gwt

package
v0.60.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 2, 2026 License: MIT Imports: 31 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	DefaultCookieName = "g" // g as in garcon
	// DefaultPlan is the plan name in absence of "permissions" parametric parameters.
	DefaultPlan = "VIP"
	// DefaultPerm is the perm value in absence of "permissions" parametric parameters.
	DefaultPerm = 1
)

Variables

View Source 
var (
	ErrColumnInKey     = errors.New("found a column symbol in the key string but NemHMAC() does not support AlgoKey scheme => use NewVerifier(algoKey)")
	ErrECDSAPubKey     = errors.New("cannot parse the DER bytes as a valid ECDSA public key")
	ErrEdDSAPubKey     = errors.New("cannot decode the EdDSA public key, please provide 88 hexadecimal digits or a Base64 string containing about 59 characters")
	ErrES256PubKey     = errors.New("cannot decode the ECDSA-P256-SHA256 public key, please provide 182 hexadecimal digits or a Base64 string containing about 122 characters")
	ErrES384PubKey     = errors.New("cannot decode the ECDSA-P384-SHA384 public key, please provide 240 hexadecimal digits or a Base64 string containing 160 characters")
	ErrES512PubKey     = errors.New("cannot decode the ECDSA-P512-SHA512 public key, please provide 316 hexadecimal digits or a Base64 string containing about 211 characters")
	ErrExpiredToken    = errors.New("expired or invalid access token")
	ErrHMACKey         = errors.New("cannot decode the HMAC key, please provide a key in hexadecimal or Base64 form (64, 96 or 128 hexadecimal digits ; 43, 64 or 86 Base64 characters)")
	ErrHS256PubKey     = errors.New("cannot decode the HMAC-SHA256 key, please provide 64 hexadecimal digits or a Base64 string containing about 43 characters")
	ErrHS384PubKey     = errors.New("cannot decode the HMAC-SHA384 key, please provide 96 hexadecimal digits or a Base64 string containing 64 characters")
	ErrHS512PubKey     = errors.New("cannot decode the HMAC-SHA512 key, please provide 128 hexadecimal digits or a Base64 string containing about 86 characters")
	ErrJWTSignature    = errors.New("JWT signature mismatch")
	ErrNoAuthorization = errors.New("provide your JWT within the 'Authorization Bearer' HTTP header")
	ErrNoBase64JWT     = errors.New("the token claims (second part of the JWT) is not base64-valid")
	ErrNoBearer        = errors.New("malformed HTTP Authorization, must be Bearer")
	ErrNoValidJWT      = errors.New("cannot find a valid JWT in either the cookie or the first 'Authorization' HTTP header")
	ErrThreeParts      = errors.New("JWT must be composed of three parts separated by periods")
)
View Source 
var EncodingKey []byte

EncodingKey is used to encode each JWT secret key in the DB.

Functions

func AesGcmDecryptBin 

func AesGcmDecryptBin(encryptedBytes []byte) ([]byte, error)

func AesGcmDecryptHex 

func AesGcmDecryptHex(encryptedString string) (string, error)

AesGcmDecryptHex : decrypt content.

func AesGcmEncryptBin 

func AesGcmEncryptBin(plaintext []byte) ([]byte, error)

AesGcmEncryptBin : encrypt content.

func AesGcmEncryptHex 

func AesGcmEncryptHex(plaintext string) (string, error)

AesGcmEncryptHex : encrypt content.

func B64Decode 

func B64Decode(b64 []byte, reuse bool) ([]byte, error)

B64Decode avoid allocating memory when reuse=true by reusing the input buffer to return the base64-decoded result.

func DecryptVerificationKeyDER 

func DecryptVerificationKeyDER(algo string, accessKey []byte) ([]byte, error)

DecryptVerificationKeyDER returns the secret key for symmetric algos (like HMAC), or the public key for asymmetric algos (like RSA, EdDSA). The returned key is in DER format.

