[FEAT/BE] resolve jwks

2026-05-20 13:31:56 +00:00 · 2026-02-24 15:16:09 +07:00
parent 5fb7a78a5a
commit f6f4cc5a10
4 changed files with 240 additions and 19 deletions
@@ -19,11 +19,11 @@ const (

 // AuthContext keeps authentication details captured by the middleware.
 type AuthContext struct {
-	Token        string
-	Verification *sso.VerificationResult
-	User         *entity.User
-	Roles        []sso.Role
-	Permissions  map[string]struct{}
+	Token           string
+	Verification    *sso.VerificationResult
+	User            *entity.User
+	Roles           []sso.Role
+	Permissions     map[string]struct{}
 	UserAreaIDs     []uint
 	UserLocationIDs []uint
 	UserAllArea     bool
@@ -36,8 +36,30 @@ type AuthContext struct {
 func Auth(userService service.UserService, requiredScopes ...string) fiber.Handler {
 	return func(c *fiber.Ctx) error {
 		token := bearerToken(c)
-		if token == "" {
-			token = strings.TrimSpace(c.Cookies(config.SSOAccessCookieName))
+		tokenSource := ""
+		if token != "" {
+			tokenSource = "header"
+		} else {
+			primaryName := strings.TrimSpace(config.SSOAccessCookieName)
+			if primaryName != "" {
+				token = strings.TrimSpace(c.Cookies(primaryName))
+				if token != "" {
+					tokenSource = "cookie:" + primaryName
+				}
+			}
+			if token == "" {
+				for _, name := range config.SSOAccessCookieFallback {
+					name = strings.TrimSpace(name)
+					if name == "" || name == primaryName {
+						continue
+					}
+					token = strings.TrimSpace(c.Cookies(name))
+					if token != "" {
+						tokenSource = "cookie:" + name
+						break
+					}
+				}
+			}
 		}
 		if token == "" {
 			return fiber.NewError(fiber.StatusUnauthorized, "Please authenticate")
@@ -45,7 +67,11 @@ func Auth(userService service.UserService, requiredScopes ...string) fiber.Handl

 		verification, err := sso.VerifyAccessToken(token)
 		if err != nil {
-			utils.Log.WithError(err).Warn("auth: token verification failed")
+			if sso.IsSignatureError(err) {
+				logSignatureError("auth", tokenSource, token, err)
+			} else {
+				utils.Log.WithError(err).Warn("auth: token verification failed")
+			}
 			return fiber.NewError(fiber.StatusUnauthorized, "Please authenticate")
 		}

@@ -89,11 +115,11 @@ func Auth(userService service.UserService, requiredScopes ...string) fiber.Handl
 		}

 		ctx := &AuthContext{
-			Token:        token,
-			Verification: verification,
-			User:         user,
-			Roles:        roles,
-			Permissions:  permissions,
+			Token:           token,
+			Verification:    verification,
+			User:            user,
+			Roles:           roles,
+			Permissions:     permissions,
 			UserAreaIDs:     nil,
 			UserLocationIDs: nil,
 			UserAllArea:     false,
@@ -216,6 +242,26 @@ func hasAllScopes(have, required []string) bool {
 	return true
 }

+func logSignatureError(ctxLabel, tokenSource, token string, err error) {
+	info := sso.ExtractTokenInfo(token)
+	aud := strings.Join(info.Aud, ",")
+	utils.Log.Errorf(
+		"access token verification failed: %v | ctx=%s source=%s iss=%s kid=%s aud=%s sub=%s exp=%d iat=%d nbf=%d expected_iss=%s expected_aud=%v",
+		err,
+		ctxLabel,
+		tokenSource,
+		info.Iss,
+		info.Kid,
+		aud,
+		info.Sub,
+		info.Exp,
+		info.Iat,
+		info.Nbf,
+		config.SSOIssuer,
+		config.SSOAllowedAudiences,
+	)
+}
+
 // RequirePermissions ensures the authenticated user possesses all specified permissions.
 func RequirePermissions(perms ...string) fiber.Handler {
 	required := canonicalPermissions(perms)