[jwt] implement token issuing

Author: capcom6

api/requests.http

@@ -197,7 +197,19 @@ POST {{baseUrl}}/3rdparty/v1/auth/token HTTP/1.1
 Authorization: Basic {{credentials}}
 Content-Type: application/json
 
-{}
+{
+    "scopes": [
+        "messages:read",
+        "messages:send",
+        "devices:read",
+        "devices:write",
+        "webhooks:read",
+        "webhooks:write",
+        "settings:read",
+        "settings:write",
+        "logs:read",
+    ]
+}
 
 ###
 POST {{baseUrl}}/3rdparty/v1/auth/token/revoke HTTP/1.1

configs/config.example.yml

@@ -38,15 +38,19 @@ cache: # cache config
   url: memory:// # cache url (memory:// or redis://) [CACHE__URL]
 pubsub: # pubsub config
   url: memory:// # pubsub url (memory:// or redis://) [PUBSUB__URL]
+jwt:
+  secret: # jwt secret [JWT__SECRET]
+  ttl: 24h # jwt ttl [JWT__TTL]
+  issuer: # jwt issuer [JWT__ISSUER]
 
 ## Worker Config ##
 
 tasks: # tasks config
   messages_hashing:
-    interval: 168h # task execution interval in hours [TASKS__MESSAGES_HASHING__INTERVAL]
+    interval: 168h # task execution interval [TASKS__MESSAGES_HASHING__INTERVAL]
   messages_cleanup:
-    interval: 24h # task execution interval in hours [TASKS__MESSAGES_CLEANUP__INTERVAL]
-    max_age: 720h # messages max age in hours [TASKS__MESSAGES_CLEANUP__MAX_AGE]
+    interval: 24h # task execution interval [TASKS__MESSAGES_CLEANUP__INTERVAL]
+    max_age: 720h # messages max age [TASKS__MESSAGES_CLEANUP__MAX_AGE]
   devices_cleanup:
-    interval: 24h # task execution interval in hours [TASKS__DEVICES_CLEANUP__INTERVAL]
-    max_age: 8760h # inactive devices max age in hours [TASKS__DEVICES_CLEANUP__MAX_AGE]
+    interval: 24h # task execution interval [TASKS__DEVICES_CLEANUP__INTERVAL]
+    max_age: 8760h # inactive devices max age [TASKS__DEVICES_CLEANUP__MAX_AGE]

internal/sms-gateway/handlers/thirdparty/auth.go

@@ -1,34 +1,72 @@
 package thirdparty
 
 import (
+	"time"
+
 	"github.com/android-sms-gateway/server/internal/sms-gateway/handlers/base"
+	"github.com/android-sms-gateway/server/internal/sms-gateway/handlers/middlewares/userauth"
+	"github.com/android-sms-gateway/server/internal/sms-gateway/jwt"
+	"github.com/android-sms-gateway/server/internal/sms-gateway/models"
 	"github.com/go-playground/validator/v10"
 	"github.com/gofiber/fiber/v2"
 	"go.uber.org/zap"
 )
 
 type AuthHandler struct {
 	base.Handler
+
+	jwtSvc jwt.Service
 }
 
 func NewAuthHandler(
+	jwtSvc jwt.Service,
+
 	logger *zap.Logger,
 	validator *validator.Validate,
 ) *AuthHandler {
 	return &AuthHandler{
 		Handler: base.Handler{Logger: logger, Validator: validator},
+
+		jwtSvc: jwtSvc,
 	}
 }
 
 func (h *AuthHandler) Register(router fiber.Router) {
-	router.Post("/token", h.token)
-	router.Post("/token/revoke", h.tokenRevoke)
+	router.Post("/token", userauth.WithUser(h.postToken))
+	router.Delete("/token/:jti", userauth.WithUser(h.deleteToken))
 }
 
