Merge pull request #59 from luizfonseca/feat/jwt-and-cookie-expiration

luizfonseca · web-flow · commit 870b20896a7b · 2025-04-09T02:37:50.000+02:00
feat: allow users to configure cookie/jwt expiration
diff --git a/README.md b/README.md
@@ -85,6 +85,9 @@ apiSecretKey: optional_secret_key_if_not_on_the_internal_network
 authPath: /_auth
 # optional jwt secret key, if not set, the plugin will generate a random key
 jwtSecretKey: optional_secret_key
+# optional jwt expiration in hours, defaults to 24 hours
+jwtExpirationInHours: 24
+
 # The log level, defaults to info
 # Available values: debug, info, warn, error
 logLevel: info
diff --git a/internal/pkg/jwt/jwt.go b/internal/pkg/jwt/jwt.go
@@ -2,6 +2,7 @@ package jwt
 
 import (
 	"fmt"
+	"time"
 
 	"github.com/golang-jwt/jwt/v4"
 )
@@ -12,11 +13,13 @@ type PayloadUser struct {
 	Teams []string `json:"teams"`
 }
 
-func GenerateJwtTokenString(id string, login string, teamIds []string, key string) (string, error) {
+func GenerateJwtTokenString(id string, login string, teamIds []string, key string, exp time.Time) (string, error) {
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
 		"id":    id,
 		"login": login,
 		"teams": teamIds,
+		// buffer of time to expire token is 60 seconds from the set time
+		"exp": jwt.NewNumericDate(exp.Add(time.Second * 60)),
 	})
 	return token.SignedString([]byte(key))
 }
@@ -34,6 +37,11 @@ func ParseTokenString(tokenString, key string) (*PayloadUser, error) {
 	if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
 		var teamFromClaims []interface{}
 
+		// Check for expiration time
+		// if claims.Valid() != nil {
+		// 	return nil, fmt.Errorf("token is expired")
+		// }
+
 		switch claims["teams"].(type) {
 		case []interface{}:
 			teamFromClaims = claims["teams"].([]interface{})
diff --git a/internal/pkg/jwt/jwt_test.go b/internal/pkg/jwt/jwt_test.go
@@ -2,6 +2,7 @@ package jwt
 
 import (
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 )
@@ -16,7 +17,16 @@ const (
 
 func TestGenerateJwtTokenString(t *testing.T) {
 	// execution
-	tokenString, err := GenerateJwtTokenString(id, login, testTeams, key)
+	tokenString, err := GenerateJwtTokenString(id, login, testTeams, key, time.Now())
+
+	// assertion
+	assert.NoError(t, err)
+	assert.NotEmpty(t, tokenString)
+}
+
+func TestGenerateJwtTokenString_Expiration(t *testing.T) {
+	// execution
+	tokenString, err := GenerateJwtTokenString(id, login, testTeams, key, time.Now().Add(time.Hour*24*7))
 
 	// assertion
 	assert.NoError(t, err)
@@ -25,7 +35,7 @@ func TestGenerateJwtTokenString(t *testing.T) {
 
 func TestParseTokenString(t *testing.T) {
 	// setup
-	tokenString, _ := GenerateJwtTokenString(id, login, testTeams, key)
+	tokenString, _ := GenerateJwtTokenString(id, login, testTeams, key, time.Now())
 
 	// execution
 	payload, err := ParseTokenString(tokenString, key)
@@ -37,9 +47,21 @@ func TestParseTokenString(t *testing.T) {
 	assert.Equal(t, testTeams, payload.Teams)
 }
 
+func TestParseTokenString_Expired(t *testing.T) {
+	// setup
+	tokenString, _ := GenerateJwtTokenString(id, login, testTeams, key, time.Now().Add(-time.Hour*24*7))
+
+	// execution
+	payload, err := ParseTokenString(tokenString, key)
+
+	// assertion
+	assert.Error(t, err)
+	assert.Nil(t, payload)
+}
+
 func TestParseTokenString_EmptyTeams(t *testing.T) {
 	// setup
-	tokenString, _ := GenerateJwtTokenString(id, login, []string{}, key)
+	tokenString, _ := GenerateJwtTokenString(id, login, []string{}, key, time.Now())
 
 	// execution
 	payload, err := ParseTokenString(tokenString, key)
@@ -53,7 +75,7 @@ func TestParseTokenString_EmptyTeams(t *testing.T) {
 
 func TestParseTokenString_NoTeams(t *testing.T) {
 	// setup
-	tokenString, _ := GenerateJwtTokenString(id, login, nil, key)
+	tokenString, _ := GenerateJwtTokenString(id, login, nil, key, time.Now())
 
 	// execution
 	payload, err := ParseTokenString(tokenString, key)
@@ -67,7 +89,7 @@ func TestParseTokenString_NoTeams(t *testing.T) {
 
 func TestParseTokenString_With2FAEnabled(t *testing.T) {
 	// setup
-	tokenString, _ := GenerateJwtTokenString(id, login, nil, key)
+	tokenString, _ := GenerateJwtTokenString(id, login, nil, key, time.Now())
 
