netbird/client/internal/auth/util.go

package auth

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

func randomBytesInHex(count int) (string, error) {
	buf := make([]byte, count)
	_, err := io.ReadFull(rand.Reader, buf)
	if err != nil {
		return "", fmt.Errorf("could not generate %d random bytes: %v", count, err)
	}

	return hex.EncodeToString(buf), nil
}

// isValidAccessToken is a simple validation of the access token
func isValidAccessToken(token string, audience string) error {
	if token == "" {
		return fmt.Errorf("token received is empty")
	}

	encodedClaims := strings.Split(token, ".")[1]
	claimsString, err := base64.RawURLEncoding.DecodeString(encodedClaims)
	if err != nil {
		return err
	}

	claims := Claims{}
	err = json.Unmarshal(claimsString, &claims)
	if err != nil {
		return err
	}

	if claims.Audience == nil {
		return fmt.Errorf("required token field audience is absent")
	}

	// Audience claim of JWT can be a string or an array of strings
	switch aud := claims.Audience.(type) {
	case string:
		if aud == audience {
			return nil
		}
	case []interface{}:
		for _, audItem := range aud {
			if audStr, ok := audItem.(string); ok && audStr == audience {
				return nil
			}
		}
	}

	return fmt.Errorf("invalid JWT token audience field")
}
Add PKCE authorization flow (#1012) Enhance the user experience by enabling authentication to Netbird using Single Sign-On (SSO) with any Identity Provider (IDP) provider. Current client offers this capability through the Device Authorization Flow, however, is not widely supported by many IDPs, and even some that do support it do not provide a complete verification URL. To address these challenges, this pull request enable Authorization Code Flow with Proof Key for Code Exchange (PKCE) for client logins, which is a more widely adopted and secure approach to facilitate SSO with various IDP providers. 2023-07-27 11:31:07 +02:00			`package auth`

			`import (`
			`"crypto/rand"`
			`"encoding/base64"`
			`"encoding/hex"`
			`"encoding/json"`
			`"fmt"`
			`"io"`
			`"strings"`
			`)`

			`func randomBytesInHex(count int) (string, error) {`
			`buf := make([]byte, count)`
			`_, err := io.ReadFull(rand.Reader, buf)`
			`if err != nil {`
			`return "", fmt.Errorf("could not generate %d random bytes: %v", count, err)`
			`}`

			`return hex.EncodeToString(buf), nil`
			`}`

			`// isValidAccessToken is a simple validation of the access token`
			`func isValidAccessToken(token string, audience string) error {`
			`if token == "" {`
			`return fmt.Errorf("token received is empty")`
			`}`

			`encodedClaims := strings.Split(token, ".")[1]`
			`claimsString, err := base64.RawURLEncoding.DecodeString(encodedClaims)`
			`if err != nil {`
			`return err`
			`}`

			`claims := Claims{}`
			`err = json.Unmarshal(claimsString, &claims)`
			`if err != nil {`
			`return err`
			`}`

			`if claims.Audience == nil {`
			`return fmt.Errorf("required token field audience is absent")`
			`}`

			`// Audience claim of JWT can be a string or an array of strings`
Reimplement isValidAccessToken without reflect (#1183) The use of reflection should generally be minimized in Go code because it can make the code less readable, less type-safe, and potentially slower. In this particular case we can simply rely on type switch. 2023-09-28 23:51:47 +02:00			`switch aud := claims.Audience.(type) {`
			`case string:`
			`if aud == audience {`
Add PKCE authorization flow (#1012) Enhance the user experience by enabling authentication to Netbird using Single Sign-On (SSO) with any Identity Provider (IDP) provider. Current client offers this capability through the Device Authorization Flow, however, is not widely supported by many IDPs, and even some that do support it do not provide a complete verification URL. To address these challenges, this pull request enable Authorization Code Flow with Proof Key for Code Exchange (PKCE) for client logins, which is a more widely adopted and secure approach to facilitate SSO with various IDP providers. 2023-07-27 11:31:07 +02:00			`return nil`
			`}`
Reimplement isValidAccessToken without reflect (#1183) The use of reflection should generally be minimized in Go code because it can make the code less readable, less type-safe, and potentially slower. In this particular case we can simply rely on type switch. 2023-09-28 23:51:47 +02:00			`case []interface{}:`
			`for _, audItem := range aud {`
			`if audStr, ok := audItem.(string); ok && audStr == audience {`
Add PKCE authorization flow (#1012) Enhance the user experience by enabling authentication to Netbird using Single Sign-On (SSO) with any Identity Provider (IDP) provider. Current client offers this capability through the Device Authorization Flow, however, is not widely supported by many IDPs, and even some that do support it do not provide a complete verification URL. To address these challenges, this pull request enable Authorization Code Flow with Proof Key for Code Exchange (PKCE) for client logins, which is a more widely adopted and secure approach to facilitate SSO with various IDP providers. 2023-07-27 11:31:07 +02:00			`return nil`
			`}`
			`}`
			`}`

			`return fmt.Errorf("invalid JWT token audience field")`
			`}`