The configuration file was deleted in favor of using environment variables.

Token generation functionality remove. Secret token now provided via CHRLY_SECRET env variable.

auth/jwt.go

@@ -1,25 +1,17 @@
 package auth
 
 import (
-	"encoding/base64"
-	"math"
-	"math/rand"
+	"errors"
 	"net/http"
-	"os"
 	"strings"
 	"time"
 
 	"github.com/SermoDigital/jose/crypto"
 	"github.com/SermoDigital/jose/jws"
-	"github.com/mitchellh/go-homedir"
-	"github.com/spf13/afero"
 )
 
-var fs = afero.NewOsFs()
-
 var hashAlg = crypto.SigningMethodHS256
 
-const appHomeDirName = ".minecraft-skinsystem"
 const scopesClaim = "scopes"
 
 type Scope string
@@ -29,20 +21,19 @@ var (
 )
 
 type JwtAuth struct {
-	signingKey []byte
+	Key []byte
 }
 
 func (t *JwtAuth) NewToken(scopes ...Scope) ([]byte, error) {
-	key, err := t.getSigningKey()
-	if err != nil {
-		return nil, err
+	if len(t.Key) == 0 {
+		return nil, errors.New("signing key not available")
 	}
 
 	claims := jws.Claims{}
 	claims.Set(scopesClaim, scopes)
 	claims.SetIssuedAt(time.Now())
 	encoder := jws.NewJWT(claims, hashAlg)
-	token, err := encoder.Serialize(key)
+	token, err := encoder.Serialize(t.Key)
 	if err != nil {
 		return nil, err
 	}
@@ -50,20 +41,11 @@ func (t *JwtAuth) NewToken(scopes ...Scope) ([]byte, error) {
 	return token, nil
 }
 
-func (t *JwtAuth) GenerateSigningKey() error {
-	if err := createAppHomeDir(); err != nil {
-		return err
-	}
-
-	key := generateRandomBytes(64)
-	if err := afero.WriteFile(fs, getKeyPath(), key, 0600); err != nil {
-		return err
-	}
-
-	return nil
-}
-
 func (t *JwtAuth) Check(req *http.Request) error {
+	if len(t.Key) == 0 {
+		return &Unauthorized{"Signing key not set"}
+	}
+
 	bearerToken := req.Header.Get("Authorization")
 	if bearerToken == "" {
 		return &Unauthorized{"Authentication header not presented"}
@@ -79,79 +61,14 @@ func (t *JwtAuth) Check(req *http.Request) error {
 		return &Unauthorized{"Cannot parse passed JWT token"}
 	}
 
-	signKey, err := t.getSigningKey()
+	err = token.Validate(t.Key, hashAlg)
 	if err != nil {
-		return err
-	}
-
-	err = token.Validate(signKey, hashAlg)
-	if err != nil {
-		return &Unauthorized{"JWT token have invalid signature. It corrupted or expired."}
+		return &Unauthorized{"JWT token have invalid signature. It may be corrupted or expired."}
 	}
 
 	return nil
 }
 
-func (t *JwtAuth) getSigningKey() ([]byte, error) {
-	if t.signingKey == nil {
-		path := getKeyPath()
-		if _, err := fs.Stat(path); err != nil {
-			if os.IsNotExist(err) {
-				return nil, &SigningKeyNotAvailable{}
-			}
-
-			return nil, err
-		}
-
-		key, err := afero.ReadFile(fs, path)
-		if err != nil {
-			return nil, err
-		}
-
-		t.signingKey = key
-	}
-
-	return t.signingKey, nil
-}
-
-func createAppHomeDir() error {
-	path := getAppHomeDirPath()
-	if _, err := fs.Stat(path); os.IsNotExist(err) {
-		err := fs.Mkdir(path, 0755) // rwx r-x r-x
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func getAppHomeDirPath() string {
-	path, err := homedir.Expand("~/" + appHomeDirName)
-	if err != nil {
-		panic(err)
-	}
-
-	return path
-}
-
-func getKeyPath() string {
-	return getAppHomeDirPath() + "/jwt-key"
-}
-
-func generateRandomBytes(n int) []byte {
-	// base64 will increase length in 1.37 times
-	// +1 is needed to ensure, that after base64 we will do not have any '===' characters
-	randLen := int(math.Ceil(float64(n) / 1.37)) + 1
-	randBytes := make([]byte, randLen)
-	rand.Read(randBytes)
-	// +5 is needed to have additional buffer for the next set of XX=== characters
-	resBytes := make([]byte, n + 5)
-	base64.URLEncoding.Encode(resBytes, randBytes)
-
-	return resBytes[:n]
-}
-
 type Unauthorized struct {
 	Reason string
 }
@@ -163,10 +80,3 @@ func (e *Unauthorized) Error() string {
 
 	return "Unauthorized"
 }
-
-type SigningKeyNotAvailable struct {
-}
-
-func (*SigningKeyNotAvailable) Error() string {
-	return "Signing key not available"
-}