Fork to maintain patches against the official gitea for https://code.ceondo.com https://github.com/go-gitea/gitea

claims.go 3.6KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135
  1. package jwt
  2. import (
  3. "crypto/subtle"
  4. "fmt"
  5. "time"
  6. )
  7. // For a type to be a Claims object, it must just have a Valid method that determines
  8. // if the token is invalid for any supported reason
  9. type Claims interface {
  10. Valid() error
  11. }
  12. // Structured version of Claims Section, as referenced at
  13. // https://tools.ietf.org/html/rfc7519#section-4.1
  14. // See examples for how to use this with your own claim types
  15. type StandardClaims struct {
  16. Audience string `json:"aud,omitempty"`
  17. ExpiresAt int64 `json:"exp,omitempty"`
  18. Id string `json:"jti,omitempty"`
  19. IssuedAt int64 `json:"iat,omitempty"`
  20. Issuer string `json:"iss,omitempty"`
  21. NotBefore int64 `json:"nbf,omitempty"`
  22. Subject string `json:"sub,omitempty"`
  23. }
  24. // Validates time based claims "exp, iat, nbf".
  25. // There is no accounting for clock skew.
  26. // As well, if any of the above claims are not in the token, it will still
  27. // be considered a valid claim.
  28. func (c StandardClaims) Valid() error {
  29. vErr := new(ValidationError)
  30. now := TimeFunc().Unix()
  31. // The claims below are optional, by default, so if they are set to the
  32. // default value in Go, let's not fail the verification for them.
  33. if c.VerifyExpiresAt(now, false) == false {
  34. delta := time.Unix(now, 0).Sub(time.Unix(c.ExpiresAt, 0))
  35. vErr.Inner = fmt.Errorf("token is expired by %v", delta)
  36. vErr.Errors |= ValidationErrorExpired
  37. }
  38. if c.VerifyIssuedAt(now, false) == false {
  39. vErr.Inner = fmt.Errorf("Token used before issued")
  40. vErr.Errors |= ValidationErrorIssuedAt
  41. }
  42. if c.VerifyNotBefore(now, false) == false {
  43. vErr.Inner = fmt.Errorf("token is not valid yet")
  44. vErr.Errors |= ValidationErrorNotValidYet
  45. }
  46. if vErr.valid() {
  47. return nil
  48. }
  49. return vErr
  50. }
  51. // Compares the aud claim against cmp.
  52. // If required is false, this method will return true if the value matches or is unset
  53. func (c *StandardClaims) VerifyAudience(cmp string, req bool) bool {
  54. return verifyAud(c.Audience, cmp, req)
  55. }
  56. // Compares the exp claim against cmp.
  57. // If required is false, this method will return true if the value matches or is unset
  58. func (c *StandardClaims) VerifyExpiresAt(cmp int64, req bool) bool {
  59. return verifyExp(c.ExpiresAt, cmp, req)
  60. }
  61. // Compares the iat claim against cmp.
  62. // If required is false, this method will return true if the value matches or is unset
  63. func (c *StandardClaims) VerifyIssuedAt(cmp int64, req bool) bool {
  64. return verifyIat(c.IssuedAt, cmp, req)
  65. }
  66. // Compares the iss claim against cmp.
  67. // If required is false, this method will return true if the value matches or is unset
  68. func (c *StandardClaims) VerifyIssuer(cmp string, req bool) bool {
  69. return verifyIss(c.Issuer, cmp, req)
  70. }
  71. // Compares the nbf claim against cmp.
  72. // If required is false, this method will return true if the value matches or is unset
  73. func (c *StandardClaims) VerifyNotBefore(cmp int64, req bool) bool {
  74. return verifyNbf(c.NotBefore, cmp, req)
  75. }
  76. // ----- helpers
  77. func verifyAud(aud string, cmp string, required bool) bool {
  78. if aud == "" {
  79. return !required
  80. }
  81. if subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) != 0 {
  82. return true
  83. } else {
  84. return false
  85. }
  86. }
  87. func verifyExp(exp int64, now int64, required bool) bool {
  88. if exp == 0 {
  89. return !required
  90. }
  91. return now <= exp
  92. }
  93. func verifyIat(iat int64, now int64, required bool) bool {
  94. if iat == 0 {
  95. return !required
  96. }
  97. return now >= iat
  98. }
  99. func verifyIss(iss string, cmp string, required bool) bool {
  100. if iss == "" {
  101. return !required
  102. }
  103. if subtle.ConstantTimeCompare([]byte(iss), []byte(cmp)) != 0 {
  104. return true
  105. } else {
  106. return false
  107. }
  108. }
  109. func verifyNbf(nbf int64, now int64, required bool) bool {
  110. if nbf == 0 {
  111. return !required
  112. }
  113. return now >= nbf
  114. }