feat: support multiple extract token key

[ch3nnn]

Implement support for multiple custom token keys and simplify the JWT authentication configuration. WithTokenLookups function enables setting token keys, improving the authentication process by accommodating various token header extraction strategies. by accommodating various token header extraction strategies.

example:

jwt-api.api

syntax = "v1"


type Request {
	Name string `path:"name,options=you|me"`
}

type Response {
	Message string `json:"message"`
}

type FormExampleReq {
	Name string `form:"name,options=you|me"`
}

@server(
	jwt: Auth
	jwtTransition: Trans
)
service A-api {
	@handler GreetHandler
	get /greet/from/:name(Request) returns (Response)

	@handler FormExample
	post /form/example (FormExampleReq) returns (Response)
}

a-api.yaml

Name: A-api
Host: 0.0.0.0
Port: 8888

Auth:
  AccessSecret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  AccessExpire: 604800
  TokenLookup:
    - "header:Token"
    - "query:Token"
    - "form:Token"
    - "cookie:Token"
    - "param:Token"



Trans:
  Secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  PrevSecret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  TokenLookup:
    - "header:Token"
    - "query:Token"
    - "form:Token"
    - "cookie:Token"
    - "param:Token"

TokenLookup extract a jwt from custom request header or post form or get url arguments.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[kevwan]

Would you please give some examples on how to use different token keys? For example, how to request the API with curl.

[ch3nnn]

According to the a-api.yaml configuration file, the Auth.TokenLookup field is optional.

TokenLookup are attempted in sequence until a match is found; if no match occurs, the default Bearer auth request header is used.

example:

• url arguments

  curl --request GET \
    --url 'http://127.0.0.1:8888/greet/from/me?Token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MjQ3NjUwMjR9.OvLg2ook9yVdBseQYkMO5wmdokYNGuaDMSa1dNkSeo8' \
    --header 'content-type: application/json'

• post form

  curl --request POST \
    --url http://localhost:8888/form/example \
    --header 'content-type: multipart/form-data' \
    --form Token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MjQ3NjUwMjR9.OvLg2ook9yVdBseQYkMO5wmdokYNGuaDMSa1dNkSeo8 \
    --form name=me

• custom request header

  curl --request GET \
    --url http://127.0.0.1:8888/greet/from/me \
    --header 'content-type: application/json' \
    --header 'Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MjQ3NjUwMjR9.OvLg2ook9yVdBseQYkMO5wmdokYNGuaDMSa1dNkSeo8'

If the setting TokenLookup is not provided, the default Bearer authorization request header will be used.

curl --request GET \
  --url http://127.0.0.1:8888/greet/from/me \
  --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MjQ3NjUwMjR9.OvLg2ook9yVdBseQYkMO5wmdokYNGuaDMSa1dNkSeo8' \
  --header 'content-type: application/json'

[kevwan]

Bearer is the standard schema, is there any official spec that talks about Bearer replacement?

[ch3nnn]

I look up https://golang-jwt.github.io/jwt/#jwt-and-oauth-20 have mention a point

A JWT token is simply a signed JSON object. It can be used anywhere such a thing is useful.

This feature is also supported in other frameworks/libraries.

• golang-jwt/jwt https://github.com/golang-jwt/jwt/blob/main/request/extractor_example_test.go
• cloudwego/hertz https://www.cloudwego.io/docs/hertz/tutorials/third-party/middleware/jwt/#tokenlookup
• labstack/echo-jwt https://github.com/labstack/echo-jwt/blob/main/jwt.go#L92
• gofiber/fiber https://github.com/gofiber/contrib/blob/main/jwt/config.go#L61

[greper]

Why haven't they merged yet?
I want to download the file, but I need to verify the authorization. It's impossible to add it to the header. So, I can only use the query parameter, something like window.open('download?token=xxxxx')