brainattica / golang-jwt-authentication-api-sample Goto Github PK

In your jwt_backend.go you could retrieve the RSA public key part from the private key, because due to logic and the official GoDocs of rsa.PrivateKey the PublicKey is contained in the PrivateKey. This helps to avoid a lot of action.

Just a suggestion, because I use a similar backend in my current project:

// GetPublicKey returns the rsa public key from the private key
func GetPublicKey(privateKey *rsa.PrivateKey) *rsa.PublicKey {
    return &privateKey.PublicKey
}

Sorry I'm too lazy right now to create a pull request, nonetheless thanks for this project (and the regarding blog post), it helped a lot! 👍 🙇

Hello,

If you are getting on logout Completed 500 Internal Server Error
add redis authentication

Would you please add a license file so that I can use the code. Thanks a lot.

Hello Author.
I cloned to $GOPATH/src and run go get and changed "code.google.com/p/go-uuid/uuid" to "github.com/pborman/uuid" but now ocurred errors

core/authentication/jwt_backend.go:44: invalid operation: token.Claims["exp"] (type jwt.Claims does not support indexing)
core/authentication/jwt_backend.go:45: invalid operation: token.Claims["iat"] (type jwt.Claims does not support indexing)
core/authentication/jwt_backend.go:46: invalid operation: token.Claims["sub"] (type jwt.Claims does not support indexing)
core/authentication/jwt_backend.go:80: invalid operation: token.Claims["exp"] (type jwt.Claims does not support indexing)
core/authentication/middlewares.go:12: undefined: jwt.ParseFromRequest

Many thanks.

In case people want to copy and reuse the sources, please add a LICENSE file to be legally safe.

Changed the paths to relative in settings/pre, prod, testing.json so it finds the keys without vagrant.

where is this package?

Hello.

From migration jwt 2 to 3, we cannot indexing Claims anymore.

check it in and

From jwt 3 version, we can use

// old version of jwt
// token.Claims["a"] := someWhat

// new version of jwt
	token.Claims = jwt.MapClaims{
		"a": someWhat,
	}

If you'd like to, I will migrate jwt 2 to 3 with improve methods.

Thanks.

How a build a right privat & public key-file with linux? :)

i use ssh-keygen -b 4096 -t rsa

Vulnerability that allows a user to generate a valid token is possible due to some behaviour between certain algorithms, if all are accepted it would allow a user to generate valid tokens with only the public key for RSA. You might not keep the same stringent set of security around your public key.

https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/

After an authenticated user has logged out, a malicious user can continue accessing his account if the malicious user gets his jwt token. To do so, instead of passing the jwt token in the HTTP header, the malicious user can just pass the token as a query argument "access_token".

request.OAuth2Extractor would retrieve jwt token from either HTTP header or "access_token" argument therefore a previously logged out token will be still validated. authBackend.IsInBlacklist() wouldn't block the access because req.Header.Get("Authorization") doesn't have the token.

func RequireTokenAuthentication(rw http.ResponseWriter, req *http.Request, next http.HandlerFunc) {
authBackend := InitJWTAuthenticationBackend()

** token, err := request.ParseFromRequest(req, request.OAuth2Extractor, func(token *jwt.Token) (interface{}, error) { **
if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
} else {
return authBackend.PublicKey, nil
}
})

** if err == nil && token.Valid && !authBackend.**IsInBlacklist(req.Header.Get("Authorization")) { **
next(rw, req)
} else {
rw.WriteHeader(http.StatusUnauthorized)
}
}