feat: admin routes + better auth routing

2025-05-30 18:17:12 +02:00
parent db2cb36f54
commit 51b7e6b3f9
10 changed files with 133 additions and 59 deletions
--- a/internal/util/jwt.go
+++ b/internal/util/jwt.go
@ -0,0 +1,83 @@
+package util
+
+import (
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/base64"
+	"fmt"
+
+	"gitea.local/admin/hspguard/internal/types"
+	"github.com/golang-jwt/jwt/v5"
+)
+
+func ParseBase64PrivateKey(b64 string) (*rsa.PrivateKey, error) {
+	decoded, err := base64.StdEncoding.DecodeString(b64)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode base64 key: %v", err)
+	}
+
+	key, err := x509.ParsePKCS8PrivateKey(decoded)
+	return key.(*rsa.PrivateKey), err
+}
+
+func ParseBase64PublicKey(b64 string) (*rsa.PublicKey, error) {
+	decoded, err := base64.StdEncoding.DecodeString(b64)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode base64 key: %v", err)
+	}
+
+	pubInterface, err := x509.ParsePKIXPublicKey(decoded)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse public key: %v", err)
+	}
+
+	pubKey, ok := pubInterface.(*rsa.PublicKey)
+	if !ok {
+		return nil, fmt.Errorf("not an RSA public key")
+	}
+
+	return pubKey, nil
+}
+
+func SignJwtToken(claims jwt.Claims, key string) (string, error) {
+	privateKey, err := ParseBase64PrivateKey(key)
+	if err != nil {
+		return "", err
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+
+	token.Header["kid"] = "my-rsa-key-1"
+
+	s, err := token.SignedString(privateKey)
+	if err != nil {
+		return "", err
+	}
+
+	return s, nil
+}
+
+func VerifyToken(token string, key string) (*jwt.Token, *types.UserClaims, error) {
+	publicKey, err := ParseBase64PublicKey(key)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	claims := &types.UserClaims{}
+	parsed, err := jwt.ParseWithClaims(token, claims, func(t *jwt.Token) (any, error) {
+		if _, ok := t.Method.(*jwt.SigningMethodRSA); !ok {
+			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
+		}
+		return publicKey, nil
+	})
+
+	if err != nil {
+		return nil, nil, fmt.Errorf("invalid token: %w", err)
+	}
+
+	if !parsed.Valid {
+		return nil, nil, fmt.Errorf("token is not valid")
+	}
+
+	return parsed, claims, nil
+}