auth: Restructure for getting tokens form keystore

daemon/cmd.go

@@ -6,6 +6,7 @@ import (
 	"context"
 
 	"github.com/multiformats/go-multiaddr"
+	"go.uber.org/fx"
 	"gopkg.in/urfave/cli.v2"
 
 	"github.com/filecoin-project/go-lotus/node"
@@ -44,6 +45,10 @@ var Cmd = &cli.Command{
 				}
 				return lr.SetAPIEndpoint(apima)
 			}),
+
+			node.Override(node.ServeRPCKey, func(lc fx.Lifecycle) error {
+
+			}),
 		)
 		if err != nil {
 			return err

daemon/rpc.go

@@ -1,15 +1,23 @@
 package daemon
 
 import (
+	"github.com/filecoin-project/go-lotus/lib/auth"
+	"github.com/gbrlsnchs/jwt/v3"
 	"net/http"
 
 	"github.com/filecoin-project/go-lotus/api"
 	"github.com/filecoin-project/go-lotus/lib/jsonrpc"
 )
 
-func serveRPC(a api.API, addr string) error {
+func serveRPC(a api.API, addr string, authSecret []byte) error {
 	rpcServer := jsonrpc.NewServer()
 	rpcServer.Register("Filecoin", api.Permissioned(a))
-	http.Handle("/rpc/v0", rpcServer)
+
+	authHandler := &auth.Handler{
+		Secret: jwt.NewHS256(authSecret),
+		Next:   rpcServer.ServeHTTP,
+	}
+
+	http.Handle("/rpc/v0", authHandler)
 	return http.ListenAndServe(addr, http.DefaultServeMux)
 }

lib/auth/handler.go

@@ -0,0 +1,55 @@
+package auth
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/filecoin-project/go-lotus/api"
+	"github.com/gbrlsnchs/jwt/v3"
+	logging "github.com/ipfs/go-log"
+)
+
+var log = logging.Logger("auth")
+
+type Handler struct {
+	Secret *jwt.HMACSHA
+	Next http.HandlerFunc
+}
+
+func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	token := r.Header.Get("Authorization")
+	if token != "" {
+		if !strings.HasPrefix(token, "Bearer ") {
+			log.Warn("missing Bearer prefix in auth header")
+			w.WriteHeader(401)
+			return
+		}
+		token = token[len("Bearer "):]
+
+		var payload jwtPayload
+		if _, err := jwt.Verify([]byte(token), h.Secret, &payload); err != nil {
+			log.Warnf("JWT Verification failed: %s", err)
+			w.WriteHeader(401)
+			return
+		}
+
+		ctx = api.WithPerm(ctx, payload.Allow)
+	}
+
+	h.Next(w, r.WithContext(ctx))
+}
+
+type jwtPayload struct {
+	Allow []string
+}
+
+/*func init() {
+	p := jwtPayload{
+		Allow: []string{"read", "write"},
+	}
+	r, _ := jwt.Sign(&p, secret)
+	log.Infof("WRITE TOKEN: %s", string(r))
+}
+*/

lib/jsonrpc/auth.go

@@ -1,19 +0,0 @@
-package jsonrpc
-
-import (
-	"github.com/gbrlsnchs/jwt/v3"
-)
-
-var secret = jwt.NewHS256([]byte("todo: get me from the repo"))
-
-type jwtPayload struct {
-	Allow []string
-}
-
-func init() {
-	p := jwtPayload{
-		Allow: []string{"read", "write"},
-	}
-	r, _ := jwt.Sign(&p, secret)
-	log.Infof("WRITE TOKEN: %s", string(r))
-}

lib/jsonrpc/server.go

@@ -3,14 +3,9 @@ package jsonrpc
 import (
 	"context"
 	"encoding/json"
+	"github.com/gorilla/websocket"
 	"io"
 	"net/http"
-	"strings"
-
-	"github.com/gbrlsnchs/jwt/v3"
-	"github.com/gorilla/websocket"
-
-	"github.com/filecoin-project/go-lotus/api"
 )
 
 const (
@@ -56,23 +51,6 @@ func (s *RPCServer) handleWS(ctx context.Context, w http.ResponseWriter, r *http
 func (s *RPCServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 
-	token := r.Header.Get("Authorization")
-	if token != "" {
-		if !strings.HasPrefix(token, "Bearer ") {
-			w.WriteHeader(401)
-			return
-		}
-		token = token[len("Bearer "):]
-
-		var payload jwtPayload
-		if _, err := jwt.Verify([]byte(token), secret, &payload); err != nil {
-			w.WriteHeader(401)
-			return
-		}
-
-		ctx = api.WithPerm(ctx, payload.Allow)
-	}
-
 	if r.Header.Get("Connection") == "Upgrade" {
 		s.handleWS(ctx, w, r)
 		return

node/builder.go

@@ -70,7 +70,9 @@ const (
 	HandleIncomingBlocksKey
 	HandleIncomingMessagesKey
 
+	// daemon
 	SetApiEndpointKey
+	ServeRPCKey
 
 	_nInvokes // keep this last
 )