mukimovd/tercul-backend
1
0
Fork 0
mirror of https://github.com/SamyRai/tercul-backend.git synced 2025-12-27 00:31:35 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4957117cb6
tercul-backend/auth/jwt.go
Damir Mukimov 4957117cb6 Initial commit: Tercul Go project with comprehensive architecture 
- Core Go application with GraphQL API using gqlgen
- Comprehensive data models for literary works, authors, translations
- Repository pattern with caching layer
- Authentication and authorization system
- Linguistics analysis capabilities with multiple adapters
- Vector search integration with Weaviate
- Docker containerization support
- Python data migration and analysis scripts
- Clean architecture with proper separation of concerns
- Production-ready configuration and middleware
- Proper .gitignore excluding vendor/, database files, and build artifacts
2025-08-13 07:42:32 +02:00

142 lines
3.4 KiB
Go
Raw Blame History

package auth
import (
"errors"
"fmt"
"strings"
"time"
"github.com/golang-jwt/jwt/v5"
"tercul/config"
"tercul/models"
)
var (
ErrInvalidToken = errors.New("invalid token")
ErrExpiredToken = errors.New("token expired")
ErrInvalidSignature = errors.New("invalid token signature")
ErrMissingToken = errors.New("missing token")
ErrInsufficientRole = errors.New("insufficient role")
)
// Claims represents the JWT claims
type Claims struct {
UserID uint `json:"user_id"`
Username string `json:"username"`
Email string `json:"email"`
Role string `json:"role"`
jwt.RegisteredClaims
}
// JWTManager handles JWT token operations
type JWTManager struct {
secretKey []byte
issuer string
duration time.Duration
}
// NewJWTManager creates a new JWT manager
func NewJWTManager() *JWTManager {
secretKey := config.Cfg.JWTSecret
if secretKey == "" {
secretKey = "default-secret-key-change-in-production"
}
duration := config.Cfg.JWTExpiration
if duration == 0 {
duration = 24 * time.Hour // Default to 24 hours
}
return &JWTManager{
secretKey: []byte(secretKey),
issuer: "tercul-api",
duration: duration,
}
}
// GenerateToken generates a new JWT token for a user
func (j *JWTManager) GenerateToken(user *models.User) (string, error) {
now := time.Now()
claims := &Claims{
UserID: user.ID,
Username: user.Username,
Email: user.Email,
Role: string(user.Role),
RegisteredClaims: jwt.RegisteredClaims{
ExpiresAt: jwt.NewNumericDate(now.Add(j.duration)),
IssuedAt: jwt.NewNumericDate(now),
NotBefore: jwt.NewNumericDate(now),
Issuer: j.issuer,
Subject: fmt.Sprintf("%d", user.ID),
},
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
return token.SignedString(j.secretKey)
}
// ValidateToken validates and parses a JWT token
func (j *JWTManager) ValidateToken(tokenString string) (*Claims, error) {
token, err := jwt.ParseWithClaims(tokenString, &Claims{}, func(token *jwt.Token) (interface{}, error) {
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
}
return j.secretKey, nil
})
if err != nil {
if errors.Is(err, jwt.ErrTokenExpired) {
return nil, ErrExpiredToken
}
return nil, ErrInvalidToken
}
claims, ok := token.Claims.(*Claims)
if !ok || !token.Valid {
return nil, ErrInvalidToken
}
return claims, nil
}
// ExtractTokenFromHeader extracts token from Authorization header
func (j *JWTManager) ExtractTokenFromHeader(authHeader string) (string, error) {
if authHeader == "" {
return "", ErrMissingToken
}
parts := strings.Split(authHeader, " ")
if len(parts) != 2 || parts[0] != "Bearer" {
return "", ErrInvalidToken
}
return parts[1], nil
}
// HasRole checks if the user has the required role
func (j *JWTManager) HasRole(userRole, requiredRole string) bool {
roleHierarchy := map[string]int{
"reader": 1,
"contributor": 2,
"moderator": 3,
"admin": 4,
}
userLevel, userExists := roleHierarchy[userRole]
requiredLevel, requiredExists := roleHierarchy[requiredRole]
if !userExists || !requiredExists {
return false
}
return userLevel >= requiredLevel
}
// RequireRole validates that the user has the required role
func (j *JWTManager) RequireRole(userRole, requiredRole string) error {
if !j.HasRole(userRole, requiredRole) {
return ErrInsufficientRole
}
return nil
}
Reference in New Issue View Git Blame Copy Permalink