forked from mirror/jwt
Merge pull request #137 from dgrijalva/dg/extractor
Add new interface Extractor for making token extraction pluggable
This commit is contained in:
commit
b4ac4e4998
|
@ -0,0 +1,7 @@
|
||||||
|
// Utility package for extracting JWT tokens from
|
||||||
|
// HTTP requests.
|
||||||
|
//
|
||||||
|
// The main function is ParseFromRequest and it's WithClaims variant.
|
||||||
|
// See examples for how to use the various Extractor implementations
|
||||||
|
// or roll your own.
|
||||||
|
package request
|
|
@ -0,0 +1,80 @@
|
||||||
|
package request
|
||||||
|
|
||||||
|
import (
|
||||||
|
"errors"
|
||||||
|
"net/http"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Errors
|
||||||
|
var (
|
||||||
|
ErrNoTokenInRequest = errors.New("no token present in request")
|
||||||
|
)
|
||||||
|
|
||||||
|
// Interface for extracting a token from an HTTP request.
|
||||||
|
// The ExtractToken method should return a token string or an error.
|
||||||
|
// If no token is present, you must return ErrNoTokenInRequest.
|
||||||
|
type Extractor interface {
|
||||||
|
ExtractToken(*http.Request) (string, error)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Extractor for finding a token in a header. Looks at each specified
|
||||||
|
// header in order until there's a match
|
||||||
|
type HeaderExtractor []string
|
||||||
|
|
||||||
|
func (e HeaderExtractor) ExtractToken(req *http.Request) (string, error) {
|
||||||
|
// loop over header names and return the first one that contains data
|
||||||
|
for _, header := range e {
|
||||||
|
if ah := req.Header.Get(header); ah != "" {
|
||||||
|
return ah, nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return "", ErrNoTokenInRequest
|
||||||
|
}
|
||||||
|
|
||||||
|
// Extract token from request arguments. This includes a POSTed form or
|
||||||
|
// GET URL arguments. Argument names are tried in order until there's a match.
|
||||||
|
type ArgumentExtractor []string
|
||||||
|
|
||||||
|
func (e ArgumentExtractor) ExtractToken(req *http.Request) (string, error) {
|
||||||
|
// Make sure form is parsed
|
||||||
|
req.ParseMultipartForm(10e6)
|
||||||
|
|
||||||
|
// loop over arg names and return the first one that contains data
|
||||||
|
for _, arg := range e {
|
||||||
|
if ah := req.Form.Get(arg); ah != "" {
|
||||||
|
return ah, nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return "", ErrNoTokenInRequest
|
||||||
|
}
|
||||||
|
|
||||||
|
// Tries Extractors in order until one returns a token string or an error occurs
|
||||||
|
type MultiExtractor []Extractor
|
||||||
|
|
||||||
|
func (e MultiExtractor) ExtractToken(req *http.Request) (string, error) {
|
||||||
|
// loop over header names and return the first one that contains data
|
||||||
|
for _, extractor := range e {
|
||||||
|
if tok, err := extractor.ExtractToken(req); tok != "" {
|
||||||
|
return tok, nil
|
||||||
|
} else if err != ErrNoTokenInRequest {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return "", ErrNoTokenInRequest
|
||||||
|
}
|
||||||
|
|
||||||
|
// Wrap an Extractor in this to post-process the value before it's handed off.
|
||||||
|
// See AuthorizationHeaderExtractor for an example
|
||||||
|
type PostExtractionFilter struct {
|
||||||
|
Extractor
|
||||||
|
Filter func(string) (string, error)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e *PostExtractionFilter) ExtractToken(req *http.Request) (string, error) {
|
||||||
|
if tok, err := e.Extractor.ExtractToken(req); tok != "" {
|
||||||
|
return e.Filter(tok)
|
||||||
|
} else {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,32 @@
|
||||||
|
package request
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"net/url"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
exampleTokenA = "A"
|
||||||
|
)
|
||||||
|
|
||||||
|
func ExampleHeaderExtractor() {
|
||||||
|
req := makeExampleRequest("GET", "/", map[string]string{"Token": exampleTokenA}, nil)
|
||||||
|
tokenString, err := HeaderExtractor{"Token"}.ExtractToken(req)
|
||||||
|
if err == nil {
|
||||||
|
fmt.Println(tokenString)
|
||||||
|
} else {
|
||||||
|
fmt.Println(err)
|
||||||
|
}
|
||||||
|
//Output: A
|
||||||
|
}
|
||||||
|
|
||||||
|
func ExampleArgumentExtractor() {
|
||||||
|
req := makeExampleRequest("GET", "/", nil, url.Values{"token": {extractorTestTokenA}})
|
||||||
|
tokenString, err := ArgumentExtractor{"token"}.ExtractToken(req)
|
||||||
|
if err == nil {
|
||||||
|
fmt.Println(tokenString)
|
||||||
|
} else {
|
||||||
|
fmt.Println(err)
|
||||||
|
}
|
||||||
|
//Output: A
|
||||||
|
}
|
|
@ -0,0 +1,91 @@
|
||||||
|
package request
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"net/http"
|
||||||
|
