133 lines
3.3 KiB
Go
133 lines
3.3 KiB
Go
package main
|
|
|
|
import (
|
|
"crypto/hmac"
|
|
"crypto/sha256"
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"fmt"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/labstack/echo/v4"
|
|
"github.com/labstack/echo/v4/middleware"
|
|
)
|
|
|
|
var jwtSecret = []byte("your-secret-key-change-in-production")
|
|
|
|
// JWT Token Funktionen (bleiben gleich)
|
|
func createToken(userID int, username string, isAdmin bool) (string, error) {
|
|
claims := Claims{
|
|
UserID: userID,
|
|
Username: username,
|
|
IsAdmin: isAdmin,
|
|
}
|
|
|
|
header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
|
|
|
|
// Füge Expiration hinzu
|
|
claimsWithExp := map[string]interface{}{
|
|
"user_id": claims.UserID,
|
|
"username": claims.Username,
|
|
"is_admin": claims.IsAdmin,
|
|
"exp": time.Now().Add(24 * time.Hour).Unix(),
|
|
}
|
|
|
|
payload, _ := json.Marshal(claimsWithExp)
|
|
payloadEncoded := base64.RawURLEncoding.EncodeToString(payload)
|
|
|
|
message := header + "." + payloadEncoded
|
|
|
|
h := hmac.New(sha256.New, jwtSecret)
|
|
h.Write([]byte(message))
|
|
signature := base64.RawURLEncoding.EncodeToString(h.Sum(nil))
|
|
|
|
return message + "." + signature, nil
|
|
}
|
|
|
|
func verifyToken(tokenString string) (*Claims, error) {
|
|
parts := strings.Split(tokenString, ".")
|
|
if len(parts) != 3 {
|
|
return nil, fmt.Errorf("invalid token format")
|
|
}
|
|
|
|
message := parts[0] + "." + parts[1]
|
|
h := hmac.New(sha256.New, jwtSecret)
|
|
h.Write([]byte(message))
|
|
expectedSignature := base64.RawURLEncoding.EncodeToString(h.Sum(nil))
|
|
|
|
if parts[2] != expectedSignature {
|
|
return nil, fmt.Errorf("invalid signature")
|
|
}
|
|
|
|
payload, err := base64.RawURLEncoding.DecodeString(parts[1])
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
var claimsMap map[string]interface{}
|
|
if err := json.Unmarshal(payload, &claimsMap); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Check expiration
|
|
if exp, ok := claimsMap["exp"].(float64); ok {
|
|
if time.Now().Unix() > int64(exp) {
|
|
return nil, fmt.Errorf("token expired")
|
|
}
|
|
}
|
|
|
|
claims := &Claims{
|
|
UserID: int(claimsMap["user_id"].(float64)),
|
|
Username: claimsMap["username"].(string),
|
|
IsAdmin: claimsMap["is_admin"].(bool),
|
|
}
|
|
|
|
return claims, nil
|
|
}
|
|
|
|
// Echo JWT Middleware
|
|
func JWTMiddleware() echo.MiddlewareFunc {
|
|
return func(next echo.HandlerFunc) echo.HandlerFunc {
|
|
return func(c echo.Context) error {
|
|
authHeader := c.Request().Header.Get("Authorization")
|
|
if authHeader == "" {
|
|
return echo.NewHTTPError(http.StatusUnauthorized, "missing authorization header")
|
|
}
|
|
|
|
tokenString := strings.TrimPrefix(authHeader, "Bearer ")
|
|
claims, err := verifyToken(tokenString)
|
|
if err != nil {
|
|
return echo.NewHTTPError(http.StatusUnauthorized, "invalid token")
|
|
}
|
|
|
|
// Store claims in context
|
|
c.Set("user_id", claims.UserID)
|
|
c.Set("username", claims.Username)
|
|
c.Set("is_admin", claims.IsAdmin)
|
|
|
|
return next(c)
|
|
}
|
|
}
|
|
}
|
|
|
|
// Admin Middleware
|
|
func AdminMiddleware() echo.MiddlewareFunc {
|
|
return func(next echo.HandlerFunc) echo.HandlerFunc {
|
|
return func(c echo.Context) error {
|
|
isAdmin, ok := c.Get("is_admin").(bool)
|
|
if !ok || !isAdmin {
|
|
return echo.NewHTTPError(http.StatusForbidden, "admin access required")
|
|
}
|
|
return next(c)
|
|
}
|
|
}
|
|
}
|
|
|
|
// Custom Logger Middleware (optional - Echo hat bereits einen)
|
|
func CustomLogger() echo.MiddlewareFunc {
|
|
return middleware.LoggerWithConfig(middleware.LoggerConfig{
|
|
Format: "${time_rfc3339} | ${status} | ${latency_human} | ${method} ${uri}\n",
|
|
})
|
|
}
|