// AuthenticateFromToken is the default Authenticator for Kite.
//
// It parses r.Auth.Key as a JWT carrying kitekey.KiteClaims, verifies it with
// the local kite's RSA key function, requires non-empty audience and subject
// claims, checks the audience against this kite through k.verifyAudienceFunc
// and, only on success, overwrites r.Username with the token's subject.
// On any failure an error is returned and r is left unchanged.
//
// A signature mismatch is deliberately reported as "token is expired": a
// remote client whose key pair was rotated on kontrol is then expected to
// discard its cached tokens rather than treat the failure as permanent.
func (k *Kite) AuthenticateFromToken(r *Request) error {
	// Lazily run the one-time verifier setup (k.verifyInit is defined
	// elsewhere; presumably it populates k.verifyAudienceFunc).
	k.verifyOnce.Do(k.verifyInit)

	// NOTE(review): r.LocalKite.RSAKey is the key function handed to the jwt
	// package; it lives elsewhere and is expected to accept RSA-signed tokens
	// only — confirm, since no signing-method check is visible in this method.
	token, parseErr := jwt.ParseWithClaims(r.Auth.Key, &kitekey.KiteClaims{}, r.LocalKite.RSAKey)
	if parseErr != nil {
		// Map a public-key mismatch to the expiry message (see doc comment);
		// every other parse/validation error is passed through unchanged.
		verr, isValidationErr := parseErr.(*jwt.ValidationError)
		if isValidationErr && verr.Errors&jwt.ValidationErrorSignatureInvalid != 0 {
			return errors.New("token is expired")
		}
		return parseErr
	}

	if !token.Valid {
		return errors.New("Invalid signature in token")
	}

	// The switch returns at the first failing case, so claims is only
	// dereferenced once the type assertion has succeeded.
	claims, isKiteClaims := token.Claims.(*kitekey.KiteClaims)
	switch {
	case !isKiteClaims:
		return errors.New("token does not have valid claims")
	case claims.Audience == "":
		return errors.New("token has no audience")
	case claims.Subject == "":
		return errors.New("token has no username")
	}

	// The audience must name this kite; the exact matching rule is up to
	// k.verifyAudienceFunc.
	if audienceErr := k.verifyAudienceFunc(k.Kite(), claims.Audience); audienceErr != nil {
		return audienceErr
	}

	// exp and nbf are not re-checked here: the jwt package validates them
	// while parsing.

	// Reflect the validated identity on the request.
	r.Username = claims.Subject

	return nil
}
| 273 | |
| 274 | // AuthenticateFromKiteKey authenticates user from kite key. |
| 275 | func (k *Kite) AuthenticateFromKiteKey(r *Request) error { |