// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
////////////////////////////////////////////////////////////////////////////////

package jwt

import (
	"fmt"
	"time"
)

// VerifiedJWT is a verified JWT token.
// VerifiedJWT wraps a RawJWT and exposes its header and claims by delegating
// to the RawJWT accessors. The type performs no verification of its own; the
// "verified" guarantee rests entirely on when the package constructs it.
type VerifiedJWT struct {
	token *RawJWT
}

// newVerifiedJWT wraps rawJWT in a VerifiedJWT.
//
// The only check made here is that rawJWT is non-nil. No signature, MAC or
// claim validation happens in this function, so it must be called only after
// those checks have succeeded.
// NOTE(review): presumably only the verification path calls this - confirm.
func newVerifiedJWT(rawJWT *RawJWT) (*VerifiedJWT, error) {
	if rawJWT != nil {
		return &VerifiedJWT{token: rawJWT}, nil
	}
	return nil, fmt.Errorf("rawJWT can't be nil")
}

// JSONPayload marshals the payload of the wrapped token to JSON by
// delegating to RawJWT.JSONPayload.
func (v *VerifiedJWT) JSONPayload() ([]byte, error) {
	payload, err := v.token.JSONPayload()
	return payload, err
}

// HasTypeHeader reports whether the wrapped token contains a type header.
func (v *VerifiedJWT) HasTypeHeader() bool {
	present := v.token.HasTypeHeader()
	return present
}

// TypeHeader returns the JWT type header of the wrapped token.
func (v *VerifiedJWT) TypeHeader() (string, error) {
	typ, err := v.token.TypeHeader()
	return typ, err
}

// HasAudiences reports whether the wrapped token contains the audience
// claim ('aud').
func (v *VerifiedJWT) HasAudiences() bool {
	present := v.token.HasAudiences()
	return present
}

// Audiences returns a list of audiences from the 'aud' claim.
// If the 'aud' claim is a single string, it is converted into a list with a single entry.
func (v *VerifiedJWT) Audiences() ([]string, error) {
	// Pure delegation: the wrapper adds no filtering of the audience list.
	auds, err := v.token.Audiences()
	return auds, err
}

// HasSubject reports whether the wrapped token contains a subject claim
// ('sub').
func (v *VerifiedJWT) HasSubject() bool {
	present := v.token.HasSubject()
	return present
}

// Subject returns the subject claim ('sub') or an error if no claim is
// present.
func (v *VerifiedJWT) Subject() (string, error) {
	sub, err := v.token.Subject()
	return sub, err
}

// HasIssuer reports whether the wrapped token contains an issuer claim
// ('iss').
func (v *VerifiedJWT) HasIssuer() bool {
	present := v.token.HasIssuer()
	return present
}

// Issuer returns the issuer claim ('iss') or an error if no claim is present.
func (v *VerifiedJWT) Issuer() (string, error) {
	iss, err := v.token.Issuer()
	return iss, err
}

// HasJWTID reports whether the wrapped token contains a JWT ID claim ('jti').
func (v *VerifiedJWT) HasJWTID() bool {
	present := v.token.HasJWTID()
	return present
}

// JWTID returns the JWT ID claim ('jti') or an error if no claim is present.
func (v *VerifiedJWT) JWTID() (string, error) {
	id, err := v.token.JWTID()
	return id, err
}

// HasIssuedAt checks whether a JWT contains an issued at claim ('iat').
func (v *VerifiedJWT) HasIssuedAt() bool {
	present := v.token.HasIssuedAt()
	return present
}

// IssuedAt returns the issued at claim ('iat') or an error if no claim is
// present. This wrapper adds no comparison against the current time.
func (v *VerifiedJWT) IssuedAt() (time.Time, error) {
	iat, err := v.token.IssuedAt()
	return iat, err
}

// HasExpiration reports whether the wrapped token contains an expiration
// time claim ('exp').
func (v *VerifiedJWT) HasExpiration() bool {
	present := v.token.HasExpiration()
	return present
}

// ExpiresAt returns the expiration claim ('exp') or an error if no claim is
// present. This wrapper adds no comparison against the current time.
func (v *VerifiedJWT) ExpiresAt() (time.Time, error) {
	exp, err := v.token.ExpiresAt()
	return exp, err
}

// HasNotBefore reports whether the wrapped token contains a not before claim
// ('nbf').
func (v *VerifiedJWT) HasNotBefore() bool {
	present := v.token.HasNotBefore()
	return present
}

// NotBefore returns the not before claim ('nbf') or an error if no claim is
// present. This wrapper adds no comparison against the current time.
func (v *VerifiedJWT) NotBefore() (time.Time, error) {
	nbf, err := v.token.NotBefore()
	return nbf, err
}

// HasStringClaim checks whether a claim of type string is present.
func (v *VerifiedJWT) HasStringClaim(name string) bool {
	// name is passed through unchanged to the wrapped RawJWT.
	present := v.token.HasStringClaim(name)
	return present
}

// StringClaim returns a custom string claim or an error if no claim is
// present.
func (v *VerifiedJWT) StringClaim(name string) (string, error) {
	val, err := v.token.StringClaim(name)
	return val, err
}

// HasNumberClaim reports whether a claim of type number is present.
func (v *VerifiedJWT) HasNumberClaim(name string) bool {
	present := v.token.HasNumberClaim(name)
	return present
}

// NumberClaim returns a custom number claim or an error if no claim is
// present.
func (v *VerifiedJWT) NumberClaim(name string) (float64, error) {
	num, err := v.token.NumberClaim(name)
	return num, err
}

// HasBooleanClaim reports whether a claim of type boolean is present.
func (v *VerifiedJWT) HasBooleanClaim(name string) bool {
	present := v.token.HasBooleanClaim(name)
	return present
}

// BooleanClaim returns a custom bool claim or an error if no claim is
// present.
func (v *VerifiedJWT) BooleanClaim(name string) (bool, error) {
	flag, err := v.token.BooleanClaim(name)
	return flag, err
}

// HasNullClaim checks whether a claim of type null is present.
func (v *VerifiedJWT) HasNullClaim(name string) bool {
	// name is passed through unchanged to the wrapped RawJWT.
	present := v.token.HasNullClaim(name)
	return present
}

// HasArrayClaim reports whether a claim of type list is present.
func (v *VerifiedJWT) HasArrayClaim(name string) bool {
	present := v.token.HasArrayClaim(name)
	return present
}

// ArrayClaim returns a slice representing a JSON array for a claim or an
// error if the claim is empty.
//
// The element type is interface{}, so the signature places no constraint on
// what each entry holds; callers should type-assert every element before use.
func (v *VerifiedJWT) ArrayClaim(name string) ([]interface{}, error) {
	items, err := v.token.ArrayClaim(name)
	return items, err
}

// HasObjectClaim reports whether a claim of type JSON object is present.
func (v *VerifiedJWT) HasObjectClaim(name string) bool {
	present := v.token.HasObjectClaim(name)
	return present
}

// ObjectClaim returns a map representing a JSON object for a claim or an
// error if the claim is empty.
//
// Values are interface{}, so the signature places no constraint on what each
// key holds; callers should type-assert every value before use.
func (v *VerifiedJWT) ObjectClaim(name string) (map[string]interface{}, error) {
	obj, err := v.token.ObjectClaim(name)
	return obj, err
}

// CustomClaimNames returns a list with the names of the custom claims in a
// VerifiedJWT.
func (v *VerifiedJWT) CustomClaimNames() []string {
	names := v.token.CustomClaimNames()
	return names
}