package auth import ( "crypto/sha256" "fmt" "time" "github.com/golang-jwt/jwt/v5" "github.com/google/uuid" ) type Manager struct { secret []byte accessTTL time.Duration refreshTTL time.Duration } func NewManager(secret string, accessTTL, refreshTTL time.Duration) *Manager { return &Manager{ secret: []byte(secret), accessTTL: accessTTL, refreshTTL: refreshTTL, } } type TokenPair struct { AccessToken string `json:"access_token"` RefreshToken string `json:"refresh_token"` AccessJTI string `json:"-"` RefreshJTI string `json:"-"` ExpiresAt int64 `json:"expires_at"` } func (m *Manager) Issue(userID, tenantID int64, role string) (*TokenPair, error) { now := time.Now() accessJTI := uuid.New().String() refreshJTI := uuid.New().String() accessClaims := Claims{ UserID: userID, TenantID: tenantID, Role: role, RegisteredClaims: jwt.RegisteredClaims{ ID: accessJTI, Subject: "access", IssuedAt: jwt.NewNumericDate(now), ExpiresAt: jwt.NewNumericDate(now.Add(m.accessTTL)), }, } accessToken, err := jwt.NewWithClaims(jwt.SigningMethodHS256, accessClaims).SignedString(m.secret) if err != nil { return nil, fmt.Errorf("sign access token: %w", err) } refreshClaims := Claims{ UserID: userID, TenantID: tenantID, Role: role, RegisteredClaims: jwt.RegisteredClaims{ ID: refreshJTI, Subject: "refresh", IssuedAt: jwt.NewNumericDate(now), ExpiresAt: jwt.NewNumericDate(now.Add(m.refreshTTL)), }, } refreshToken, err := jwt.NewWithClaims(jwt.SigningMethodHS256, refreshClaims).SignedString(m.secret) if err != nil { return nil, fmt.Errorf("sign refresh token: %w", err) } return &TokenPair{ AccessToken: accessToken, RefreshToken: refreshToken, AccessJTI: accessJTI, RefreshJTI: refreshJTI, ExpiresAt: now.Add(m.accessTTL).Unix(), }, nil } func (m *Manager) Parse(tokenStr string) (*Claims, error) { token, err := jwt.ParseWithClaims(tokenStr, &Claims{}, func(t *jwt.Token) (interface{}, error) { if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok { return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"]) } return m.secret, nil }) if err != nil { return nil, err } claims, ok := token.Claims.(*Claims) if !ok || !token.Valid { return nil, fmt.Errorf("invalid token claims") } return claims, nil } func (m *Manager) AccessTTL() time.Duration { return m.accessTTL } func (m *Manager) RefreshTTL() time.Duration { return m.refreshTTL } func HashToken(raw string) string { h := sha256.Sum256([]byte(raw)) return fmt.Sprintf("%x", h) }