-func (h *AuthHandler) token(c *fiber.Ctx) error {
-	return fiber.ErrNotImplemented
+type tokenRequest struct {
+	TTL    time.Duration `json:"ttl,omitempty"`
+	Scopes []string      `json:"scopes" validate:"required,min=1,dive,required"`
+}
+
+type tokenResponse struct {
+	ID          string    `json:"id"`
+	TokenType   string    `json:"token_type"`
+	AccessToken string    `json:"access_token"`
+	ExpiresAt   time.Time `json:"expires_at"`
+}
+
+func (h *AuthHandler) postToken(user models.User, c *fiber.Ctx) error {
+	req := new(tokenRequest)
+	if err := h.BodyParserValidator(c, req); err != nil {
+		return err
+	}
+
+	token, err := h.jwtSvc.GenerateToken(user.ID, req.Scopes, req.TTL)
+	if err != nil {
+		return err
+	}
+
+	return c.Status(fiber.StatusCreated).JSON(tokenResponse{
+		ID:          token.ID,
+		TokenType:   "Bearer",
+		AccessToken: token.AccessToken,
+		ExpiresAt:   token.ExpiresAt,
+	})
 }
 
-func (h *AuthHandler) tokenRevoke(c *fiber.Ctx) error {
+func (h *AuthHandler) deleteToken(user models.User, c *fiber.Ctx) error {
 	return fiber.ErrNotImplemented
 }

internal/sms-gateway/jwt/disabled.go

@@ -13,8 +13,8 @@ func newDisabled() Service {
 }
 
 // GenerateToken implements Service.
-func (d *disabled) GenerateToken(userID string, scopes []string, ttl time.Duration) (string, error) {
-	return "", ErrDisabled
+func (d *disabled) GenerateToken(userID string, scopes []string, ttl time.Duration) (*TokenInfo, error) {
+	return nil, ErrDisabled
 }
 
 // ParseToken implements Service.

internal/sms-gateway/jwt/jwt.go

@@ -1,10 +1,27 @@
 package jwt
 
-import "github.com/golang-jwt/jwt/v5"
+import (
+	"context"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+type Service interface {
+	GenerateToken(userID string, scopes []string, ttl time.Duration) (*TokenInfo, error)
+	ParseToken(ctx context.Context, token string) (*Claims, error)
+	RevokeToken(ctx context.Context, jti string) error
+}
 
 type Claims struct {
 	jwt.RegisteredClaims
 
 	UserID string   `json:"user_id"`
 	Scopes []string `json:"scopes"`
 }
+
+type TokenInfo struct {
+	ID          string
+	AccessToken string
+	ExpiresAt   time.Time
+}

internal/sms-gateway/jwt/service.go

@@ -11,12 +11,6 @@ import (
 
 const jtiLength = 21
 
-type Service interface {
-	GenerateToken(userID string, scopes []string, ttl time.Duration) (string, error)
-	ParseToken(ctx context.Context, token string) (*Claims, error)
-	RevokeToken(ctx context.Context, jti string) error
-}
-
 type service struct {
 	config Config
 
@@ -48,17 +42,17 @@ func New(config Config, revoked *RevokedStorage) (Service, error) {
 	}, nil
 }
 
-func (s *service) GenerateToken(userID string, scopes []string, ttl time.Duration) (string, error) {
+func (s *service) GenerateToken(userID string, scopes []string, ttl time.Duration) (*TokenInfo, error) {
 	if userID == "" {
-		return "", fmt.Errorf("%w: user id is required", ErrInvalidConfig)
+		return nil, fmt.Errorf("%w: user id is required", ErrInvalidConfig)
 	}
 
 	if len(scopes) == 0 {
-		return "", fmt.Errorf("%w: scopes are required", ErrInvalidConfig)
+		return nil, fmt.Errorf("%w: scopes are required", ErrInvalidConfig)
 	}
 
 	if ttl < 0 {
-		return "", fmt.Errorf("%w: ttl must be non-negative", ErrInvalidConfig)
+		return nil, fmt.Errorf("%w: ttl must be non-negative", ErrInvalidConfig)
 	}
 
 	if ttl == 0 {
@@ -81,10 +75,10 @@ func (s *service) GenerateToken(userID string, scopes []string, ttl time.Duratio
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 	signedToken, err := token.SignedString([]byte(s.config.Secret))
 	if err != nil {
-		return "", fmt.Errorf("failed to sign token: %w", err)
+		return nil, fmt.Errorf("failed to sign token: %w", err)
 	}
 
-	return signedToken, nil
+	return &TokenInfo{ID: claims.ID, AccessToken: signedToken, ExpiresAt: claims.ExpiresAt.Time}, nil
 }
 
 func (s *service) ParseToken(ctx context.Context, token string) (*Claims, error) {