pye/auth/jwt.go

package auth

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"log/slog"
	"net/http"
	"os"
	"time"

	"git.a71.su/Andrew71/pye/config"
	"git.a71.su/Andrew71/pye/storage"
	"github.com/golang-jwt/jwt/v5"
)

var key *rsa.PrivateKey

// LoadKey attempts to load a private RS256 key from file.
// If the file does not exist, it generates a new key (and saves it)
func MustLoadKey() {
	// If the key doesn't exist, create it
	if _, err := os.Stat(config.Cfg.KeyFile); errors.Is(err, os.ErrNotExist) {
		key, err = rsa.GenerateKey(rand.Reader, 4096)
		if err != nil {
			slog.Error("error generating key", "error", err)
			os.Exit(1)
		}

		// Save key to disk
		km := x509.MarshalPKCS1PrivateKey(key)
		block := pem.Block{Bytes: km, Type: "RSA PRIVATE KEY"}
		f, err := os.OpenFile(config.Cfg.KeyFile, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644)
		if err != nil {
			slog.Error("error opening/creating file", "error", err)
			os.Exit(1)
		}
		f.Write(pem.EncodeToMemory(&block))
		if err := f.Close(); err != nil {
			slog.Error("error closing file", "error", err)
			os.Exit(1)
		}
		slog.Debug("generated new key", "file", config.Cfg.KeyFile)
	} else {
		km, err := os.ReadFile(config.Cfg.KeyFile)
		if err != nil {
			slog.Error("error reading key", "error", err)
			os.Exit(1)
		}
		key, err = jwt.ParseRSAPrivateKeyFromPEM(km)
		if err != nil {
			slog.Error("error parsing key", "error", err)
			os.Exit(1)
		}
		slog.Debug("loaded private key", "file", config.Cfg.KeyFile)
	}
}

// ServePublicKey returns our public key as PEM block over HTTP
func ServePublicKey(w http.ResponseWriter, r *http.Request) {
	key_marshalled := x509.MarshalPKCS1PublicKey(&key.PublicKey)
	block := pem.Block{Bytes: key_marshalled, Type: "RSA PUBLIC KEY"}
	pem.Encode(w, &block)
}

// Create creates a JSON Web Token that expires after a week
func Create(user storage.User) (token string, err error) {
	t := jwt.NewWithClaims(jwt.SigningMethodRS256,
		jwt.MapClaims{
			"iss": "pye",
			"uid": user.Uuid,
			"sub": user.Email,
			"iat": time.Now().Unix(),
			"exp": time.Now().Add(time.Hour * 24 * 7).Unix(),
		})
	token, err = t.SignedString(key)
	if err != nil {
		slog.Error("error creating JWT", "error", err)
		return "", err
	}
	return
}

// Verify receives a JWT and PEM-encoded public key,
// then returns whether the token is valid
func Verify(token string, publicKey []byte) (*jwt.Token, error) {
	t, err := jwt.Parse(token, func(token *jwt.Token) (interface{}, error) {
		key, err := jwt.ParseRSAPublicKeyFromPEM(publicKey)
		if err != nil {
			return nil, err
		}
		if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
			return nil, err
		}
		return key, nil
	})
	return t, err
}

