
feat: support multiple extract token key #4328

Open

wants to merge 4 commits into master
Conversation

ch3nnn
Contributor

@ch3nnn ch3nnn commented Aug 23, 2024

Implement support for multiple custom token keys and simplify the JWT authentication configuration. The WithTokenLookups function enables setting token keys, improving the authentication process by accommodating various token header extraction strategies.

example:

jwt-api.api

syntax = "v1"


type Request {
	Name string `path:"name,options=you|me"`
}

type Response {
	Message string `json:"message"`
}

type FormExampleReq {
	Name string `form:"name,options=you|me"`
}

@server(
	jwt: Auth
	jwtTransition: Trans
)
service A-api {
	@handler GreetHandler
	get /greet/from/:name(Request) returns (Response)

	@handler FormExample
	post /form/example (FormExampleReq) returns (Response)
}

a-api.yaml

Name: A-api
Host: 0.0.0.0
Port: 8888

Auth:
  AccessSecret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  AccessExpire: 604800
  TokenLookup:
    - "header:Token"
    - "query:Token"
    - "form:Token"
Trans:
  Secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  PrevSecret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  TokenLookup:
    - "header:Token"
    - "query:Token"
    - "form:Token"

TokenLookup extracts a JWT from a custom request header, a POST form field, or GET URL arguments.


codecov bot commented Aug 23, 2024

Codecov Report

Attention: Patch coverage is 95.55556% with 2 lines in your changes missing coverage. Please review.

Project coverage is 95.01%. Comparing base (8690859) to head (3e19023).
Report is 153 commits behind head on master.

Files with missing lines      Patch %   Lines
rest/token/tokenparser.go     90.90%    1 Missing and 1 partial ⚠️

Additional details and impacted files

Files with missing lines      Coverage Δ
rest/engine.go                100.00% <100.00%> (ø)
rest/handler/authhandler.go   87.75% <100.00%> (+2.84%) ⬆️
rest/server.go                97.43% <100.00%> (+0.90%) ⬆️
rest/token/tokenparser.go     92.40% <90.90%> (+0.62%) ⬆️

... and 253 files with indirect coverage changes

@kevwan
Contributor

kevwan commented Aug 27, 2024

Would you please give some examples on how to use different token keys? For example, how to request the API with curl.

@ch3nnn
Contributor Author

ch3nnn commented Aug 27, 2024

According to the a-api.yaml configuration file, the Auth.TokenLookup field is optional.

The TokenLookup entries are attempted in sequence until a match is found; if no match occurs, the default Bearer auth request header is used.

example:

  • url arguments

    curl --request GET \
      --url 'http://127.0.0.1:8888/greet/from/me?Token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MjQ3NjUwMjR9.OvLg2ook9yVdBseQYkMO5wmdokYNGuaDMSa1dNkSeo8' \
      --header 'content-type: application/json'
  • post form

    curl --request POST \
      --url http://localhost:8888/form/example \
      --header 'content-type: multipart/form-data' \
      --form Token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MjQ3NjUwMjR9.OvLg2ook9yVdBseQYkMO5wmdokYNGuaDMSa1dNkSeo8 \
      --form name=me
  • custom request header

    curl --request GET \
      --url http://127.0.0.1:8888/greet/from/me \
      --header 'content-type: application/json' \
      --header 'Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MjQ3NjUwMjR9.OvLg2ook9yVdBseQYkMO5wmdokYNGuaDMSa1dNkSeo8'

If the setting TokenLookup is not provided, the default Bearer authorization request header will be used.

curl --request GET \
  --url http://127.0.0.1:8888/greet/from/me \
  --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MjQ3NjUwMjR9.OvLg2ook9yVdBseQYkMO5wmdokYNGuaDMSa1dNkSeo8' \
  --header 'content-type: application/json'
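The lookup order described above (try each configured `source:key` in sequence, then fall back to the standard `Authorization: Bearer` header) written out as an added, self-contained Go example; this is not go-zero's own implementation, and `ExtractToken` and `ErrNoToken` are hypothetical names:

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// ErrNoToken is returned when no lookup matches and no Bearer header is present.
var ErrNoToken = errors.New("no token found in request")

// ExtractToken tries each "source:key" lookup (header, query or form) in order and
// returns the first non-empty value; when none matches, or none is configured, it
// falls back to "Authorization: Bearer <token>". Hypothetical helper, not go-zero's code.
func ExtractToken(r *http.Request, lookups []string) (string, error) {
	for _, lookup := range lookups {
		source, key, ok := strings.Cut(lookup, ":")
		if !ok || key == "" {
			return "", fmt.Errorf("invalid token lookup %q, want source:key", lookup)
		}
		var tok string
		switch strings.ToLower(source) {
		case "header":
			tok = r.Header.Get(key)
		case "query":
			// Tokens carried in the URL also land in access logs and Referer headers.
			tok = r.URL.Query().Get(key)
		case "form":
			tok = r.PostFormValue(key) // parses urlencoded or multipart body on demand
		default:
			return "", fmt.Errorf("unknown token source %q in %q", source, lookup)
		}
		if tok != "" {
			return tok, nil
		}
	}
	// Default scheme: RFC 6750 Bearer token in the Authorization header.
	if auth := r.Header.Get("Authorization"); len(auth) > 7 && strings.EqualFold(auth[:7], "Bearer ") {
		return strings.TrimSpace(auth[7:]), nil
	}
	return "", ErrNoToken
}

func main() {
	// Constructed request mirroring the "query:Token" curl example in the thread.
	req, _ := http.NewRequest("GET", "http://127.0.0.1:8888/greet/from/me?Token=t.query", nil)
	tok, err := ExtractToken(req, []string{"header:Token", "query:Token", "form:Token"})
	fmt.Println(tok, err)
}
```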

Implement support for multiple custom token keys and simplify the JWT authentication configuration.
The `WithTokenKeys` function enables setting token keys, improving the authentication process by accommodating various token header extraction strategies.
@kevwan
Contributor

kevwan commented Aug 27, 2024

Bearer is the standard schema, is there any official spec that talks about Bearer replacement?

Extracting JWT from different request sources (headers, query params, form data) is now
configurable via `TokenLookup`.
@ch3nnn
Contributor Author

ch3nnn commented Aug 29, 2024

I looked up https://golang-jwt.github.io/jwt/#jwt-and-oauth-20, which mentions a point:

A JWT token is simply a signed JSON object. It can be used anywhere such a thing is useful.

This feature is also supported in other frameworks/libraries.

@kevwan kevwan self-assigned this Aug 29, 2024
@kevwan kevwan self-requested a review August 29, 2024 14:09