-
Notifications
You must be signed in to change notification settings - Fork 0
/
verify.go
91 lines (75 loc) · 1.59 KB
/
verify.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
package securelogin
import (
"crypto/hmac"
"crypto/sha512"
"errors"
"net/url"
"golang.org/x/crypto/ed25519"
)
// Verify encoded token.
//
// This is just a convenient function which unmarshals a token and then calls
// Verify on it with given options.
func Verify(token []byte, opts ...Option) (Token, error) {
t, err := Unmarshal(token)
if err != nil {
return t, err
}
return t, t.Verify(opts...)
}
func verifyHMAC(message, signature, secret []byte) bool {
mac := hmac.New(sha512.New, secret)
mac.Write(message)
return hmac.Equal(signature, mac.Sum(nil)[:32])
}
func verifySignature(message, signature, pubkey []byte) bool {
if len(pubkey) != ed25519.PublicKeySize {
return false
}
return ed25519.Verify(pubkey, message, signature)
}
func verifyScope(cfg Config, scope url.Values) error {
if cfg.change {
_, hasTo := scope["to"]
if !(len(scope) == 2 && hasTo && has(scope, "mode", "change")) {
return errors.New("not mode=change token")
}
} else if !scopesMatch(scope, cfg.scope) {
return errors.New("invalid scope")
}
return nil
}
func has(store url.Values, key, value string) bool {
values, ok := store[key]
if !ok {
return false
}
for _, v := range values {
if v == value {
return true
}
}
return false
}
func scopesMatch(a, b url.Values) bool {
if len(a) != len(b) {
return false
}
for key, value := range a {
if !slicesMatch(value, b[key]) {
return false
}
}
return true
}
func slicesMatch(a, b []string) bool {
if len(a) != len(b) {
return false
}
for i, value := range a {
if value != b[i] {
return false
}
}
return true
}