* Added support for account signing keys. When account signing keys change, the validity of the client JWT and of token imports needs to be checked as well, because the signing key used to sign the user or import token may have been removed from the source account.
JWT
A JWT implementation that uses nkeys to digitally sign JWT tokens. Nkeys use Ed25519 to provide authentication of JWT claims.
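// Signing side: a private key is needed to sign the claim, and nkeys makes
// it easy to create one.
kp, err := nkeys.CreateAccount()
if err != nil {
	t.Fatal("unable to create account key", err)
}
pk, err := kp.PublicKey()
if err != nil {
	t.Fatal("error getting public key", err)
}

// Create a new claim that expires one hour from now.
claims := NewAccountClaims(pk)
claims.Expires = time.Now().Add(time.Hour).Unix()

// Add details by modifying claims.Account.

// Serialize the claim to a JWT token, signing it with kp.
token, err := claims.Encode(kp)
if err != nil {
	t.Fatal("error encoding token", err)
}

// Receiving side: decode the token.
c, err := DecodeAccountClaims(token)
if err != nil {
	t.Fatal(err)
}

// A successful decode means the token validated and was not tampered with.
// That alone does not make the issuer trusted: the remaining, required
// check is to ensure the issuer is a key the receiver trusts.
// NOTE(review): this example re-reads the key from kp; a real receiver
// would presumably compare against a public key it already holds as
// trusted, never one taken from the token itself. Confirm for your setup.
// NOTE(review): no expiry check on the decoded claims is shown here;
// confirm whether DecodeAccountClaims enforces Expires.
//
// pk and err are already declared above, so this must be a plain
// assignment; ":=" with no new variable on the left does not compile.
pk, err = kp.PublicKey()
if err != nil {
	t.Fatalf("unable to read public key: %v", err)
}
if c.Issuer != pk {
	t.Fatalf("the public key is not trusted")
}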