func GenAccessToken 

func GenAccessToken(timeout, maxTTL, user string, groups, orgs []string, secretKey []byte) (string, error)

GenAccessToken generates an access token with HS256 signing algo. Deprecated: Use `GenAccessTokenWithAlgo("HMAC", ...)`.

func GenAccessTokenWithAlgo 

func GenAccessTokenWithAlgo(algo, timeout, maxTTL, user string, groups, orgs []string, keyDER []byte) (string, error)

GenAccessTokenWithAlgo creates an Access Token with the JSON fields "exp", "usr", "grp" and "org".

func GenRefreshToken 

func GenRefreshToken(timeout, maxTTL, namespace, user string, secretKey []byte) (string, error)

GenRefreshToken generates a refresh token for a user in a namespace.

func GenerateEdDSAKey 

func GenerateEdDSAKey() []byte

GenerateEdDSAKey generates a random EdDSA-25519 key in DER format.

func GenerateKeyECDSA 

func GenerateKeyECDSA(c elliptic.Curve) []byte

GenerateKeyECDSA generates a random ECDSA private key in DER format.

func GenerateKeyHMAC 

func GenerateKeyHMAC(bits int) []byte

GenerateKeyHMAC generates a random HMAC-SHA256 key.

func GenerateKeyRSA 

func GenerateKeyRSA(bits int) []byte

GenerateKeyRSA generates a random RSA private key in DER format.

func GenerateSigningKey 

func GenerateSigningKey(algo string) ([]byte, error)

GenerateSigningKey produces the private key of the given algorithm. Supported algorithms:

- HS256 = HMAC using SHA-256 - HS384 = HMAC using SHA-384 - HS512 = HMAC using SHA-512 - RS256 = RSASSA-PKCS-v1.5 using SHA-256 - RS384 = RSASSA-PKCS-v1.5 using SHA-384 - RS512 = RSASSA-PKCS-v1.5 using SHA-512 - ES256 = ECDSA using P-256 and SHA-256 - ES384 = ECDSA using P-384 and SHA-384 - ES512 = ECDSA using P-521 and SHA-512 - EdDSA = Ed25519.

func GenerateSigningKeyHex 

func GenerateSigningKeyHex(algo string) (string, error)

GenerateSigningKeyHex produces the private key in hexadecimal form.

func NewAccessToken 

func NewAccessToken(maxTTL, user string, groups, orgs []string, hexKey string) string

func NewCookie 

func NewCookie(tokenizer Tokenizer, name, plan, user string, secure bool, dns, dir string) http.Cookie

func ParsePublicDER 

func ParsePublicDER(algo string, der []byte) (any, error)

ParsePublicDER converts a public key in DER form into the original public key.

func PrivateDER2Public 

func PrivateDER2Public(algo string, der []byte) (any, error)

PrivateDER2Public converts a private key into a public key depending on the algo.

func PrivateDER2PublicDER 

func PrivateDER2PublicDER(algo string, privateDER []byte) ([]byte, error)

PrivateDER2PublicDER converts a private key into a public key depending on the algo. The input and output are in DER form.

func SplitThreeParts 

func SplitThreeParts(jwt []byte) (p1, p2 int, _ error)

SplitThreeParts returns the period position decompose the JWT in three parts.

func ValidAccessToken 

func ValidAccessToken(accessToken, algo string, verificationKeyDER []byte) error

Types

type AccessClaims 

type AccessClaims struct {
	jwt.RegisteredClaims

	Username string   `json:"usr,omitempty"`
	Groups   []string `json:"grp,omitempty"`
	Orgs     []string `json:"org,omitempty"`
}

AccessClaims is the standard claims for a user access token.

