
			`key, err = jwt.ParseECPublicKeyFromPEM(kd)`

			`case "rsa":`
			`key, err = jwt.ParseRSAPublicKeyFromPEM(kd)`

			`default:`
			`key, err = jwt.ParseECPublicKeyFromPEM(kd)`

			`}`

			`if err != nil {`
Refactor Super Graph into a library #26 2020-04-10 08:27:43 +02:00			`return nil, err`
First commit 2019-03-24 14:57:29 +01:00			`}`
			`}`

			`return func(w http.ResponseWriter, r *http.Request) {`
feat: Add firebase auth support and JWT audience check (#71) 2020-06-06 00:48:17 +02:00
First commit 2019-03-24 14:57:29 +01:00			`var tok string`

fix: implement various deepsource suggestions 2020-06-15 16:16:47 +02:00			`if cookie != "" {`
First commit 2019-03-24 14:57:29 +01:00			`ck, err := r.Cookie(cookie)`
			`if err != nil {`
			`next.ServeHTTP(w, r)`
			`return`
			`}`
			`tok = ck.Value`
			`} else {`
			`ah := r.Header.Get(authHeader)`
			`if len(ah) < 10 {`
			`next.ServeHTTP(w, r)`
			`return`
			`}`
			`tok = ah[7:]`
			`}`

feat: Add firebase auth support and JWT audience check (#71) 2020-06-06 00:48:17 +02:00			`var keyFunc jwt.Keyfunc`
			`if jwtProvider == jwtFirebase {`
			`keyFunc = firebaseKeyFunction`
			`} else {`
			`keyFunc = func(token *jwt.Token) (interface{}, error) {`
			`return key, nil`
			`}`
			`}`

			`token, err := jwt.ParseWithClaims(tok, &jwt.StandardClaims{}, keyFunc)`
First commit 2019-03-24 14:57:29 +01:00
			`if err != nil {`
			`next.ServeHTTP(w, r)`
			`return`
			`}`

			`if claims, ok := token.Claims.(*jwt.StandardClaims); ok {`
Add Auth0 JWT support 2019-03-29 03:34:42 +01:00			`ctx := r.Context()`

feat: Add firebase auth support and JWT audience check (#71) 2020-06-06 00:48:17 +02:00			`if ac.JWT.Audience != "" && claims.Audience != ac.JWT.Audience {`
			`next.ServeHTTP(w, r)`
			`return`
			`}`

Add Auth0 JWT support 2019-03-29 03:34:42 +01:00			`if jwtProvider == jwtAuth0 {`
			`sub := strings.Split(claims.Subject, "\|")`
			`if len(sub) != 2 {`
Refactor Super Graph into a library #26 2020-04-10 08:27:43 +02:00			`ctx = context.WithValue(ctx, core.UserIDProviderKey, sub[0])`
			`ctx = context.WithValue(ctx, core.UserIDKey, sub[1])`
Add Auth0 JWT support 2019-03-29 03:34:42 +01:00			`}`
feat: Add firebase auth support and JWT audience check (#71) 2020-06-06 00:48:17 +02:00			`} else if jwtProvider == jwtFirebase &&`
			`claims.Issuer == firebaseIssuerPrefix+ac.JWT.Audience {`
			`ctx = context.WithValue(ctx, core.UserIDKey, claims.Subject)`
Add Auth0 JWT support 2019-03-29 03:34:42 +01:00			`} else {`
Refactor Super Graph into a library #26 2020-04-10 08:27:43 +02:00			`ctx = context.WithValue(ctx, core.UserIDKey, claims.Subject)`
Add Auth0 JWT support 2019-03-29 03:34:42 +01:00			`}`
Fix issues with JWT auth 2019-11-15 07:35:19 +01:00
First commit 2019-03-24 14:57:29 +01:00			`next.ServeHTTP(w, r.WithContext(ctx))`
Fix issues with JWT auth 2019-11-15 07:35:19 +01:00			`return`
First commit 2019-03-24 14:57:29 +01:00			`}`
Fix issues with JWT auth 2019-11-15 07:35:19 +01:00
First commit 2019-03-24 14:57:29 +01:00			`next.ServeHTTP(w, r)`
Refactor Super Graph into a library #26 2020-04-10 08:27:43 +02:00			`}, nil`
First commit 2019-03-24 14:57:29 +01:00			`}`
feat: Add firebase auth support and JWT audience check (#71) 2020-06-06 00:48:17 +02:00
			`type firebaseKeyError struct {`
			`Err error`
			`Message string`
			`}`

			`func (e *firebaseKeyError) Error() string {`
			`return e.Message + " " + e.Err.Error()`
			`}`

			`func firebaseKeyFunction(token *jwt.Token) (interface{}, error) {`
			`kid, ok := token.Header["kid"]`

			`if !ok {`
			`return nil, &firebaseKeyError{`
			`Message: "Error 'kid' header not found in token",`
			`}`
			`}`

			`if firebasePublicKeys.Expiration.Before(time.Now()) {`
			`resp, err := http.Get(firebasePKEndpoint)`

			`if err != nil {`
			`return nil, &firebaseKeyError{`
			`Message: "Error connecting to firebase certificate server",`
			`Err: err,`
			`}`
			`}`

			`defer resp.Body.Close()`

			`data, err := ioutil.ReadAll(resp.Body)`

			`if err != nil {`
			`return nil, &firebaseKeyError{`
			`Message: "Error reading firebase certificate server response",`
			`Err: err,`
			`}`
			`}`

			`cachePolicy := resp.Header.Get("cache-control")`
			`ageIndex := strings.Index(cachePolicy, "max-age=")`

			`if ageIndex < 0 {`
			`return nil, &firebaseKeyError{`
			`Message: "Error parsing cache-control header: 'max-age=' not found",`
			`}`
			`}`

			`ageToEnd := cachePolicy[ageIndex+8:]`
			`endIndex := strings.Index(ageToEnd, ",")`
			`if endIndex < 0 {`
			`endIndex = len(ageToEnd) - 1`
			`}`
			`ageString := ageToEnd[:endIndex]`

			`age, err := strconv.ParseInt(ageString, 10, 64)`

			`if err != nil {`
			`return nil, &firebaseKeyError{`
			`Message: "Error parsing max-age cache policy",`
			`Err: err,`
			`}`
			`}`

			`expiration := time.Now().Add(time.Duration(time.Duration(age) * time.Second))`

			`err = json.Unmarshal(data, &firebasePublicKeys.PublicKeys)`

			`if err != nil {`
			`firebasePublicKeys = firebasePKCache{}`
			`return nil, &firebaseKeyError{`
			`Message: "Error unmarshalling firebase public key json",`
			`Err: err,`
			`}`
			`}`

			`firebasePublicKeys.Expiration = expiration`
			`}`

			`if key, found := firebasePublicKeys.PublicKeys[kid.(string)]; found {`
			`k, err := jwt.ParseRSAPublicKeyFromPEM([]byte(key))`
			`return k, err`
			`}`

			`return nil, &firebaseKeyError{`
			`Message: "Error no matching public key for kid supplied in jwt",`
			`}`
			`}`