First basic pass at JWT auth.
Mostly just a fork of https://github.com/ficusio/openresty, with a few twists:
* We've narrowed down some of the configuration options, and we're passing more
headers (essentially exposing all the data in the JWT as headers).
* We no longer automatically return a 401 unauthorized if the JWT verification
fails; we just don't assign it the headers. The consuming service can decide
whether or not they want to accept the request.
* We automatically fail the verification of a JWT if the token has expired in
the last minute (or shouldn't be used for the next minute). If the token has
expired, we return a 401 that our clients can catch and use a refresh token
automatically from. If the token can't be used for another minute, we quietly
just refuse to add auth headers to the request.
2 local str_util = require "resty.string"
3 local ffi = require "ffi"
4 local ffi_new = ffi.new
5 local ffi_str = ffi.string
8 local setmetatable = setmetatable
12 local _M = { _VERSION = '0.01' }
14 local mt = { __index = _M }
18 typedef struct engine_st ENGINE;
19 typedef struct evp_pkey_ctx_st EVP_PKEY_CTX;
20 typedef struct env_md_ctx_st EVP_MD_CTX;
21 typedef struct env_md_st EVP_MD;
30 int (*update)(EVP_MD_CTX *ctx,const void *data,size_t count);
39 int (*init)(EVP_MD_CTX *ctx);
40 int (*update)(EVP_MD_CTX *ctx,const void *data,size_t count);
41 int (*final)(EVP_MD_CTX *ctx,unsigned char *md);
42 int (*copy)(EVP_MD_CTX *to,const EVP_MD_CTX *from);
43 int (*cleanup)(EVP_MD_CTX *ctx);
45 int (*sign)(int type, const unsigned char *m, unsigned int m_length, unsigned char *sigret, unsigned int *siglen, void *key);
46 int (*verify)(int type, const unsigned char *m, unsigned int m_length, const unsigned char *sigbuf, unsigned int siglen, void *key);
47 int required_pkey_type[5];
50 int (*md_ctrl)(EVP_MD_CTX *ctx, int cmd, int p1, void *p2);
53 typedef struct hmac_ctx_st
59 unsigned int key_length;
60 unsigned char key[128];
63 void HMAC_CTX_init(HMAC_CTX *ctx);
64 void HMAC_CTX_cleanup(HMAC_CTX *ctx);
66 int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,const EVP_MD *md, ENGINE *impl);
67 int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len);
68 int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
70 const EVP_MD *EVP_md5(void);
71 const EVP_MD *EVP_sha1(void);
72 const EVP_MD *EVP_sha256(void);
73 const EVP_MD *EVP_sha512(void);
76 local buf = ffi_new("unsigned char[64]")
77 local res_len = ffi_new("unsigned int[1]")
78 local ctx_ptr_type = ffi.typeof("HMAC_CTX[1]")
82 SHA256 = C.EVP_sha256(),
83 SHA512 = C.EVP_sha512()
90 function _M.new(self, key, hash_algo)
91 local ctx = ffi_new(ctx_ptr_type)
95 local _hash_algo = hash_algo or hashes.md5
97 if C.HMAC_Init_ex(ctx, key, #key, _hash_algo, nil) == 0 then
101 ffi_gc(ctx, C.HMAC_CTX_cleanup)
103 return setmetatable({ _ctx = ctx }, mt)
107 function _M.update(self, s)
108 return C.HMAC_Update(self._ctx, s, #s) == 1
112 function _M.final(self, s, hex_output)
115 if C.HMAC_Update(self._ctx, s, #s) == 0 then
120 if C.HMAC_Final(self._ctx, buf, res_len) == 1 then
121 if hex_output == true then
122 return str_util.to_hex(ffi_str(buf, res_len[0]))
124 return ffi_str(buf, res_len[0])
131 function _M.reset(self)
132 return C.HMAC_Init_ex(self._ctx, nil, 0, nil, nil) == 1