func AccessClaimsFromBase64 

func AccessClaimsFromBase64(payload []byte, reuse bool) (*AccessClaims, error)

type Base 

type Base struct {
	// contains filtered or unexported fields
}

func (Base) Reuse 

func (b Base) Reuse() bool

type BytesKey 

type BytesKey struct {
	Base
	// contains filtered or unexported fields
}

type ECDSA 

type ECDSA struct {
	Base
	// contains filtered or unexported fields
}

type ES256 

type ES256 struct{ ECDSA }

func NewES256 

func NewES256(keyTxt string, reuse bool) (*ES256, error)

func (*ES256) Claims 

func (v *ES256) Claims(jwt []byte) (*AccessClaims, error)

func (*ES256) Verify 

func (v *ES256) Verify(hp, sig []byte) bool

type ES384 

type ES384 struct{ ECDSA }

func NewES384 

func NewES384(keyTxt string, reuse bool) (*ES384, error)

func (*ES384) Claims 

func (v *ES384) Claims(jwt []byte) (*AccessClaims, error)

func (*ES384) Verify 

func (v *ES384) Verify(hp, sig []byte) bool

type ES512 

type ES512 struct{ ECDSA }

func NewES512 

func NewES512(keyTxt string, reuse bool) (*ES512, error)

func (*ES512) Claims 

func (v *ES512) Claims(jwt []byte) (*AccessClaims, error)

func (*ES512) Verify 

func (v *ES512) Verify(hp, sig []byte) bool

type EdDSA 

type EdDSA struct{ BytesKey }

func NewEdDSA 

func NewEdDSA(keyTxt string, reuse bool) (*EdDSA, error)

func (*EdDSA) Claims 

func (v *EdDSA) Claims(jwt []byte) (*AccessClaims, error)

func (*EdDSA) Verify 

func (v *EdDSA) Verify(hp, sig []byte) bool

type HS256 

type HS256 struct{ BytesKey }

func NewHS256 

func NewHS256(keyTxt string, reuse bool) (*HS256, error)

func (*HS256) Claims 

func (v *HS256) Claims(jwt []byte) (*AccessClaims, error)

func (*HS256) GenAccessToken 

func (v *HS256) GenAccessToken(timeout, maxTTL, user string, groups, orgs []string) (string, error)

func (*HS256) Sign 

func (v *HS256) Sign(hp []byte) []byte

Sign return the signature of the first two parts. It allocates hmac.New() each time to avoid race condition.

func (*HS256) Verify 

func (v *HS256) Verify(hp, sig []byte) bool

type HS384 

type HS384 struct{ BytesKey }

func NewHS384 

func NewHS384(keyTxt string, reuse bool) (*HS384, error)

func (*HS384) Claims 

func (v *HS384) Claims(jwt []byte) (*AccessClaims, error)

func (*HS384) GenAccessToken 

func (v *HS384) GenAccessToken(timeout, maxTTL, user string, groups, orgs []string) (string, error)

func (*HS384) Sign 

func (v *HS384) Sign(hp []byte) []byte

func (*HS384) Verify 

func (v *HS384) Verify(hp, sig []byte) bool

type HS512 

type HS512 struct{ BytesKey }

func NewHS512 

func NewHS512(keyTxt string, reuse bool) (*HS512, error)

func (*HS512) Claims 

func (v *HS512) Claims(jwt []byte) (*AccessClaims, error)

func (*HS512) GenAccessToken 

func (v *HS512) GenAccessToken(timeout, maxTTL, user string, groups, orgs []string) (string, error)

func (*HS512) Sign 

func (v *HS512) Sign(hp []byte) []byte

func (*HS512) Verify 

func (v *HS512) Verify(hp, sig []byte) bool

type JWTChecker 

type JWTChecker struct {
	// contains filtered or unexported fields
}

func NewJWTChecker 

func NewJWTChecker(writer gg.Writer, urls []*url.URL, keyTxt, cookieName string, permissions ...any) *JWTChecker

