JWT validation only in Middleware


Martin Palma

Sep 26, 2019, 3:14:48 PM
to golang-nuts
Hello,

I'm in the process of writing an HTTP API with Go. I use a middleware for generating and validating JWT tokens. On any incoming request the middleware checks the JWT and validates it. If valid it adds it to the request header and calls the next handler. 

Is it safe to use the JWT in the next handler without validating it again and using the claims?

Best,
Martin

burak serdar

Sep 26, 2019, 3:36:47 PM
to Martin Palma, golang-nuts
If you make sure you have those two handlers in that order, then the
answer is yes.

Another approach is to validate the JWT in the first handler, and put
the claims into the request context for the next handler, so the next
handler doesn't even deal with the JWT, and gets the claims from the
context. This assumes the second handler won't be called if JWT
doesn't validate.


Martin Palma

Sep 27, 2019, 8:23:20 AM
to burak serdar, golang-nuts
Yes, the handlers are arranged as follows:

OAuth2Middleware (JWT token creation on login / JWT validation) -> InputValidationMiddleware (decoding and validating user input and checking whether the user has the rights to view/request the data according to the claims in the JWT) -> API Handler (decoding user input and talking to the backend, returning the response to the user)

You are right, the OAuth2Middleware could, instead of passing the token after validation, also pass the claims using the request context. That's right.

Thank you for the feedback. 
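Burak's suggestion above (validate once in the middleware, hand the claims to the next handler through the request context, and rely on the chain stopping when validation fails) and the middleware ordering Martin describes can be shown in one small program. This is an added example, not code from either poster or from the go-jwt-demo repository. It assumes an HS256 bearer token, a constructed demo key, and a hand-rolled, standard-library-only verifier standing in for whatever JWT library the API actually uses; the names `AuthMiddleware`, `ClaimsFromContext`, `Serve` and `profileHandler` are invented here.

```go
package main

import (
	"context"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

type Claims struct { // decoded JWT payload (only the fields this example uses)
	Sub  string `json:"sub"`
	Role string `json:"role"`
	Exp  int64  `json:"exp"`
}
type ctxKey struct{} // unexported key type, so no other package can overwrite the entry
var b64 = base64.RawURLEncoding
// signHS256 builds a compact HS256 token; used here only to construct sample input.
func signHS256(c Claims, key []byte) string {
	payload, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// verifyHS256 is the only code that sees the raw token: structure, pinned alg, signature, expiry.
func verifyHS256(token string, key []byte, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return c, errors.New("bad header or unexpected alg") // the token never picks the algorithm
	}
	sig, err := b64.DecodeString(parts[2])
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if err != nil || !hmac.Equal(mac.Sum(nil), sig) { // constant-time comparison
		return c, errors.New("signature mismatch")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil || c.Exp == 0 || now.Unix() >= c.Exp {
		return c, errors.New("bad payload or expired token")
	}
	return c, nil
}

// AuthMiddleware validates once, stores the claims in the context, and on failure never calls next.
func AuthMiddleware(key []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		claims, err := verifyHS256(token, key, time.Now()) // a missing header fails as malformed
		if err != nil {
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, claims)))
	})
}

// ClaimsFromContext is all a downstream handler needs; it never touches the token.
func ClaimsFromContext(ctx context.Context) (Claims, bool) {
	c, ok := ctx.Value(ctxKey{}).(Claims)
	return c, ok
}

// profileHandler trusts the context because only AuthMiddleware fills it; the ok check fails closed.
func profileHandler(w http.ResponseWriter, r *http.Request) {
	c, ok := ClaimsFromContext(r.Context())
	if !ok {
		http.Error(w, "no claims in context", http.StatusInternalServerError)
		return
	}
	fmt.Fprintf(w, "hello %s (%s)", c.Sub, c.Role)
}

func Serve(key []byte, token string) (int, string) { // one request through middleware -> handler
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/profile", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	AuthMiddleware(key, http.HandlerFunc(profileHandler)).ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() { // constructed key and claims for the demo run; real keys come from a secret store
	key := []byte("constructed-demo-key")
	fmt.Println(Serve(key, signHS256(Claims{Sub: "martin", Role: "admin", Exp: time.Now().Add(time.Hour).Unix()}, key)))
}
```

The `ok` check in the handler is the cheap guard against the chain being mis-wired (handler mounted without the middleware), which is the one assumption burak's answer depends on; the pinned `alg` and the `hmac.Equal` comparison are the two checks a hand-rolled verifier most often gets wrong, and any real JWT library should be configured to enforce the same.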

Matt-Klaus Mush

Sep 27, 2019, 11:24:02 AM
to Martin Palma, burak serdar, golang-nuts
While trying to make Go my #1 backend language, I decided to build an API authentication app, since most of the applications I work on require it. 

Have a look at my code on Github (at https://github.com/mmattklaus/go-jwt-demo), and see how I approached it. 
I documented every bit. Hopefully, it'll help.
