The latest articles on DEV Community by Muhammad Yahya Muhaimin (@yaliv). https://dev.to/yaliv https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F468423%2Fcd832911-06b3-4f93-947b-3635a8e409cf.jpeg https://dev.to/yaliv en Muhammad Yahya Muhaimin Tue, 26 Jul 2022 01:23:02 +0000 https://dev.to/hash-id/lessons-learned-from-developing-serverless-workflow-runtime-implementation-2fh8 https://dev.to/hash-id/lessons-learned-from-developing-serverless-workflow-runtime-implementation-2fh8 <p>At Hash Rekayasa Teknologi, we've been developing and using <a href="https://www.hash.id/mocobaas/" rel="noopener noreferrer">MocoBaaS</a>, a Backend-as-a-Service solution.<br> One of the features for implementing business logic is Custom Script.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fihrz0zzyx2wdet3dftmx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fihrz0zzyx2wdet3dftmx.png" alt="MocoBaaS Custom Script flow" width="668" height="371"></a></p> <p>This feature has served us well for many use cases.<br> However, there are some use cases that consist of multiple steps. They can be implemented by "chaining" multiple scripts, one script triggering another. While this can get the job done, it's hard to keep track of the steps that were executed.</p> <p>Imagine we have a use case like Marketplace Order:</p> <blockquote> <p>DISCLAIMER: It may not represent a real world use case.</p> </blockquote> <ol> <li>Create Order</li> <li>Confirm Payment</li> <li>Confirm Delivery</li> <li>Confirm Completed</li> </ol> <p>It can be done by defining this flow:</p> <ol> <li>Script: <code>create-order</code> <ul> <li>Triggered By: HTTP source</li> <li>Triggers: <code>create-order-success</code> event</li> </ul> </li> <li>Script: <code>confirm-payment</code> <ul> <li>Triggered By: Event source</li> <li>Triggers: <code>confirm-payment-success</code> event</li> </ul> </li> <li>Script: <code>confirm-delivery</code> <ul> <li>Triggered By: Event source</li> <li>Triggers: <code>confirm-delivery-success</code> event</li> </ul> </li> <li>Script: <code>confirm-completed</code> <ul> <li>Triggered By: Event source</li> </ul> </li> </ol> <p>With the flow above, the scripts were executed as is. There is no centralized mechanism of tracking the executed steps, whether they were executed properly or not.</p> <h2> Serverless Workflow to the rescue </h2> <p>Among workflow languages out there, we choose <a href="https://serverlessworkflow.io" rel="noopener noreferrer">Serverless Workflow</a>. It's a vendor-neutral, open-source and community-driven workflow ecosystem.<br> The workflow definition can be written in JSON or YAML format.<br> And then there are SDKs available in various programming languanges, like Java, Go, TypeScript, .NET, Python.</p> <p>The Marketplace Order use case above can be defined like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">id</span><span class="pi">:</span> <span class="s">marketplaceorder</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.0"</span> <span class="na">specVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.7"</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Marketplace Order Workflow</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Create and process orders on the marketplace.</span> <span class="na">start</span><span class="pi">:</span> <span class="s">CreateOrder</span> <span class="na">functions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">createOrderFunction</span> <span class="na">operation</span><span class="pi">:</span> <span class="s">mocobaas://marketplace-order#create-order</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">confirmPaymentFunction</span> <span class="na">operation</span><span class="pi">:</span> <span class="s">mocobaas://marketplace-order#confirm-payment</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">confirmDeliveryFunction</span> <span class="na">operation</span><span class="pi">:</span> <span class="s">mocobaas://marketplace-order#confirm-delivery</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">confirmCompletedFunction</span> <span class="na">operation</span><span class="pi">:</span> <span class="s">mocobaas://marketplace-order#confirm-completed</span> <span class="na">states</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CreateOrder</span> <span class="na">type</span><span class="pi">:</span> <span class="s">operation</span> <span class="na">actions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">functionRef</span><span class="pi">:</span> <span class="s">createOrderFunction</span> <span class="na">transition</span><span class="pi">:</span> <span class="s">ConfirmPayment</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ConfirmPayment</span> <span class="na">type</span><span class="pi">:</span> <span class="s">operation</span> <span class="na">actions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">functionRef</span><span class="pi">:</span> <span class="s">confirmPaymentFunction</span> <span class="na">transition</span><span class="pi">:</span> <span