nicoeri/filebrowser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
627b733440
filebrowser/auth/jwt.go
Travis Johnson 627b733440 fix errors.Is
2023-09-14 20:05:40 -04:00

68 lines
1.6 KiB
Go
Raw Blame History

package auth
import (
"context"
"errors"
"net/http"
"os"
"sync"
"github.com/coreos/go-oidc/v3/oidc"
fberrors "github.com/filebrowser/filebrowser/v2/errors"
"github.com/filebrowser/filebrowser/v2/settings"
"github.com/filebrowser/filebrowser/v2/users"
)
// MethodJWTAuth is used to identify JWTAuth auth.
const MethodJWTAuth settings.AuthMethod = "jwt-header"
// JWTAuth is a JWTAuth implementation of an auther.
type JWTAuth struct {
CertsURL string `json:"certsurl"`
Aud string `json:"aud"`
Iss string `json:"iss"`
Claim string `json:"claim"`
Header string `json:"header"`
remoteKeySet *oidc.RemoteKeySet
init sync.Once
}
// Auth authenticates the user via a JWT token in an HTTP header.
func (a *JWTAuth) Auth(r *http.Request, usr users.Store, stg *settings.Settings, srv *settings.Server) (*users.User, error) {
a.init.Do(func() {
a.remoteKeySet = oidc.NewRemoteKeySet(context.Background(), a.CertsURL)
})
accessJWT := r.Header.Get(a.Header)
if accessJWT == "" {
return nil, os.ErrPermission
}
// The Application Audience (AUD) tag for your application
config := &oidc.Config{
ClientID: a.Aud,
}
verifier := oidc.NewVerifier(a.Iss, a.remoteKeySet, config)
token, err := verifier.Verify(r.Context(), accessJWT)
if err != nil {
return nil, os.ErrPermission
}
payload := map[string]string{}
token.Claims(&payload)
user, err := usr.Get(srv.Root, payload[a.UsernameClaim])
if errors.Is(err, fberrors.ErrNotExist) {
return nil, os.ErrPermission
}
return user, err
}
// LoginPage tells that proxy auth doesn't require a login page.
func (a JWTAuth) LoginPage() bool {
return false
}
Reference in New Issue View Git Blame Copy Permalink