| 41 | } |
| 42 | |
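// ParseToken decodes a management token (a compact-serialized JWS) into its
// claims. It does NOT verify the token's signature.
//
// Security: the returned claims are authenticated only if the caller's trust
// boundary guarantees it. Per the original author's note, the edge verifies
// the token before it reaches cloudflared; this function relies entirely on
// that upstream check. Do not call it on a token that could arrive by any
// path that bypasses the edge, and do not treat its result as proof of
// authenticity.
//
// It returns an error if the token is not a well-formed JWS using ES256, if
// the claims cannot be decoded, or if claims.verify() rejects them.
func ParseToken(token string) (*managementTokenClaims, error) {
	// The algorithm list restricts which "alg" header values are accepted at
	// parse time. It is not a signature check.
	// The local is named parsed so it does not shadow the jwt package.
	parsed, err := jwt.ParseSigned(token, []jose.SignatureAlgorithm{jose.ES256})
	if err != nil {
		// %w keeps the underlying error reachable via errors.Is / errors.As.
		return nil, fmt.Errorf("malformed jwt: %w", err)
	}

	var claims managementTokenClaims
	// Signature verification is skipped deliberately: the edge is expected to
	// have verified the token before it reaches cloudflared. The claims read
	// here are therefore only as trustworthy as that upstream verification.
	if err := parsed.UnsafeClaimsWithoutVerification(&claims); err != nil {
		return nil, fmt.Errorf("malformed jwt: %w", err)
	}
	// NOTE(review): verify() is defined outside this view. Judging by the
	// error text it validates the claim format, not authenticity. Confirm.
	if !claims.verify() {
		return nil, fmt.Errorf("invalid management token format provided")
	}
	return &claims, nil
}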
| 60 | |
| 61 | func (m *managementTokenClaims) IsFed() bool { |
| 62 | return m.Issuer == tunnelstoreFEDIssuer |