package jwt
import (
"time"
"github.com/gbrlsnchs/jwt/v3/internal"
)
var (
	// ErrAudValidation is the error for an invalid "aud" claim.
	// Returned by the validator built with AudienceValidator.
	ErrAudValidation = internal.NewError("jwt: aud claim is invalid")
	// ErrExpValidation is the error for an invalid "exp" claim.
	// Returned by the validator built with ExpirationTimeValidator, including when the claim is absent.
	ErrExpValidation = internal.NewError("jwt: exp claim is invalid")
	// ErrIatValidation is the error for an invalid "iat" claim.
	// Returned by the validator built with IssuedAtValidator.
	ErrIatValidation = internal.NewError("jwt: iat claim is invalid")
	// ErrIssValidation is the error for an invalid "iss" claim.
	// Returned by the validator built with IssuerValidator.
	ErrIssValidation = internal.NewError("jwt: iss claim is invalid")
	// ErrJtiValidation is the error for an invalid "jti" claim.
	// Returned by the validator built with IDValidator.
	ErrJtiValidation = internal.NewError("jwt: jti claim is invalid")
	// ErrNbfValidation is the error for an invalid "nbf" claim.
	// Returned by the validator built with NotBeforeValidator.
	ErrNbfValidation = internal.NewError("jwt: nbf claim is invalid")
	// ErrSubValidation is the error for an invalid "sub" claim.
	// Returned by the validator built with SubjectValidator.
	ErrSubValidation = internal.NewError("jwt: sub claim is invalid")
)
// Validator is a function that validates a Payload pointer.
// It returns nil when the payload passes the check and a non-nil error otherwise;
// the validators defined in this file return the Err*Validation sentinels on failure.
type Validator func(*Payload) error
// AudienceValidator validates the "aud" claim.
// It checks if at least one of the audiences in the JWT's payload is listed in aud.
// With an empty aud nothing can match, so every payload is rejected (fails closed);
// likewise a payload with no audiences never passes.
func AudienceValidator(aud Audience) Validator {
	return func(pl *Payload) error {
		matched := false
		// Scan the payload's audiences and stop at the first one the server accepts.
		for _, presented := range pl.Audience {
			for _, accepted := range aud {
				if presented == accepted {
					matched = true
					break
				}
			}
			if matched {
				break
			}
		}
		if !matched {
			return ErrAudValidation
		}
		return nil
	}
}
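// ExpirationTimeValidator validates the "exp" claim.
// The claim is mandatory for this validator: a payload without "exp" is rejected.
// RFC 7519 §4.1.4 requires the current time to be strictly before "exp", so a token
// whose expiration time equals now is already invalid (the previous comparison only
// rejected when now was strictly after "exp"). No leeway is applied; callers wanting
// clock-skew tolerance should adjust now before building the validator.
func ExpirationTimeValidator(now time.Time) Validator {
	return func(pl *Payload) error {
		if pl.ExpirationTime == nil {
			return ErrExpValidation
		}
		// The comparison goes through NumericDate(now); any rounding that conversion
		// applies is defined by NumericDate, not here.
		if !NumericDate(now).Before(pl.ExpirationTime.Time) {
			return ErrExpValidation
		}
		return nil
	}
}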
// IssuedAtValidator validates the "iat" claim.
// The claim is optional: a payload without "iat" passes. When present, the token is
// rejected if it claims to have been issued after now.
func IssuedAtValidator(now time.Time) Validator {
	return func(pl *Payload) error {
		issuedAt := pl.IssuedAt
		if issuedAt == nil {
			return nil
		}
		// Issued in the future relative to now: invalid.
		if NumericDate(now).Before(issuedAt.Time) {
			return ErrIatValidation
		}
		return nil
	}
}
// IssuerValidator validates the "iss" claim.
// The payload's Issuer must equal iss exactly (case-sensitive). Note that an empty iss
// matches a payload whose Issuer is empty, i.e. one that carries no "iss" claim at all,
// so callers should pass a non-empty expected issuer.
func IssuerValidator(iss string) Validator {
	return func(pl *Payload) error {
		if pl.Issuer == iss {
			return nil
		}
		return ErrIssValidation
	}
}
// IDValidator validates the "jti" claim.
// The payload's JWTID must equal jti exactly. An empty jti matches a payload whose
// JWTID is empty (no "jti" claim), so callers should pass a non-empty expected ID.
func IDValidator(jti string) Validator {
	return func(pl *Payload) error {
		if pl.JWTID == jti {
			return nil
		}
		return ErrJtiValidation
	}
}
// NotBeforeValidator validates the "nbf" claim.
// The claim is optional: a payload without "nbf" passes. When present, the token is
// rejected while now is still before it; a token becomes valid exactly at "nbf".
func NotBeforeValidator(now time.Time) Validator {
	return func(pl *Payload) error {
		notBefore := pl.NotBefore
		if notBefore == nil {
			return nil
		}
		// Not yet active: invalid.
		if NumericDate(now).Before(notBefore.Time) {
			return ErrNbfValidation
		}
		return nil
	}
}
// SubjectValidator validates the "sub" claim.
// The payload's Subject must equal sub exactly. An empty sub matches a payload whose
// Subject is empty (no "sub" claim), so callers should pass a non-empty expected subject.
func SubjectValidator(sub string) Validator {
	return func(pl *Payload) error {
		if pl.Subject == sub {
			return nil
		}
		return ErrSubValidation
	}
}