From 052f8a3a63bf8c52b72b5e20ffd0a5d22372e5ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Tikvi=C4=87?=
Date: Mon, 5 Mar 2018 15:59:27 +0100
Subject: [PATCH] token validation extended

---
 auth_utility.go | 39 ++++++++++-----------------------------
 1 file changed, 10 insertions(+), 29 deletions(-)

diff --git a/auth_utility.go b/auth_utility.go
index 7833b40..2348f8b 100644
--- a/auth_utility.go
+++ b/auth_utility.go
@@ -119,12 +119,20 @@ func RefreshAuthToken(req *http.Request) (TokenClaims, error) {
 tokenstr := strings.TrimPrefix(authHead, "Bearer ")
 token, err := jwt.ParseWithClaims(tokenstr, &TokenClaims{}, secretFunc)
 if err != nil {
- return TokenClaims{}, err
+ if validation, ok := err.(*jwt.ValidationError); ok {
+ // don't return error if token is expired
+ // just extend it
+ if !(validation.Errors&jwt.ValidationErrorExpired != 0) {
+ return TokenClaims{}, err
+ }
+ } else {
+ return TokenClaims{}, err
+ }
 }
 // type assertion
 claims, ok := token.Claims.(*TokenClaims)
- if !ok || !token.Valid {
+ if !ok {
 return TokenClaims{}, errors.New("token is not valid")
 }
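Review bot: The new guard `if !(validation.Errors&jwt.ValidationErrorExpired != 0)` only confirms that the Expired flag is set in the error bitmask; it does not require expiry to be the only failure, so a ValidationError that carries Expired together with another flag (a signature or claims failure, if the library accumulates flags as its bitmask suggests) falls through to the refresh path instead of being rejected. Because the same hunk drops the `!token.Valid` check two lines below, nothing downstream catches that case either. Make expiry the sole accepted error: `if validation.Errors != jwt.ValidationErrorExpired {`. The hunk also shows no bound on how long after expiry a token may still be refreshed (no comparison of ExpiresAt against the current time), so consider enforcing a refresh window here and documenting it in place of the two-line comment, e.g. `// only a token whose sole defect is expiry is accepted here, so it can be re-issued; any other validation failure is rejected`. RefreshAuthToken's body begins and ends outside the hunk.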
@@ -164,33 +172,6 @@ func RbacCheck(req *http.Request, authRoles []string) bool {
 return false
 }
-// TODO
-func AuthCheck(req *http.Request, authRoles []string) (*TokenClaims, error) {
- if authRoles == nil {
- return &TokenClaims{}, nil
- }
-
- // validate token and check expiration date
- claims, err := GetTokenClaims(req)
- if err != nil {
- return &TokenClaims{}, err
- }
- // check if token has expired
- if claims.ExpiresAt < (time.Now()).Unix() {
- return &TokenClaims{}, errors.New("token has expired")
- }
-
- // check if role extracted from token matches
- // any of the provided (allowed) ones
- for _, r := range authRoles {
- if claims.Role == r || r == "*" {
- return claims, nil
- }
- }
-
- return claims, errors.New("role is not authorized")
-}
-
 // GetTokenClaims extracts JWT claims from Authorization header of the request.
 // Returns token claims or an error.
 func GetTokenClaims(req *http.Request) (*TokenClaims, error) {
-- 
1.8.1.2