jwt/jwt.go

package jwt

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"
)

// TimeFunc provides the current time when parsing token to validate "exp" claim (expiration time).
// You can override it to use another time value.  This is useful for testing or if your
// server uses a different time zone than your tokens.
var TimeFunc = time.Now

// Parse methods use this callback function to supply
// the key for verification.  The function receives the parsed,
// but unverified Token.  This allows you to use propries in the
// Header of the token (such as `kid`) to identify which key to use.
type Keyfunc func(*Token) ([]byte, error)

// A JWT Token
type Token struct {
	Raw    string
	Header map[string]interface{}
	Claims map[string]interface{}
	Method SigningMethod
	// This is only populated when you Parse a token
	Signature string
	// This is only populated when you Parse/Verify a token
	Valid bool
}

func New(method SigningMethod) *Token {
	return &Token{
		Header: map[string]interface{}{
			"typ": "JWT",
			"alg": method.Alg(),
		},
		Claims: make(map[string]interface{}),
		Method: method,
	}
}

// Get the complete, signed token
func (t *Token) SignedString(key []byte) (string, error) {
	var sig, sstr string
	var err error
	if sstr, err = t.SigningString(); err != nil {
		return "", err
	}
	if sig, err = t.Method.Sign(sstr, key); err != nil {
		return "", err
	}
	return strings.Join([]string{sstr, sig}, "."), nil
}

// Generate the signing string.  This is the
// most expensive part of the whole deal.  Unless you
// need this for something special, just go straight for
// the SignedString.
func (t *Token) SigningString() (string, error) {
	var err error
	parts := make([]string, 2)
	for i, _ := range parts {
		var source map[string]interface{}
		if i == 0 {
			source = t.Header
		} else {
			source = t.Claims
		}

		var jsonValue []byte
		if jsonValue, err = json.Marshal(source); err != nil {
			return "", err
		}

		parts[i] = EncodeSegment(jsonValue)
	}
	return strings.Join(parts, "."), nil
}

// Parse, validate, and return a token.
// keyFunc will receive the parsed token and should return the key for validating.
// If everything is kosher, err will be nil
func Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
	parts := strings.Split(tokenString, ".")
	if len(parts) == 3 {
		var err error
		token := &Token{Raw: tokenString}
		// parse Header
		var headerBytes []byte
		if headerBytes, err = DecodeSegment(parts[0]); err != nil {
			return token, &ValidationError{err: err.Error(), Errors: ValidationErrorMalformed}
		}
		if err = json.Unmarshal(headerBytes, &token.Header); err != nil {
			return token, &ValidationError{err: err.Error(), Errors: ValidationErrorMalformed}
		}

		// parse Claims
		var claimBytes []byte
		if claimBytes, err = DecodeSegment(parts[1]); err != nil {
			return token, &ValidationError{err: err.Error(), Errors: ValidationErrorMalformed}
		}
		if err = json.Unmarshal(claimBytes, &token.Claims); err != nil {
			return token, &ValidationError{err: err.Error(), Errors: ValidationErrorMalformed}
		}

		// Lookup signature method
		if method, ok := token.Header["alg"].(string); ok {
			if token.Method = GetSigningMethod(method); token.Method == nil {
				return token, &ValidationError{err: "Signing method (alg) is unavailable.", Errors: ValidationErrorUnverifiable}
			}
		} else {
			return token, &ValidationError{err: "Signing method (alg) is unspecified.", Errors: ValidationErrorUnverifiable}
		}

		// Lookup key
		var key []byte
		if key, err = keyFunc(token); err != nil {
			return token, &ValidationError{err: err.Error(), Errors: ValidationErrorUnverifiable}
		}

		// Check expiration times
		vErr := &ValidationError{}
		now := TimeFunc().Unix()
		if exp, ok := token.Claims["exp"].(float64); ok {
			if now > int64(exp) {
				vErr.err = "Token is expired"
				vErr.Errors |= ValidationErrorExpired
			}
		}
		if nbf, ok := token.Claims["nbf"].(float64); ok {
			if now < int64(nbf) {
				vErr.err = "Token is not valid yet"
				vErr.Errors |= ValidationErrorNotValidYet
			}
		}

		// Perform validation
		if err = token.Method.Verify(strings.Join(parts[0:2], "."), parts[2], key); err != nil {
			vErr.err = err.Error()
			vErr.Errors |= ValidationErrorSignatureInvalid
		}

		if vErr.valid() {
			token.Valid = true
			return token, nil
		}

		return token, vErr

	} else {
		return nil, &ValidationError{err: "Token contains an invalid number of segments", Errors: ValidationErrorMalformed}
	}
}

