initial version

Author: zarkones

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 ZARKONES
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,2 @@
+# INTRODUCTION
+This is library for authorization and access control via public-key cryptography.

error-handler.go

@@ -0,0 +1,3 @@
+package access
+
+var ErrorHandler = func(userID string, err error) {}

go.mod

@@ -0,0 +1,5 @@
+module access
+
+go 1.24.5
+
+require github.com/golang-jwt/jwt/v5 v5.3.0

go.sum

@@ -0,0 +1,2 @@
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=

helpers.go

@@ -0,0 +1,70 @@
+package access
+
+import (
+	"crypto/rsa"
+	"net/http"
+)
+
+func AuthenticateAndAuthorize(
+	w http.ResponseWriter,
+	r *http.Request,
+	permissionKey PermissionKey,
+	metadata *string,
+	getPublicKeyByUserID func(userID string) (*rsa.PublicKey, error),
+	getPermissionsByUserID func(userID string) ([]Permission, error),
+) (username string, permissions []Permission, reject bool) {
+	username, permissions, reject = Authenticate(w, r, getPublicKeyByUserID, getPermissionsByUserID)
+	if reject {
+		return username, permissions, reject
+	}
+
+	if permissionKey != PERMISSION_NOT_SPECIFIED {
+		if reject := Authorize(permissionKey, metadata, permissions); reject {
+			http.Error(w, "", http.StatusUnauthorized)
+			return "", nil, true
+		}
+	}
+
+	return username, permissions, false
+}
+
+func Authenticate(
+	w http.ResponseWriter,
+	r *http.Request,
+	getPublicKeyByUserID func(userID string) (*rsa.PublicKey, error),
+	getPermissionsByUserID func(userID string) ([]Permission, error),
+) (userID string, permissions []Permission, reject bool) {
+
+	token := r.Header.Get("Authorization")
+
+	userID, err := VerifyToken(token, getPublicKeyByUserID)
+	if err != nil {
+		ErrorHandler(userID, err)
+		http.Error(w, "", http.StatusUnauthorized)
+		return "", nil, true
+	}
+
+	permissions, err = getPermissionsByUserID(userID)
+	if err != nil {
+		ErrorHandler(userID, err)
+		http.Error(w, "", http.StatusUnauthorized)
+		return "", nil, true
+	}
+
+	return userID, permissions, false
+}
+
+func Authorize(permissionKey PermissionKey, metadata *string, permissions []Permission) (reject bool) {
+	for _, permission := range permissions {
+		if permission.Key != permissionKey {
+			continue
+		}
+		if metadata != nil && *metadata != permission.Metadata {
+			continue
+		}
+
+		return false
+	}
+
+	return true
+}

token.go

@@ -0,0 +1,85 @@
+package access
+
+import (
+	"crypto/rsa"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+var (
+	ErrMissingAuthHeader     = errors.New("missing Authorization header")
+	ErrInvalidJWTSegments    = errors.New("invalid size of jwt segments")
+	ErrNilInsecurePayload    = errors.New("insecure parsed token payload appears as nil")
+	ErrInvalidInsecureUserID = errors.New("insecure parsed token user id is invalid")
+	ErrInvalidSigningAlg     = errors.New("invalid signing algorithm")
+	ErrInvalidSig            = errors.New("invalid token's signature")
+	ErrInvalidClaims         = errors.New("claims casting did not go well")
+	ErrInvalidPubKeyPtr      = errors.New("invalid pointer to public key")
+	ErrInvalidUserID         = errors.New("user id is invalid")
+)
+
+func VerifyToken(rawToken string, getPublicKeyByUserID func(userID string) (*rsa.PublicKey, error)) (userID string, err error) {
+	if rawToken == "" {
+		return "", ErrMissingAuthHeader
+	}
+	if getPublicKeyByUserID == nil {
+		return "", ErrInvalidPubKeyPtr
+	}
+
+	segments := strings.Split(rawToken, ".")
+	if len(segments) != 3 {
+		return "", ErrInvalidJWTSegments
+	}
+
+	insecurePayloadJsonStr, err := base64.RawStdEncoding.DecodeString(segments[1])
+	if err != nil {
+		return "", err
+	}
+
+	var insecurePayload map[string]any
+
+	if err := json.Unmarshal(insecurePayloadJsonStr, &insecurePayload); err != nil {
+		return "", err
+	}
+
+	if insecurePayload == nil {
+		return "", ErrNilInsecurePayload
+	}
+
+	insecureUserID := fmt.Sprint(insecurePayload["u"])
+	if len(insecureUserID) == 0 || len(insecureUserID) > 32 {
+		return "", ErrInvalidInsecureUserID
+	}
+
+	token, err := jwt.Parse(rawToken, func(t *jwt.Token) (any, error) {
+		if _, ok := t.Method.(*jwt.SigningMethodRSA); !ok {
+			return nil, ErrInvalidSigningAlg
+		}
+
+		return getPublicKeyByUserID(insecureUserID)
+	})
+	if err != nil {
+		return "", err
+	}
+
+	if !token.Valid {
+		return "", ErrInvalidSig
+	}
+
+	claims, ok := token.Claims.(jwt.MapClaims)
+	if !ok {
+		return "", ErrInvalidClaims
+	}
+
+	verifiedUserID := fmt.Sprint(claims["id"])
+	if len(verifiedUserID) == 0 {
+		return "", ErrInvalidUserID
+	}
+
+	return verifiedUserID, nil
+}

types.go

@@ -0,0 +1,14 @@
+package access
+
+type PermissionKey int
+
+const (
+	PERMISSION_NOT_SPECIFIED = PermissionKey(iota)
+)
+
+type Permission struct {
+	Key       PermissionKey
+	UserID    string
+	Metadata  string
+	CreatedAt int64
+}