 	// execution
 	payload, err := ParseTokenString(tokenString, key)
@@ -93,7 +115,7 @@ func TestParseTokenString_InvalidToken(t *testing.T) {
 
 func TestParseTokenString_InvalidKey(t *testing.T) {
 	// setup
-	tokenString, _ := GenerateJwtTokenString(id, login, testTeams, key)
+	tokenString, _ := GenerateJwtTokenString(id, login, testTeams, key, time.Now())
 	invalidKey := "invalidkey"
 
 	// execution
diff --git a/middleware_plugin.go b/middleware_plugin.go
@@ -22,16 +22,18 @@ import (
 
 const (
 	DefaultConfigAuthPath = "/_auth"
+	OneDayInHours         = 24
 )
 
 // Config the middleware configuration.
 type Config struct {
-	ApiBaseUrl   string          `json:"api_base_url,omitempty"`
-	ApiSecretKey string          `json:"api_secret_key,omitempty"`
-	AuthPath     string          `json:"auth_path,omitempty"`
-	JwtSecretKey string          `json:"jwt_secret_key,omitempty"`
-	LogLevel     string          `json:"log_level,omitempty"`
-	Whitelist    ConfigWhitelist `json:"whitelist,omitempty"`
+	ApiBaseUrl           string          `json:"api_base_url,omitempty"`
+	ApiSecretKey         string          `json:"api_secret_key,omitempty"`
+	AuthPath             string          `json:"auth_path,omitempty"`
+	JwtSecretKey         string          `json:"jwt_secret_key,omitempty"`
+	JwtExpirationInHours int64           `json:"jwt_expiration_in_hours,omitempty"`
+	LogLevel             string          `json:"log_level,omitempty"`
+	Whitelist            ConfigWhitelist `json:"whitelist,omitempty"`
 }
 
 // ConfigWhitelist the middleware configuration whitelist.
@@ -47,13 +49,14 @@ type ConfigWhitelist struct {
 	Teams []string `json:"teams,omitempty"`
 }
 
-// CreateConfig creates the default middleware configuration.
+// CreateConfig creates the default middleware configuration. Required by Traefik.
 func CreateConfig() *Config {
 	return &Config{
-		ApiBaseUrl:   "",
-		ApiSecretKey: "",
-		AuthPath:     DefaultConfigAuthPath,
-		JwtSecretKey: getRandomString32(),
+		ApiBaseUrl:           "",
+		ApiSecretKey:         "",
+		AuthPath:             DefaultConfigAuthPath,
+		JwtSecretKey:         getRandomString32(),
+		JwtExpirationInHours: OneDayInHours,
 		Whitelist: ConfigWhitelist{
 			Ids:                   []string{},
 			Logins:                []string{},
@@ -73,6 +76,7 @@ type TraefikGithubOauthMiddleware struct {
 	apiSecretKey         string
 	authPath             string
 	jwtSecretKey         string
+	jwtExpirationInHours int64
 	whitelistIdSet       *strset.Set
 	whitelistLoginSet    *strset.Set
 	whitelistTeamSet     *strset.Set
@@ -83,7 +87,7 @@ type TraefikGithubOauthMiddleware struct {
 
 var _ http.Handler = (*TraefikGithubOauthMiddleware)(nil)
 
-// New creates a new TraefikGithubOauthMiddleware.
+// New creates a new TraefikGithubOauthMiddleware. Required by Traefik.
 func New(ctx context.Context, next http.Handler, config *Config, name string) (http.Handler, error) {
 	logger := log.New(os.Stdout, "service=traefik-github-oauth-middleware level=debug msg=", 0)
 	// endregion Setup logger
@@ -104,6 +108,7 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 		apiSecretKey:         config.ApiSecretKey,
 		authPath:             authPath,
 		jwtSecretKey:         config.JwtSecretKey,
+		jwtExpirationInHours: config.JwtExpirationInHours,
 		whitelistIdSet:       strset.New(config.Whitelist.Ids...),
 		whitelistLoginSet:    strset.New(config.Whitelist.Logins...),
 		whitelistTeamSet:     strset.New(config.Whitelist.Teams...),
@@ -132,6 +137,7 @@ func (middleware *TraefikGithubOauthMiddleware) handleRequest(rw http.ResponseWr
 	if err != nil {
 		if req.Method == http.MethodGet {
 			middleware.redirectToOAuthPage(rw, req)
+			return
 		}
 		middleware.logger.Printf("Failed to get user from cookie: %s", err.Error())
 		http.Error(rw, "", http.StatusUnauthorized)
@@ -171,12 +177,15 @@ func (p TraefikGithubOauthMiddleware) handleAuthRequest(rw http.ResponseWriter,
 		return
 	}
 
+	exp := time.Now().Add(time.Duration(p.jwtExpirationInHours) * time.Hour)
+
 	// Generate JWTs
 	tokenString, err := jwt.GenerateJwtTokenString(
 		result.GitHubUserID,
 		result.GitHubUserLogin,
 		result.GithubTeamIDs,
 		p.jwtSecretKey,
+		exp,
 	)
 	if err != nil {
 		p.logger.Printf("Failed to generate JWT: %s", err.Error())
@@ -187,6 +196,7 @@ func (p TraefikGithubOauthMiddleware) handleAuthRequest(rw http.ResponseWriter,
 		Name:     constant.COOKIE_NAME_JWT,
 		Value:    tokenString,
 		HttpOnly: true,
+		Expires:  exp,
 	})
 	http.Redirect(rw, req, result.RedirectURI, http.StatusFound)
 }