// VerifyLocal calls Verify with public key set to current local one
func VerifyLocal(token string) (*jwt.Token, error) {
	key_marshalled := x509.MarshalPKCS1PublicKey(&key.PublicKey)
	block := pem.Block{Bytes: key_marshalled, Type: "RSA PUBLIC KEY"}
	return Verify(token, pem.EncodeToMemory(&block))
}
Refactor everything 2024-10-12 21:45:00 +03:00			`package auth`
Add encryption experiments 2024-10-11 23:57:57 +03:00
			`import (`
			`"crypto/rand"`
Move to RSA and add verification 2024-10-12 16:59:47 +03:00			`"crypto/rsa"`
Add encryption experiments 2024-10-11 23:57:57 +03:00			`"crypto/x509"`
Implement basic API 2024-10-12 09:55:58 +03:00			`"encoding/pem"`
			`"errors"`
Add encryption experiments 2024-10-11 23:57:57 +03:00			`"log/slog"`
Implement basic API 2024-10-12 09:55:58 +03:00			`"net/http"`
			`"os"`
Add working JWT tokens 2024-10-12 10:22:05 +03:00			`"time"`
Add encryption experiments 2024-10-11 23:57:57 +03:00
Refactor everything 2024-10-12 21:45:00 +03:00			`"git.a71.su/Andrew71/pye/config"`
			`"git.a71.su/Andrew71/pye/storage"`
Implement basic API 2024-10-12 09:55:58 +03:00			`"github.com/golang-jwt/jwt/v5"`
Add encryption experiments 2024-10-11 23:57:57 +03:00			`)`

Add subcommand to find a user 2024-10-13 14:49:41 +03:00			`var key *rsa.PrivateKey`
Implement basic API 2024-10-12 09:55:58 +03:00
Adjust variable naming 2024-10-13 17:18:53 +03:00			`// LoadKey attempts to load a private RS256 key from file.`
Implement basic API 2024-10-12 09:55:58 +03:00			`// If the file does not exist, it generates a new key (and saves it)`
Refactor database to separate package 2024-10-12 20:41:30 +03:00			`func MustLoadKey() {`
Implement basic API 2024-10-12 09:55:58 +03:00			`// If the key doesn't exist, create it`
Refactor everything 2024-10-12 21:45:00 +03:00			`if _, err := os.Stat(config.Cfg.KeyFile); errors.Is(err, os.ErrNotExist) {`
Move to RSA and add verification 2024-10-12 16:59:47 +03:00			`key, err = rsa.GenerateKey(rand.Reader, 4096)`
Implement basic API 2024-10-12 09:55:58 +03:00			`if err != nil {`
			`slog.Error("error generating key", "error", err)`
			`os.Exit(1)`
			`}`
Move to RSA and add verification 2024-10-12 16:59:47 +03:00
			`// Save key to disk`
			`km := x509.MarshalPKCS1PrivateKey(key)`
			`block := pem.Block{Bytes: km, Type: "RSA PRIVATE KEY"}`
Refactor everything 2024-10-12 21:45:00 +03:00			`f, err := os.OpenFile(config.Cfg.KeyFile, os.O_CREATE\|os.O_WRONLY\|os.O_TRUNC, 0644)`
Implement basic API 2024-10-12 09:55:58 +03:00			`if err != nil {`
Move to RSA and add verification 2024-10-12 16:59:47 +03:00			`slog.Error("error opening/creating file", "error", err)`
			`os.Exit(1)`
			`}`
			`f.Write(pem.EncodeToMemory(&block))`
			`if err := f.Close(); err != nil {`
			`slog.Error("error closing file", "error", err)`
Implement basic API 2024-10-12 09:55:58 +03:00			`os.Exit(1)`
			`}`
Improve initial loading 2024-10-13 16:38:13 +03:00			`slog.Debug("generated new key", "file", config.Cfg.KeyFile)`
Implement basic API 2024-10-12 09:55:58 +03:00			`} else {`
Refactor everything 2024-10-12 21:45:00 +03:00			`km, err := os.ReadFile(config.Cfg.KeyFile)`
Implement basic API 2024-10-12 09:55:58 +03:00			`if err != nil {`
			`slog.Error("error reading key", "error", err)`
			`os.Exit(1)`
			`}`
Move to RSA and add verification 2024-10-12 16:59:47 +03:00			`key, err = jwt.ParseRSAPrivateKeyFromPEM(km)`
Implement basic API 2024-10-12 09:55:58 +03:00			`if err != nil {`
			`slog.Error("error parsing key", "error", err)`
			`os.Exit(1)`
			`}`
Improve initial loading 2024-10-13 16:38:13 +03:00			`slog.Debug("loaded private key", "file", config.Cfg.KeyFile)`
Implement basic API 2024-10-12 09:55:58 +03:00			`}`
			`}`

