Simplify Claims in LFS and remove the float64 casts

Signed-off-by: Andrew Thornton <[email protected]>

cmd/serv.go

@@ -18,6 +18,7 @@ import (
  "time"
 
  "code.gitea.io/gitea/models"
+ "code.gitea.io/gitea/modules/lfs"
  "code.gitea.io/gitea/modules/log"
  "code.gitea.io/gitea/modules/pprof"
  "code.gitea.io/gitea/modules/private"
@@ -213,12 +214,14 @@ func runServ(c *cli.Context) error {
  url := fmt.Sprintf("%s%s/%s.git/info/lfs", setting.AppURL, url.PathEscape(results.OwnerName), url.PathEscape(results.RepoName))
 
  now := time.Now()
- claims := jwt.MapClaims{
- "repo": results.RepoID,
- "op": lfsVerb,
- "exp": now.Add(setting.LFS.HTTPAuthExpiry).Unix(),
- "nbf": now.Unix(),
- "user": results.UserID,
+ claims := lfs.Claims{
+ StandardClaims: jwt.StandardClaims{
+ ExpiresAt: now.Add(setting.LFS.HTTPAuthExpiry).Unix(),
+ NotBefore: now.Unix(),
+ },
+ RepoID: results.RepoID,
+ Op: lfsVerb,
+ UserID: results.UserID,
  }
  token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 

modules/lfs/server.go

@@ -65,6 +65,14 @@ type ObjectError struct {
  Message string `json:"message"`
 }
 
+// Claims is a JWT Token Claims
+type Claims struct {
+ RepoID int64
+ Op string
+ UserID int64
+ jwt.StandardClaims
+}
+
 // ObjectLink builds a URL linking to the object.
 func (v *RequestVars) ObjectLink() string {
  return setting.AppURL + path.Join(v.User, v.Repo+".git", "info/lfs/objects", v.Oid)
@@ -591,7 +599,7 @@ func parseToken(authorization string) (*models.User, *models.Repository, string,
  return nil, nil, "unknown", fmt.Errorf("No token")
  }
  if strings.HasPrefix(authorization, "Bearer ") {
- token, err := jwt.Parse(authorization[7:], func(t *jwt.Token) (interface{}, error) {
+ token, err := jwt.ParseWithClaims(authorization[7:], &Claims{}, func(t *jwt.Token) (interface{}, error) {
  if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
  return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
  }
@@ -601,33 +609,21 @@ func parseToken(authorization string) (*models.User, *models.Repository, string,
  // The error here is WARN level because it is caused by bad authorization rather than an internal server error
  return nil, nil, "unknown", err
  }
- claims, claimsOk := token.Claims.(jwt.MapClaims)
+ claims, claimsOk := token.Claims.(*Claims)
  if !token.Valid || !claimsOk {
  return nil, nil, "unknown", fmt.Errorf("Token claim invalid")
  }
- opStr, ok := claims["op"].(string)
- if !ok {
- return nil, nil, "unknown", fmt.Errorf("Token operation invalid")
- }
- repoID, ok := claims["repo"].(float64)
- if !ok {
- return nil, nil, opStr, fmt.Errorf("Token repository id invalid")
- }
- r, err := models.GetRepositoryByID(int64(repoID))
+ r, err := models.GetRepositoryByID(claims.RepoID)
  if err != nil {
- log.Error("Unable to GetRepositoryById[%d]: Error: %v", repoID, err)
- return nil, nil, opStr, err
- }
- userID, ok := claims["user"].(float64)
- if !ok {
- return nil, r, opStr, fmt.Errorf("Token user id invalid")
+ log.Error("Unable to GetRepositoryById[%d]: Error: %v", claims.RepoID, err)
+ return nil, nil, claims.Op, err
  }
- u, err := models.GetUserByID(int64(userID))
+ u, err := models.GetUserByID(claims.UserID)
  if err != nil {
- log.Error("Unable to GetUserById[%d]: Error: %v", int64(userID), err)
- return nil, r, opStr, err
+ log.Error("Unable to GetUserById[%d]: Error: %v", claims.UserID, err)
+ return nil, r, claims.Op, err
  }
- return u, r, opStr, nil
+ return u, r, claims.Op, nil
  }
 
  if strings.HasPrefix(authorization, "Basic ") {