// The errors that might occur when parsing and validating a token
const (
	ValidationErrorMalformed        uint32 = 1 << iota // Token is malformed
	ValidationErrorUnverifiable                        // Token could not be verified because of signing problems
	ValidationErrorSignatureInvalid                    // Signature validation failed
	ValidationErrorExpired                             // Exp validation failed
	ValidationErrorNotValidYet                         // NBF validation failed
)

// The error from Parse if token is not valid
type ValidationError struct {
	err    string
	Errors uint32 // bitfield.  see ValidationError... constants
}

// Validation error is an error type
func (e *ValidationError) Error() string {
	if e.err == "" {
		return "Token is invalid"
	}
	return e.err
}

// No errors
func (e *ValidationError) valid() bool {
	if e.Errors > 0 {
		return false
	}
	return true
}

// Try to find the token in an http.Request.
// This method will call ParseMultipartForm if there's no token in the header.
// Currently, it looks in the Authorization header as well as
// looking for an 'access_token' request parameter in req.Form.
func ParseFromRequest(req *http.Request, keyFunc Keyfunc) (token *Token, err error) {

	// Look for an Authorization header
	if ah := req.Header.Get("Authorization"); ah != "" {
		// Should be a bearer token
		if len(ah) > 6 && strings.ToUpper(ah[0:6]) == "BEARER" {
			return Parse(ah[7:], keyFunc)
		}
	}

	// Look for "access_token" parameter
	req.ParseMultipartForm(10e6)
	if tokStr := req.Form.Get("access_token"); tokStr != "" {
		return Parse(tokStr, keyFunc)
	}

	return nil, errors.New("No token present in request.")

}

// Encode JWT specific base64url encoding with padding stripped
func EncodeSegment(seg []byte) string {
	return strings.TrimRight(base64.URLEncoding.EncodeToString(seg), "=")
}

// Decode JWT specific base64url encoding with padding stripped
func DecodeSegment(seg string) ([]byte, error) {
	// len % 4
	switch len(seg) % 4 {
	case 2:
		seg = seg + "=="
	case 3:
		seg = seg + "==="
	}

	return base64.URLEncoding.DecodeString(seg)
}
starting to work on it 2012-04-18 03:49:21 +04:00			`package jwt`

			`import (`
			`"encoding/base64"`
			`"encoding/json"`
gofmt 2012-04-18 23:59:37 +04:00			`"errors"`
base64 decoding fixins 2012-04-18 23:18:31 +04:00			`"net/http"`
gofmt 2012-04-18 23:59:37 +04:00			`"strings"`
			`"time"`
starting to work on it 2012-04-18 03:49:21 +04:00			`)`

updated TimeFunc documentation 2014-02-11 05:27:59 +04:00			`// TimeFunc provides the current time when parsing token to validate "exp" claim (expiration time).`
			`// You can override it to use another time value. This is useful for testing or if your`
			`// server uses a different time zone than your tokens.`
make time function overrideable 2014-02-06 03:07:40 +04:00			`var TimeFunc = time.Now`

made Keyfunc a fixed type so it could be documented more easily 2012-07-07 03:16:34 +04:00			`// Parse methods use this callback function to supply`
			`// the key for verification. The function receives the parsed,`
			`// but unverified Token. This allows you to use propries in the`
			// Header of the token (such as `kid`) to identify which key to use.
			`type Keyfunc func(*Token) ([]byte, error)`

starting to work on it 2012-04-18 03:49:21 +04:00			`// A JWT Token`
			`type Token struct {`
capture raw string when parsing a token 2012-10-03 06:13:21 +04:00			`Raw string`
gofmt 2012-07-07 04:02:20 +04:00			`Header map[string]interface{}`
			`Claims map[string]interface{}`
			`Method SigningMethod`
signingn 2012-07-07 03:07:55 +04:00			`// This is only populated when you Parse a token`
starting to work on it 2012-04-18 03:49:21 +04:00			`Signature string`
documentation 2012-07-07 03:12:33 +04:00			`// This is only populated when you Parse/Verify a token`
gofmt 2012-07-07 04:02:20 +04:00			`Valid bool`
starting to work on it 2012-04-18 03:49:21 +04:00			`}`

gofmt 2012-07-07 04:02:20 +04:00			`func New(method SigningMethod) *Token {`
added signing support to RS256 and HS256 2012-07-07 02:43:17 +04:00			`return &Token{`
			`Header: map[string]interface{}{`
			`"typ": "JWT",`
			`"alg": method.Alg(),`
			`},`
			`Claims: make(map[string]interface{}),`
fixes 2012-07-07 23:12:49 +04:00			`Method: method,`
added signing support to RS256 and HS256 2012-07-07 02:43:17 +04:00			`}`
			`}`