"net/url"
|
||||||
|
"testing"
|
||||||
|
)
|
||||||
|
|
||||||
|
var extractorTestTokenA = "A"
|
||||||
|
var extractorTestTokenB = "B"
|
||||||
|
|
||||||
|
var extractorTestData = []struct {
|
||||||
|
name string
|
||||||
|
extractor Extractor
|
||||||
|
headers map[string]string
|
||||||
|
query url.Values
|
||||||
|
token string
|
||||||
|
err error
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
name: "simple header",
|
||||||
|
extractor: HeaderExtractor{"Foo"},
|
||||||
|
headers: map[string]string{"Foo": extractorTestTokenA},
|
||||||
|
query: nil,
|
||||||
|
token: extractorTestTokenA,
|
||||||
|
err: nil,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "simple argument",
|
||||||
|
extractor: ArgumentExtractor{"token"},
|
||||||
|
headers: map[string]string{},
|
||||||
|
query: url.Values{"token": {extractorTestTokenA}},
|
||||||
|
token: extractorTestTokenA,
|
||||||
|
err: nil,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "multiple extractors",
|
||||||
|
extractor: MultiExtractor{
|
||||||
|
HeaderExtractor{"Foo"},
|
||||||
|
ArgumentExtractor{"token"},
|
||||||
|
},
|
||||||
|
headers: map[string]string{"Foo": extractorTestTokenA},
|
||||||
|
query: url.Values{"token": {extractorTestTokenB}},
|
||||||
|
token: extractorTestTokenA,
|
||||||
|
err: nil,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "simple miss",
|
||||||
|
extractor: HeaderExtractor{"This-Header-Is-Not-Set"},
|
||||||
|
headers: map[string]string{"Foo": extractorTestTokenA},
|
||||||
|
query: nil,
|
||||||
|
token: "",
|
||||||
|
err: ErrNoTokenInRequest,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "filter",
|
||||||
|
extractor: AuthorizationHeaderExtractor,
|
||||||
|
headers: map[string]string{"Authorization": "Bearer " + extractorTestTokenA},
|
||||||
|
query: nil,
|
||||||
|
token: extractorTestTokenA,
|
||||||
|
err: nil,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestExtractor(t *testing.T) {
|
||||||
|
// Bearer token request
|
||||||
|
for _, data := range extractorTestData {
|
||||||
|
// Make request from test struct
|
||||||
|
r := makeExampleRequest("GET", "/", data.headers, data.query)
|
||||||
|
|
||||||
|
// Test extractor
|
||||||
|
token, err := data.extractor.ExtractToken(r)
|
||||||
|
if token != data.token {
|
||||||
|
t.Errorf("[%v] Expected token '%v'. Got '%v'", data.name, data.token, token)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if err != data.err {
|
||||||
|
t.Errorf("[%v] Expected error '%v'. Got '%v'", data.name, data.err, err)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func makeExampleRequest(method, path string, headers map[string]string, urlArgs url.Values) *http.Request {
|
||||||
|
r, _ := http.NewRequest(method, fmt.Sprintf("%v?%v", path, urlArgs.Encode()), nil)
|
||||||
|
for k, v := range headers {
|
||||||
|
r.Header.Set(k, v)
|
||||||
|
}
|
||||||
|
return r
|
||||||
|
}
|
|
@ -0,0 +1,28 @@
|
||||||
|
package request
|
||||||
|
|
||||||
|
import (
|
||||||
|
"strings"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Strips 'Bearer ' prefix from bearer token string
|
||||||
|
func stripBearerPrefixFromTokenString(tok string) (string, error) {
|
||||||
|
// Should be a bearer token
|
||||||
|
if len(tok) > 6 && strings.ToUpper(tok[0:7]) == "BEARER " {
|
||||||
|
return tok[7:], nil
|
||||||
|
}
|
||||||
|
return tok, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Extract bearer token from Authorization header
|
||||||
|
// Uses PostExtractionFilter to strip "Bearer " prefix from header
|
||||||
|
var AuthorizationHeaderExtractor = &PostExtractionFilter{
|
||||||
|
HeaderExtractor{"Authorization"},
|
||||||
|
stripBearerPrefixFromTokenString,
|
||||||
|
}
|
||||||
|
|
||||||
|
// Extractor for OAuth2 access tokens. Looks in 'Authorization'
|
||||||
|
// header then 'access_token' argument for a token.
|
||||||
|
var OAuth2Extractor = &MultiExtractor{
|
||||||
|
AuthorizationHeaderExtractor,
|
||||||
|
ArgumentExtractor{"access_token"},
|
||||||
|
}
|
|
@ -1,39 +1,24 @@
|
||||||
package request
|
package request
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"errors"
|
|
||||||
"github.com/dgrijalva/jwt-go"
|
"github.com/dgrijalva/jwt-go"
|
||||||
"net/http"
|
"net/http"
|
||||||
"strings"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// Errors
|
// Extract and parse a JWT token from an HTTP request.
|
||||||
var (
|
// This behaves the same as Parse, but accepts a request and an extractor
|
||||||
ErrNoTokenInRequest = errors.New("no token present in request")
|
// instead of a token string. The Extractor interface allows you to define
|
||||||
)
|
// the logic for extracting a token. Several useful implementations are provided.
