Using JWT with Iris

The Iris JWT middleware was designed with security, performance and simplicity in mind, it protects your tokens from critical vulnerabilities that you may find in other libraries. It is based on kataras/jwt package.

  1. package main
  3. import (
  4.     "time"
  6.     "github.com/kataras/iris/v12"
  7.     "github.com/kataras/iris/v12/middleware/jwt"
  8. )
  10. var (
  11.     sigKey = []byte("signature_hmac_secret_shared_key")
  12.     encKey = []byte("GCM_AES_256_secret_shared_key_32")
  13. )
  15. type fooClaims struct {
  16.     Foo string `json:"foo"`
  17. }
  19. func main() {
  20.     app := iris.New()
  22.     signer := jwt.NewSigner(jwt.HS256, sigKey, 10*time.Minute)
  23.     // Enable payload encryption with:
  24.     // signer.WithEncryption(encKey, nil)
  25.     app.Get("/", generateToken(signer))
  27.     verifier := jwt.NewVerifier(jwt.HS256, sigKey)
  28.     // Enable server-side token block feature (even before its expiration time):
  29.     verifier.WithDefaultBlocklist()
  30.     // Enable payload decryption with:
  31.     // verifier.WithDecryption(encKey, nil)
  32.     verifyMiddleware := verifier.Verify(func() interface{} {
  33.         return new(fooClaims)
  34.     })
  36.     protectedAPI := app.Party("/protected")
  37.     // Register the verify middleware to allow access only to authorized clients.
  38.     protectedAPI.Use(verifyMiddleware)
  39.     // ^ or UseRouter(verifyMiddleware) to disallow unauthorized http error handlers too.
  41.     protectedAPI.Get("/", protected)
  42.     // Invalidate the token through server-side, even if it's not expired yet.
  43.     protectedAPI.Get("/logout", logout)
  45.     // http://localhost:8080
  46.     // http://localhost:8080/protected?token=$token (or Authorization: Bearer $token)
  47.     // http://localhost:8080/protected/logout?token=$token
  48.     // http://localhost:8080/protected?token=$token (401)
  49.     app.Listen(":8080")
  50. }
  52. func generateToken(signer *jwt.Signer) iris.Handler {
  53.     return func(ctx iris.Context) {
  54.         claims := fooClaims{Foo: "bar"}
  56.         token, err := signer.Sign(claims)
  57.         if err != nil {
  58.             ctx.StopWithStatus(iris.StatusInternalServerError)
  59.             return
  60.         }
  62.         ctx.Write(token)
  63.     }
  64. }
  66. func protected(ctx iris.Context) {
  67.     // Get the verified and decoded claims.
  68.     claims := jwt.Get(ctx).(*fooClaims)
  70.     // Optionally, get token information if you want to work with them.
  71.     // Just an example on how you can retrieve all the standard claims (set by signer's max age, "exp").
  72.     standardClaims := jwt.GetVerifiedToken(ctx).StandardClaims
  73.     expiresAtString := standardClaims.ExpiresAt().Format(ctx.Application().ConfigurationReadOnly().GetTimeFormat())
  74.     timeLeft := standardClaims.Timeleft()
  76.     ctx.Writef("foo=%s\nexpires at: %s\ntime left: %s\n", claims.Foo, expiresAtString, timeLeft)
  77. }
  79. func logout(ctx iris.Context) {
  80.     err := ctx.Logout()
  81.     if err != nil {
  82.         ctx.WriteString(err.Error())
  83.     } else {
  84.         ctx.Writef("token invalidated, a new token is required to access the protected API")
  85.     }
  86. }

Learn about refresh tokens, blocklist and more at: _examples/auth/jwt.