documentation 2012-07-07 03:12:33 +04:00			`// Get the complete, signed token`
gofmt 2012-07-07 04:02:20 +04:00			`func (t *Token) SignedString(key []byte) (string, error) {`
signingn 2012-07-07 03:07:55 +04:00			`var sig, sstr string`
			`var err error`
			`if sstr, err = t.SigningString(); err != nil {`
			`return "", err`
			`}`
			`if sig, err = t.Method.Sign(sstr, key); err != nil {`
			`return "", err`
			`}`
			`return strings.Join([]string{sstr, sig}, "."), nil`
added signing support to RS256 and HS256 2012-07-07 02:43:17 +04:00			`}`

documentation 2012-07-07 03:12:33 +04:00			`// Generate the signing string. This is the`
			`// most expensive part of the whole deal. Unless you`
			`// need this for something special, just go straight for`
			`// the SignedString.`
gofmt 2012-07-07 04:02:20 +04:00			`func (t *Token) SigningString() (string, error) {`
signingn 2012-07-07 03:07:55 +04:00			`var err error`
			`parts := make([]string, 2)`
			`for i, _ := range parts {`
			`var source map[string]interface{}`
			`if i == 0 {`
			`source = t.Header`
			`} else {`
			`source = t.Claims`
			`}`
gofmt 2012-07-07 04:02:20 +04:00
signingn 2012-07-07 03:07:55 +04:00			`var jsonValue []byte`
			`if jsonValue, err = json.Marshal(source); err != nil {`
			`return "", err`
			`}`
gofmt 2012-07-07 04:02:20 +04:00
signingn 2012-07-07 03:07:55 +04:00			`parts[i] = EncodeSegment(jsonValue)`
			`}`
			`return strings.Join(parts, "."), nil`
added signing support to RS256 and HS256 2012-07-07 02:43:17 +04:00			`}`

some bad documentation 2012-04-18 10:25:22 +04:00			`// Parse, validate, and return a token.`
			`// keyFunc will receive the parsed token and should return the key for validating.`
			`// If everything is kosher, err will be nil`
updated parsing errors to provide more feedback 2014-03-08 02:43:11 +04:00			`func Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {`
starting to work on it 2012-04-18 03:49:21 +04:00			`parts := strings.Split(tokenString, ".")`
			`if len(parts) == 3 {`
updated parsing errors to provide more feedback 2014-03-08 02:43:11 +04:00			`var err error`
			`token := &Token{Raw: tokenString}`
starting to work on it 2012-04-18 03:49:21 +04:00			`// parse Header`
			`var headerBytes []byte`
base64 decoding fixins 2012-04-18 23:18:31 +04:00			`if headerBytes, err = DecodeSegment(parts[0]); err != nil {`
switched error details to bitfield 2014-03-09 23:24:51 +04:00			`return token, &ValidationError{err: err.Error(), Errors: ValidationErrorMalformed}`
starting to work on it 2012-04-18 03:49:21 +04:00			`}`
			`if err = json.Unmarshal(headerBytes, &token.Header); err != nil {`
switched error details to bitfield 2014-03-09 23:24:51 +04:00			`return token, &ValidationError{err: err.Error(), Errors: ValidationErrorMalformed}`
starting to work on it 2012-04-18 03:49:21 +04:00			`}`
gofmt 2012-04-18 23:59:37 +04:00
starting to work on it 2012-04-18 03:49:21 +04:00			`// parse Claims`
			`var claimBytes []byte`
base64 decoding fixins 2012-04-18 23:18:31 +04:00			`if claimBytes, err = DecodeSegment(parts[1]); err != nil {`
switched error details to bitfield 2014-03-09 23:24:51 +04:00			`return token, &ValidationError{err: err.Error(), Errors: ValidationErrorMalformed}`
starting to work on it 2012-04-18 03:49:21 +04:00			`}`
			`if err = json.Unmarshal(claimBytes, &token.Claims); err != nil {`
switched error details to bitfield 2014-03-09 23:24:51 +04:00			`return token, &ValidationError{err: err.Error(), Errors: ValidationErrorMalformed}`
starting to work on it 2012-04-18 03:49:21 +04:00			`}`
gofmt 2012-04-18 23:59:37 +04:00
starting to work on it 2012-04-18 03:49:21 +04:00			`// Lookup signature method`
			`if method, ok := token.Header["alg"].(string); ok {`
fixes 2012-07-07 23:12:49 +04:00			`if token.Method = GetSigningMethod(method); token.Method == nil {`
switched error details to bitfield 2014-03-09 23:24:51 +04:00			`return token, &ValidationError{err: "Signing method (alg) is unavailable.", Errors: ValidationErrorUnverifiable}`
starting to work on it 2012-04-18 03:49:21 +04:00			`}`
			`} else {`
switched error details to bitfield 2014-03-09 23:24:51 +04:00			`return token, &ValidationError{err: "Signing method (alg) is unspecified.", Errors: ValidationErrorUnverifiable}`
updated parsing errors to provide more feedback 2014-03-08 02:43:11 +04:00			`}`

