improve verify token

handler/handler.go

@@ -89,19 +89,22 @@ func (h *Handler) Proxy(wg *sync.WaitGroup) func(w http.ResponseWriter, r *http.
 
 		logger := h.logger.With(
 			zap.Uint64("seq", h.sq.Next()),
-			zap.String("user-email", r.Header.Get("X-Goog-Authenticated-User-Email")),
 			zap.String("x-forwarded-for", r.Header.Get("X-Forwarded-For")),
 			zap.String("remote-addr", r.RemoteAddr),
 			zap.String("destination", proxyDest),
 		)
 
 		if h.pk.Enabled() {
-			_, err := h.pk.Verify(r.Header.Get("Authorization"))
+			sub, err := h.pk.Verify(r.Header.Get("Authorization"))
 			if err != nil {
-				logger.Warn("No authorize", zap.Error(err))
+				logger.Warn("Failed to authorize", zap.Error(err))
 				http.Error(w, err.Error(), http.StatusUnauthorized)
 				return
 			}
+			logger = logger.With(zap.String("user-email", sub))
+
+		} else {
+			logger = logger.With(zap.String("user-email", r.Header.Get("X-Goog-Authenticated-User-Email")))
 		}
 
 		upstream, ok := h.mp.Get(proxyDest)

publickey/publickey.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"strings"
+	"time"
 
 	jwt "github.com/dgrijalva/jwt-go"
 	"github.com/pkg/errors"
@@ -15,10 +16,11 @@ import (
 type Publickey struct {
 	publicKeyFile string
 	verifyKey     *rsa.PublicKey
+	freshnessTime time.Duration
 }
 
 // New publickey reader/checker
-func New(publicKeyFile string, logger *zap.Logger) (*Publickey, error) {
+func New(publicKeyFile string, freshnessTime time.Duration, logger *zap.Logger) (*Publickey, error) {
 	var verifyKey *rsa.PublicKey
 	if publicKeyFile != "" {
 		verifyBytes, err := ioutil.ReadFile(publicKeyFile)
@@ -33,6 +35,7 @@ func New(publicKeyFile string, logger *zap.Logger) (*Publickey, error) {
 	return &Publickey{
 		publicKeyFile: publicKeyFile,
 		verifyKey:     verifyKey,
+		freshnessTime: freshnessTime,
 	}, nil
 }
 
@@ -42,9 +45,9 @@ func (pk Publickey) Enabled() bool {
 }
 
 // Verify verify auth header
-func (pk Publickey) Verify(t string) (bool, error) {
+func (pk Publickey) Verify(t string) (string, error) {
 	if t == "" {
-		return false, fmt.Errorf("no tokenString")
+		return "", fmt.Errorf("no tokenString")
 	}
 	t = strings.TrimPrefix(t, "Bearer ")
 	claims := &jwt.StandardClaims{}
@@ -57,8 +60,17 @@ func (pk Publickey) Verify(t string) (bool, error) {
 	})
 
 	if err != nil {
-		return false, fmt.Errorf("Token is invalid: %v", err)
+		return "", fmt.Errorf("Token is invalid: %v", err)
 	}
 
-	return true, nil
+	now := time.Now()
+	iat := now.Add(-pk.freshnessTime)
+	if claims.ExpiresAt == 0 || claims.ExpiresAt < now.Unix() {
+		return "", fmt.Errorf("Token is expired")
+	}
+	if claims.IssuedAt == 0 || claims.IssuedAt < iat.Unix() {
+		return "", fmt.Errorf("Token is too old")
+	}
+
+	return claims.Subject, nil
 }

wsgate-server.go

@@ -31,7 +31,8 @@ var (
 	writeTimeout     = flag.Duration("write_timeout", 10*time.Second, "Write timeout.")
 	shutdownTimeout  = flag.Duration("shutdown_timeout", 86400*time.Second, "timeout to wait for all connections to be closed")
 	mapFile          = flag.String("map", "", "path and proxy host mapping file")
-	publicKeyFile    = flag.String("public-key", "", "public key for signing auth header")
+	publicKeyFile    = flag.String("public-key", "", "public key for verifying JWT auth header")
+	jwtFreshness     = flag.Duration("jwt-freshness", 3600*time.Second, "time in seconds to allow generated jwt tokens")
 	dumpTCP          = flag.Uint("dump-tcp", 0, "Dump TCP. 0 = disable, 1 = src to dest, 2 = both")
 )
 
@@ -58,7 +59,7 @@ func main() {
 		logger.Fatal("Failed init mapping", zap.Error(err))
 	}
 
-	pk, err := publickey.New(*publicKeyFile, logger)
+	pk, err := publickey.New(*publicKeyFile, *jwtFreshness, logger)
 	if err != nil {
 		logger.Fatal("Failed init publickey", zap.Error(err))
 	}