Verify nbf (livekit#1345)

* return jwt.Claims when Verify token

* fix test

Author: cnderrauber

auth/accesstoken_test.go

@@ -218,7 +218,7 @@ func TestAccessToken(t *testing.T) {
 
 			v, err := ParseAPIToken(value)
 			require.NoError(t, err)
-			claims, err := v.Verify(secret)
+			_, claims, err := v.Verify(secret)
 			require.NoError(t, err)
 
 			rc := (*livekit.RoomConfiguration)(claims.RoomConfig)

auth/verifier.go

@@ -58,23 +58,23 @@ func (v *APIKeyTokenVerifier) Identity() string {
 	return v.identity
 }
 
-func (v *APIKeyTokenVerifier) Verify(key interface{}) (*ClaimGrants, error) {
+func (v *APIKeyTokenVerifier) Verify(key interface{}) (*jwt.Claims, *ClaimGrants, error) {
 	if key == nil || key == "" {
-		return nil, ErrKeysMissing
+		return nil, nil, ErrKeysMissing
 	}
 	if s, ok := key.(string); ok {
 		key = []byte(s)
 	}
 	out := jwt.Claims{}
 	claims := ClaimGrants{}
 	if err := v.token.Claims(key, &out, &claims); err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	if err := out.Validate(jwt.Expected{Issuer: v.apiKey, Time: time.Now()}); err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	// copy over identity
 	claims.Identity = v.identity
-	return &claims, nil
+	return &out, &claims, nil
 }

auth/verifier_test.go

@@ -33,18 +33,18 @@ func TestVerifier(t *testing.T) {
 		require.NoError(t, err)
 
 		require.Equal(t, apiKey, v.APIKey())
-		_, err = v.Verify("")
+		_, _, err = v.Verify("")
 		require.Error(t, err)
 
-		_, err = v.Verify("anothersecret")
+		_, _, err = v.Verify("anothersecret")
 		require.Error(t, err)
 	})
 
 	t.Run("key has expired", func(t *testing.T) {
 		v, err := auth.ParseAPIToken(accessToken)
 		require.NoError(t, err)
 
-		_, err = v.Verify(secret)
+		_, _, err = v.Verify(secret)
 		require.Error(t, err)
 	})
 
@@ -62,7 +62,7 @@ func TestVerifier(t *testing.T) {
 		require.Equal(t, apiKey, v.APIKey())
 		require.Equal(t, "me", v.Identity())
 
-		decoded, err := v.Verify(secret)
+		_, decoded, err := v.Verify(secret)
 		require.NoError(t, err)
 		require.Equal(t, &claim, decoded.Video)
 	})
@@ -88,7 +88,7 @@ func TestVerifier(t *testing.T) {
 		v, err := auth.ParseAPIToken(authToken)
 		require.NoError(t, err)
 
-		decoded, err := v.Verify(secret)
+		_, decoded, err := v.Verify(secret)
 		require.NoError(t, err)
 
 		require.EqualValues(t, string(md), decoded.Metadata)
@@ -108,7 +108,7 @@ func TestVerifier(t *testing.T) {
 
 		v, err := auth.ParseAPIToken(token)
 		require.NoError(t, err)
-		decoded, err := v.Verify(secret)
+		_, decoded, err := v.Verify(secret)
 		require.NoError(t, err)
 
 		require.Nil(t, decoded.Video.CanSubscribe)

livekit/types.go

@@ -59,6 +59,9 @@ func (s NodeID) String() string              { return string(s) }
 func (s JobID) String() string               { return string(s) }
 func (s DispatchID) String() string          { return string(s) }
 func (s AgentName) String() string           { return string(s) }
+func (s ParticipantKey) String() string {
+	return fmt.Sprintf("%s_%s_%s", s.ProjectID, s.RoomName, s.Identity)
+}
 
 type stringTypes interface {
 	ParticipantID | RoomID | TrackID | ParticipantIdentity | ParticipantName | RoomName | ConnectionID | NodeID

webhook/verifier.go

@@ -51,7 +51,7 @@ func Receive(r *http.Request, provider auth.KeyProvider) ([]byte, error) {
 		return nil, ErrSecretNotFound
 	}
 
-	claims, err := v.Verify(secret)
+	_, claims, err := v.Verify(secret)
 	if err != nil {
 		return nil, err
 	}