-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathauth.go
More file actions
97 lines (81 loc) · 2.57 KB
/
auth.go
File metadata and controls
97 lines (81 loc) · 2.57 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
package main
import (
"crypto/ed25519"
"encoding/base64"
"encoding/json"
"errors"
"fmt"
"strings"
"time"
)
type Auth struct{}
func NewAuth() *Auth {
return &Auth{}
}
// Claims represents JWT payload for Bind sessions.
type Claims struct {
RoomID string `json:"room_id"`
PeerID string `json:"peer_id"`
Role string `json:"role"` // "host" or "guest"
Name string `json:"name"`
CreatedAt int64 `json:"iat"`
ExpiresAt int64 `json:"exp"`
}
// jwtHeader is the fixed header for Ed25519-signed JWTs.
var jwtHeaderB64 = base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`))
// ValidateJWT verifies a JWT signed with Ed25519 against the provided public key.
func (a *Auth) ValidateJWT(tokenStr string, pubKey []byte) (*Claims, error) {
parts := strings.Split(tokenStr, ".")
if len(parts) != 3 {
return nil, errors.New("malformed JWT")
}
// Verify header
if parts[0] != jwtHeaderB64 {
return nil, errors.New("unsupported JWT algorithm")
}
// Verify signature
signingInput := parts[0] + "." + parts[1]
sig, err := base64.RawURLEncoding.DecodeString(parts[2])
if err != nil {
return nil, fmt.Errorf("invalid signature encoding: %w", err)
}
if len(pubKey) != ed25519.PublicKeySize {
return nil, errors.New("invalid public key size")
}
if !ed25519.Verify(ed25519.PublicKey(pubKey), []byte(signingInput), sig) {
return nil, errors.New("invalid signature")
}
// Decode claims
claimsJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
if err != nil {
return nil, fmt.Errorf("invalid claims encoding: %w", err)
}
var claims Claims
if err := json.Unmarshal(claimsJSON, &claims); err != nil {
return nil, fmt.Errorf("invalid claims JSON: %w", err)
}
// Check expiry
if claims.ExpiresAt > 0 && time.Now().Unix() > claims.ExpiresAt {
return nil, errors.New("token expired")
}
// Validate required fields
if claims.RoomID == "" {
return nil, errors.New("missing room_id")
}
if claims.PeerID == "" {
return nil, errors.New("missing peer_id")
}
if claims.Role != "host" && claims.Role != "guest" {
return nil, errors.New("invalid role")
}
return &claims, nil
}
// SignJWT creates a JWT signed with Ed25519 (used by clients, not relay).
// Included here for testing convenience.
func SignJWT(claims *Claims, privateKey ed25519.PrivateKey) string {
claimsJSON, _ := json.Marshal(claims)
payloadB64 := base64.RawURLEncoding.EncodeToString(claimsJSON)
signingInput := jwtHeaderB64 + "." + payloadB64
sig := ed25519.Sign(privateKey, []byte(signingInput))
return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig)
}