class="s">ConfirmDelivery</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ConfirmDelivery</span> <span class="na">type</span><span class="pi">:</span> <span class="s">operation</span> <span class="na">actions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">functionRef</span><span class="pi">:</span> <span class="s">confirmDeliveryFunction</span> <span class="na">transition</span><span class="pi">:</span> <span class="s">ConfirmCompleted</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ConfirmCompleted</span> <span class="na">type</span><span class="pi">:</span> <span class="s">operation</span> <span class="na">actions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">functionRef</span><span class="pi">:</span> <span class="s">confirmCompletedFunction</span> <span class="na">end</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>And this is the diagram visualization:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7dwpfcght3yl3qfiizui.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7dwpfcght3yl3qfiizui.png" alt="Marketplace Order workflow diagram" width="254" height="704"></a></p> <p>If you are new to Serverless Workflow, or workflow in general, you may have so many questions about that 😁</p> <p>I recommend you to watch this presentation:</p> <p><iframe width="710" height="399" src="https://www.youtube.com/embed/I66zBOpnUy0"> </iframe> </p> <p>And then read the official Serverless Workflow examples and specification:</p> <ul> <li>Version 0.7: <a href="https://github.com/serverlessworkflow/specification/blob/0.7.x/examples/README.md" rel="noopener noreferrer">examples</a>, <a href="https://github.com/serverlessworkflow/specification/blob/0.7.x/specification.md" rel="noopener noreferrer">specification</a>.</li> <li>Version 0.8: <a href="https://github.com/serverlessworkflow/specification/blob/0.8.x/examples/README.md" rel="noopener noreferrer">examples</a>, <a href="https://github.com/serverlessworkflow/specification/blob/0.8.x/specification.md" rel="noopener noreferrer">specification</a>.</li> </ul> <p>Let me continue the story...</p> <p>What we need to build is a runtime implementation that execute workflows based on the definitions.<br> Golang has become an important part of our stack at Hash Rekayasa Teknologi. So we simply choose the <a href="https://github.com/serverlessworkflow/sdk-go" rel="noopener noreferrer">Go SDK for Serverless Workflow</a>. Although I didn't try other SDKs, I'm sure there shouldn't be much difference to what I'm using here.<br> The most important question with the SDK: <strong>What it does and doesn't?</strong></p> <p>It does:</p> <ul> <li>Parse workflow JSON and YAML definitions.</li> <li>One workflow definition has a hierarchical structure. Each definition from top level to sub-levels will be represented <a href="https://pkg.go.dev/github.com/serverlessworkflow/sdk-go/v2/model" rel="noopener noreferrer">as a Model</a>, such as Workflow, State, Action, Function, Retry.</li> </ul> <p>It doesn't:</p> <ul> <li>There is no Workflow Instance representation. For the execution, you have to define the unique identifier yourself.</li> <li>The duration values in ISO 8601 duration format are not parsed.</li> <li>The workflow expressions in jq format are not parsed.</li> </ul> <p>With those limitations, there doesn't seem to be much we can do with the SDK. Just parse the workflow definition and use the hierarchical structure as a guide for executions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">sw</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"errors"</span> <span class="s">"os"</span> <span class="s">"path/filepath"</span> <span class="s">"github.com/google/uuid"</span> <span class="s">"github.com/serverlessworkflow/sdk-go/v2/model"</span> <span class="s">"github.com/serverlessworkflow/sdk-go/v2/parser"</span> <span class="p">)</span> <span class="k">type</span> <span class="n">StartWorkflowResult</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">InstanceID</span> <span class="kt">string</span> <span class="s">`json:"instanceId"`</span> <span class="p">}</span> <span class="k">var</span> <span class="n">workflows</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="o">*</span><span class="n">model</span><span class="o">.</span><span class="n">Workflow</span> <span class="k">func</span> <span class="n">LoadWorkflows</span><span class="p">()</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">const</span> <span class="n">definitionsDir</span> <span class="o">=</span> <span class="s">"definitions"</span> <span class="n">dirEntries</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">ReadDir</span><span class="p">(</span><span class="n">definitionsDir</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="n">workflows</span> <span class="o">=</span> <span class="nb">make</span><span class="p">(</span><span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="o">*</span><span class="n">model</span><span class="o">.