MCPcopy Index your code
hub / github.com/bytebase/bytebase / GetUserEmailFromMFATempToken

Function GetUserEmailFromMFATempToken

backend/api/auth/auth.go:297–317  ·  view source on GitHub ↗

GetUserEmailFromMFATempToken returns the user email from the MFA temp token.

(token string, secret string)

Source from the content-addressed store, hash-verified

295
296// GetUserEmailFromMFATempToken returns the user email from the MFA temp token.
297func GetUserEmailFromMFATempToken(token string, secret string) (string, error) {
298 claims := &claimsMessage{}
299 _, err := jwt.ParseWithClaims(token, claims, func(t *jwt.Token) (any, error) {
300 if t.Method.Alg() != jwt.SigningMethodHS256.Name {
301 return nil, connect.NewError(connect.CodeUnauthenticated, errs.Errorf("unexpected MFA temp token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256))
302 }
303 if kid, ok := t.Header["kid"].(string); ok {
304 if kid == "v1" {
305 return []byte(secret), nil
306 }
307 }
308 return nil, connect.NewError(connect.CodeUnauthenticated, errs.Errorf("unexpected MFA temp token kid=%v", t.Header["kid"]))
309 })
310 if err != nil {
311 return "", connect.NewError(connect.CodeUnauthenticated, errs.New("failed to parse claim"))
312 }
313 if !audienceContains(claims.Audience, MFATempTokenAudience) {
314 return "", connect.NewError(connect.CodeUnauthenticated, errs.New("invalid MFA temp token, audience mismatch"))
315 }
316 return claims.Subject, nil
317}
318
319// AuthenticateToken validates a JWT access token and returns the user and token expiry.
320// This is a non-ConnectRPC version that returns regular errors instead of ConnectRPC errors.

Callers 3

createAuditLogMethod · 0.92
completeMFALoginMethod · 0.92
SwitchWorkspaceMethod · 0.92

Calls 2

ErrorfMethod · 0.80
audienceContainsFunction · 0.70

Tested by

no test coverage detected