Update Verifier for locating jwt token; removing TokenFromQuery from …

…defaults
go-chi · Dec 12, 2020 · 38df5c8 · 38df5c8
1 parent b8af768
commit 38df5c8
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 17 deletions.
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-# jwtauth - JWT authentication middleware for Go HTTP services
+# jwtauth - JWT authentication middleware for HTTP services
 
 [![GoDoc Widget]][godoc]
 
@@ -23,12 +23,11 @@ your flow (ie. with a JSON error response body).
 
 By default, the `Verifier` will search for a JWT token in a http request, in the order:
 
-1.  'jwt' URI query parameter
-2.  'Authorization: BEARER T' request header
-3.  'jwt' Cookie value
+1.  'Authorization: BEARER T' request header
+2.  'jwt' Cookie value
 
-The first JWT string that is found as a query parameter, authorization header
-or cookie header is then decoded by the `jwt-go` library and a \*jwt.Token
+The first JWT string that is found as an authorization header
+or cookie header is then decoded by the `lestrrat-go/jwx` library and a jwt.Token
 object is set on the request context. In the case of a signature decoding error
 the Verifier will also set the error on the request context.
 
@@ -39,7 +38,7 @@ http response.
 
 Note: jwtauth supports custom verification sequences for finding a token
 from a request by using the `Verify` middleware instantiator directly. The default
-`Verifier` is instantiated by calling `Verify(ja, TokenFromQuery, TokenFromHeader, TokenFromCookie)`.
+`Verifier` is instantiated by calling `Verify(ja, TokenFromHeader, TokenFromCookie)`.
 
 # Usage
 

diff --git a/jwtauth.go b/jwtauth.go
@@ -12,13 +12,18 @@ import (
 	"github.com/lestrrat-go/jwx/jwt"
 )
 
-// Context keys
+type JWTAuth struct {
+	alg       jwa.SignatureAlgorithm
+	signKey   interface{} // private-key
+	verifyKey interface{} // public-key, only used by RSA and ECDSA algorithms
+	verifier  jwt.ParseOption
+}
+
 var (
 	TokenCtxKey = &contextKey{"Token"}
 	ErrorCtxKey = &contextKey{"Error"}
 )
 
-// Library errors
 var (
 	ErrUnauthorized = errors.New("token is unauthorized")
 	ErrExpired      = errors.New("token is expired")
@@ -28,13 +33,6 @@ var (
 	ErrAlgoInvalid  = errors.New("algorithm mismatch")
 )
 
-type JWTAuth struct {
-	alg       jwa.SignatureAlgorithm
-	signKey   interface{} // private-key
-	verifyKey interface{} // public-key, only used by RSA and ECDSA algorithms
-	verifier  jwt.ParseOption
-}
-
 func New(alg string, signKey interface{}, verifyKey interface{}) *JWTAuth {
 	ja := &JWTAuth{alg: jwa.SignatureAlgorithm(alg), signKey: signKey, verifyKey: verifyKey}
 
@@ -65,7 +63,7 @@ func New(alg string, signKey interface{}, verifyKey interface{}) *JWTAuth {
 // http response.
 func Verifier(ja *JWTAuth) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
-		return Verify(ja, TokenFromQuery, TokenFromHeader, TokenFromCookie)(next)
+		return Verify(ja, TokenFromHeader, TokenFromCookie)(next)
 	}
 }
 
@@ -266,6 +264,14 @@ func TokenFromHeader(r *http.Request) string {
 
 // TokenFromQuery tries to retreive the token string from the "jwt" URI
 // query parameter.
+//
+// To use it, build our own middleware handler, such as:
+//
+// func Verifier(ja *JWTAuth) func(http.Handler) http.Handler {
+// 	return func(next http.Handler) http.Handler {
+// 		return Verify(ja, TokenFromQuery, TokenFromHeader, TokenFromCookie)(next)
+// 	}
+// }
 func TokenFromQuery(r *http.Request) string {
 	// Get token from query param named "jwt".
 	return r.URL.Query().Get("jwt")