Comparison

util/jwt.lua @ 10660:c4ded3be7cc0

util.jwt: Basic JSON Web Token library supporting HS256 tokens
author Kim Alvefur <zash@zash.se>
date Mon, 24 Feb 2020 01:24:25 +0100
child 11561:d2f33b8fdc96
comparison
equal deleted inserted replaced
10659:8f95308c3c45 10660:c4ded3be7cc0
1 local s_gsub = string.gsub;
2 local json = require "util.json";
3 local hashes = require "util.hashes";
4 local base64_encode = require "util.encodings".base64.encode;
5 local base64_decode = require "util.encodings".base64.decode;
6
7 local b64url_rep = { ["+"] = "-", ["/"] = "_", ["="] = "", ["-"] = "+", ["_"] = "/" };
8 local function b64url(data)
9 return (s_gsub(base64_encode(data), "[+/=]", b64url_rep));
10 end
11 local function unb64url(data)
12 return base64_decode(s_gsub(data, "[-_]", b64url_rep).."==");
13 end
14
15 local static_header = b64url('{"alg":"HS256","typ":"JWT"}') .. '.';
16
17 local function sign(key, payload)
18 local encoded_payload = json.encode(payload);
19 local signed = static_header .. b64url(encoded_payload);
20 local signature = hashes.hmac_sha256(key, signed);
21 return signed .. "." .. b64url(signature);
22 end
23
24 local jwt_pattern = "^(([A-Za-z0-9-_]+)%.([A-Za-z0-9-_]+))%.([A-Za-z0-9-_]+)$"
25 local function verify(key, blob)
26 local signed, bheader, bpayload, signature = string.match(blob, jwt_pattern);
27 if not signed then
28 return nil, "invalid-encoding";
29 end
30 local header = json.decode(unb64url(bheader));
31 if not header or type(header) ~= "table" then
32 return nil, "invalid-header";
33 elseif header.alg ~= "HS256" then
34 return nil, "unsupported-algorithm";
35 end
36 if b64url(hashes.hmac_sha256(key, signed)) ~= signature then
37 return false, "signature-mismatch";
38 end
39 local payload, err = json.decode(unb64url(bpayload));
40 if err ~= nil then
41 return nil, "json-decode-error";
42 end
43 return true, payload;
44 end
45
46 return {
47 sign = sign;
48 verify = verify;
49 };
50