NewJWTChecker supports keyTxt in hexadecimal and Base64 form Moreover the keyTxt parameter can also be prefixed by the signing algorithm. The keyTxt scheme is: `alg:xxxxxxxxxxxxxxxxxxxxxxxxxx` where `alg` is the optional algorithm name, and `xxxxxxxxxxxxxxxxxxxxxxxxxx` is the key encoded in either hexadecimal or unpadded Base64 as defined in RFC 4648 §5 (URL encoding).

func (*JWTChecker) Chk 

func (ck *JWTChecker) Chk(next http.Handler) http.Handler

Chk is a middleware to accept only HTTP requests having a valid cookie. Then, Chk puts the permission (of the JWT) in the request context.

func (*JWTChecker) Cookie 

func (ck *JWTChecker) Cookie(i int) *http.Cookie

Cookie returns a default cookie to facilitate testing.

func (*JWTChecker) PermFromBearerOrCookie 

func (ck *JWTChecker) PermFromBearerOrCookie(r *http.Request) (perm Perm, err []any)

func (*JWTChecker) PermFromCookie 

func (ck *JWTChecker) PermFromCookie(r *http.Request) (perm Perm, err []any)

func (*JWTChecker) PermFromJWT 

func (ck *JWTChecker) PermFromJWT(jwt string) (Perm, []any)

func (*JWTChecker) Set 

func (ck *JWTChecker) Set(next http.Handler) http.Handler

Set is a middleware putting a HttpOnly cookie in the HTTP response header when no valid cookie is present. The new cookie conveys the JWT of the first plan. Set also puts the permission from the JWT in the request context.

func (*JWTChecker) Vet 

func (ck *JWTChecker) Vet(next http.Handler) http.Handler

Vet is a middleware to accept only the HTTP request having a valid JWT. The JWT can be either in the cookie or in the first "Authorization" header. Then, Vet puts the permission (of the JWT) in the request context.

type Perm 

type Perm struct {
	Value int
}

func PermFromCtx 

func PermFromCtx(r *http.Request) Perm

PermFromCtx gets the permission information from the request context.

func (Perm) PutInCtx 

func (perm Perm) PutInCtx(r *http.Request) *http.Request

PutInCtx stores the permission info within the request context.

type RefreshClaims 

type RefreshClaims struct {
	jwt.RegisteredClaims

	Namespace string `json:"namespace,omitempty"`
	Username  string `json:"username,omitempty"`
}

RefreshClaims is the standard claims for a user refresh token.

type Tokenizer 

type Tokenizer interface {
	GenAccessToken(timeout, maxTTL, user string, groups, orgs []string) (string, error)
	Sign(headerPayload []byte) []byte
	Verifier
}

func NewHMAC 

func NewHMAC(keyTxt string, reuse bool) (Tokenizer, error)

NewHMAC creates an asymmetric-key Tokenizer based on HMAC algorithms.

type Verifier 

type Verifier interface {
	Claims(accessToken []byte) (*AccessClaims, error)
	Verify(headerPayload, signature []byte) bool
	Reuse() bool
}

func NewVerifier 

func NewVerifier(algoKey string, reuse bool) (Verifier, error)

NewVerifier creates a new Verifier to speed up the verification of many Access Tokens with the same verification key.

The parameter algoKey accepts three different schemes:

  1. only a HMAC secret key: algoKey = "9d2e0a02121179a3c3de1b035ae1355b1548781c8ce8538a1dc0853a12dfb13d"

  2. both the signing algo and its verification key: algoKey = "HS256:9d2e0a02121179a3c3de1b035ae1355b1548781c8ce8538a1dc0853a12dfb13d"

  3. the Quid URL to fetch the algo/key info from a given namespace algoKey = "https://lynxai.eu/quid/v1?ns=foobar"

In the two first forms, NewVerifier accepts the key to be in hexadecimal, or in Base64 form. NewVerifier converts the verification key into binary DER form depending on the key string length and the optional algo name. The algo name is case insensitive.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.