labstack / echo-jwt
JWT middleware for Echo framework
License: MIT License

I copy/pasted `CreateExtractors` logic from Echo core library here because it was made public in `v4.10.0` but this library supports Echo versions `v4.7.0+`.
Let's wait some time (maybe until 2023 summer) and to reduce code duplication delete `CreateExtractors` logic in this library and use `echo.CreateExtractors` instead.
P.S. Do not delete public methods - make them use core. Unfortunately I made them public.

Should change middleware jwt's SuccessHandler:
`type JWTSuccessHandler func(c echo.Context)` -> `type JWTSuccessHandler func(c echo.Context) error`
It should be a minor change that will not affect most uses and API.
Reason: After obtaining the token, additional condition checks can be performed and the handler chain can be prevented from continuing to execute, instead of requiring an additional middleware.

Greetings!
According to go.dev, every `go.mod` dependency must respect semantic versioning, because many go tools rely on it.
A lib maintainer can NOT ignore the rule just because he wishes to.
I strongly suggest to make `echo-jwt` follow all common Golang agreements.
Otherwise, I would recommend everyone to avoid this lib and use their own or 3rd-party JWT middleware.

Edit the sample below so that NewClaimsFunc returns a value object.
https://echo.labstack.com/docs/cookbook/jwt
```go
NewClaimsFunc: func(c echo.Context) jwt.Claims {
	return jwtCustomClaims{}
},
```
The following error occurs.
```
token is malformed: could not JSON decode claim: json: cannot unmarshal object into Go value of type jwt.Claims
```
I think it would be a good idea to add a check to see if Claims is a pointer.
Below is an example of a json package.
https://cs.opensource.google/go/go/+/refs/tags/go1.22.2:src/encoding/json/decode.go;l=172-175
I also think it would be effective to add this to the `NewClaimsFunc` documentation.
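
An added example, not part of the issue above or of the project's code, that reproduces the decode failure with the standard library only and shows the kind of pointer check the issue proposes. `Claims`, `customClaims`, `checkClaimsTarget` and `decodeInto` are hypothetical stand-ins, and it is assumed that the parser decodes through the interface variable, which is what the reported error message suggests.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"reflect"
)

// Claims is a stand-in for jwt.Claims (assumption: reduced to one method).
type Claims interface{ GetSubject() string }

// customClaims is a stand-in for the cookbook's jwtCustomClaims.
type customClaims struct {
	Sub  string `json:"sub"`
	Role string `json:"role"`
}

func (c customClaims) GetSubject() string { return c.Sub }

var errNotPointer = errors.New("claims must be a non-nil pointer")

// checkClaimsTarget is a hypothetical guard, modelled on the check
// json.Unmarshal applies to its own target argument.
func checkClaimsTarget(c Claims) error {
	rv := reflect.ValueOf(c)
	if rv.Kind() != reflect.Ptr || rv.IsNil() {
		return fmt.Errorf("%w, got %T", errNotPointer, c)
	}
	return nil
}

// decodeInto decodes through the interface variable, so a struct value
// stored in it cannot be filled and the decoder reports a type error.
func decodeInto(payload []byte, c Claims) error {
	return json.Unmarshal(payload, &c)
}

func main() {
	payload := []byte(`{"sub":"u1","role":"admin"}`) // constructed sample payload
	fmt.Println("value, guard:   ", checkClaimsTarget(customClaims{}))
	fmt.Println("value, decode:  ", decodeInto(payload, customClaims{}))
	p := &customClaims{}
	fmt.Println("pointer, guard: ", checkClaimsTarget(p))
	fmt.Println("pointer, decode:", decodeInto(payload, p), p.Sub, p.Role)
}
```

Running the guard once at middleware construction time would surface the misconfiguration at startup instead of as a "token is malformed" response on every request.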

jwt/v5 is out: https://github.com/golang-jwt/jwt/releases/tag/v5.0.0
Is there a plan to move this middleware to golang-jwt/jwt/v5?

Starting from golang-jwt v5 upgrade this middleware library stopped working.
This is my scenario:
```go
// here the instance of echo-jwt middleware
jwtHeaderMiddleware := echojwt.WithConfig(echojwt.Config{
	Skipper: func(c echo.Context) bool {
		if c.Request().Header.Get("x-token") == "" {
			return true
		}
		return false
	},
	ContextKey:  "token",
	SigningKey:  []byte(conf.Auth.Key),
	TokenLookup: "header:x-token",
	ErrorHandler: func(c echo.Context, err error) error {
		log.Println("jwt query decode error", err.Error())
		return rest.SendError(c, http.StatusUnauthorized, errs.ErrInvalidSession)
	},
	NewClaimsFunc: func(c echo.Context) jwt.Claims {
		return new(jwt.RegisteredClaims)
	},
})

// here the extraction of the token from the echo context
func extractClaim(c echo.Context) *jwt.RegisteredClaims {
	i := c.Get("token")
	if i == nil {
		// THIS IS ALWAYS NULL!
		log.Println("token key is null")
		return nil
	}
	token := i.(*jwt.Token)
	if token == nil {
		log.Println("cannot cast token key to jwt.Token")
		return nil
	}
	...
}

// middleware to extract the token
func extractTokenMiddleware(next echo.HandlerFunc) echo.HandlerFunc {
	return func(c echo.Context) error {
		claims := extractClaim(c)
		if claims == nil {
			return next(c)
		}
		userId := claims.Subject
		if userId == "" {
			return next(c)
		}
		user, err := db.Users.Get(userId)
		if err != nil {
			return rest.SendError(c, http.StatusInternalServerError, errs.ErrGeneric)
		}
		c.Set("userData", user)
		return next(c)
	}
}
...
service := echo.New()
...
apiGroup := service.Group("/api", jwtHeaderMiddleware, extractTokenMiddleware)
...
```
The problem seems to be the missing synchronization between the middleware functions.
I was expecting that `extractTokenMiddleware` is called after `jwtHeaderMiddleware` but, in your library, the call of `c.Set(config.ContextKey, token)` is done after the `extractTokenMiddleware` (so far that is what I've seen from debugging).

At my company, we have our own authorization server which signs tokens using private/public RSA keys. We therefore would like to use tracing when having to fetch public keys for validating tokens on one of our resource servers.
Therefore, it would be great to pass the context into the KeyFunc, as this would allow us to use tracing.
Right now, we are just using ParseTokenFunc which gets the context, and then we do our key lookup with tracing.
I can make a PR if you would like this change to be implemented :)

I think we can remove this line:
Line 98 in 2fe4a09
The `net/http/header.go` already converts this for us:
```go
// Values returns all values associated with the given key.
// It is case insensitive; textproto.CanonicalMIMEHeaderKey is
// used to canonicalize the provided key. To use non-canonical
// keys, access the map directly.
// The returned slice is not a copy.
func (h Header) Values(key string) []string {
	return textproto.MIMEHeader(h).Values(key)
}
```