fix: auth0 setting is not used by JWT verification middleware

rot1024 · rot1024 · commit 232e75e814af · 2022-03-16T17:57:00.000+09:00
diff --git a/internal/app/config.go b/internal/app/config.go
@@ -123,6 +123,34 @@ func (c Config) Print() string {
 	return s
 }
 
+func (c Config) Auths() []AuthConfig {
+	if ac := c.Auth0.AuthConfig(); ac != nil {
+		return append(c.Auth, *ac)
+	}
+	return c.Auth
+}
+
+func (c Auth0Config) AuthConfig() *AuthConfig {
+	domain := c.Domain
+	if c.Domain == "" {
+		return nil
+	}
+	if !strings.HasPrefix(domain, "https://") && !strings.HasPrefix(domain, "http://") {
+		domain = "https://" + domain
+	}
+	if !strings.HasSuffix(domain, "/") {
+		domain = domain + "/"
+	}
+	aud := []string{}
+	if c.Audience != "" {
+		aud = append(aud, c.Audience)
+	}
+	return &AuthConfig{
+		ISS: domain,
+		AUD: aud,
+	}
+}
+
 type AuthConfig struct {
 	ISS string
 	AUD []string
@@ -141,17 +169,6 @@ func (ipd *AuthConfigs) Decode(value string) error {
 		return fmt.Errorf("invalid identity providers json: %w", err)
 	}
 
-	for i := range providers {
-		if providers[i].TTL == nil {
-			providers[i].TTL = new(int)
-			*providers[i].TTL = 5
-		}
-		if providers[i].ALG == nil {
-			providers[i].ALG = new(string)
-			*providers[i].ALG = "RS256"
-		}
-	}
-
 	*ipd = providers
 	return nil
 }
diff --git a/internal/app/config_test.go b/internal/app/config_test.go
@@ -0,0 +1,21 @@
+package app
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAuth0Config_AuthConfig(t *testing.T) {
+	assert.Equal(t, &AuthConfig{
+		ISS: "https://hoge.auth0.com/",
+		AUD: []string{"xxx"},
+	}, Auth0Config{
+		Domain:   "hoge.auth0.com",
+		Audience: "xxx",
+	}.AuthConfig())
+	assert.Nil(t, Auth0Config{
+		Domain:   "",
+		Audience: "xxx",
+	}.AuthConfig())
+}
diff --git a/internal/app/jwt.go b/internal/app/jwt.go
@@ -19,22 +19,32 @@ const (
 	debugUserHeader            = "X-Reearth-Debug-User"
 	contextAuth0Sub contextKey = "auth0Sub"
 	contextUser     contextKey = "reearth_user"
+	defaultJWTTTL              = 5 * time.Minute
 )
 
 type MultiValidator []*validator.Validator
 
 func NewMultiValidator(providers []AuthConfig) (MultiValidator, error) {
 	validators := make([]*validator.Validator, 0, len(providers))
 	for _, p := range providers {
-
 		issuerURL, err := url.Parse(p.ISS)
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse the issuer url: %w", err)
 		}
 
-		provider := jwks.NewCachingProvider(issuerURL, time.Duration(*p.TTL)*time.Minute)
+		var ttl time.Duration
+		if p.TTL != nil {
+			ttl = time.Duration(*p.TTL) * time.Minute
+		} else {
+			ttl = defaultJWTTTL
+		}
+		provider := jwks.NewCachingProvider(issuerURL, ttl)
 
-		algorithm := validator.SignatureAlgorithm(*p.ALG)
+		alg := "RS256"
+		if p.ALG != nil && *p.ALG != "" {
+			alg = *p.ALG
+		}
+		algorithm := validator.SignatureAlgorithm(alg)
 
 		v, err := validator.New(
 			provider.KeyFunc,
@@ -64,8 +74,7 @@ func (mv MultiValidator) ValidateToken(ctx context.Context, tokenString string)
 
 // Validate the access token and inject the user clams into ctx
 func jwtEchoMiddleware(cfg *ServerConfig) echo.MiddlewareFunc {
-
-	jwtValidator, err := NewMultiValidator(cfg.Config.Auth)
+	jwtValidator, err := NewMultiValidator(cfg.Config.Auths())
 	if err != nil {
 		log.Fatalf("failed to set up the validator: %v", err)
 	}
@@ -84,7 +93,6 @@ func parseJwtMiddleware() echo.MiddlewareFunc {
 
 			rawClaims := ctx.Value(jwtmiddleware.ContextKey{})
 			if claims, ok := rawClaims.(*validator.ValidatedClaims); ok {
-
 				// attach sub and access token to context
 				ctx = context.WithValue(ctx, contextAuth0Sub, claims.RegisteredClaims.Subject)
 			}
