[jwt] pass issuer from config and revoked TTL

Author: capcom6

internal/config/config.go

@@ -91,6 +91,7 @@ type PubSub struct {
 type JWT struct {
 	Secret string   `yaml:"secret" envconfig:"JWT__SECRET"`
 	TTL    Duration `yaml:"ttl" envconfig:"JWT__TTL"`
+	Issuer string   `yaml:"issuer" envconfig:"JWT__ISSUER"`
 }
 
 var defaultConfig = Config{
@@ -128,6 +129,7 @@ var defaultConfig = Config{
 		URL: "memory://",
 	},
 	JWT: JWT{
-		TTL: Duration(time.Hour * 24 * 365), // 1 year
+		TTL:    Duration(time.Hour * 24),
+		Issuer: "sms-gate.app",
 	},
 }

internal/config/module.go

@@ -129,6 +129,7 @@ var Module = fx.Module(
 		return jwt.Config{
 			Secret: cfg.JWT.Secret,
 			TTL:    time.Duration(cfg.JWT.TTL),
+			Issuer: cfg.JWT.Issuer,
 		}
 	}),
 )

internal/sms-gateway/jwt/config.go

@@ -8,6 +8,7 @@ import (
 type Config struct {
 	Secret string
 	TTL    time.Duration
+	Issuer string
 }
 
 func (c Config) Validate() error {
@@ -16,7 +17,7 @@ func (c Config) Validate() error {
 	}
 
 	if c.TTL == 0 {
-		return fmt.Errorf("%w: ttl is required", ErrInvalidConfig)
+		return fmt.Errorf("%w: ttl must be positive", ErrInvalidConfig)
 	}
 
 	return nil

internal/sms-gateway/jwt/errors.go

@@ -4,6 +4,7 @@ import "errors"
 
 var (
 	ErrDisabled                = errors.New("jwt disabled")
+	ErrInitFailed              = errors.New("failed to initialize jwt")
 	ErrInvalidConfig           = errors.New("invalid config")
 	ErrTokenRevoked            = errors.New("token revoked")
 	ErrUnexpectedSigningMethod = errors.New("unexpected signing method")

internal/sms-gateway/jwt/revoked.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"time"
 
 	"github.com/android-sms-gateway/server/pkg/cache"
 )
@@ -30,6 +31,6 @@ func (r *revokedStorage) IsRevoked(ctx context.Context, token string) (bool, err
 	return true, nil
 }
 
-func (r *revokedStorage) Revoke(ctx context.Context, token string) error {
-	return r.storage.Set(ctx, token, nil)
+func (r *revokedStorage) Revoke(ctx context.Context, token string, ttl time.Duration) error {
+	return r.storage.Set(ctx, token, nil, cache.WithTTL(ttl))
 }

internal/sms-gateway/jwt/service.go

@@ -30,6 +30,10 @@ func New(config Config, revoked *revokedStorage) (Service, error) {
 		return nil, err
 	}
 
+	if revoked == nil {
+		return nil, fmt.Errorf("%w: revoked storage is required", ErrInitFailed)
+	}
+
 	idFactory, err := nanoid.Standard(jtiLength)
 	if err != nil {
 		return nil, fmt.Errorf("can't create id factory: %w", err)
@@ -45,6 +49,10 @@ func New(config Config, revoked *revokedStorage) (Service, error) {
 }
 
 func (s *service) GenerateToken(userID string, scopes []string, ttl time.Duration) (string, error) {
+	if ttl < 0 {
+		return "", fmt.Errorf("%w: ttl must be non-negative", ErrInvalidConfig)
+	}
+
 	if ttl == 0 {
 		ttl = s.config.TTL
 	}
@@ -53,7 +61,7 @@ func (s *service) GenerateToken(userID string, scopes []string, ttl time.Duratio
 	claims := &Claims{
 		RegisteredClaims: jwt.RegisteredClaims{
 			ID:        s.idFactory(),
-			Issuer:    "sms-gate.app",
+			Issuer:    s.config.Issuer,
 			Subject:   userID,
 			IssuedAt:  jwt.NewNumericDate(now),
 			ExpiresAt: jwt.NewNumericDate(now.Add(min(ttl, s.config.TTL))),
@@ -73,7 +81,7 @@ func (s *service) GenerateToken(userID string, scopes []string, ttl time.Duratio
 
 func (s *service) ParseToken(ctx context.Context, token string) (*Claims, error) {
 	parsedToken, err := jwt.ParseWithClaims(token, new(Claims), func(t *jwt.Token) (any, error) {
-		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
+		if t.Method != jwt.SigningMethodHS256 {
 			return nil, fmt.Errorf("%w: %v", ErrUnexpectedSigningMethod, t.Header["alg"])
 		}
 		return []byte(s.config.Secret), nil
@@ -99,5 +107,5 @@ func (s *service) ParseToken(ctx context.Context, token string) (*Claims, error)
 }
 
 func (s *service) RevokeToken(ctx context.Context, jti string) error {
-	return s.revoked.Revoke(ctx, jti)
+	return s.revoked.Revoke(ctx, jti, s.config.TTL)
 }