hub / github.com/koding/kite / AuthenticateFromToken

Method AuthenticateFromToken

request.go:225–272  ·  view source on GitHub ↗

AuthenticateFromToken is the default Authenticator for Kite.

(r *Request)

Source from the content-addressed store, hash-verified

223
// AuthenticateFromToken is the default Authenticator for Kite.
//
// It parses r.Auth.Key as a JWT carrying kitekey.KiteClaims, using
// r.LocalKite.RSAKey as the key function. The token is accepted only if
// parsing succeeds, the token is marked valid, it has a non-empty audience
// and subject, and k.verifyAudienceFunc accepts the audience for k.Kite().
// On success r.Username is set to the token's subject. Any failure is
// returned as an error and r is left unmodified.
//
// NOTE(review): no signing-algorithm restriction is visible in this method.
// Presumably the r.LocalKite.RSAKey key function rejects tokens whose
// signing method is not the expected one; confirm there.
//
// NOTE(review): the key function is taken from r.LocalKite, while the
// one-time verifier setup and the audience check use the receiver k.
// Presumably both refer to the same kite; verify against the callers.
func (k *Kite) AuthenticateFromToken(r *Request) error {
	k.verifyOnce.Do(k.verifyInit)

	token, err := jwt.ParseWithClaims(r.Auth.Key, &kitekey.KiteClaims{}, r.LocalKite.RSAKey)
	if err != nil {
		// A signature failure is deliberately reported as an expired token:
		// it tells the remote client that the key pairs were updated on
		// kontrol and that it should invalidate all of its tokens.
		//
		// NOTE(review): after this translation the returned error no longer
		// distinguishes a token signed with an unknown key from a stale
		// one. Anything that needs that distinction for alerting has to
		// observe the original error before it is replaced here.
		verr, isValidation := err.(*jwt.ValidationError)
		if isValidation && (verr.Errors&jwt.ValidationErrorSignatureInvalid) != 0 {
			return errors.New("token is expired")
		}

		return err
	}

	if !token.Valid {
		return errors.New("Invalid signature in token")
	}

	claims, isKiteClaims := token.Claims.(*kitekey.KiteClaims)
	switch {
	case !isKiteClaims:
		return errors.New("token does not have valid claims")
	case claims.Audience == "":
		return errors.New("token has no audience")
	case claims.Subject == "":
		return errors.New("token has no username")
	}

	// The audience is present; make sure it is one this kite accepts.
	if audErr := k.verifyAudienceFunc(k.Kite(), claims.Audience); audErr != nil {
		return audErr
	}

	// The exp and nbf claims are not checked here because the jwt-go
	// package already checks them while parsing.
	//
	// NOTE(review): if KiteClaims relies on jwt-go's standard claims
	// validation, a token that omits exp entirely is not rejected by that
	// check. Confirm that the issuer always sets exp.

	// Overwrite the requester's username with the subject of the validated
	// token, so that later handlers see the authenticated identity.
	r.Username = claims.Subject

	return nil
}
273
274// AuthenticateFromKiteKey authenticates user from kite key.
275func (k *Kite) AuthenticateFromKiteKey(r *Request) error {

Callers

nothing calls this directly

Calls 2

KiteMethod · 0.95
DoMethod · 0.80

Tested by

no test coverage detected