adam-hanna / jwt-auth
This package provides JSON Web Token (JWT) middleware for Go HTTP servers
License: MIT License
Looked through the code and examples, this is a nice looking JWT package. I do have a suggestion though: rename the /src directory to /jwt so the package name is jwt. A package name of "src" is very confusing, and not idiomatic in Go. I'm looking forward to playing with this.
When using bearer tokens, you'll need to include the auth and refresh jwt's (along with your csrf secret) in each request.
The whole point of the auth token is so that we don't need to send the refresh token each time?
I did a "go get github.com/adam-hanna/jwt-auth/src", then I tried to run the QuickStart example with "go run quickstart.go" and I get the error:
# github.com/adam-hanna/jwt-auth/src
../github.com/adam-hanna/jwt-auth/src/jwt.go:20: undefined: jwt.StandardClaims
I assume I am missing a library; can you tell me what it is?
It would be useful to have AuthToken, RefreshToken, X-Csrf-Token and expiration in the request.Context(). This is useful if you need to send tokens in the request body or do something else with the tokens.
authTokenString := jwtauth.GetAuthTokenFromContext(r.Context())
refreshTokenString := jwtauth.GetRefreshTokenFromContext(r.Context())
csrfTokenString := jwtauth.GetCSRFTokenFromContext(r.Context())
// do stuffs with tokens
// tokens are in cookies
// note: don't use an "Expires" in auth cookies bc browsers won't send expired cookies?
authCookie := http.Cookie{
	Name:  a.options.AuthTokenName,
	Value: authTokenString,
	Path:  "/",
	// Expires: time.Now().Add(a.options.AuthTokenValidTime),
	HttpOnly: true,
	Secure:   !a.options.IsDevEnv,
}
http.SetCookie(w, &authCookie)
You've commented "Expires" and you're not setting "MaxAge" either:
MaxAge: int(a.options.AuthTokenValidTime.Seconds()),
Hi,
First of all, the echo example seems kind of outdated. I need to use something like this to make things work (with echo v3):
e.Use(echo.WrapMiddleware(restrictedRoute.Handler))
and (with echo v2):
e.Use(standard.WrapMiddleware(restrictedRoute.Handler))
Second, it seems that this thing works really weirdly here. When I define routes:
/foo
/bar
--- here, I'm using the restrictedRoute handler as middleware ---
/baz
/bam
Instead of "protecting" routes /baz and /bam it goes global and includes routes /foo and /bar. Why is that?
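Why the restriction went global, as an added standard-library illustration (not the project's or echo's code): a middleware registered on the server applies to every route, so guarding a subset means wrapping only those handlers (in echo, a Group carrying the middleware plays the same role). The header check, handler and route names are constructed for this example.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// requireAuthHeader stands in for the jwt-auth handler: a plain
// func(http.Handler) http.Handler, so where it is applied decides what it guards.
func requireAuthHeader(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Auth-Token") == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newRouter leaves /foo and /bar open and wraps only /baz and /bam. Attaching the
// middleware to the server itself (echo's e.Use, or wrapping the whole mux here)
// is what made every route restricted in the report above.
func newRouter() http.Handler {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	mux := http.NewServeMux()
	mux.Handle("/foo", ok)
	mux.Handle("/bar", ok)
	mux.Handle("/baz", requireAuthHeader(ok))
	mux.Handle("/bam", requireAuthHeader(ok))
	return mux
}

// statusFor drives a handler with an in-memory request and returns the status
// code, so the scoping can be checked without opening a socket.
func statusFor(h http.Handler, path string, withToken bool) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if withToken {
		req.Header.Set("X-Auth-Token", "constructed-sample-token")
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```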
ERROR
http: panic serving 127.0.0.1:49244: runtime error: invalid memory address or nil pointer dereference
echo: http: panic serving 127.0.0.1:49244: runtime error: invalid memory address or nil pointer dereference
goroutine 16 [running]:
net/http.(*conn).serve.func1(0xc4201ae500)
/usr/lib/go-1.8/src/net/http/server.go:1721 +0xd0
panic(0x897be0, 0xb59280)
/usr/lib/go-1.8/src/runtime/panic.go:489 +0x2cf
/adam-hanna/jwt-auth/jwt.(*credentials).validateCsrfStringAgainstCredentials(0xc4201736d0, 0x1bf08eb000)
/adam-hanna/jwt-auth/jwt/credentials.go:93 +0x3e
/adam-hanna/jwt-auth/jwt.(*credentials).validateAndUpdateCredentials(0xc4201736d0, 0xc420326000)
/adam-hanna/jwt-auth/jwt/credentials.go:162 +0x43
/adam-hanna/jwt-auth/jwt.(*Auth).Process(0xc4202020f0, 0xb32e60, 0xc420173630, 0xc420326000, 0x8d43e0)
/adam-hanna/jwt-auth/jwt/auth.go:337 +0x249
/adam-hanna/jwt-auth/jwt.(*Auth).Handler.func1(0xb32e60, 0xc420173630, 0xc420326000)
/adam-hanna/jwt-auth/jwt/auth.go:275 +0x7a
net/http.HandlerFunc.ServeHTTP(0xc4201b0880, 0xb32e60, 0xc420173630, 0xc420326000)
/usr/lib/go-1.8/src/net/http/server.go:1942 +0x44
/vendor/github.com/labstack/echo.WrapMiddleware.func1.1(0xb3a3c0, 0xc42014f570, 0x20, 0x8c4b80)
/vendor/github.com/labstack/echo/echo.go:694 +0x174
/vendor/github.com/labstack/echo.(*Echo).Add.func1(0xb3a3c0, 0xc42014f570, 0xc420173630, 0xb334a0)
/vendor/github.com/labstack/echo/echo.go:477 +0x90
/vendor/github.com/labstack/echo/middleware.GzipWithConfig.func1.1(0xb3a3c0, 0xc42014f570, 0x0, 0x0)
/vendor/github.com/labstack/echo/middleware/compress.go:92 +0x173
/vendor/github.com/labstack/echo/middleware.CORSWithConfig.func1.1(0xb3a3c0, 0xc42014f570, 0xf, 0x91aff1)
/vendor/github.com/labstack/echo/middleware/cors.go:113 +0x2e7
/vendor/github.com/labstack/echo/middleware.SecureWithConfig.func1.1(0xb3a3c0, 0xc42014f570, 0xb658e0, 0xc420057b18)
/vendor/github.com/labstack/echo/middleware/secure.go:113 +0x2af
/vendor/github.com/labstack/echo/middleware.LoggerWithConfig.func2.1(0xb3a3c0, 0xc42014f570, 0x0, 0x0)
/vendor/github.com/labstack/echo/middleware/logger.go:111 +0x12b
...
/vendor/github.com/labstack/echo.(*Echo).ServeHTTP.func1(0xb3a3c0, 0xc42014f570, 0xc420198ef8, 0x914a60)
/vendor/github.com/labstack/echo/echo.go:574 +0x10e
/vendor/github.com/labstack/echo.(*Echo).ServeHTTP(0xc420198ea0, 0xb334a0, 0xc4201550a0, 0xc420326000)
/vendor/github.com/labstack/echo/echo.go:583 +0x24d
net/http.serverHandler.ServeHTTP(0xc4201b60b0, 0xb334a0, 0xc4201550a0, 0xc420326000)
/usr/lib/go-1.8/src/net/http/server.go:2568 +0x92
net/http.(*conn).serve(0xc4201ae500, 0xb33f20, 0xc4201aa900)
/usr/lib/go-1.8/src/net/http/server.go:1825 +0x612
created by net/http.(*Server).Serve
/usr/lib/go-1.8/src/net/http/server.go:2668 +0x2ce
REQUEST HEADER
X-Auth-Token : null
X-Refresh-Token : null
X-Csrf-Token : null
PANIC
credentials.go:92
func (c *credentials) validateCsrfStringAgainstCredentials() *jwtError {
authTokenClaims, ok := c.AuthToken.Token.Claims.(*ClaimsType) <<< PANIC! ( c.AuthToken.Token is nil )
c.AuthToken.Token is nil
c.RefreshToken.Token is nil
MY BUGFIX
jwtToken.go:42
if token == nil {
	token = new(jwtGo.Token)
	token.Claims = new(ClaimsType)
	c.myLog("token is nil, set empty token (parse error=" + err.Error() + ")")
}
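The nil-safe shape the report is asking for, as an added example rather than the project's code: a minimal HS256 verifier that returns nil claims on any failure, and a caller that refuses absent or literal "null" headers before dereferencing anything. The claims field name, the key and the CSRF header value are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

type claims struct {
	Csrf string `json:"csrf"` // the only field compared here; name is an assumption
}

// parseHS256 verifies a compact JWS with a fixed algorithm (the header's alg is
// never consulted) and returns nil claims plus an error for anything that fails.
func parseHS256(tok string, key []byte) (*claims, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	m := hmac.New(sha256.New, key)
	m.Write([]byte(p[0] + "." + p[1]))
	sig, err := base64.RawURLEncoding.DecodeString(p[2])
	if err != nil || !hmac.Equal(sig, m.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(p[1])
	var c claims
	if err != nil || json.Unmarshal(body, &c) != nil {
		return nil, errors.New("bad claims")
	}
	return &c, nil
}

// authorize rejects an empty or literal "null" header (as in the request above) first.
func authorize(authHdr, csrfHdr string, key []byte) error {
	if authHdr = strings.TrimSpace(authHdr); authHdr == "" || authHdr == "null" {
		return errors.New("no token presented")
	}
	c, err := parseHS256(authHdr, key)
	if err != nil {
		return err // c is nil on this path; never read c.Csrf here
	}
	if csrfHdr == "" || !hmac.Equal([]byte(csrfHdr), []byte(c.Csrf)) {
		return errors.New("csrf mismatch")
	}
	return nil
}
```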
There were a few issues within the README so I added clarity and made grammatical corrections.
I've gone ahead and made a pull request if you find the changes to be suitable.
Hey, you used the function log instead of myLog on lines 84-85 of the file auth-util.go. Due to that, even if you set options.Debug to false it keeps displaying logs. It's not a big issue but it can get quite annoying as the concerned function is called quite often ;)
The Auth's process function is unexported, so I can't use it when working with Gin and Iris.
Hello there
Although this is a quite unlikely scenario, the auth.Handler will panic, caused by line 412 in auth.go, if the refresh token is not sent with the request. Maybe error branching after calling err := auth.Process() instead of just checking for err != nil would be a viable solution?
Kind Regards
Hi there
In the NullifyTokens() func you want to delete / invalidate the authCookie and refreshCookie. Unfortunately this does not work if the cookie has no value for the path attribute. The browser ignores the Set-Cookie headers and the cookies are preserved.
Kind Regards
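Added example (not the project's code) covering both the commented-out Expires in the cookie snippet above and the path problem in NullifyTokens: issue the cookie with a Max-Age and an explicit Path, and clear it with a cookie that copies the same Name, Path and Domain. The cookie name, validity window and SameSite setting are assumptions supplied by the caller.

```go
package main

import (
	"net/http"
	"time"
)

// issueCookie sets the token cookie with an explicit Path and a Max-Age derived
// from the validity window (left commented out in the snippet above, which makes
// the cookie a session cookie). SameSite is an addition, not on the page.
func issueCookie(name, value string, validFor time.Duration, devEnv bool) *http.Cookie {
	return &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		MaxAge:   int(validFor.Seconds()),
		HttpOnly: true,
		Secure:   !devEnv,
		SameSite: http.SameSiteLaxMode,
	}
}

// nullifyCookie builds the clearing cookie. Browsers replace a cookie only when
// Name, Domain and Path all match, so those are copied from the cookie being
// cleared instead of left empty (the cause of the preserved cookies reported above).
func nullifyCookie(orig *http.Cookie) *http.Cookie {
	c := *orig
	c.Value = ""
	c.MaxAge = -1               // net/http emits Max-Age=0 for a negative value
	c.Expires = time.Unix(0, 0) // for clients that honour Expires but not Max-Age
	return &c
}

// sameScope reports whether a clearing cookie actually targets the original;
// a regression check for the pathless Set-Cookie described in the issue.
func sameScope(orig, clearing *http.Cookie) bool {
	return orig.Name == clearing.Name && orig.Path == clearing.Path &&
		orig.Domain == clearing.Domain
}
```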