JWT発行API

.env.example

@@ -6,6 +6,7 @@ WEBHOOK_SECRET=
 ACTIVITY_CHANNEL_ID=
 DAILY_CHANNEL_ID=
 TOKEN_KEY=
+JWT_KEY=
 KNOQ_VERSION=
 KNOQ_REVISION=
 DEVELOPMENT=

README.md

@@ -41,6 +41,7 @@ knoQ の全ての機能を動作させるためには、追加の情報が必要
 | DAILY_CHANNEL_ID    | 環境変数 |                                        | Bot が毎日定時に投稿する先のチャンネル                          |
 | ACTIVITY_CHANNEL_ID | 環境変数 |                                        | Bot が都度送信するチャンネル                               |
 | TOKEN_KEY           | 環境変数 | `random32wordsXXXXXXXXXXXXXXXXXXX`     | Token を暗号化する。長さ 32 文字のランダム文字列。存在しない場合はエラー。     |
+| JWT_KEY             | 環境変数 | `random_wordsXXXXXXXXXXXXXXXXXXXXXXX`  | JWT に署名する。長さ 32 文字以上のランダム文字列。存在しない場合はエラー。 |
 | KNOQ_VERSION        | 環境変数 | UNKNOWN                                | knoQ のバージョン (github actions でイメージ作成時に指定)       |
 | KNOQ_REVISION       | 環境変数 | UNKNOWN                                | git の sha1 (github actions でイメージ作成時に指定)        |
 | DEVELOPMENT         | 環境変数 |                                        | 開発時かどうか                                        |

docker-compose.yml

@@ -3,7 +3,6 @@ version: "3"
 networks:
   default:
 
-
 services:
   knoq:
     build:
@@ -19,13 +18,14 @@ services:
       ORIGIN: http://localhost:6006
       SESSION_KEY: ${SESSION_KEY:-random32wordsXXXXXXXXXXXXXXXXXXX}
       TRAQ_CALENDARID: ${TRAQ_CALENDARID}
-      CLIENT_ID: ${CLIENT_ID:-aYj6mwyLcpBIrxZZD8jkCzH3Gsdqc9DJqle2}
+      CLIENT_ID: ${CLIENT_ID:-hhCZHJemBHaIPPYFxBLElXnOG2X8jelWLCyj}
       WEBHOOK_ID: ${WEBHOOK_ID}
       WEBHOOK_SECRET: ${WEBHOOK_SECRET}
       CHANNEL_ID: ${CHANNEL_ID}
       DAILY_CHANNEL_ID: ${DAILY_CHANNEL_ID}
       ACTIVITY_CHANNEL_ID: ${ACTIVITY_CHANNEL_ID}
       TOKEN_KEY: ${TOKEN_KEY:-random32wordsXXXXXXXXXXXXXXXXXXX}
+      JWT_KEY: ${JWT_KEY:-random32wordsXXXXXXXXXXXXXXXXXXX}
       KNOQ_VERSION: ${KNOQ_VERSION:-dev}
       DEVELOPMENT: true
       GORM_LOG_LEVEL: info

docs/swagger.yaml

@@ -556,6 +556,23 @@ paths:
       responses:
         '302':
           description: 成功。/callbackにリダイレクト。（その後はuiがリダイレクトする）
+  /token:
+    post:
+      tags:
+        - authentication
+      operationId: createToken
+      description: APIトークンを発行します。
+      responses:
+        '201':
+          description: 成功
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  token:
+                    type: string
+                    description: APIトークン(JWT)
 
