|
package main |
|
|
|
import (
	"context"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"

	"github.com/go-jose/go-jose/v4"
	"golang.org/x/crypto/hkdf"
)
|
|
|
// Decryption parameters mirror the Auth0 nextjs-auth0 cookie format:
// https://github.com/auth0/nextjs-auth0/blob/main/src/server/cookies.ts
//
// The session cookie is a compact JWE using direct key management ("dir")
// with AES-256-GCM content encryption. The 32-byte content-encryption key is
// derived from the application secret with HKDF over SHA-256 and the fixed
// info string "JWE CEK" (see getEncryptKey). Pinning these values means a
// cookie that names any other algorithm is rejected at parse time.
const (
	encryptionAlg = jose.A256GCM
	keyAlg        = jose.DIRECT
	encKeyLength  = 32
	encKeyInfo    = "JWE CEK"
)

// encKeyHash is the hash constructor handed to HKDF.
var encKeyHash = sha256.New
|
|
|
const (
	// cookie is the complete compact JWE of the session. nextjs-auth0 splits
	// a large session across several cookies named appSession_0,
	// appSession_1, ...; their values have to be concatenated (presumably in
	// index order) to rebuild this single string. Note that the value is a
	// live session credential embedded in source.
	cookie = "xxxxxxx"
)

var (
	// auth0Secret is the cookie secret, read from AUTH0_COOKIE_SECRET at
	// process start so it does not have to appear in the source.
	auth0Secret = os.Getenv("AUTH0_COOKIE_SECRET")
)
|
|
|
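// run decrypts the hard-coded Auth0 session cookie with the secret taken from
// AUTH0_COOKIE_SECRET and prints the session's idToken field to stdout.
//
// ctx is accepted for symmetry with main; nothing on the decryption path is
// cancellable, so it is currently unused.
//
// Every failure is returned as an error rather than panicking, so the caller
// decides how it is reported.
func run(ctx context.Context) error {
	// An empty secret would still derive an HKDF key, but decryption would
	// then only fail later with a less helpful error; say why up front.
	if auth0Secret == "" {
		return errors.New("AUTH0_COOKIE_SECRET is not set")
	}

	sessionData, err := decryptAuth0Cookie(cookie, auth0Secret)
	if err != nil {
		return fmt.Errorf("decrypting auth0 session cookie: %w", err)
	}

	// The session payload is arbitrary JSON; a missing idToken used to print
	// "<nil>", which is indistinguishable from a real value.
	idToken, ok := sessionData["idToken"]
	if !ok {
		return errors.New("session payload has no idToken field")
	}
	// The ID token is a bearer credential; it is written to stdout because
	// that is this tool's sole purpose.
	fmt.Println(idToken)

	return nil
}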
|
|
|
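// decryptAuth0Cookie decrypts a nextjs-auth0 appSession cookie value and
// returns the decoded session object.
//
// cookie is the compact-serialized JWE (the concatenation of the appSession_N
// chunks); auth0Secret is the application's cookie secret. The
// content-encryption key is derived from the secret with HKDF (see
// getEncryptKey), matching the nextjs-auth0 cookie format.
//
// Parsing is restricted to keyAlg/encryptionAlg, so a cookie that names any
// other algorithm is rejected before decryption is attempted. Every returned
// error wraps the underlying jose or json error with the step that failed.
func decryptAuth0Cookie(cookie string, auth0Secret string) (map[string]any, error) {
	if cookie == "" {
		return nil, errors.New("empty cookie")
	}

	// Derive the content-encryption key using HKDF.
	encryptionKey, err := getEncryptKey(auth0Secret)
	if err != nil {
		return nil, fmt.Errorf("deriving encryption key: %w", err)
	}

	// Parse the JWE, accepting only the algorithms nextjs-auth0 uses.
	object, err := jose.ParseEncrypted(cookie, []jose.KeyAlgorithm{keyAlg}, []jose.ContentEncryption{encryptionAlg})
	if err != nil {
		return nil, fmt.Errorf("parsing JWE: %w", err)
	}

	// Decrypt; with "dir" key management the derived key is the CEK itself,
	// and a wrong key surfaces here as an authentication failure.
	plaintext, err := object.Decrypt(encryptionKey)
	if err != nil {
		return nil, fmt.Errorf("decrypting JWE: %w", err)
	}

	// The plaintext is the JSON session object.
	var data map[string]any
	if err := json.Unmarshal(plaintext, &data); err != nil {
		return nil, fmt.Errorf("decoding session JSON: %w", err)
	}

	return data, nil
}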
|
|
|
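// getEncryptKey derives the encKeyLength-byte AES-256-GCM content-encryption
// key from the application secret using HKDF over encKeyHash (SHA-256).
//
// The derivation uses an empty salt and the fixed info string encKeyInfo,
// mirroring the nextjs-auth0 cookie code this tool follows; any deviation
// yields a key that cannot open cookies written by the application.
//
// An empty secret is rejected: HKDF would expand it without complaint, but
// the result could never match a real deployment's key.
func getEncryptKey(secret string) ([]byte, error) {
	if secret == "" {
		return nil, errors.New("empty cookie secret")
	}

	// Empty salt on purpose: it must match the writer's derivation.
	hkdfReader := hkdf.New(encKeyHash, []byte(secret), []byte{}, []byte(encKeyInfo))
	key := make([]byte, encKeyLength)
	if _, err := io.ReadFull(hkdfReader, key); err != nil {
		return nil, fmt.Errorf("reading HKDF output: %w", err)
	}
	return key, nil
}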
|
|
|
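// main is the CLI entry point. A failure (missing secret, cookie that does
// not authenticate, malformed session) is reported as a one-line message on
// stderr with a non-zero exit status instead of a panic stack trace.
func main() {
	if err := run(context.Background()); err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
}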