mirror of
https://github.com/netbirdio/netbird.git
synced 2026-03-31 06:24:18 -04:00
78 lines
2.0 KiB
Go
78 lines
2.0 KiB
Go
// Package auth contains exported proxy auth values.
|
|
// These are used to ensure coherent usage across management and proxy implementations.
|
|
package auth
|
|
|
|
import (
|
|
"crypto/ed25519"
|
|
"crypto/tls"
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/golang-jwt/jwt/v5"
|
|
)
|
|
|
|
type Method string
|
|
|
|
const (
|
|
MethodPassword Method = "password"
|
|
MethodPIN Method = "pin"
|
|
MethodOIDC Method = "oidc"
|
|
MethodHeader Method = "header"
|
|
)
|
|
|
|
func (m Method) String() string {
|
|
return string(m)
|
|
}
|
|
|
|
const (
|
|
SessionCookieName = "nb_session"
|
|
DefaultSessionExpiry = 24 * time.Hour
|
|
SessionJWTIssuer = "netbird-management"
|
|
)
|
|
|
|
// ResolveProto determines the protocol scheme based on the forwarded proto
|
|
// configuration. When set to "http" or "https" the value is used directly.
|
|
// Otherwise TLS state is used: if conn is non-nil "https" is returned, else "http".
|
|
func ResolveProto(forwardedProto string, conn *tls.ConnectionState) string {
|
|
switch forwardedProto {
|
|
case "http", "https":
|
|
return forwardedProto
|
|
default:
|
|
if conn != nil {
|
|
return "https"
|
|
}
|
|
return "http"
|
|
}
|
|
}
|
|
|
|
// ValidateSessionJWT validates a session JWT and returns the user ID and method.
|
|
func ValidateSessionJWT(tokenString, domain string, publicKey ed25519.PublicKey) (userID, method string, err error) {
|
|
if publicKey == nil {
|
|
return "", "", fmt.Errorf("no public key configured for domain")
|
|
}
|
|
|
|
token, err := jwt.Parse(tokenString, func(t *jwt.Token) (interface{}, error) {
|
|
if _, ok := t.Method.(*jwt.SigningMethodEd25519); !ok {
|
|
return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
|
|
}
|
|
return publicKey, nil
|
|
}, jwt.WithAudience(domain), jwt.WithIssuer(SessionJWTIssuer))
|
|
if err != nil {
|
|
return "", "", fmt.Errorf("parse token: %w", err)
|
|
}
|
|
|
|
claims, ok := token.Claims.(jwt.MapClaims)
|
|
if !ok || !token.Valid {
|
|
return "", "", fmt.Errorf("invalid token claims")
|
|
}
|
|
|
|
sub, _ := claims.GetSubject()
|
|
if sub == "" {
|
|
return "", "", fmt.Errorf("missing subject claim")
|
|
}
|
|
|
|
methodClaim, _ := claims["method"].(string)
|
|
|
|
return sub, methodClaim, nil
|
|
}
|