
jwt-auth's Issues

Nice package!

Looked through the code and examples, this is a nice looking JWT package. I do have a suggestion though: rename the /src directory to /jwt so the package name is jwt. A package name of "src" is very confusing, and not idiomatic in Go. I'm looking forward to playing with this.

Refresh token being sent in each request?

When using bearer tokens, you'll need to include the auth and refresh jwt's (along with your csrf secret) in each request.

The whole point of the auth token is so that we don't need to send the refresh token each time?

Error in Quickstart Example

I did a "go get github.com/adam-hanna/jwt-auth/src", then I tried to run the QuickStart example with "go run quickstart.go" and I get the error:

# github.com/adam-hanna/jwt-auth/src
../github.com/adam-hanna/jwt-auth/src/jwt.go:20: undefined: jwt.StandardClaims

I assume I am missing a library can you tell me what it is?

Tokens in Context

It would be useful to have AuthToken, RefreshToken, X-Csrf-Token and expiration in the request.Context(). This is useful if you need to send tokens in the request body or do something else with the tokens:

    authTokenString := jwtauth.GetAuthTokenFromContext(r.Context())
    refreshTokenString := jwtauth.GetRefreshTokenFromContext(r.Context())
    csrfTokenString := jwtauth.GetCSRFTokenFromContext(r.Context())

    // do stuffs with tokens

Max-Age in setCredentialsOnResponseWriter function

    // tokens are in cookies
    // note: don't use an "Expires" in auth cookies bc browsers won't send expired cookies?
    authCookie := http.Cookie{
        Name:  a.options.AuthTokenName,
        Value: authTokenString,
        Path:  "/",
        // Expires: time.Now().Add(a.options.AuthTokenValidTime),
        HttpOnly: true,
        Secure:   !a.options.IsDevEnv,
    }
    http.SetCookie(w, &authCookie)

You've commented "Expires" and you're not setting "MaxAge" either:
MaxAge: int(a.options.AuthTokenValidTime.Seconds()),
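As an added example (not the library's code), here is the same cookie built with MaxAge derived from the token lifetime, plus a helper that returns the Set-Cookie header the browser actually receives; cookieOptions is an assumed stand-in for a.options.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// cookieOptions mirrors the a.options fields the snippet above reads (assumed names).
type cookieOptions struct {
	AuthTokenName      string
	AuthTokenValidTime time.Duration
	IsDevEnv           bool
}

// buildAuthCookie sets Max-Age from the token lifetime so the browser discards
// the cookie when the token expires, instead of keeping a session cookie with a
// stale token around until the browser closes.
func buildAuthCookie(opts cookieOptions, authTokenString string) *http.Cookie {
	return &http.Cookie{
		Name:     opts.AuthTokenName,
		Value:    authTokenString,
		Path:     "/",
		MaxAge:   int(opts.AuthTokenValidTime.Seconds()),
		HttpOnly: true,
		Secure:   !opts.IsDevEnv,
	}
}

// setCookieHeader writes the cookie to a recorder and returns the raw
// Set-Cookie header, which is what you would inspect in devtools or a test.
func setCookieHeader(opts cookieOptions, authTokenString string) string {
	w := httptest.NewRecorder()
	http.SetCookie(w, buildAuthCookie(opts, authTokenString))
	return w.Header().Get("Set-Cookie")
}

// hasAttr reports whether a Set-Cookie header carries the given attribute
// (e.g. "Max-Age=900", "HttpOnly", "Secure"), matching case-insensitively.
func hasAttr(header, attr string) bool {
	for _, part := range strings.Split(header, ";") {
		if strings.EqualFold(strings.TrimSpace(part), attr) {
			return true
		}
	}
	return false
}
```

With AuthTokenValidTime left at zero the header carries no Max-Age at all, which is the session-cookie behaviour the report describes.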

Echo example and odd behaviour

Hi,

First of all, echo example seems kind of outdated. I need to use something like this, to make things work (with echo v3):

e.Use(echo.WrapMiddleware(restrictedRoute.Handler))

and (with echo v2):

e.Use(standard.WrapMiddleware(restrictedRoute.Handler))

Second, it seems that this thing works really weird in here. When I define routes:

/foo
/bar
--- here, i'm using restrictedRoute handler as middleware ----
/baz
/bam

Instead of "protecting" routes /baz and /bam it goes global and includes routes /foo and /bar. Why is that?

validateCsrfStringAgainstCredentials() panic

ERROR
http: panic serving 127.0.0.1:49244: runtime error: invalid memory address or nil pointer dereference

echo: http: panic serving 127.0.0.1:49244: runtime error: invalid memory address or nil pointer dereference
goroutine 16 [running]:
net/http.(*conn).serve.func1(0xc4201ae500)
/usr/lib/go-1.8/src/net/http/server.go:1721 +0xd0
panic(0x897be0, 0xb59280)
/usr/lib/go-1.8/src/runtime/panic.go:489 +0x2cf
/adam-hanna/jwt-auth/jwt.(*credentials).validateCsrfStringAgainstCredentials(0xc4201736d0, 0x1bf08eb000)
/adam-hanna/jwt-auth/jwt/credentials.go:93 +0x3e
/adam-hanna/jwt-auth/jwt.(*credentials).validateAndUpdateCredentials(0xc4201736d0, 0xc420326000)
/adam-hanna/jwt-auth/jwt/credentials.go:162 +0x43
/adam-hanna/jwt-auth/jwt.(*Auth).Process(0xc4202020f0, 0xb32e60, 0xc420173630, 0xc420326000, 0x8d43e0)
/adam-hanna/jwt-auth/jwt/auth.go:337 +0x249
/adam-hanna/jwt-auth/jwt.(*Auth).Handler.func1(0xb32e60, 0xc420173630, 0xc420326000)
/adam-hanna/jwt-auth/jwt/auth.go:275 +0x7a
net/http.HandlerFunc.ServeHTTP(0xc4201b0880, 0xb32e60, 0xc420173630, 0xc420326000)
/usr/lib/go-1.8/src/net/http/server.go:1942 +0x44
/vendor/github.com/labstack/echo.WrapMiddleware.func1.1(0xb3a3c0, 0xc42014f570, 0x20, 0x8c4b80)
/vendor/github.com/labstack/echo/echo.go:694 +0x174
/vendor/github.com/labstack/echo.(*Echo).Add.func1(0xb3a3c0, 0xc42014f570, 0xc420173630, 0xb334a0)
/vendor/github.com/labstack/echo/echo.go:477 +0x90
/vendor/github.com/labstack/echo/middleware.GzipWithConfig.func1.1(0xb3a3c0, 0xc42014f570, 0x0, 0x0)
/vendor/github.com/labstack/echo/middleware/compress.go:92 +0x173
/vendor/github.com/labstack/echo/middleware.CORSWithConfig.func1.1(0xb3a3c0, 0xc42014f570, 0xf, 0x91aff1)
/vendor/github.com/labstack/echo/middleware/cors.go:113 +0x2e7
/vendor/github.com/labstack/echo/middleware.SecureWithConfig.func1.1(0xb3a3c0, 0xc42014f570, 0xb658e0, 0xc420057b18)
/vendor/github.com/labstack/echo/middleware/secure.go:113 +0x2af
/vendor/github.com/labstack/echo/middleware.LoggerWithConfig.func2.1(0xb3a3c0, 0xc42014f570, 0x0, 0x0)
/vendor/github.com/labstack/echo/middleware/logger.go:111 +0x12b
...
/vendor/github.com/labstack/echo.(*Echo).ServeHTTP.func1(0xb3a3c0, 0xc42014f570, 0xc420198ef8, 0x914a60)
/vendor/github.com/labstack/echo/echo.go:574 +0x10e
/vendor/github.com/labstack/echo.(*Echo).ServeHTTP(0xc420198ea0, 0xb334a0, 0xc4201550a0, 0xc420326000)
/vendor/github.com/labstack/echo/echo.go:583 +0x24d
net/http.serverHandler.ServeHTTP(0xc4201b60b0, 0xb334a0, 0xc4201550a0, 0xc420326000)
/usr/lib/go-1.8/src/net/http/server.go:2568 +0x92
net/http.(*conn).serve(0xc4201ae500, 0xb33f20, 0xc4201aa900)
/usr/lib/go-1.8/src/net/http/server.go:1825 +0x612
created by net/http.(*Server).Serve
/usr/lib/go-1.8/src/net/http/server.go:2668 +0x2ce

REQUEST HEADER
X-Auth-Token : null
X-Refresh-Token : null
X-Csrf-Token : null

PANIC
credentials.go:92
func (c *credentials) validateCsrfStringAgainstCredentials() *jwtError {
authTokenClaims, ok := c.AuthToken.Token.Claims.(*ClaimsType) <<< PANIC! ( c.AuthToken.Token is nil )

c.AuthToken.Token is nil
c.RefreshToken.Token is nil

MY BUGFIX
jwtToken.go:42

if token == nil {
	token = new(jwtGo.Token)
	token.Claims = new(ClaimsType)
	c.myLog("token is nil, set empty token (parse error=" + err.Error() + ")")
}
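An added example (not the library's code) that contrasts the unguarded assertion from the trace with a nil-safe version which rejects the request instead of substituting an empty token; claimsType, token and jwtToken are assumed stand-ins for the library's ClaimsType and jwtGo.Token.

```go
package main

import (
	"crypto/subtle"
	"errors"
)

// Stand-ins for the library's ClaimsType and jwtGo.Token (assumed shapes).
type claimsType struct{ Csrf string }
type token struct{ Claims interface{} }
type jwtToken struct{ Token *token }
type credentials struct{ AuthToken *jwtToken }

var errNoToken = errors.New("auth token missing or unparseable")
var errCsrf = errors.New("csrf string does not match credentials")

// unguarded mirrors credentials.go:93 from the report: when a parse failure
// left Token nil, the field access panics before the comma-ok assertion runs.
func (c *credentials) unguarded(csrfString string) error {
	claims, ok := c.AuthToken.Token.Claims.(*claimsType)
	if !ok || claims.Csrf != csrfString {
		return errCsrf
	}
	return nil
}

// guarded checks every pointer on the path and rejects the request with an
// error rather than substituting an empty token: an empty claims set must
// never pass as a parsed token. The CSRF comparison is constant-time.
func (c *credentials) guarded(csrfString string) error {
	if c == nil || c.AuthToken == nil || c.AuthToken.Token == nil {
		return errNoToken
	}
	claims, ok := c.AuthToken.Token.Claims.(*claimsType)
	if !ok || claims == nil {
		return errNoToken
	}
	if csrfString == "" || subtle.ConstantTimeCompare([]byte(claims.Csrf), []byte(csrfString)) != 1 {
		return errCsrf
	}
	return nil
}

// panics reports whether f panics, so the two paths can be compared in a test.
func panics(f func()) (did bool) {
	defer func() { did = recover() != nil }()
	f()
	return false
}
```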

Tech docs spelling/grammar

Changes

There were a few issues within the README so I added clarity and made grammatical corrections.
I've gone ahead and made a pull request if you find the changes to be suitable.

usage of log instead of myLog in auth-util.go

Hey, you used the function log instead of myLog on lines 84-85 of the file auth-util.go.
Because of that, even if you set options.Debug to false it keeps displaying logs.
It's not a big issue but it can get quite annoying, as the concerned function is called quite often ;)
