How to use JWT in different packages?

[bcodus]

I have difficulty retriving JWT in my controller package, when the claim is set in route package:

In my routes.go I have:

       type jwtCustomClaims struct {
	Name string `json:"name"`
	jwt.StandardClaims
    }
         

	r := e.Group("/restricted")
	config := middleware.JWTConfig{
		Claims:     &jwtCustomClaims{},
		SigningKey: []byte("myHyperSecret"),
	}
	r.Use(middleware.JWTWithConfig(config))
	r.GET("", controller.Restricted)

And in my controller package I have this:

func Restricted(c echo.Context) error {
	user := c.Get("user").(*jwt.Token)
	claims := user.Claims.(*jwtCustomClaims)
	log.Println(claims, "claims")
	name := claims.Name
	return c.String(http.StatusOK, "Welcome "+name+"!")
}

But when I call /restricted route I get 500 error:

{"time":"2022-11-26T05:08:41.829715242+01:00","level":"-","prefix":"echo","file":"recover.go","line":"113","message":"[PANIC RECOVER] interface conversion: jwt.Claims is *routes.jwtCustomClaims, not *controller.jwtCustomClaims goroutine 34 [running]:\ngithub.com/labstack/echo/v4/middleware.RecoverWithConfig.func1.1.1()\n\t/home/pc3/go/pkg/mod/github.com/labstack/echo/[email protected]/middleware/recover.

I tried to use claims := user.Claims.(jwtCustomClaims) where I defined the same jwtCustomClaims in the controller package but still get a similar error:

{"time":"2022-11-26T05:13:57.279260477+01:00","level":"-","prefix":"echo","file":"recover.go","line":"113","message":"[PANIC RECOVER] interface conversion: jwt.Claims is *routes.jwtCustomClaims, not controller.jwtCustomClaims goroutine 7 [running]:\ngithub.com/labstack/echo/v4/middleware.RecoverWithConfig.

So I'm left clueless and appreciate your help.

[aldas]

If I understand this correctly - you have 2 versions of jwtCustomClaims. This will not work as their structure are identical they are not the same struct type.

This is working example which uses same struct TYPE that is given to middleware.JWTConfig.Claims when casting back to claims.

package main

import (
	"errors"
	"github.com/golang-jwt/jwt"
	"github.com/labstack/echo/v4"
	"github.com/labstack/echo/v4/middleware"
	"log"
	"net/http"
)

type jwtCustomClaims struct {
	Name string `json:"name"`
	jwt.StandardClaims
}

func main() {
	e := echo.New()

	e.Use(middleware.JWTWithConfig(middleware.JWTConfig{
		SigningKey: []byte("secret"),
		Claims:     &jwtCustomClaims{},
	}))

	e.GET("/", func(c echo.Context) error {
		user, ok := c.Get("user").(*jwt.Token)
		if !ok {
			return errors.New("toke missing or could not cast token to *jwt.Token")
		}
		claims, ok := user.Claims.(*jwtCustomClaims)
		if !ok {
			return errors.New("could not cast claims to *jwtCustomClaims")
		}

		name := claims.Name
		return c.String(http.StatusOK, "Welcome "+name+"!")
	})

	if err := e.Start(":8080"); err != http.ErrServerClosed {
		log.Fatal(err)
	}
}

Test with

curl -v -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" http://localhost:8080

Output

*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.81.0
> Accept: */*
> Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: text/plain; charset=UTF-8
< Date: Sat, 26 Nov 2022 07:46:45 GMT
< Content-Length: 17
< 
* Connection #0 to host localhost left intact
Welcome John Doe!

