| 192 | } |
| 193 | |
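// Validate verifies the raw Access JWT with the configured verifier and then
// applies two extra checks on the parsed token: that the verifier actually
// returned a token, and that the token's issuer ends with accessDomain.
//
// The raw token is deliberately never included in the returned errors: a JWT
// is a bearer credential, and errors from here are likely to end up in logs,
// which would otherwise leak a replayable token. Only non-secret details
// (the wrapped verifier error, the issuer) are reported.
//
// It returns nil when the token is acceptable, otherwise an error describing
// the first check that failed.
func (a *Access) Validate(ctx context.Context, jwt string) error {
	// Fail fast on a missing token so no verifier work (which may involve a
	// key-set lookup) is spent on a request that cannot be authorized.
	if jwt == "" {
		return errors.New("token is empty")
	}

	token, err := a.verifier.Verify(ctx, jwt)
	if err != nil {
		return errors.Wrap(err, "token is invalid")
	}

	// Perform extra sanity checks, just to be safe.
	if token == nil {
		return errors.New("token is nil")
	}

	// NOTE(review): a suffix match only requires that the issuer end in
	// accessDomain; whether the verifier already pins the exact issuer is not
	// visible here — confirm, since on its own this is weaker than an exact
	// (or "."+accessDomain) comparison.
	if !strings.HasSuffix(token.Issuer, accessDomain) {
		return fmt.Errorf("token has non-cloudflare issuer of %q", token.Issuer)
	}

	return nil
}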
| 213 | |
| 214 | func (a *Access) ValidateRequest(ctx context.Context, r *http.Request) error { |
| 215 | return a.Validate(ctx, r.Header.Get(accessJwtHeader)) |