-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathtoken.go
More file actions
123 lines (105 loc) · 2.84 KB
/
token.go
File metadata and controls
123 lines (105 loc) · 2.84 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
package token
import (
"crypto/hmac"
"crypto/rand"
"crypto/sha512"
"crypto/subtle"
"encoding/base64"
"fmt"
"io"
"strconv"
"strings"
"time"
)
// TokenEmitter interface to be able to generate and validate tokens
type TokenEmitter interface {
Generate(id string) string
Valid(token string, d time.Duration) (valid bool, id string, issue time.Time)
}
// TokenHmacSha generate a tokes in the format
// <hash>.<rnd>.<id>.<ts>
// with hash = HMAC_SHA1 (secret, rnd + id + ts)
type TokenHmacSha struct {
secret string
}
func NewTokenHmacSha(secret string) TokenEmitter {
return &TokenHmacSha{
secret: secret,
}
}
func (tk *TokenHmacSha) Generate(id string) string {
rnd := string(generateRandom(32))
return tk.generateAtTime(tk.secret, rnd, id, time.Now())
}
// Valid returns true if token is a valid
// and the Id associated with the token and the issue time
func (tk *TokenHmacSha) Valid(token string, d time.Duration) (bool, string, time.Time) {
var rnd, id, ts string
// token
// <hash>.<rnd>.<id>.<ts>
// Extract token parts
split := strings.Split(token, ".")
if len(split) != 4 {
return false, "", time.Time{}
}
// Decode
// split[0] -> hash
// split[1] -> rnd
r, err := base64.URLEncoding.DecodeString(split[1])
if err != nil {
return false, "", time.Time{}
}
rnd = string(r)
// split[2] -> id
i, err := base64.URLEncoding.DecodeString(split[2])
if err != nil {
return false, "", time.Time{}
}
id = string(i)
// split[3] -> timestamp
t, err := base64.URLEncoding.DecodeString(split[3])
if err != nil {
return false, "", time.Time{}
}
ts = string(t)
nanos, err := strconv.ParseInt(ts, 10, 64)
if err != nil {
return false, "", time.Time{}
}
issueTime := time.Unix(0, nanos)
// check valid
expected := tk.generateAtTime(tk.secret, rnd, id, issueTime)
valid := subtle.ConstantTimeCompare([]byte(token), []byte(expected)) == 1
if !valid {
return valid, id, issueTime
}
// check expiration
now := time.Now()
if now.Sub(issueTime) > d {
return false, id, issueTime
}
return valid, id, issueTime
}
// generateAtTime at given time
// produces a token in the format
// <hash>.<rnd>.<id>.<ts>
// with hash = HMAC_SHA1 (rnd + id + ts)
func (tk *TokenHmacSha) generateAtTime(secret string, rnd string, id string, now time.Time) string {
s := tk.secret
nanos := strconv.FormatInt(now.UnixNano(), 10)
h := hmac.New(sha512.New512_256, []byte(s))
fmt.Fprintf(h, "%s.%s.%s", rnd, id, nanos)
hash := base64.URLEncoding.EncodeToString(h.Sum(nil))
rnd = base64.URLEncoding.EncodeToString([]byte(rnd))
id = base64.URLEncoding.EncodeToString([]byte(id))
ts := base64.URLEncoding.EncodeToString([]byte(nanos))
token := fmt.Sprintf("%s.%s.%s.%s", hash, rnd, id, ts)
return token
}
func generateRandom(strength int) []byte {
k := make([]byte, strength)
if _, err := io.ReadFull(rand.Reader, k); err != nil {
return nil
}
return k
}