我正在尝试实现jwtauth,但是当应该激活验证jwtoken时,会发生奇怪的错误。
因此,就像它们提供的示例一样,我们以这种方式生成并返回 token :
func (s *Service) loginEmployer(w http.ResponseWriter, r *http.Request) {
u := &User{}
hashed, err := bcrypt.GenerateFromPassword([]byte(r.FormValue("password")), 8)
if err != nil {
panic(err)
}
tokenAuth = jwtauth.New("HS256", []byte(hashed), nil)
_, tokenString, _ := tokenAuth.Encode(jwtauth.Claims{"login": r.FormValue("login")})
u.TokenString = tokenString
WriteJSON(w, u, 200)
} else {
http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
}
}
jwtauth.Verifier在doc全局变量中声明为。
var tokenAuth *jwtauth.JwtAuth
func routes(s *Service) *chi.Mux {
// Private access login
r.Group(func(r chi.Router) {
r.Use(jwtauth.Verifier(tokenAuth))
r.Use(jwtauth.Authenticator)
r.Mount("/employer", employerRoutes())
...
但是,当我尝试访问/ employer中的路由时,
我收到此错误:
2017/07/19 18:16:22 http: panic serving 127.0.0.1:59856: runtime error: invalid memory address or nil pointer dereference
goroutine 15 [running]:
net/http.(*conn).serve.func1(0xc420019680)
/usr/lib/go-1.8/src/net/http/server.go:1721 +0xd0
panic(0x7f9620, 0xa64510)
/usr/lib/go-1.8/src/runtime/panic.go:489 +0x2cf
github.com/go-chi/jwtauth.(*JwtAuth).Decode(0x0, 0xc420192707, 0x67, 0x6, 0x6e, 0x0)
/home/antiaskid/go/src/github.com/go-chi/jwtauth/jwtauth.go:168 +0x40
github.com/go-chi/jwtauth.VerifyRequest(0x0, 0xc4201aa400, 0xc420180b10, 0x1, 0x1, 0x0, 0x1, 0xc420180f30)
/home/antiaskid/go/src/github.com/go-chi/jwtauth/jwtauth.go:124 +0x154
github.com/go-chi/jwtauth.Verify.func1.1(0xa40920, 0xc4201a8380, 0xc4201aa400)
/home/antiaskid/go/src/github.com/go-chi/jwtauth/jwtauth.go:79 +0x89
net/http.HandlerFunc.ServeHTTP(0xc4201ae5c0, 0xa40920, 0xc4201a8380, 0xc4201aa400)
/usr/lib/go-1.8/src/net/http/server.go:1942 +0x44
github.com/go-chi/chi.(*ChainHandler).ServeHTTP(0xc4201ae600, 0xa40920, 0xc4201a8380, 0xc4201aa400)
/home/antiaskid/go/src/github.com/go-chi/chi/chain.go:29 +0x52
github.com/go-chi/chi.(*Mux).routeHTTP(0xc420192150, 0xa40920, 0xc4201a8380, 0xc4201aa400)
/home/antiaskid/go/src/github.com/go-chi/chi/mux.go:415 +0x26d
github.com/go-chi/chi.(*Mux).(github.com/go-chi/chi.routeHTTP)-fm(0xa40920, 0xc4201a8380, 0xc4201aa400)
/home/antiaskid/go/src/github.com/go-chi/chi/mux.go:351 +0x48
net/http.HandlerFunc.ServeHTTP(0xc4201808a0, 0xa40920, 0xc4201a8380, 0xc4201aa400)
/usr/lib/go-1.8/src/net/http/server.go:1942 +0x44
main.(*Service).sessionMiddleware.func1(0xa40920, 0xc4201a8380, 0xc4201aa300)
/home/antiaskid/go/src/bitbucket.org/victoria/middlewares.go:17 +0x148
net/http.HandlerFunc.ServeHTTP(0xc4201824e0, 0xa40920, 0xc4201a8380, 0xc4201aa300)
/usr/lib/go-1.8/src/net/http/server.go:1942 +0x44
github.com/go-chi/chi.(*Mux).ServeHTTP(0xc420192150, 0xa40920, 0xc4201a8380, 0xc42000b000)
/home/antiaskid/go/src/github.com/go-chi/chi/mux.go:80 +0x1df
net/http.serverHandler.ServeHTTP(0xc4201980b0, 0xa40920, 0xc4201a8380, 0xc42000b000)
/usr/lib/go-1.8/src/net/http/server.go:2568 +0x92
net/http.(*conn).serve(0xc420019680, 0xa41020, 0xc420017300)
/usr/lib/go-1.8/src/net/http/server.go:1825 +0x612
created by net/http.(*Server).Serve
/usr/lib/go-1.8/src/net/http/server.go:2668 +0x2ce
他们的例子很好,但是初始化总是在发生。书面说明,Verify将把 token 从标头请求中取出作为“授权”,如果我删除验证并检查标头,则 token +标头名称存在(r.Header.Get(“Authorization”))
有任何关于如何使其工作的想法吗?
最佳答案
我看到的问题,可能是我不正确的问题,您正在为每个登录的用户创建tokenAuth。应该有一个tokenAuth实例,并使用该实例进行编码和解码。我相信所有用户的签名密钥都应该相同,因此您可以从tokenAuth实例进行验证。由于过去的HS256问题,您可能还需要考虑使用RS256对其进行签名。
https://auth0.com/blog/brute-forcing-hs256-is-possible-the-importance-of-using-strong-keys-to-sign-jwts/