egutierrez
eff5771b03
Fase 2 del issue 0010 — auth core: - jwt_generate/validate: HS256 manual con crypto/hmac + crypto/sha256 - password_hash/verify: wrappers de golang.org/x/crypto/bcrypt (cost 12 default) - JWT rechaza alg != HS256 para mitigar ataque 'alg=none' - hmac.Equal para comparacion constant-time de firmas
45 lines
1.1 KiB
Go
45 lines
1.1 KiB
Go
package infra
|
|
|
|
import (
|
|
"crypto/hmac"
|
|
"crypto/sha256"
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"errors"
|
|
"time"
|
|
)
|
|
|
|
// JWTGenerate codifica un JWT firmado con HMAC-SHA256 (alg: HS256).
|
|
// Si claims.IssuedAt viene en cero se setea a time.Now().Unix().
|
|
// Retorna el token en formato "header.payload.signature" con los tres segmentos
|
|
// codificados en base64url sin padding.
|
|
func JWTGenerate(claims JWTClaims, secret string) (string, error) {
|
|
if secret == "" {
|
|
return "", errors.New("jwt_generate: secret vacio")
|
|
}
|
|
if claims.IssuedAt == 0 {
|
|
claims.IssuedAt = time.Now().Unix()
|
|
}
|
|
|
|
header := map[string]string{"alg": "HS256", "typ": "JWT"}
|
|
headerJSON, err := json.Marshal(header)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
payloadJSON, err := json.Marshal(claims)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
enc := base64.RawURLEncoding
|
|
headerPart := enc.EncodeToString(headerJSON)
|
|
payloadPart := enc.EncodeToString(payloadJSON)
|
|
signingInput := headerPart + "." + payloadPart
|
|
|
|
mac := hmac.New(sha256.New, []byte(secret))
|
|
mac.Write([]byte(signingInput))
|
|
sigPart := enc.EncodeToString(mac.Sum(nil))
|
|
|
|
return signingInput + "." + sigPart, nil
|
|
}
|