jwt custom authentication

Author: zhufuyi

internal/handler/userExample_test.go

@@ -329,8 +329,7 @@ func Test_userExampleHandler_ListByIDs(t *testing.T) {
 	}
 
 	// zero id error test
-	err = gohttp.Post(result, h.GetRequestURL("ListByIDs"), nil)
-	assert.NoError(t, err)
+	_ = gohttp.Post(result, h.GetRequestURL("ListByIDs"), nil)
 
 	// get error test
 	err = gohttp.Post(result, h.GetRequestURL("ListByIDs"), &types.ListUserExamplesByIDsRequest{IDs: []uint64{111}})

internal/routers/routers.go

@@ -51,7 +51,7 @@ func NewRouter() *gin.Engine {
 	jwt.Init(
 	//jwt.WithExpire(time.Hour*24),
 	//jwt.WithSigningKey("123456"),
-	//jwt.WithSigningMethod(jwt.SigningMethodHS384),
+	//jwt.WithSigningMethod(jwt.HS384),
 	)
 
 	// metrics middleware

internal/routers/routers_pbExample.go

@@ -51,7 +51,7 @@ func NewRouter_pbExample() *gin.Engine { //nolint
 	jwt.Init(
 	//jwt.WithExpire(time.Hour*24),
 	//jwt.WithSigningKey("123456"),
-	//jwt.WithSigningMethod(jwt.SigningMethodHS384),
+	//jwt.WithSigningMethod(jwt.HS384),
 	)
 
 	// metrics middleware

internal/routers/userExample.go

@@ -13,6 +13,7 @@ func init() {
 }
 
 func userExampleRouter(group *gin.RouterGroup, h handler.UserExampleHandler) {
+	//group.Use(middleware.Auth()) // all of the following routes use jwt authentication
 	group.POST("/userExample", h.Create)
 	group.DELETE("/userExample/:id", h.DeleteByID)
 	group.POST("/userExample/delete/ids", h.DeleteByIDs)

pkg/gin/middleware/README.md

@@ -70,9 +70,78 @@ Adaptive flow limitation based on hardware resources.
 
 ### jwt authorization middleware
 
+#### common authorization
+
+```go
+import "github.com/zhufuyi/sponge/pkg/jwt"
+
+func main() {
+    r := gin.Default()
+
+    r.POST("/user/login", Login)
+    r.GET("/user/:id", middleware.Auth(), h.GetByID)
+	// r.GET("/user/:id", middleware.Auth(middleware.WithVerify(verify)), userFun) // with verify
+
+    r.Run(serverAddr)
+}
+
+func verify(claims *jwt.Claims) error {
+    if claims.UID != "123" || claims.Role != "admin" {
+        return errors.New("verify failed")
+    }
+    return nil
+}
+
+func Login(c *gin.Context) {
+	// login success
+
+	// generate token
+	token, err := jwt.GenerateToken("123", "admin")
+    // handle err
+}
+```
+<br>
+
+#### custom authorization
+
 ```go
+import "github.com/zhufuyi/sponge/pkg/jwt"
+
+func main() {
     r := gin.Default()
-    r.GET("/user/:id", middleware.JWT(), userFun)
+
+	r.POST("/user/login", Login)
+	r.GET("/user/:id", middleware.AuthCustom(verifyCustom), userFun)
+
+    r.Run(serverAddr)
+}
+
+func verifyCustom(claims *jwt.CustomClaims) error {
+	err := errors.New("verify failed")
+
+	id, exist := claims.Get("id")
+	if !exist {
+		return err
+	}
+	foo, exist := claims.Get("foo")
+	if !exist {
+		return err
+	}
+	if int(id.(float64)) != fields["id"].(int) || foo.(string) != fields["foo"].(string) {
+		return err
+	}
+
+	return nil
+}
+
+func Login(c *gin.Context) {
+    // login success
+
+	// generate token
+	fields := jwt.KV{"id": 123, "foo": "bar"}
+	token, err := jwt.GenerateCustomToken(fields)
+    // handle err
+}
 ```
 <br>
 

pkg/gin/middleware/auth.go

@@ -15,57 +15,125 @@ const (
 	HeaderAuthorizationKey = "Authorization"
 )
 