Adjust variable naming 2024-10-13 17:18:53 +03:00			`// ServePublicKey returns our public key as PEM block over HTTP`
			`func ServePublicKey(w http.ResponseWriter, r *http.Request) {`
Move to RSA and add verification 2024-10-12 16:59:47 +03:00			`key_marshalled := x509.MarshalPKCS1PublicKey(&key.PublicKey)`
			`block := pem.Block{Bytes: key_marshalled, Type: "RSA PUBLIC KEY"}`
Implement basic API 2024-10-12 09:55:58 +03:00			`pem.Encode(w, &block)`
Add encryption experiments 2024-10-11 23:57:57 +03:00			`}`

Adjust variable naming 2024-10-13 17:18:53 +03:00			`// Create creates a JSON Web Token that expires after a week`
			`func Create(user storage.User) (token string, err error) {`
Move to RSA and add verification 2024-10-12 16:59:47 +03:00			`t := jwt.NewWithClaims(jwt.SigningMethodRS256,`
Implement basic API 2024-10-12 09:55:58 +03:00			`jwt.MapClaims{`
			`"iss": "pye",`
Refactor everything 2024-10-12 21:45:00 +03:00			`"uid": user.Uuid,`
			`"sub": user.Email,`
Move to RSA and add verification 2024-10-12 16:59:47 +03:00			`"iat": time.Now().Unix(),`
			`"exp": time.Now().Add(time.Hour * 24 * 7).Unix(),`
Implement basic API 2024-10-12 09:55:58 +03:00			`})`
Adjust variable naming 2024-10-13 17:18:53 +03:00			`token, err = t.SignedString(key)`
Implement basic API 2024-10-12 09:55:58 +03:00			`if err != nil {`
Move to RSA and add verification 2024-10-12 16:59:47 +03:00			`slog.Error("error creating JWT", "error", err)`
Implement basic API 2024-10-12 09:55:58 +03:00			`return "", err`
			`}`
Adjust variable naming 2024-10-13 17:18:53 +03:00			`return`
Implement basic API 2024-10-12 09:55:58 +03:00			`}`
Move to RSA and add verification 2024-10-12 16:59:47 +03:00
Adjust variable naming 2024-10-13 17:18:53 +03:00			`// Verify receives a JWT and PEM-encoded public key,`
Move to RSA and add verification 2024-10-12 16:59:47 +03:00			`// then returns whether the token is valid`
Adjust variable naming 2024-10-13 17:18:53 +03:00			`func Verify(token string, publicKey []byte) (*jwt.Token, error) {`
Refactor everything 2024-10-12 21:45:00 +03:00			`t, err := jwt.Parse(token, func(token *jwt.Token) (interface{}, error) {`
Move to RSA and add verification 2024-10-12 16:59:47 +03:00			`key, err := jwt.ParseRSAPublicKeyFromPEM(publicKey)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {`
			`return nil, err`
			`}`
			`return key, nil`
			`})`
Refactor everything 2024-10-12 21:45:00 +03:00			`return t, err`
Move to RSA and add verification 2024-10-12 16:59:47 +03:00			`}`
Move to Cobra for CLI 2024-10-13 16:16:19 +03:00
Adjust variable naming 2024-10-13 17:18:53 +03:00			`// VerifyLocal calls Verify with public key set to current local one`
			`func VerifyLocal(token string) (*jwt.Token, error) {`
Move to Cobra for CLI 2024-10-13 16:16:19 +03:00			`key_marshalled := x509.MarshalPKCS1PublicKey(&key.PublicKey)`
			`block := pem.Block{Bytes: key_marshalled, Type: "RSA PUBLIC KEY"}`
Adjust variable naming 2024-10-13 17:18:53 +03:00			`return Verify(token, pem.EncodeToMemory(&block))`
Improve initial loading 2024-10-13 16:38:13 +03:00			`}`