			`// Lookup key`
			`var key []byte`
			`if key, err = keyFunc(token); err != nil {`
switched error details to bitfield 2014-03-09 23:24:51 +04:00			`return token, &ValidationError{err: err.Error(), Errors: ValidationErrorUnverifiable}`
starting to work on it 2012-04-18 03:49:21 +04:00			`}`

check nbf claim 2014-02-12 10:31:34 +04:00			`// Check expiration times`
updated parsing errors to provide more feedback 2014-03-08 02:43:11 +04:00			`vErr := &ValidationError{}`
check nbf claim 2014-02-12 10:31:34 +04:00			`now := TimeFunc().Unix()`
check exp time 2012-04-18 03:52:38 +04:00			`if exp, ok := token.Claims["exp"].(float64); ok {`
check nbf claim 2014-02-12 10:31:34 +04:00			`if now > int64(exp) {`
updated parsing errors to provide more feedback 2014-03-08 02:43:11 +04:00			`vErr.err = "Token is expired"`
switched error details to bitfield 2014-03-09 23:24:51 +04:00			`vErr.Errors \|= ValidationErrorExpired`
check exp time 2012-04-18 03:52:38 +04:00			`}`
			`}`
check nbf claim 2014-02-12 10:31:34 +04:00			`if nbf, ok := token.Claims["nbf"].(float64); ok {`
			`if now < int64(nbf) {`
updated parsing errors to provide more feedback 2014-03-08 02:43:11 +04:00			`vErr.err = "Token is not valid yet"`
switched error details to bitfield 2014-03-09 23:24:51 +04:00			`vErr.Errors \|= ValidationErrorNotValidYet`
check nbf claim 2014-02-12 10:31:34 +04:00			`}`
			`}`
starting to work on it 2012-04-18 03:49:21 +04:00
updated parsing errors to provide more feedback 2014-03-08 02:43:11 +04:00			`// Perform validation`
			`if err = token.Method.Verify(strings.Join(parts[0:2], "."), parts[2], key); err != nil {`
			`vErr.err = err.Error()`
switched error details to bitfield 2014-03-09 23:24:51 +04:00			`vErr.Errors \|= ValidationErrorSignatureInvalid`
framework 2012-04-18 03:58:52 +04:00			`}`
gofmt 2012-04-18 23:59:37 +04:00
documentation fix 2014-03-08 02:46:27 +04:00			`if vErr.valid() {`
framework 2012-04-18 03:58:52 +04:00			`token.Valid = true`
updated parsing errors to provide more feedback 2014-03-08 02:43:11 +04:00			`return token, nil`
framework 2012-04-18 03:58:52 +04:00			`}`
gofmt 2012-04-18 23:59:37 +04:00
updated parsing errors to provide more feedback 2014-03-08 02:43:11 +04:00			`return token, vErr`

starting to work on it 2012-04-18 03:49:21 +04:00			`} else {`
switched error details to bitfield 2014-03-09 23:24:51 +04:00			`return nil, &ValidationError{err: "Token contains an invalid number of segments", Errors: ValidationErrorMalformed}`
updated parsing errors to provide more feedback 2014-03-08 02:43:11 +04:00			`}`
			`}`

documentation 2014-03-09 23:26:36 +04:00			`// The errors that might occur when parsing and validating a token`
switched error details to bitfield 2014-03-09 23:24:51 +04:00			`const (`
			`ValidationErrorMalformed uint32 = 1 << iota // Token is malformed`
			`ValidationErrorUnverifiable // Token could not be verified because of signing problems`
			`ValidationErrorSignatureInvalid // Signature validation failed`
			`ValidationErrorExpired // Exp validation failed`
			`ValidationErrorNotValidYet // NBF validation failed`
			`)`

