Commit 052f8a3a63bf8c52b72b5e20ffd0a5d22372e5ab

Authored by Marko Tikvić
1 parent 61efd58cdb
Exists in master and in 1 other branch v2

token validation extended

Showing 1 changed file with 10 additions and 29 deletions   Show diff stats
... ... @@ -119,12 +119,20 @@ func RefreshAuthToken(req *http.Request) (TokenClaims, error) {
119 119 tokenstr := strings.TrimPrefix(authHead, "Bearer ")
120 120 token, err := jwt.ParseWithClaims(tokenstr, &TokenClaims{}, secretFunc)
121 121 if err != nil {
122   - return TokenClaims{}, err
  122 + if validation, ok := err.(*jwt.ValidationError); ok {
  123 + // don't return error if token is expired
  124 + // just extend it
  125 + if !(validation.Errors&jwt.ValidationErrorExpired != 0) {
  126 + return TokenClaims{}, err
  127 + }
  128 + } else {
  129 + return TokenClaims{}, err
  130 + }
123 131 }
124 132  
125 133 // type assertion
126 134 claims, ok := token.Claims.(*TokenClaims)
127   - if !ok || !token.Valid {
  135 + if !ok {
128 136 return TokenClaims{}, errors.New("token is not valid")
129 137 }
130 138  
... ... @@ -164,33 +172,6 @@ func RbacCheck(req *http.Request, authRoles []string) bool {
164 172 return false
165 173 }
166 174  
167   -// TODO
168   -func AuthCheck(req *http.Request, authRoles []string) (*TokenClaims, error) {
169   - if authRoles == nil {
170   - return &TokenClaims{}, nil
171   - }
172   -
173   - // validate token and check expiration date
174   - claims, err := GetTokenClaims(req)
175   - if err != nil {
176   - return &TokenClaims{}, err
177   - }
178   - // check if token has expired
179   - if claims.ExpiresAt < (time.Now()).Unix() {
180   - return &TokenClaims{}, errors.New("token has expired")
181   - }
182   -
183   - // check if role extracted from token matches
184   - // any of the provided (allowed) ones
185   - for _, r := range authRoles {
186   - if claims.Role == r || r == "*" {
187   - return claims, nil
188   - }
189   - }
190   -
191   - return claims, errors.New("role is not authorized")
192   -}
193   -
194 175 // GetTokenClaims extracts JWT claims from Authorization header of the request.
195 176 // Returns token claims or an error.
196 177 func GetTokenClaims(req *http.Request) (*TokenClaims, error) {
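Review bot: The new check on line 125 of the new side only tests whether the Expired bit is set, not whether expiry is the sole failure; `jwt.ValidationError.Errors` is a bitmask, so a token whose claims are expired and whose signature does not verify carries both bits and now passes through to the refresh path, which was previously caught by the `!token.Valid` check that line 135 drops. The guard should accept exactly one failure, `if validation.Errors != jwt.ValidationErrorExpired { return TokenClaims{}, err }`, which also removes the `!(... != 0)` double negation. It would also be worth documenting, in the comment above it, how long after `exp` a token may still be refreshed, since as written there is no upper bound on the age of an expired token that gets extended. RefreshAuthToken starts and ends outside the hunk, so I cannot see whether a later check covers this.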
... ...