   /ical/v1/{icalToken}:
     get:

go.mod

@@ -8,11 +8,13 @@ require (
 	github.com/go-gormigrate/gormigrate/v2 v2.1.0
 	github.com/go-sql-driver/mysql v1.7.1
 	github.com/gofrs/uuid v4.4.0+incompatible
+	github.com/golang-jwt/jwt/v5 v5.0.0
 	github.com/gorilla/securecookie v1.1.1
 	github.com/gorilla/sessions v1.2.1
 	github.com/jinzhu/copier v0.3.5
 	github.com/jszwec/csvutil v1.8.0
 	github.com/labstack/echo-contrib v0.15.0
+	github.com/labstack/echo-jwt/v4 v4.2.0
 	github.com/labstack/echo/v4 v4.11.1
 	github.com/ory/dockertest/v3 v3.10.0
 	github.com/patrickmn/go-cache v2.1.0+incompatible

go.sum

@@ -71,6 +71,8 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
+github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA=
 github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@@ -143,6 +145,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/labstack/echo-contrib v0.15.0 h1:9K+oRU265y4Mu9zpRDv3X+DGTqUALY6oRHCSZZKCRVU=
 github.com/labstack/echo-contrib v0.15.0/go.mod h1:lei+qt5CLB4oa7VHTE0yEfQSEB9XTJI1LUqko9UWvo4=
+github.com/labstack/echo-jwt/v4 v4.2.0 h1:odSISV9JgcSCuhgQSV/6Io3i7nUmfM/QkBeR5GVJj5c=
+github.com/labstack/echo-jwt/v4 v4.2.0/go.mod h1:MA2RqdXdEn4/uEglx0HcUOgQSyBaTh5JcaHIan3biwU=
 github.com/labstack/echo/v4 v4.11.1 h1:dEpLU2FLg4UVmvCGPuk/APjlH6GDpbEPti61srUUUs4=
 github.com/labstack/echo/v4 v4.11.1/go.mod h1:YuYRTSM3CHs2ybfrL8Px48bO6BAnYIN4l8wSTMP6BDQ=
 github.com/labstack/gommon v0.4.0 h1:y7cvthEAEbU0yHOf4axH8ZG2NH8knB9iNSoTO8dyIk8=

main.go

@@ -10,8 +10,8 @@ import (
 
 	"github.com/traPtitech/knoQ/domain"
 	"github.com/traPtitech/knoQ/infra/db"
-	"github.com/traPtitech/knoQ/repository"
 	"github.com/traPtitech/knoQ/infra/traq"
+	"github.com/traPtitech/knoQ/repository"
 	"github.com/traPtitech/knoQ/utils"
 	"golang.org/x/oauth2"
 
@@ -32,7 +32,8 @@ var (
 	mariadbPassword = getenv("MARIADB_PASSWORD", "password")
 	mariadbDatabase = getenv("MARIADB_DATABASE", "knoQ")
 	mariadbPort     = getenv("MARIADB_PORT", "3306")
-	tokenKey        = getenv("TOKEN_KEY", "random32wordsXXXXXXXXXXXXXXXXXXX")
+	tokenKey        = mustGetenv("TOKEN_KEY")
+	jwtKey          = mustGetenv("JWT_KEY")
 	gormLogLevel    = getenv("GORM_LOG_LEVEL", "silent")
 
 	clientID          = getenv("CLIENT_ID", "client_id")
@@ -47,6 +48,10 @@ var (
 )
 
 func main() {
+	if len(jwtKey) < 32 {
+		panic("JWT_KEY must be at least 32 characters")
+	}
+
 	logger, _ := zap.NewDevelopment()
 	domain.VERSION = version
 	domain.REVISION = revision
@@ -89,6 +94,7 @@ func main() {
 		ActivityChannelID: activityChannelID,
 		DailyChannelId:    dailyChannelID,
 		Origin:            origin,
+		JWTKey:            jwtKey,
 	}
 
 	e := handler.SetupRoute()
@@ -120,3 +126,10 @@ func getenv(key, fallback string) string {
 	}
 	return fallback
 }
+
+func mustGetenv(key string) string {
+	if value, ok := os.LookupEnv(key); ok {
+		return value
+	}
+	panic("environment variable " + key + " is not set")
+}

router/authorization.go

@@ -5,9 +5,11 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/labstack/echo-contrib/session"
 	"github.com/labstack/echo/v4"
 	"github.com/patrickmn/go-cache"
+	"github.com/traPtitech/knoQ/router/presentation"
 	"github.com/traPtitech/knoQ/utils/random"
 )
 
