JWT (JSON Web Token) generation and verification middleware. More...
#include <stdio.h>#include <stdlib.h>#include <string.h>#include <time.h>#include "csilk/core/internal.h"#include "csilk/csilk.h"
Functions | |
| char * | csilk_jwt_generate (csilk_ctx_t *c, cJSON *payload, const char *secret) |
| Generate a signed HS256 JWT token. | |
| cJSON * | csilk_jwt_verify (csilk_ctx_t *c, const char *token, const char *secret) |
| Verify an HS256 JWT token and return its payload. | |
| void | csilk_jwt_middleware (csilk_ctx_t *c, const char *secret) |
| JWT authentication middleware. | |
Variables | |
| static const char * | JWT_HEADER = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}" |
| JSON-encoded JWT header used for all tokens. | |
Detailed Description
JWT (JSON Web Token) generation and verification middleware.
- Copyright
- MIT License
Function Documentation
◆ csilk_jwt_generate()
| char * csilk_jwt_generate | ( | csilk_ctx_t * | c, |
| cJSON * | payload, | ||
| const char * | secret | ||
| ) |
Generate a signed HS256 JWT token.
Generate a signed JWT token (HS256).
Constructs a JWT with the fixed header {"alg":"HS256","typ":"JWT"} and the caller-supplied cJSON payload. The token is signed using HMAC-SHA256 with the provided secret. Every component (header, payload, signature) is base64url-encoded per RFC 4648 ยง5.
- Parameters
-
c The request context (used for HMAC operations). payload A cJSON object containing the claims. Must not be NULL. secret The HMAC-SHA256 signing secret. Must not be NULL.
- Returns
- A newly allocated, null-terminated JWT string in the format
header.payload.signature, or NULL on allocation failure or invalid arguments.
- Note
- The caller is responsible for freeing the returned string with free().
- Warning
- The payload is NOT deep-copied during generation. The caller retains ownership and should free it after this function returns.
◆ csilk_jwt_middleware()
| void csilk_jwt_middleware | ( | csilk_ctx_t * | c, |
| const char * | secret | ||
| ) |
JWT authentication middleware.
Extracts the Bearer token from the Authorization header, verifies it via csilk_jwt_verify(), and checks the "exp" claim if present. On success the decoded payload is stored in the context under the key "jwt_payload" and the next handler is called. On failure (missing header, invalid token, or expired), a 401 Unauthorized response is sent.
- Parameters
-
c The request context. secret The HMAC-SHA256 verification secret.
- Note
- The jwt_payload is stored with csilk_set() and is NOT automatically freed by the context cleanup. Downstream handlers should retrieve it with csilk_get() and call cJSON_Delete() when done, or register a cleanup callback.
- Warning
- This middleware must be registered before any handler that accesses the jwt_payload via csilk_get(c, "jwt_payload").
◆ csilk_jwt_verify()
| cJSON * csilk_jwt_verify | ( | csilk_ctx_t * | c, |
| const char * | token, | ||
| const char * | secret | ||
| ) |
Verify an HS256 JWT token and return its payload.
Verify a JWT token and extract its payload.
Splits the token into its three dot-separated components (header, payload, signature), recomputes the HMAC-SHA256 signature over the signing input, and compares it against the provided signature (constant-time not guaranteed โ uses strcmp). On success, the payload is base64url-decoded and parsed into a cJSON object.
- Parameters
-
c The request context (used for HMAC operations). token The JWT string in the format header.payload.signature.secret The HMAC-SHA256 verification secret.
- Returns
- A newly allocated cJSON object representing the payload claims, or NULL if the token is malformed, the signature is invalid, or memory allocation fails.
- Note
- The caller owns the returned cJSON object and must free it with cJSON_Delete() when no longer needed.
- Warning
- Signature comparison uses strcmp, which is NOT constant-time. This may be vulnerable to timing attacks in high-security environments.
Variable Documentation
◆ JWT_HEADER
|
static |
JSON-encoded JWT header used for all tokens.
The header is fixed to {"alg":"HS256","typ":"JWT"} (HS256 = HMAC-SHA256). This string is base64url-encoded during token generation.
