99 lines
3.1 KiB
Go
99 lines
3.1 KiB
Go
package jwt
|
|
|
|
import (
|
|
"github.com/google/uuid"
|
|
)
|
|
|
|
// Token is the common interface implemented by both AccessToken and RefreshToken.
|
|
// It provides methods to access token claims and manage token revocation.
|
|
type Token interface {
|
|
// GetJTI returns the unique token identifier (JTI claim)
|
|
GetJTI() uuid.UUID
|
|
|
|
// GetEXP returns the expiration timestamp (EXP claim)
|
|
GetEXP() int64
|
|
|
|
// GetSUB returns the subject/user ID (SUB claim)
|
|
GetSUB() int
|
|
|
|
// GetScope returns the token scope ("access" or "refresh")
|
|
GetScope() string
|
|
|
|
// Revoke adds this token to the blacklist, preventing future use.
|
|
// Must be called within a database transaction context.
|
|
// Accepts any transaction type that implements DBTransaction interface.
|
|
Revoke(DBTransaction) error
|
|
|
|
// CheckNotRevoked verifies that this token has not been blacklisted.
|
|
// Returns true if the token is valid, false if revoked.
|
|
// Must be called within a database transaction context.
|
|
// Accepts any transaction type that implements DBTransaction interface.
|
|
CheckNotRevoked(DBTransaction) (bool, error)
|
|
}
|
|
|
|
// AccessToken represents a JWT access token with all its claims.
|
|
// Access tokens are short-lived and used for authenticating API requests.
|
|
// They can be marked as "fresh" for sensitive operations like password changes.
|
|
type AccessToken struct {
|
|
ISS string // Issuer, generally TrustedHost
|
|
IAT int64 // Time issued at
|
|
EXP int64 // Time expiring at
|
|
TTL string // Time-to-live: "session" or "exp". Used with 'remember me'
|
|
SUB int // Subject (user) ID
|
|
JTI uuid.UUID // UUID-4 used for identifying blacklisted tokens
|
|
Fresh int64 // Time freshness expiring at
|
|
Scope string // Should be "access"
|
|
gen *TokenGenerator
|
|
}
|
|
|
|
// RefreshToken represents a JWT refresh token with all its claims.
|
|
// Refresh tokens are longer-lived and used to obtain new access tokens
|
|
// without requiring the user to re-authenticate.
|
|
type RefreshToken struct {
|
|
ISS string // Issuer, generally TrustedHost
|
|
IAT int64 // Time issued at
|
|
EXP int64 // Time expiring at
|
|
TTL string // Time-to-live: "session" or "exp". Used with 'remember me'
|
|
SUB int // Subject (user) ID
|
|
JTI uuid.UUID // UUID-4 used for identifying blacklisted tokens
|
|
Scope string // Should be "refresh"
|
|
gen *TokenGenerator
|
|
}
|
|
|
|
func (a AccessToken) GetJTI() uuid.UUID {
|
|
return a.JTI
|
|
}
|
|
func (r RefreshToken) GetJTI() uuid.UUID {
|
|
return r.JTI
|
|
}
|
|
func (a AccessToken) GetEXP() int64 {
|
|
return a.EXP
|
|
}
|
|
func (r RefreshToken) GetEXP() int64 {
|
|
return r.EXP
|
|
}
|
|
func (a AccessToken) GetSUB() int {
|
|
return a.SUB
|
|
}
|
|
func (r RefreshToken) GetSUB() int {
|
|
return r.SUB
|
|
}
|
|
func (a AccessToken) GetScope() string {
|
|
return a.Scope
|
|
}
|
|
func (r RefreshToken) GetScope() string {
|
|
return r.Scope
|
|
}
|
|
func (a AccessToken) Revoke(tx DBTransaction) error {
|
|
return a.gen.revoke(tx, a)
|
|
}
|
|
func (r RefreshToken) Revoke(tx DBTransaction) error {
|
|
return r.gen.revoke(tx, r)
|
|
}
|
|
func (a AccessToken) CheckNotRevoked(tx DBTransaction) (bool, error) {
|
|
return a.gen.checkNotRevoked(tx, a)
|
|
}
|
|
func (r RefreshToken) CheckNotRevoked(tx DBTransaction) (bool, error) {
|
|
return r.gen.checkNotRevoked(tx, r)
|
|
}
|