@@ -79,3 +81,28 @@ func (h *Handlers) HandleCallback(c echo.Context) error {
 	}
 	return c.Redirect(http.StatusFound, "/callback")
 }
+
+func (h *Handlers) HandleCreateToken(c echo.Context) error {
+	sess, err := session.Get("session", c)
+	if err != nil {
+		setMaxAgeMinus(c)
+		return unauthorized(err, needAuthorization(true),
+			message("please try again"))
+	}
+
+	claims := jwt.RegisteredClaims{
+		Subject:   sess.Values["userID"].(string),
+		ExpiresAt: jwt.NewNumericDate(time.Now().Add(3 * 24 * time.Hour)),
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+
+	signedToken, err := token.SignedString([]byte(h.JWTKey))
+	if err != nil {
+		return internalServerError(err)
+	}
+
+	return c.JSON(http.StatusCreated, presentation.CreateTokenRes{
+		Token: signedToken,
+	})
+}

router/middleware.go

@@ -7,6 +7,7 @@ import (
 	"strconv"
 	"time"
 
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/traPtitech/knoQ/domain"
 	"github.com/traPtitech/knoQ/router/logging"
 	"github.com/traPtitech/knoQ/router/presentation"
@@ -16,6 +17,7 @@ import (
 	"go.uber.org/zap"
 
 	"github.com/labstack/echo-contrib/session"
+	echojwt "github.com/labstack/echo-jwt/v4"
 	"github.com/labstack/echo/v4"
 )
 
@@ -80,6 +82,30 @@ func ServerVersionMiddleware(version string) echo.MiddlewareFunc {
 	}
 }
 
+func (h *Handlers) JWTMiddleware() echo.MiddlewareFunc {
+	return echojwt.WithConfig(
+		echojwt.Config{
+			SigningKey: []byte(h.JWTKey),
+			SuccessHandler: func(c echo.Context) {
+				// jwtの検証に成功したらsessionにuserIDを保存
+				sess, _ := session.Get("session", c)
+				claims := c.Get("user").(*jwt.Token).Claims.(*jwt.RegisteredClaims)
+				sess.Values["userID"] = claims.Subject
+				sess.Options = &h.SessionOption
+				_ = sess.Save(c.Request(), c.Response())
+			},
+			ErrorHandler: func(c echo.Context, err error) error {
+				return nil
+			},
+			ContinueOnIgnoredError: true,
+			ContextKey:             "user",
+			NewClaimsFunc: func(c echo.Context) jwt.Claims {
+				return &jwt.RegisteredClaims{}
+			},
+		},
+	)
+}
+
 // TraQUserMiddleware traQユーザーか判定するミドルウェア
 // TODO funcname fix
 func (h *Handlers) TraQUserMiddleware(next echo.HandlerFunc) echo.HandlerFunc {

router/presentation/authorization.go

@@ -0,0 +1,5 @@
+package presentation
+
+type CreateTokenRes struct {
+	Token string `json:"token"`
+}

router/router.go

@@ -30,6 +30,7 @@ type Handlers struct {
 	ActivityChannelID string
 	DailyChannelId    string
 	Origin            string
+	JWTKey            string
 }
 
 func (h *Handlers) SetupRoute() *echo.Echo {
@@ -57,7 +58,10 @@ func (h *Handlers) SetupRoute() *echo.Echo {
 	}))
 
 	// API定義 (/api)
-	api := e.Group("/api", h.TraQUserMiddleware)
+	api := e.Group("/api",
+		h.JWTMiddleware(),
+		h.TraQUserMiddleware,
+	)
 	{
 		previlegeMiddle := h.PrevilegeUserMiddleware
 
@@ -136,11 +140,7 @@ func (h *Handlers) SetupRoute() *echo.Echo {
 			apiTags.GET("", h.HandleGetTags)
 		}
 
-		// apiActivity := api.Group("/activity")
-		// {
-		// apiActivity.GET("/events", h.HandleGetEventActivities)
-		// }
-
+		api.POST("/token", h.HandleCreateToken)
 	}
 	e.POST("/api/authParams", h.HandlePostAuthParams)
 	e.GET("/api/callback", h.HandleCallback)