| 368 | } |
| 369 | |
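// verify resolves the RSA public key used to check a token's signature. It has
// the shape of a JWT key function (presumably passed to the jwt parser by the
// caller - confirm at the call site).
//
// The key is read from the KontrolKey claim of the token itself, so it is
// attacker-controlled until proven otherwise. It is returned only after a trust
// decision: either a cached verdict for the same key, or a successful call to
// k.verifyFunc. Every other path returns a nil key and an error, which makes
// the caller reject the token.
//
// It returns an error when the claims or the key are missing, when the key is
// not a PEM-encoded RSA public key, when a cached verdict marks the key as
// untrusted, or when k.verifyFunc rejects the key.
func (k *Kite) verify(token *jwt.Token) (interface{}, error) {
	k.verifyOnce.Do(k.verifyInit)

	// Checked assertion: claims of an unexpected type or a nil claims pointer
	// must fail the token, not panic the goroutine handling the request.
	claims, ok := token.Claims.(*kitekey.KiteClaims)
	if !ok || claims == nil {
		return nil, errors.New("no kite claims found")
	}

	key := claims.KontrolKey
	if key == "" {
		return nil, errors.New("no kontrol key found")
	}

	rsaKey, err := jwt.ParseRSAPublicKeyFromPEM([]byte(key))
	if err != nil {
		return nil, err
	}

	// The cache is optional; a nil cache means every token goes through
	// k.verifyFunc.
	if k.verifyCache != nil {
		// A lookup error is treated as a miss and falls through to
		// k.verifyFunc below.
		if v, err := k.verifyCache.Get(key); err == nil {
			// An entry that is not a bool is also treated as a miss, so the
			// authoritative check runs again instead of panicking.
			if trusted, ok := v.(bool); ok {
				if !trusted {
					return nil, errors.New("invalid kontrol key found")
				}

				return rsaKey, nil
			}
		}
	}

	if err := k.verifyFunc(key); err != nil {
		// Only a definitive "not trusted" verdict is cached; other errors are
		// left uncached so the next token triggers a fresh check.
		// NOTE(review): cache entries are keyed by a string taken from the
		// token, so untrusted senders can add entries - confirm the cache
		// bounds its size or evicts by TTL.
		if err == ErrKeyNotTrusted && k.verifyCache != nil {
			k.verifyCache.Set(key, false)
		}

		// signal old token to somewhere else (GetKiteKey and alike)

		return nil, err
	}

	// Guarded like the lookup above: with caching disabled there is nothing to
	// store, and calling Set on a nil cache would panic.
	if k.verifyCache != nil {
		k.verifyCache.Set(key, true)
	}

	return rsaKey, nil
}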
| 411 | |
| 412 | func (k *Kite) verifyAudience(kite *protocol.Kite, audience string) error { |
| 413 | switch audience { |