[bcodus]

Sorry, it seems my question was not clear enough.
I have no issues when using the docs example JWT code where both routes and handler function are in the same package.
My problem arises when my handler function is another package.
I follow a MVC pattern so my routes are in route package and my handlers are in controller package:

package routes
import (
	"fmt"
	"os"
	"myapp/app/controller"
	"github.com/golang-jwt/jwt"
	"github.com/labstack/echo/v4"
	"github.com/labstack/echo/v4/middleware"
)

type jwtCustomClaims struct {
	Name string `json:"name"`
	jwt.StandardClaims
}

func Init() *echo.Echo {
 	e := echo.New()
	e.GET("/", controller.GetIndex)
	e.POST("/auth/login", controller.Login)
	r := e.Group("/restricted")
	config := middleware.JWTConfig{
		Claims:     &jwtCustomClaims{},  
		SigningKey: []byte("secret"),
	}
	r.Use(middleware.JWTWithConfig(config))
	r.GET("", controller.Restricted)
 

And int controller I have:

package controller

import (
	"log"
	"net/http"
	"github.com/golang-jwt/jwt"
	"github.com/labstack/echo/v4"
)

 func Restricted(c echo.Context) error {
	user := c.Get("user").(*jwt.Token)
	claims := user.Claims.(*jwtCustomClaims)  //<---------- What should I put here to avoid error? 
	log.Println(claims, "claims")
	name := claims.Name
	return c.String(http.StatusOK, "Welcome "+name+"!")
}

[aldas]

in controller package you need to cast claim into struct that is defined in routes package. claims := user.Claims.(*routes.JwtCustomClaims). This is because 2 identical types defined in different packages are not interchangeable. Only interfaces are interchangeable that way.

[bcodus]

Well, to use claims := user.Claims.(*routes.JwtCustomClaims) in my controller package, I need to import routes package which leads to import cycle not allowed error because I've already imported controller package into routes package. Any solution for this?

[aldas]

I you have divide application into packages by "routes", "controller" etc I think you are going in wrong path. Have package for each domain ala "users", "files" etc. See how Go standard library does not pile everything under some vague package but has many, many different packages. This will help you when your application grows.

For authentication related things I usually create separate package (in this case lets name is auth, could be security etc) that does not depend on any other business related packages, business domains/package depend on it. It holds code related to working JWT, privileges.

I usually have "RegisterRoutes" function in package and I call it where Echo Server resides and if there are subgroup then they will be called inside their parent "RegisterRoutes" function. This way routing dependency direction is always bottoms up - from specific domain up to root/main package that is place where "application" setup by registering routes, middlewares and where services are initialized. This way it is easier to test that domain as it is separated from other domains. Only place where everything end up is place where root level application setup logic is.

main.go or whatever you have as "root" level package to run the server

func main() {
	e := echo.New()

       // register root level middlewares
       // ...

	root := e.Group("/api")
	users.RegisterRoutes(root)

	if err := e.Start(":8080"); err != http.ErrServerClosed {
		e.Logger.Fatal(err)
	}
}

Inside users package

func RegisterRoutes(parent *echo.Group) {
	group := parent.Group("/users")

	group.Use(middleware.RequestID()) // group level middlewares

	// instead of registring handle by anonymous function you could have struct that has method and use it as 
	// `e.GET("/:id", users.get)` where `get` is method `func (u *users) get(c echo.Context) error {`
	// in that case you can hold your pointers to services there
	group.GET("/:id", func(c echo.Context) error {
		sc, err := auth.ExtractSecurityContext(c) // I have middleware that maps claims to user object, adds privileges etc to "securityContext" that is `c.Set()` to `echo.Context` object for to be "extracted" in handlers.
		if err != nil {
			return err
	        }
		// ...
		return c.JSON(http.StatusOK, map[string]string{"uid": "abc123"})
	})

	// Register /users/files/ routes
	//files.RegisterRoutes(group)
}

Inside files package that is under users package (this is to showcase how hierarchy is created)

func RegisterRoutes(parent *echo.Group) {
	group := parent.Group("/files")
	
	group.GET("/report", func(c echo.Context) error {
                sc, err := auth.ExtractSecurityContext(c) // I have middleware that maps claims to user object, adds privilges etc to "securityContext" that is `c.Set()` to `echo.Context` object for to be "extracted" in handlers.
	        if err != nil {
			return err
	        }
		// ...
		return c.String(http.StatusOK, "ok")
	})
}

[bcodus]

Thank for your tips but I still don't know how to write ExtractSecurityContext while avoiding import cycle not allowed .
Can you share a complete example of your typical set up with JWT authentication in a separate package?
I could not find any echo project or tutorial extracting JWT payload in a separate package.