golang-jwt-authentication-api-sample's Issues
Get public key from private key
In your jwt_backend.go you could retrieve the RSA public key part from the private key, because, both logically and according to the official GoDocs of rsa.PrivateKey, the PublicKey is contained in the PrivateKey. This helps to avoid a lot of action.
Just a suggestion, because I use a similar backend in my current project:
    // GetPublicKey returns the rsa public key from the private key
    func GetPublicKey(privateKey *rsa.PrivateKey) *rsa.PublicKey {
        return &privateKey.PublicKey
    }
Sorry I'm too lazy right now to create a pull request; nonetheless, thanks for this project (and the accompanying blog post), it helped a lot!
logout route
Hello,
If you are getting "Completed 500 Internal Server Error" on logout,
add Redis authentication.
Please add a LICENCE file
Would you please add a license file so that I can use the code. Thanks a lot.
How can I run it?
Hello Author.
I cloned it to $GOPATH/src, ran go get, and changed "code.google.com/p/go-uuid/uuid" to "github.com/pborman/uuid", but now these errors occurred:
core/authentication/jwt_backend.go:44: invalid operation: token.Claims["exp"] (type jwt.Claims does not support indexing)
core/authentication/jwt_backend.go:45: invalid operation: token.Claims["iat"] (type jwt.Claims does not support indexing)
core/authentication/jwt_backend.go:46: invalid operation: token.Claims["sub"] (type jwt.Claims does not support indexing)
core/authentication/jwt_backend.go:80: invalid operation: token.Claims["exp"] (type jwt.Claims does not support indexing)
core/authentication/middlewares.go:12: undefined: jwt.ParseFromRequest
Many thanks.
Please add a LICENSE file
In case people want to copy and reuse the sources, please add a LICENSE file to be legally safe.
paths
Changed the paths to relative ones in settings/pre, prod, testing.json so it finds the keys without Vagrant.
api.jwt.auth/routers
Where is this package?
invalid operation: token.Claims["a"] (type jwt.Claims does not support indexing)
Hello.
Since the migration from jwt v2 to v3, we cannot index Claims anymore.
From jwt v3 on, we can use:
    // old version of jwt
    // token.Claims["a"] = someWhat
    // new version of jwt
    token.Claims = jwt.MapClaims{
        "a": someWhat,
    }
If you'd like, I will migrate jwt v2 to v3 with improved methods.
Thanks.
RSA File Format disagreement
How do I build the right private & public key file on Linux? :)
I use ssh-keygen -b 4096 -t rsa
Validate token algorithm in Parse/Verify functions.
A vulnerability that allows a user to generate a valid token is possible due to some behaviour between certain algorithms: if all are accepted, it would allow a user to generate valid tokens with only the public key for RSA. You might not keep the same stringent set of security around your public key.
https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
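As an added example (not code from the sample project or from this report), a stdlib-only Go verifier that pins the algorithm to RS256 before the public key is used at all, which is the check the report asks for; NewKey and SignRS256 are hypothetical helpers that exist only to produce tokens for VerifyRS256.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding
// NewKey generates a throwaway 2048-bit RSA key pair for the demonstration.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// SignRS256 mints a compact RS256 JWT (PKCS#1 v1.5 over SHA-256); a hypothetical
// helper that exists only so VerifyRS256 has genuine tokens to check.
func SignRS256(claims map[string]any, priv *rsa.PrivateKey) (string, error) {
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return input + "." + b64.EncodeToString(sig), err
}
// VerifyRS256 pins the algorithm to RS256 before the key is used at all, so a header
// claiming "none" or an HMAC alg is refused even though the public key is not secret.
func VerifyRS256(token string, pub *rsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHdr, err1 := b64.DecodeString(parts[0])
	rawBody, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("bad base64url segment")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected signing method: " + hdr.Alg)
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	claims := map[string]any{} // trusted only after the signature check above
	return claims, json.Unmarshal(rawBody, &claims)
}
```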
a bug in middlewares.go allows unauthorized access
After an authenticated user has logged out, a malicious user can continue accessing his account if the malicious user gets his JWT token. To do so, instead of passing the JWT token in the HTTP header, the malicious user can just pass the token as the query argument "access_token".
request.OAuth2Extractor retrieves the JWT token from either the HTTP header or the "access_token" argument, therefore a previously logged-out token will still be validated. authBackend.IsInBlacklist() wouldn't block the access because req.Header.Get("Authorization") doesn't have the token.
    func RequireTokenAuthentication(rw http.ResponseWriter, req *http.Request, next http.HandlerFunc) {
        authBackend := InitJWTAuthenticationBackend()
        // (line highlighted by the reporter)
        token, err := request.ParseFromRequest(req, request.OAuth2Extractor, func(token *jwt.Token) (interface{}, error) {
            if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
                return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
            } else {
                return authBackend.PublicKey, nil
            }
        })
        // (line highlighted by the reporter)
        if err == nil && token.Valid && !authBackend.IsInBlacklist(req.Header.Get("Authorization")) {
            next(rw, req)
        } else {
            rw.WriteHeader(http.StatusUnauthorized)
        }
    }
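An added illustration of the fix, not the project's own code: the raw token is extracted once, from the Authorization header or the access_token parameter, and that same string is checked against the blacklist before verification, so moving the token to the query string no longer skips the revocation check. Blacklist (an in-memory stand-in for Redis), ExtractToken and the injected verify callback are assumptions of this example.

```go
package main

import (
	"net/http"
	"strings"
	"sync"
)

// Blacklist stands in for the Redis set of logged-out tokens in the sample; an
// in-memory map so the example runs offline. It stores the raw token string.
type Blacklist struct {
	mu     sync.Mutex
	tokens map[string]bool
}

func NewBlacklist() *Blacklist { return &Blacklist{tokens: map[string]bool{}} }
func (b *Blacklist) Add(raw string) {
	b.mu.Lock()
	defer b.mu.Unlock()
	b.tokens[raw] = true
}
func (b *Blacklist) Has(raw string) bool {
	b.mu.Lock()
	defer b.mu.Unlock()
	return b.tokens[raw]
}

// ExtractToken approximates request.OAuth2Extractor: a bearer token in the
// Authorization header first, then the access_token query parameter.
func ExtractToken(req *http.Request) string {
	if h := req.Header.Get("Authorization"); len(h) > 7 && strings.EqualFold(h[:7], "bearer ") {
		return strings.TrimSpace(h[7:])
	}
	return req.URL.Query().Get("access_token")
}

// RequireTokenAuthentication is the hardened shape of the middleware: the token
// is extracted once, that same string is checked against the blacklist, and only
// then is it verified. verify is an injected stand-in for the RS256 parse of the
// original, so that the example needs no JWT library.
func RequireTokenAuthentication(b *Blacklist, verify func(raw string) bool, next http.HandlerFunc) http.HandlerFunc {
	return func(rw http.ResponseWriter, req *http.Request) {
		raw := ExtractToken(req)
		if raw == "" || b.Has(raw) || !verify(raw) {
			rw.WriteHeader(http.StatusUnauthorized)
			return
		}
		next(rw, req)
	}
}
```

At logout the handler stores ExtractToken(req) rather than the whole Authorization header, so header and query-string deliveries of the same token share one blacklist entry.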