From c76e64f87cab6431b2b873e352db712808f02a89 Mon Sep 17 00:00:00 2001 From: F04C Date: Mon, 16 Mar 2026 09:27:08 +0800 Subject: [PATCH] fixed --- helper/extract_email_from_token.go | 41 +++++++++++++++++++++--------- middleware/jwt.go | 17 +++++++++++-- 2 files changed, 44 insertions(+), 14 deletions(-) diff --git a/helper/extract_email_from_token.go b/helper/extract_email_from_token.go index 40c3d87..ae16b61 100644 --- a/helper/extract_email_from_token.go +++ b/helper/extract_email_from_token.go @@ -2,6 +2,7 @@ package helper import ( "authentication/models" + "encoding/pem" "errors" "log" "os" @@ -20,14 +21,22 @@ func ExtractEmailFromToken(tokenString string) (string, error) { } token, err := jwt.ParseWithClaims(tokenString, &models.AccessToken{}, func(token *jwt.Token) (interface{}, error) { - if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok { - return nil, errors.New("unexpected signing method") + if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok { + return nil, errors.New("unexpected signing method: expected RSA") } - secretKey := os.Getenv("JWT_SECRET_KEY") - if secretKey == "" { - return nil, errors.New("JWT secret key not set") + publicKeyPEM := os.Getenv("JWT_PUBLIC_KEY") + if publicKeyPEM == "" { + return nil, errors.New("JWT public key not set") } - return []byte(secretKey), nil + block, _ := pem.Decode([]byte(publicKeyPEM)) + if block == nil { + return nil, errors.New("failed to decode PEM block") + } + pubKey, err := jwt.ParseRSAPublicKeyFromPEM([]byte(publicKeyPEM)) + if err != nil { + return nil, errors.New("failed to parse RSA public key") + } + return pubKey, nil }) if err == nil && token.Valid { @@ -42,14 +51,22 @@ func ExtractEmailFromToken(tokenString string) (string, error) { // If AccessToken parsing failed, try MapClaims for backward compatibility log.Printf("AccessToken parsing failed: %v, trying MapClaims fallback", err) token, err = jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) { - if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok { - return nil, errors.New("unexpected signing method") + if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok { + return nil, errors.New("unexpected signing method: expected RSA") } - secretKey := os.Getenv("JWT_SECRET_KEY") - if secretKey == "" { - return nil, errors.New("JWT secret key not set") + publicKeyPEM := os.Getenv("JWT_PUBLIC_KEY") + if publicKeyPEM == "" { + return nil, errors.New("JWT public key not set") } - return []byte(secretKey), nil + block, _ := pem.Decode([]byte(publicKeyPEM)) + if block == nil { + return nil, errors.New("failed to decode PEM block") + } + pubKey, err := jwt.ParseRSAPublicKeyFromPEM([]byte(publicKeyPEM)) + if err != nil { + return nil, errors.New("failed to parse RSA public key") + } + return pubKey, nil }) if err != nil { diff --git a/middleware/jwt.go b/middleware/jwt.go index 9d720ff..9d16954 100644 --- a/middleware/jwt.go +++ b/middleware/jwt.go @@ -4,6 +4,7 @@ package middleware import ( "context" "database/sql" + "encoding/pem" "fmt" "net/http" "net/url" @@ -155,10 +156,22 @@ func isSessionBlacklisted(sessionID string) bool { func parseToken(tokenString, secretKey string) (*jwt.Token, error) { return jwt.ParseWithClaims(tokenString, jwt.MapClaims{}, func(token *jwt.Token) (interface{}, error) { - if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok { + if token.Method != jwt.SigningMethodRS256 { return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"]) } - return []byte(secretKey), nil + publicKeyPEM := os.Getenv("JWT_PUBLIC_KEY") + if publicKeyPEM == "" { + return nil, fmt.Errorf("JWT public key not set") + } + block, _ := pem.Decode([]byte(publicKeyPEM)) + if block == nil { + return nil, fmt.Errorf("failed to decode PEM block") + } + pubKey, err := jwt.ParseRSAPublicKeyFromPEM([]byte(publicKeyPEM)) + if err != nil { + return nil, fmt.Errorf("failed to parse RSA public key") + } + return pubKey, nil }) }