Table of Contents
https://ToniNichev@github.com/ToniNichev/tutorials-golang-authanticate-with-jwt.git
Generating JWT for testing
Setting up the project
we are going to use Gin Web framework to create simple HTTP server that we could query against, passing JWT in the header and then using secret or public key to validate the signature.
package main
import (
"github.com/gin-gonic/gin"
)
func AuthMiddleware() gin.HandlerFunc {
// In a real-world application, you would perform proper authentication here.
// For the sake of this example, we'll just check if an API key is present.
return func(c *gin.Context) {
apiKey := c.GetHeader("X-Auth-Token")
if apiKey == "" {
c.AbortWithStatusJSON(401, gin.H{"error": "Unauthorized"})
return
}
c.Next()
}
}
func main() {
// Create a new Gin router
router := gin.Default()
// Public routes (no authentication required)
public := router.Group("/public")
{
public.GET("/info", func(c *gin.Context) {
c.String(200, "Public information")
})
public.GET("/products", func(c *gin.Context) {
c.String(200, "Public product list")
})
}
// Private routes (require authentication)
private := router.Group("/private")
private.Use(AuthMiddleware())
{
private.GET("/data", func(c *gin.Context) {
c.String(200, "Private data accessible after authentication")
})
private.POST("/create", func(c *gin.Context) {
c.String(200, "Create a new resource")
})
}
router.POST("query", AuthMiddleware(), validateSession, returnData)
// Run the server on port 8080
router.Run(":8080")
}
We added validateSession middleware that will decode the token and verify the signature.
Creating JWT services to decode and validate signature
We are using jwt GoLang library to decode the token, and validate the signature.
There are two ways to encode JWT: using symmetric encryption (meaning that the same secret is used to sign and validate the signature. This is done in retreiveTokenWithSymmetrikKey and retreiveTokenWithAsymmetrikKey is used to validate signature using the public key from the private/public key pair used to sign the token.
package main
import (
"bytes"
"encoding/json"
"errors"
"fmt"
"io/ioutil"
"github.com/gin-gonic/gin"
"github.com/golang-jwt/jwt/v5"
)
type User struct {
name string
email string
}
var user User
type requestBody struct {
OperationName *string `json:"operationName"`
Query *string `json:"query"`
Variables interface{} `json:"variables"`
}
func validateSession(c *gin.Context) {
user.name = ""
user.email = ""
if c.Request.Body != nil {
bodyBytes, _ := ioutil.ReadAll(c.Request.Body)
c.Request.Body.Close()
c.Request.Body = ioutil.NopCloser(bytes.NewBuffer(bodyBytes))
body := requestBody{}
if err := json.Unmarshal(bodyBytes, &body); err != nil {
return
}
// extract the token from the headers
tokenStr := c.Request.Header.Get("X-Auth-Token")
product := body.Variables.(map[string]interface{})["product"]
var payload string
var err error
if product == "web" {
payload, err = retreiveTokenWithSymmetrikKey(c, tokenStr)
} else {
payload, err = retreiveTokenWithAsymmetrikKey(c, tokenStr)
}
if err != nil {
c.AbortWithStatusJSON(401, gin.H{"error": "Session token signature can't be confirmed!"})
}
if payload == "" {
c.AbortWithStatusJSON(401, gin.H{"error": "Invalid token"})
return
}
c.Next()
}
}
func retreiveTokenWithSymmetrikKey(c *gin.Context, tokenStr string) (string, error) {
fmt.Println("retreive Token With Symmetric Key ...")
tknStr := c.Request.Header.Get("X-Auth-Token")
secretKey := "itsasecret123"
token, err := jwt.Parse(tknStr, func(token *jwt.Token) (interface{}, error) {
return []byte(secretKey), nil
})
if err != nil {
c.AbortWithStatusJSON(401, gin.H{"error": "Session token signature can't be confirmed!"})
return "", errors.New("session token signature can't be confirmed!")
} else {
claims := token.Claims.(jwt.MapClaims)
fmt.Println("======================================")
fmt.Println(claims)
fmt.Println(claims["author"])
fmt.Println(claims["data"])
fmt.Println("======================================")
user.name = claims["author"].(string)
}
return "token valid", nil
}
func retreiveTokenWithAsymmetrikKey(c *gin.Context, tokenStr string) (string, error) {
fmt.Println("retreive Token With Asymmetric Key ...")
publicKeyPath := "key/public_key.pem"
keyData, err := ioutil.ReadFile(publicKeyPath)
if err != nil {
c.AbortWithStatusJSON(401, gin.H{"error": "Error reading public key"})
return "", errors.New("error reading public key")
}
var parsedToken *jwt.Token
// parse token
state, err := jwt.Parse(tokenStr, func(token *jwt.Token) (interface{}, error) {
// ensure signing method is correct
if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
c.AbortWithStatusJSON(401, gin.H{"error": "Session token signature can't be confirmed!"})
return nil, errors.New("unknown signing method")
}
parsedToken = token
// verify
key, err := jwt.ParseRSAPublicKeyFromPEM([]byte(keyData))
if err != nil {
return nil, errors.New("parsing key failed")
}
return key, nil
})
claims := state.Claims.(jwt.MapClaims)
fmt.Println("======================================")
fmt.Println("Header [alg]:", parsedToken.Header["alg"])
fmt.Println("Header [expiresIn]:", parsedToken.Header["expiresIn"])
fmt.Println("Claims [author]:", claims["author"])
fmt.Println("Claims [data]:", claims["data"])
fmt.Println("======================================")
user.name = claims["author"].(string)
if !state.Valid {
return "", errors.New("verification failed")
}
if err != nil {
return "", errors.New("unknown signing error")
}
return "token valid", nil
}
func returnData(c *gin.Context) {
fmt.Println("Returning data ...")
c.String(200, user.name)
}
Making requests with JWT
We are going to use Postman to make a new POST request passing the JWT
Generate JWT
Open the second project: Sign, Verify and decode JWT
Make sure that you comment and uncomment the right type of token that you want to use: asymmetric vs symmetric.
Run the project yarn start end copy the long string printed right after SIGNED JWT.
Create new postman POST request
Open Postman and create new POST request. In the url put http://localhost:8080/query this is where our Gin Web server running.
Add X-Auth-Token JWT
Open header section, and add X-Auth-Token key with the value the JWT copied from Sign, Verify and decode JWT
Add query parameters and variables.
We are going to pass dummy parameters just for testing except for product
We are going to use product parameter to distinguish between symmetric and asymmetric tokens.
Let’s assume that our app will except symmetric tokens for web and asymmetric for app so make sure that you will pass the right JWT.
Navigate to the GraphQL section of the request, and add the query and the variables.
query
query GetCustomerReccomendations($customerId: String!, $organization: organization!, $product: String!) {
getCustomer(customerId: $customerId) {
customerId
zipCode
}
}
}
variables
{
"customerId": "2b59f049-04d1-43d5-ac87-8ac62069d932",
"organization": "nbcnews",
"product": "app"
}
Make the request and check the response
If everything works good, you will see the user name printed in the response.