+type jwtOptions struct {
+	isSwitchHTTPCode bool
+	verify           VerifyFn // verify function, only use in Auth
+}
+
+// JwtOption set the jwt options.
+type JwtOption func(*jwtOptions)
+
+func (o *jwtOptions) apply(opts ...JwtOption) {
+	for _, opt := range opts {
+		opt(o)
+	}
+}
+
+func defaultJwtOptions() *jwtOptions {
+	return &jwtOptions{
+		isSwitchHTTPCode: false,
+		verify:           nil,
+	}
+}
+
+// WithSwitchHTTPCode switch to http code
+func WithSwitchHTTPCode() JwtOption {
+	return func(o *jwtOptions) {
+		o.isSwitchHTTPCode = true
+	}
+}
+
+// WithVerify set verify function
+func WithVerify(verify VerifyFn) JwtOption {
+	return func(o *jwtOptions) {
+		o.verify = verify
+	}
+}
+
+func responseUnauthorized(c *gin.Context, isSwitchHTTPCode bool) {
+	if isSwitchHTTPCode {
+		response.Out(c, errcode.Unauthorized)
+	} else {
+		response.Error(c, errcode.Unauthorized)
+	}
+}
+
+// -------------------------------------------------------------------------------------------
+
+// VerifyFn verify function
+type VerifyFn func(claims *jwt.Claims) error
+
 // Auth authorization
-func Auth() gin.HandlerFunc {
+func Auth(opts ...JwtOption) gin.HandlerFunc {
+	o := defaultJwtOptions()
+	o.apply(opts...)
+
 	return func(c *gin.Context) {
 		authorization := c.GetHeader(HeaderAuthorizationKey)
-		if len(authorization) < 20 {
-			logger.Warn("authorization is illegal", logger.String(HeaderAuthorizationKey, authorization))
-			response.Error(c, errcode.Unauthorized)
+		if len(authorization) < 150 {
+			logger.Warn("authorization is illegal")
+			responseUnauthorized(c, o.isSwitchHTTPCode)
 			c.Abort()
 			return
 		}
-		token := authorization[7:] // remove Bearer prefix
-		claims, err := jwt.VerifyToken(token)
+
+		claims, err := jwt.ParseToken(authorization[7:]) // token=authorization[7:], remove Bearer prefix
 		if err != nil {
-			logger.Warn("VerifyToken error", logger.Err(err))
-			response.Error(c, errcode.Unauthorized)
+			logger.Warn("ParseToken error", logger.Err(err))
+			responseUnauthorized(c, o.isSwitchHTTPCode)
 			c.Abort()
 			return
 		}
-		c.Set("uid", claims.UID)
+
+		if o.verify != nil {
+			if err = o.verify(claims); err != nil {
+				logger.Warn("verify error", logger.Err(err), logger.String("uid", claims.UID), logger.String("role", claims.Role))
+				responseUnauthorized(c, o.isSwitchHTTPCode)
+				c.Abort()
+				return
+			}
+		} else {
+			c.Set("uid", claims.UID)
+			c.Set("role", claims.Role)
+		}
 
 		c.Next()
 	}
 }
 
-// AuthAdmin admin authentication
-func AuthAdmin() gin.HandlerFunc {
+// -------------------------------------------------------------------------------------------
+
+// VerifyCustomFn verify custom function
+type VerifyCustomFn func(claims *jwt.CustomClaims) error
+
+// AuthCustom custom authentication
+func AuthCustom(verify VerifyCustomFn, opts ...JwtOption) gin.HandlerFunc {
+	o := defaultJwtOptions()
+	o.apply(opts...)
+
 	return func(c *gin.Context) {
 		authorization := c.GetHeader(HeaderAuthorizationKey)
-		if len(authorization) < 20 {
-			logger.Warn("authorization is illegal", logger.String(HeaderAuthorizationKey, authorization))
-			response.Error(c, errcode.Unauthorized)
+		if len(authorization) < 150 {
+			logger.Warn("authorization is illegal")
+			responseUnauthorized(c, o.isSwitchHTTPCode)
 			c.Abort()
 			return
 		}
-		token := authorization[7:] // remove Bearer prefix
-		claims, err := jwt.VerifyToken(token)
+
+		claims, err := jwt.ParseCustomToken(authorization[7:]) // token=authorization[7:], remove Bearer prefix
 		if err != nil {
-			logger.Warn("VerifyToken error", logger.Err(err))
-			response.Error(c, errcode.Unauthorized)
+			logger.Warn("ParseToken error", logger.Err(err))
+			responseUnauthorized(c, o.isSwitchHTTPCode)
 			c.Abort()
 			return
 		}
 
-		// determine if it is an administrator
-		if claims.Role != "admin" {
-			logger.Warn("prohibition of access", logger.String("uid", claims.UID), logger.String("role", claims.Role))
-			response.Error(c, errcode.Forbidden)
+		if err = verify(claims); err != nil {
+			logger.Warn("verify error", logger.Err(err), logger.Any("fields", claims.Fields))
+			responseUnauthorized(c, o.isSwitchHTTPCode)
 			c.Abort()
 			return
 		}
-		c.Set("uid", claims.UID)
 
 		c.Next()
 	}