in helpers/jwt.go [68:142]
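// ValidateLogin authenticates the bearer token carried by h and returns the
// username found in the first matching claim listed in config.JWT.UserNameClaims.
//
// The key used to verify the signature is chosen from config.JWT.CertFile: a
// JWKS endpoint when the value starts with "http", otherwise a public key
// loaded from that file path. On any failure the detail is logged and a short,
// non-sensitive error is returned to the caller; the token value itself is
// never written to the log or the error, since it is a live credential.
//
// Parameters:
//   h      – the incoming request; the raw credential is read via extractAuth.
//   config – server configuration providing the key source and claim names.
//
// Returns the username and nil, or "" and an error naming the failure category.
func ValidateLogin(h *http.Request, config *Config) (string, error) {
	rawData, rawErr := extractAuth(h)
	if rawErr != nil {
		return "", rawErr
	}

	var (
		token  *jwt.Token
		tokErr error
	)
	// NOTE(review): the prefix test also accepts plain "http://" endpoints and
	// any file path that happens to begin with "http"; an explicit scheme
	// check would be stricter.
	if strings.HasPrefix(config.JWT.CertFile, "http") {
		token, tokErr = parseWithJWKS(rawData, config.JWT.CertFile)
	} else {
		token, tokErr = parseWithPublicKey(rawData, config.JWT.CertFile)
	}
	if tokErr != nil {
		return "", tokErr
	}
	// Defense in depth: jwt.Parse already reports invalidity through its error,
	// but Valid is the library's final verdict, so never accept a token without it.
	if !token.Valid {
		log.Print("ERROR token is not valid")
		return "", errors.New("token is not valid")
	}

	claims, claimsOk := token.Claims.(jwt.MapClaims)
	if !claimsOk {
		log.Printf("ERROR helpers.jwt.ValidateLogin claims data was not present or incorrect")
		return "", errors.New("incorrect claims data")
	}
	if username, found := usernameFromClaims(claims, config.JWT.UserNameClaims); found {
		return username, nil
	}
	log.Printf("ERROR helpers.jwt.ValidateLogin token validated but could not get a username from any of %v", config.JWT.UserNameClaims)
	return "", errors.New("no username claim")
}

// parseWithJWKS verifies rawToken against the JWKS served at jwksURL.
// It returns the parsed token, or an error whose text is safe to show callers.
func parseWithJWKS(rawToken, jwksURL string) (*jwt.Token, error) {
	options := keyfunc.Options{
		RefreshErrorHandler: func(err error) {
			log.Printf("ERROR There was an error with the jwt.Keyfunc\nError: %s", err.Error())
		},
		RefreshInterval:   time.Hour,
		RefreshRateLimit:  time.Minute * 5,
		RefreshTimeout:    time.Second * 10,
		RefreshUnknownKID: true,
	}
	// TODO(review): this fetches the JWKS on every request; a process-wide
	// cached keyfunc instance would avoid the per-request round trip and make
	// the refresh settings above meaningful.
	jwks, err := keyfunc.Get(jwksURL, options)
	if err != nil {
		log.Printf("ERROR Failed to create JWKS from resource at the given URL.\nError: %s", err.Error())
		return nil, errors.New("Error loading JWKS from given URL")
	}
	// Per the keyfunc docs, Get with a RefreshInterval starts a background
	// refresh goroutine; end it so a per-request JWKS does not leak one
	// goroutine per call. Key lookups keep working after this.
	defer jwks.EndBackground()

	token, err := jwt.Parse(rawToken, jwks.Keyfunc)
	if err != nil {
		log.Printf("ERROR Failed to parse the JWT.\nError: %s", err.Error())
		return nil, errors.New("Error parsing token using JWKS")
	}
	return token, nil
}

// parseWithPublicKey verifies rawToken with the public key stored at certFile.
// Only RSA signing methods are accepted, so the token cannot select a
// different algorithm family for the supplied key.
func parseWithPublicKey(rawToken, certFile string) (*jwt.Token, error) {
	publicCertData, loadErr := LoadPublicKey(certFile)
	if loadErr != nil {
		return nil, errors.New("Server setup problem, see logs")
	}
	token, tokErr := jwt.Parse(rawToken, func(t *jwt.Token) (interface{}, error) {
		// Pin the algorithm family before handing over any key material.
		if _, ok := t.Method.(*jwt.SigningMethodRSA); !ok {
			return nil, fmt.Errorf("Unexpected signing method: %v", t.Header["alg"])
		}
		return extractPublicKey(publicCertData)
	})
	if tokErr == nil {
		return token, nil
	}
	if validationErr, isValidationErr := tokErr.(*jwt.ValidationError); isValidationErr {
		log.Print("ERROR helpers.jwt.ValidateLogin could not validate: ", validationErr.Error())
		// Errors is a bit set, so test membership with &. The previous `|`
		// was non-zero for every validation failure and reported all of them
		// (bad signature included) as "expired".
		if validationErr.Errors&jwt.ValidationErrorExpired != 0 {
			return nil, errors.New("Token is expired")
		}
	} else {
		// Log the error only; the raw token is a bearer credential.
		log.Printf("ERROR helpers.jwt.ValidateLogin could not validate token: %s", tokErr)
	}
	return nil, errors.New("Internal validation error")
}

// usernameFromClaims returns the value of the first claim in names that is
// present in claims and holds a non-empty string. A claim that exists but is
// not a string, or is empty, is skipped rather than type-asserted, so a
// malformed claim cannot panic the request handler or yield an empty principal.
func usernameFromClaims(claims jwt.MapClaims, names []string) (string, bool) {
	for _, claimName := range names {
		raw, present := claims[claimName]
		if !present {
			continue
		}
		username, isString := raw.(string)
		if !isString || username == "" {
			log.Printf("ERROR helpers.jwt.ValidateLogin claim %q is present but is not a usable string", claimName)
			continue
		}
		return username, true
	}
	return "", false
}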