GetUserEmailFromMFATempToken returns the user email from the MFA temp token.
(token string, secret string)
| 295 | |
| 296 | // GetUserEmailFromMFATempToken returns the user email from the MFA temp token. |
| 297 | func GetUserEmailFromMFATempToken(token string, secret string) (string, error) { |
| 298 | claims := &claimsMessage{} |
| 299 | _, err := jwt.ParseWithClaims(token, claims, func(t *jwt.Token) (any, error) { |
| 300 | if t.Method.Alg() != jwt.SigningMethodHS256.Name { |
| 301 | return nil, connect.NewError(connect.CodeUnauthenticated, errs.Errorf("unexpected MFA temp token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256)) |
| 302 | } |
| 303 | if kid, ok := t.Header["kid"].(string); ok { |
| 304 | if kid == "v1" { |
| 305 | return []byte(secret), nil |
| 306 | } |
| 307 | } |
| 308 | return nil, connect.NewError(connect.CodeUnauthenticated, errs.Errorf("unexpected MFA temp token kid=%v", t.Header["kid"])) |
| 309 | }) |
| 310 | if err != nil { |
| 311 | return "", connect.NewError(connect.CodeUnauthenticated, errs.New("failed to parse claim")) |
| 312 | } |
| 313 | if !audienceContains(claims.Audience, MFATempTokenAudience) { |
| 314 | return "", connect.NewError(connect.CodeUnauthenticated, errs.New("invalid MFA temp token, audience mismatch")) |
| 315 | } |
| 316 | return claims.Subject, nil |
| 317 | } |
| 318 | |
| 319 | // AuthenticateToken validates a JWT access token and returns the user and token expiry. |
| 320 | // This is a non-ConnectRPC version that returns regular errors instead of ConnectRPC errors. |
no test coverage detected