Pierre/sogoms
1
0
Fork 0
Code Pull Requests Actions Packages Projects Releases Activity
Files
7e27f87d6f467f167d3c1c01013647c3c2ed7bbe
sogoms/internal/auth/jwt.go
Pierre 7e27f87d6f Initial commit - SOGOMS v1.0.0 
- sogoctl: supervisor avec health checks et restart auto
- sogoway: gateway HTTP, auth JWT, routing par hostname
- sogoms-db: microservice MariaDB avec pool par application
- Protocol IPC Unix socket JSON length-prefixed
- Config YAML multi-application (prokov)
- Deploy script pour container Alpine gw3

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-15 19:09:00 +01:00

137 lines
3.2 KiB
Go
Raw Blame History

// Package auth gère l'authentification JWT et les mots de passe.
package auth
import (
"crypto/hmac"
"crypto/sha256"
"encoding/base64"
"encoding/json"
"errors"
"fmt"
"strings"
"time"
)
var (
ErrInvalidToken = errors.New("invalid token")
ErrExpiredToken = errors.New("token expired")
)
// Claims représente les claims du JWT.
type Claims struct {
Sub int64 `json:"sub"` // User ID
Email string `json:"email"` // Email
Name string `json:"name"` // Nom
App string `json:"app"` // Application ID
Exp int64 `json:"exp"` // Expiration (Unix timestamp)
Iat int64 `json:"iat"` // Issued at
}
// JWT gère la génération et validation des tokens.
type JWT struct {
secret []byte
expiration time.Duration
}
// NewJWT crée un nouveau gestionnaire JWT.
func NewJWT(secret string, expiration time.Duration) *JWT {
return &JWT{
secret: []byte(secret),
expiration: expiration,
}
}
// Generate génère un nouveau token JWT.
func (j *JWT) Generate(userID int64, email, name, appID string) (string, error) {
now := time.Now()
claims := Claims{
Sub: userID,
Email: email,
Name: name,
App: appID,
Iat: now.Unix(),
Exp: now.Add(j.expiration).Unix(),
}
return j.encode(claims)
}
// Validate valide un token et retourne les claims.
func (j *JWT) Validate(token string) (*Claims, error) {
parts := strings.Split(token, ".")
if len(parts) != 3 {
return nil, ErrInvalidToken
}
// Vérifier la signature
signatureInput := parts[0] + "." + parts[1]
expectedSig := j.sign(signatureInput)
if parts[2] != expectedSig {
return nil, ErrInvalidToken
}
// Décoder les claims
claimsJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
if err != nil {
return nil, ErrInvalidToken
}
var claims Claims
if err := json.Unmarshal(claimsJSON, &claims); err != nil {
return nil, ErrInvalidToken
}
// Vérifier l'expiration
if time.Now().Unix() > claims.Exp {
return nil, ErrExpiredToken
}
return &claims, nil
}
// encode encode les claims en JWT.
func (j *JWT) encode(claims Claims) (string, error) {
// Header
header := map[string]string{
"alg": "HS256",
"typ": "JWT",
}
headerJSON, _ := json.Marshal(header)
headerB64 := base64.RawURLEncoding.EncodeToString(headerJSON)
// Payload
claimsJSON, err := json.Marshal(claims)
if err != nil {
return "", err
}
claimsB64 := base64.RawURLEncoding.EncodeToString(claimsJSON)
// Signature
signatureInput := headerB64 + "." + claimsB64
signature := j.sign(signatureInput)
return signatureInput + "." + signature, nil
}
// sign signe les données avec HMAC-SHA256.
func (j *JWT) sign(data string) string {
h := hmac.New(sha256.New, j.secret)
h.Write([]byte(data))
return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
}
// ExtractToken extrait le token du header Authorization.
func ExtractToken(authHeader string) (string, error) {
if authHeader == "" {
return "", fmt.Errorf("missing authorization header")
}
parts := strings.SplitN(authHeader, " ", 2)
if len(parts) != 2 || strings.ToLower(parts[0]) != "bearer" {
return "", fmt.Errorf("invalid authorization header format")
}
return parts[1], nil
}
View Git Blame Copy Permalink