feat: add simple token refresh

Author: hunjixin

auth/auth_middleware.go

@@ -3,9 +3,12 @@ package auth
 import (
 	"context"
 	"errors"
+	"fmt"
 	"net/http"
 	"strings"
 
+	"github.com/golang-jwt/jwt/v5"
+
 	"github.com/getkin/kin-openapi/openapi3"
 	"github.com/getkin/kin-openapi/routers"
 	"github.com/getkin/kin-openapi/routers/legacy"
@@ -148,18 +151,26 @@ func checkSecurityRequirements(r *http.Request,
 
 func userByToken(ctx context.Context, secretStore crypt.SecretStore, userRepo models.IUserRepo, tokenString string) (*models.User, error) {
 	claims, err := VerifyToken(secretStore.SharedSecret(), tokenString)
-	// make sure no audience is set for login token
-	if err != nil || !claims.VerifyAudience(LoginAudience, false) {
+	if err != nil {
 		return nil, ErrAuthenticatingRequest
 	}
+	// make sure no audience is set for login token
+	validator := jwt.NewValidator(jwt.WithAudience(LoginAudience))
 
-	username := claims.Subject
+	if err = validator.Validate(claims); err != nil {
+		return nil, fmt.Errorf("invalid token: %s %w", err, ErrAuthenticatingRequest)
+	}
+
+	username, err := claims.GetSubject()
+	if err != nil {
+		return nil, err
+	}
 	userData, err := userRepo.Get(ctx, models.NewGetUserParams().SetName(username))
 	if err != nil {
 		log.With(
-			"token_id", claims.Id,
+			"token", tokenString,
 			"username", username,
-			"subject", claims.Subject,
+			"subject", username,
 		).Debugf("could not find user id by credentials %v", err)
 		return nil, ErrAuthenticatingRequest
 	}

auth/jwt_login.go

@@ -3,7 +3,7 @@ package auth
 import (
 	"time"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/google/uuid"
 )
 
@@ -22,6 +22,7 @@ func GenerateJWTLogin(secret []byte, userID string, issuedAt, expiresAt time.Tim
 		"iat": issuedAt.Unix(),
 		"exp": expiresAt.Unix(),
 	}
+
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 	return token.SignedString(secret)
 }

auth/token.go

@@ -4,15 +4,15 @@ import (
 	"errors"
 	"fmt"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 )
 
 var (
 	ErrUnexpectedSigningMethod = errors.New("unexpected signing method")
 )
 
-func VerifyToken(secret []byte, tokenString string) (*jwt.StandardClaims, error) {
-	claims := &jwt.StandardClaims{}
+func VerifyToken(secret []byte, tokenString string) (jwt.Claims, error) {
+	claims := &jwt.MapClaims{}
 	token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) {
 		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
 			return nil, fmt.Errorf("%w: %s", ErrUnexpectedSigningMethod, token.Header["alg"])
@@ -22,5 +22,6 @@ func VerifyToken(secret []byte, tokenString string) (*jwt.StandardClaims, error)
 	if err != nil || !token.Valid {
 		return nil, ErrInvalidToken
 	}
+
 	return claims, nil
 }

go.mod

@@ -25,7 +25,7 @@ require (
 	github.com/go-chi/chi/v5 v5.0.10
 	github.com/go-openapi/swag v0.22.4
 	github.com/go-test/deep v1.1.0
-	github.com/golang-jwt/jwt v3.2.2+incompatible
+	github.com/golang-jwt/jwt/v5 v5.2.0
 	github.com/google/go-cmp v0.6.0
 	github.com/google/uuid v1.4.0
 	github.com/gorilla/sessions v1.2.2
@@ -103,7 +103,6 @@ require (
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-sql-driver/mysql v1.7.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect

go.sum

@@ -191,10 +191,8 @@ github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg=
 github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
-github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
-github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
-github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw=
+github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=