[SDK-5703] [GH-283] Add support for exclusion URLs in JWT middleware (#319)

Author: developerkunal

middleware.go

@@ -17,6 +17,7 @@ type JWTMiddleware struct {
 	tokenExtractor      TokenExtractor
 	credentialsOptional bool
 	validateOnOptions   bool
+	exclusionUrlHandler ExclusionUrlHandler
 }
 
 // ValidateToken takes in a string JWT and makes sure it is valid and
@@ -26,6 +27,10 @@ type JWTMiddleware struct {
 // In the default implementation we can add safe defaults for those.
 type ValidateToken func(context.Context, string) (interface{}, error)
 
+// ExclusionUrlHandler is a function that takes in a http.Request and returns
+// true if the request should be excluded from JWT validation.
+type ExclusionUrlHandler func(r *http.Request) bool
+
 // New constructs a new JWTMiddleware instance with the supplied options.
 // It requires a ValidateToken function to be passed in, so it can
 // properly validate tokens.
@@ -49,6 +54,11 @@ func New(validateToken ValidateToken, opts ...Option) *JWTMiddleware {
 // is passed a http.Handler which will be called if the JWT passes validation.
 func (m *JWTMiddleware) CheckJWT(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// If there's an exclusion handler and the URL matches, skip JWT validation
+		if m.exclusionUrlHandler != nil && m.exclusionUrlHandler(r) {
+			next.ServeHTTP(w, r)
+			return
+		}
 		// If we don't validate on OPTIONS and this is OPTIONS
 		// then continue onto next without validating.
 		if !m.validateOnOptions && r.Method == http.MethodOptions {

middleware_test.go

@@ -46,6 +46,7 @@ func Test_CheckJWT(t *testing.T) {
 		wantToken      interface{}
 		wantStatusCode int
 		wantBody       string
+		path           string
 	}{
 		{
 			name:           "it can successfully validate a token",
@@ -133,6 +134,50 @@ func Test_CheckJWT(t *testing.T) {
 			wantStatusCode: http.StatusBadRequest,
 			wantBody:       `{"message":"JWT is missing."}`,
 		},
+		{
+			name: "JWT not required for /public",
+			options: []Option{
+				WithExclusionUrls([]string{"/public", "/health", "/special"}),
+			},
+			method:         http.MethodGet,
+			path:           "/public",
+			token:          "",
+			wantStatusCode: http.StatusOK,
+			wantBody:       `{"message":"Authenticated."}`,
+		},
+		{
+			name: "JWT not required for /health",
+			options: []Option{
+				WithExclusionUrls([]string{"/public", "/health", "/special"}),
+			},
+			method:         http.MethodGet,
+			path:           "/health",
+			token:          "",
+			wantStatusCode: http.StatusOK,
+			wantBody:       `{"message":"Authenticated."}`,
+		},
+		{
+			name: "JWT not required for /special",
+			options: []Option{
+				WithExclusionUrls([]string{"/public", "/health", "/special"}),
+			},
+			method:         http.MethodGet,
+			path:           "/special",
+			token:          "",
+			wantStatusCode: http.StatusOK,
+			wantBody:       `{"message":"Authenticated."}`,
+		},
+		{
+			name: "JWT required for /secure (not in exclusion list)",
+			options: []Option{
+				WithExclusionUrls([]string{"/public", "/health", "/special"}),
+			},
+			method:         http.MethodGet,
+			path:           "/secure",
+			token:          "",
+			wantStatusCode: http.StatusBadRequest,
+			wantBody:       `{"message":"JWT is missing."}`,
+		},
 	}
 
 	for _, testCase := range testCases {
@@ -154,7 +199,8 @@ func Test_CheckJWT(t *testing.T) {
 			testServer := httptest.NewServer(middleware.CheckJWT(handler))
 			defer testServer.Close()
 
-			request, err := http.NewRequest(testCase.method, testServer.URL, nil)
+			url := testServer.URL + testCase.path
+			request, err := http.NewRequest(testCase.method, url, nil)
 			require.NoError(t, err)
 
 			if testCase.token != "" {

option.go

@@ -1,5 +1,9 @@
 package jwtmiddleware
 
+import (
+	"net/http"
+)
+
 // Option is how options for the JWTMiddleware are set up.
 type Option func(*JWTMiddleware)
 
@@ -44,3 +48,21 @@ func WithTokenExtractor(e TokenExtractor) Option {
 		m.tokenExtractor = e
 	}
 }
+
+// WithExclusionUrls allows configuring the exclusion URL handler with multiple URLs
+// that should be excluded from JWT validation.
+func WithExclusionUrls(exclusions []string) Option {
+	return func(m *JWTMiddleware) {
+		m.exclusionUrlHandler = func(r *http.Request) bool {
+			requestFullURL := r.URL.String()
+			requestPath := r.URL.Path
+
+			for _, exclusion := range exclusions {
+				if requestFullURL == exclusion || requestPath == exclusion {
+					return true
+				}
+			}
+			return false
+		}
+	}
+}