2023-07-31 15:55:40 +03:00
|
|
|
package auth
|
|
|
|
|
|
|
|
import (
|
2023-09-14 15:16:17 +03:00
|
|
|
"fmt"
|
2023-07-31 15:55:40 +03:00
|
|
|
"time"
|
2023-09-14 15:16:17 +03:00
|
|
|
|
|
|
|
"github.com/golang-jwt/jwt/v4"
|
2023-07-31 15:55:40 +03:00
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
// issuer is the issuer of the jwt token.
|
|
|
|
Issuer = "memos"
|
|
|
|
// Signing key section. For now, this is only used for signing, not for verifying since we only
|
|
|
|
// have 1 version. But it will be used to maintain backward compatibility if we change the signing mechanism.
|
|
|
|
KeyID = "v1"
|
|
|
|
// AccessTokenAudienceName is the audience name of the access token.
|
|
|
|
AccessTokenAudienceName = "user.access-token"
|
|
|
|
AccessTokenDuration = 7 * 24 * time.Hour
|
|
|
|
|
|
|
|
// CookieExpDuration expires slightly earlier than the jwt expiration. Client would be logged out if the user
|
|
|
|
// cookie expires, thus the client would always logout first before attempting to make a request with the expired jwt.
|
|
|
|
CookieExpDuration = AccessTokenDuration - 1*time.Minute
|
|
|
|
// AccessTokenCookieName is the cookie name of access token.
|
|
|
|
AccessTokenCookieName = "memos.access-token"
|
|
|
|
)
|
2023-09-14 15:16:17 +03:00
|
|
|
|
|
|
|
type ClaimsMessage struct {
|
|
|
|
Name string `json:"name"`
|
|
|
|
jwt.RegisteredClaims
|
|
|
|
}
|
|
|
|
|
|
|
|
// GenerateAccessToken generates an access token.
|
2023-09-20 15:48:34 +03:00
|
|
|
func GenerateAccessToken(username string, userID int32, expirationTime time.Time, secret []byte) (string, error) {
|
|
|
|
return generateToken(username, userID, AccessTokenAudienceName, expirationTime, secret)
|
2023-09-14 15:16:17 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
// generateToken generates a jwt token.
|
|
|
|
func generateToken(username string, userID int32, audience string, expirationTime time.Time, secret []byte) (string, error) {
|
|
|
|
registeredClaims := jwt.RegisteredClaims{
|
|
|
|
Issuer: Issuer,
|
|
|
|
Audience: jwt.ClaimStrings{audience},
|
|
|
|
IssuedAt: jwt.NewNumericDate(time.Now()),
|
|
|
|
Subject: fmt.Sprint(userID),
|
|
|
|
}
|
2023-09-20 15:48:34 +03:00
|
|
|
if !expirationTime.IsZero() {
|
2023-09-14 15:16:17 +03:00
|
|
|
registeredClaims.ExpiresAt = jwt.NewNumericDate(expirationTime)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Declare the token with the HS256 algorithm used for signing, and the claims.
|
|
|
|
token := jwt.NewWithClaims(jwt.SigningMethodHS256, &ClaimsMessage{
|
|
|
|
Name: username,
|
|
|
|
RegisteredClaims: registeredClaims,
|
|
|
|
})
|
|
|
|
token.Header["kid"] = KeyID
|
|
|
|
|
|
|
|
// Create the JWT string.
|
|
|
|
tokenString, err := token.SignedString(secret)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
|
|
|
return tokenString, nil
|
|
|
|
}
|