|
||||||
|
func ParseFromRequest(req *http.Request, extractor Extractor, keyFunc jwt.Keyfunc) (token *jwt.Token, err error) {
|
||||||
// Try to find the token in an http.Request.
|
return ParseFromRequestWithClaims(req, extractor, jwt.MapClaims{}, keyFunc)
|
||||||
// This method will call ParseMultipartForm if there's no token in the header.
|
|
||||||
// Currently, it looks in the Authorization header as well as
|
|
||||||
// looking for an 'access_token' request parameter in req.Form.
|
|
||||||
func ParseFromRequest(req *http.Request, keyFunc jwt.Keyfunc) (token *jwt.Token, err error) {
|
|
||||||
return ParseFromRequestWithClaims(req, jwt.MapClaims{}, keyFunc)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func ParseFromRequestWithClaims(req *http.Request, claims jwt.Claims, keyFunc jwt.Keyfunc) (token *jwt.Token, err error) {
|
// ParseFromRequest but with custom Claims type
|
||||||
// Look for an Authorization header
|
func ParseFromRequestWithClaims(req *http.Request, extractor Extractor, claims jwt.Claims, keyFunc jwt.Keyfunc) (token *jwt.Token, err error) {
|
||||||
if ah := req.Header.Get("Authorization"); ah != "" {
|
// Extract token from request
|
||||||
// Should be a bearer token
|
if tokStr, err := extractor.ExtractToken(req); err == nil {
|
||||||
if len(ah) > 6 && strings.ToUpper(ah[0:7]) == "BEARER " {
|
|
||||||
return jwt.ParseWithClaims(ah[7:], claims, keyFunc)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Look for "access_token" parameter
|
|
||||||
req.ParseMultipartForm(10e6)
|
|
||||||
if tokStr := req.Form.Get("access_token"); tokStr != "" {
|
|
||||||
return jwt.ParseWithClaims(tokStr, claims, keyFunc)
|
return jwt.ParseWithClaims(tokStr, claims, keyFunc)
|
||||||
|
} else {
|
||||||
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil, ErrNoTokenInRequest
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -14,13 +14,23 @@ import (
|
||||||
var requestTestData = []struct {
|
var requestTestData = []struct {
|
||||||
name string
|
name string
|
||||||
claims jwt.MapClaims
|
claims jwt.MapClaims
|
||||||
|
extractor Extractor
|
||||||
headers map[string]string
|
headers map[string]string
|
||||||
query url.Values
|
query url.Values
|
||||||
valid bool
|
valid bool
|
||||||
}{
|
}{
|
||||||
|
{
|
||||||
|
"authorization bearer token",
|
||||||
|
jwt.MapClaims{"foo": "bar"},
|
||||||
|
AuthorizationHeaderExtractor,
|
||||||
|
map[string]string{"Authorization": "Bearer %v"},
|
||||||
|
url.Values{},
|
||||||
|
true,
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"oauth bearer token - header",
|
"oauth bearer token - header",
|
||||||
jwt.MapClaims{"foo": "bar"},
|
jwt.MapClaims{"foo": "bar"},
|
||||||
|
OAuth2Extractor,
|
||||||
map[string]string{"Authorization": "Bearer %v"},
|
map[string]string{"Authorization": "Bearer %v"},
|
||||||
url.Values{},
|
url.Values{},
|
||||||
true,
|
true,
|
||||||
|
@ -28,10 +38,19 @@ var requestTestData = []struct {
|
||||||
{
|
{
|
||||||
"oauth bearer token - url",
|
"oauth bearer token - url",
|
||||||
jwt.MapClaims{"foo": "bar"},
|
jwt.MapClaims{"foo": "bar"},
|
||||||
|
OAuth2Extractor,
|
||||||
map[string]string{},
|
map[string]string{},
|
||||||
url.Values{"access_token": {"%v"}},
|
url.Values{"access_token": {"%v"}},
|
||||||
true,
|
true,
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"url token",
|
||||||
|
jwt.MapClaims{"foo": "bar"},
|
||||||
|
ArgumentExtractor{"token"},
|
||||||
|
map[string]string{},
|
||||||
|
url.Values{"token": {"%v"}},
|
||||||
|
true,
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestParseRequest(t *testing.T) {
|
func TestParseRequest(t *testing.T) {
|
||||||
|
@ -65,7 +84,7 @@ func TestParseRequest(t *testing.T) {
|
||||||
r.Header.Set(k, tokenString)
|
r.Header.Set(k, tokenString)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
token, err := ParseFromRequestWithClaims(r, jwt.MapClaims{}, keyfunc)
|
token, err := ParseFromRequestWithClaims(r, data.extractor, jwt.MapClaims{}, keyfunc)
|
||||||
|
|
||||||
if token == nil {
|
if token == nil {
|
||||||
t.Errorf("[%v] Token was not found: %v", data.name, err)
|
t.Errorf("[%v] Token was not found: %v", data.name, err)
|
||||||
|
|
Loading…
Reference in New Issue