documentation fix 2014-03-08 02:46:27 +04:00			`// The error from Parse if token is not valid`
updated parsing errors to provide more feedback 2014-03-08 02:43:11 +04:00			`type ValidationError struct {`
switched error details to bitfield 2014-03-09 23:24:51 +04:00			`err string`
			`Errors uint32 // bitfield. see ValidationError... constants`
updated parsing errors to provide more feedback 2014-03-08 02:43:11 +04:00			`}`

documentation fix 2014-03-08 02:46:27 +04:00			`// Validation error is an error type`
updated parsing errors to provide more feedback 2014-03-08 02:43:11 +04:00			`func (e *ValidationError) Error() string {`
			`if e.err == "" {`
			`return "Token is invalid"`
			`}`
			`return e.err`
			`}`

			`// No errors`
documentation fix 2014-03-08 02:46:27 +04:00			`func (e *ValidationError) valid() bool {`
switched error details to bitfield 2014-03-09 23:24:51 +04:00			`if e.Errors > 0 {`
updated parsing errors to provide more feedback 2014-03-08 02:43:11 +04:00			`return false`
starting to work on it 2012-04-18 03:49:21 +04:00			`}`
updated parsing errors to provide more feedback 2014-03-08 02:43:11 +04:00			`return true`
starting to work on it 2012-04-18 03:49:21 +04:00			`}`
base64 decoding fixins 2012-04-18 23:18:31 +04:00
documentation 2012-07-07 03:12:33 +04:00			`// Try to find the token in an http.Request.`
try to get the access_token from the request params as well as the header 2012-07-07 23:38:18 +04:00			`// This method will call ParseMultipartForm if there's no token in the header.`
			`// Currently, it looks in the Authorization header as well as`
			`// looking for an 'access_token' request parameter in req.Form.`
made Keyfunc a fixed type so it could be documented more easily 2012-07-07 03:16:34 +04:00			`func ParseFromRequest(req http.Request, keyFunc Keyfunc) (token Token, err error) {`
base64 decoding fixins 2012-04-18 23:18:31 +04:00
parse token from http requests 2012-04-18 23:35:16 +04:00			`// Look for an Authorization header`
			`if ah := req.Header.Get("Authorization"); ah != "" {`
			`// Should be a bearer token`
			`if len(ah) > 6 && strings.ToUpper(ah[0:6]) == "BEARER" {`
			`return Parse(ah[7:], keyFunc)`
			`}`
			`}`
gofmt 2012-04-18 23:59:37 +04:00
try to get the access_token from the request params as well as the header 2012-07-07 23:38:18 +04:00			`// Look for "access_token" parameter`
megabytes 2012-07-07 23:40:24 +04:00			`req.ParseMultipartForm(10e6)`
try to get the access_token from the request params as well as the header 2012-07-07 23:38:18 +04:00			`if tokStr := req.Form.Get("access_token"); tokStr != "" {`
			`return Parse(tokStr, keyFunc)`
			`}`

parse token from http requests 2012-04-18 23:35:16 +04:00			`return nil, errors.New("No token present in request.")`
gofmt 2012-04-18 23:59:37 +04:00
base64 decoding fixins 2012-04-18 23:18:31 +04:00			`}`

documentation 2012-07-07 03:12:33 +04:00			`// Encode JWT specific base64url encoding with padding stripped`
gofmt 2012-07-07 04:02:20 +04:00			`func EncodeSegment(seg []byte) string {`
added signing support to RS256 and HS256 2012-07-07 02:43:17 +04:00			`return strings.TrimRight(base64.URLEncoding.EncodeToString(seg), "=")`
			`}`

documentation 2012-07-07 03:12:33 +04:00			`// Decode JWT specific base64url encoding with padding stripped`
gofmt 2012-04-18 23:59:37 +04:00			`func DecodeSegment(seg string) ([]byte, error) {`
base64 decoding fixins 2012-04-18 23:18:31 +04:00			`// len % 4`
			`switch len(seg) % 4 {`
gofmt 2012-04-18 23:59:37 +04:00			`case 2:`
base64 decoding fixins 2012-04-18 23:18:31 +04:00			`seg = seg + "=="`
gofmt 2012-04-18 23:59:37 +04:00			`case 3:`
base64 decoding fixins 2012-04-18 23:18:31 +04:00			`seg = seg + "==="`
			`}`
gofmt 2012-04-18 23:59:37 +04:00
base64 decoding fixins 2012-04-18 23:18:31 +04:00			`return base64.URLEncoding.DecodeString(seg)`
gofmt 2012-04-18 23:59:37 +04:00			`}`