added jwt token auth middleware

[Shivakishore14]

Added Basic JWT authentication middleware, resolves #399

[robbyoconnor]

Following.

[markbates]

Overall this looks great! My only real comments are we should accept an options struct that allows for setting the secret and the signing method, since not everyone uses HMAC. the default for those should be an env, like you have, and HMAC.

Other than that, this looks great!

[markbates]

Take an options struct that allows for setting the secret key and the signing method.

[markbates]

lower case secretKey

[arschles]

I really, really want this but I'm late to the party (obviously). I'm currently writing my own middleware to do JWT auth. Please let me know if I can help contribute here to get this across the line

[markbates]

@Shivakishore14 do you think you can make the requested changes in the next few days? If not, perhaps @arschles could make them. I'd love to get this in the next release.

[arschles]

I can take a crack over the weekend or Monday. Let me know :)

[Shivakishore14]

@arschles thanks for the offer, @markbates i am almost done with the code. I will be finishing up by tomorrow.
@arschles If you feel i missed something you can always contribute, again thanks for the offer :)

[markbates]

Excellent! Lots of people are excited about this one.

[robbyoconnor]

Do git pull --rebase and squash to one commit -- makes the PR easier to follow.

[robbyoconnor]

@Shivakishore14 also update docs 😉

[arschles]

@Shivakishore14 for sure. I'll look at this over the weekend. If there's more to do I'll do it in a follow-up. I don't want to hold up this PR

[Shivakishore14]

@markbates can you review the code.

[markbates]

This all seems a bit much, and doesn't allow for users to add their own way of getting a key, such as from a database, or other store.

What do you think of doing something like this:

type Options struct {
	SignMethod jwt.SigningMethod
	GetKey     func(jwt.SigningMethod) (interface{}, error)
}

func GetHMACKey(jwt.SigningMethod) (interface{}, error) {
	key, err := envy.MustGet("JWT_SECRET")
	return []byte(key), err
}

func Middleware(options Options) buffalo.MiddlewareFunc {
	// set sign method to HMAC if not provided
	if options.SignMethod == nil {
		options.SignMethod = jwt.SigningMethodHS256
	}

	if options.GetKey == nil {
		options.GetKey = GetHMACKey
	}

	// ....
}

Then we can add a few "default" implementation functions, like the GetHMACKey example. Then people can easily plugin one of the default methods, and if none of them work for their situation, it's easy enough for the to add their own implementations.

Thoughts?

[Shivakishore14]

Wow that is neat, i will change the implementation.
instead of setting default GetKey to GetHMACKey , can we do something like.

if options.GetKey == nil {
	options.GetKey = selectGetKeyFunc(options.SignMethod)
}

so we get the GetKey method that is appropriate to the sign method.
and GetKey never uses the signing method so, it can be GetKey func() (interface{}, error)

[markbates]

I'm assuming all the files in the data folder are used for testing, correct? If so, perhaps we should rename that folder to something like test_certs or something so that people don't get confused and want to use them in production, which would be bad.

[Shivakishore14]

sure will do.

[Shivakishore14]

@markbates I have added the requested changes.

[markbates]

This needs to take jwt.SigningMethod for those who want to build their own function, they might need that information.

[Shivakishore14]

@markbates added this.

[robbyoconnor]

@Shivakishore14 do git pull --rebase and squash your changes.

[markbates]

Great work on this! Thank you so much!

[robbyoconnor]

@Shivakishore14 You really need to update the docs ;)

[Shivakishore14]

@robbyoconnor Where do you want the docs to be on gobuffalo.io or the source code ?

[robbyoconnor]

Here. I made a ticket to track this: #1056