</span><span class="n">Workflow</span><span class="p">)</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">entry</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">dirEntries</span> <span class="p">{</span> <span class="n">name</span> <span class="o">:=</span> <span class="n">entry</span><span class="o">.</span><span class="n">Name</span><span class="p">()</span> <span class="n">path</span> <span class="o">:=</span> <span class="n">filepath</span><span class="o">.</span><span class="n">Join</span><span class="p">(</span><span class="n">definitionsDir</span><span class="p">,</span> <span class="n">name</span><span class="p">)</span> <span class="n">wf</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">parser</span><span class="o">.</span><span class="n">FromFile</span><span class="p">(</span><span class="n">path</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="n">workflows</span><span class="p">[</span><span class="n">name</span><span class="p">]</span> <span class="o">=</span> <span class="n">wf</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">func</span> <span class="n">StartWorkflow</span><span class="p">(</span><span class="n">name</span> <span class="kt">string</span><span class="p">,</span> <span class="n">input</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">interface</span><span class="p">{})</span> <span class="p">(</span><span class="o">*</span><span class="n">StartWorkflowResult</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">wf</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">workflows</span><span class="p">[</span><span class="n">name</span><span class="p">]</span> <span class="k">if</span> <span class="o">!</span><span class="n">ok</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"Workflow not found: "</span> <span class="o">+</span> <span class="n">name</span><span class="p">)</span> <span class="p">}</span> <span class="n">instanceID</span> <span class="o">:=</span> <span class="n">uuid</span><span class="o">.</span><span class="n">NewString</span><span class="p">()</span> <span class="c">// Start a new instance.</span> <span class="c">// Parameters: instanceID, wf, input</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">StartWorkflowResult</span><span class="p">{</span><span class="n">instanceID</span><span class="p">},</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>Here we store the Workflow models in a map, so the <code>LoadWorkflows()</code> function only needs to be called once.<br> And then the <code>StartWorkflow()</code> function will be called in every execution.</p> <h2> Take notes for the implemented features </h2> <p>We may not implement all the features in the specification. One thing we can do is document them. Each feature will have status:</p> <ul> <li>implemented according to the spec 🟢🟢</li> <li>implemented, but not according to the spec or using own standard 🟢🔴</li> <li>not/not yet implemented 🔴</li> </ul> <p>I took notes on a spreadsheet. You can see it <a href="https://docs.google.com/spreadsheets/d/1x92axugs8grW-wPCOF0E246fRYrZsxY97aSYI2Qzs40/edit?usp=sharing" rel="noopener noreferrer">here</a>.<br> I use my native language, Bahasa Indonesia.<br> And it's not complete. I take note of a definition only when I start implementing it.</p> <p>Let's see one example, the Function Definition:</p> <ul> <li>As we know, service call is defined here.</li> <li>The workflow runtime is written in Go, while the scripts are written in JavaScript (Node.js).</li> <li>MocoBaaS already has an internal RPC mechanism, so we want to use "custom" type.</li> <li>In spec v0.8, there's "custom" type. But as of this writing, the Go SDK only supports spec v0.7.</li> </ul> <p>As you can see, we tried to stick to the spec as far as we could. But sometimes we have to use our own standards.</p> <h2> Executing workflow </h2> <p>The Marketplace Order Workflow has a linear flow, from create order to confirm completed. This is the directory structure containing workflow definition and scripts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>. └── marketplace-order ├── definition.sw.yaml └── scripts ├── confirm-completed.js ├── confirm-delivery.js ├── confirm-payment.js └── create-order.js </code></pre> </div> <p>The end result will be a JSON like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"createOrder"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"confirmPayment"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"confirmDelivery"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"confirmCompleted"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>When the workflow is executed, starting with <code>create-order.js</code>, data is a new object:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">ctx</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">createOrder</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">};</span> <span class="p">};</span> </code></pre> </div> <p>Next, <code>confirm-payment.js</code> extends the data from previous state:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">ctx</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">data</span><span class="p">,</span> <span class="na">confirmPayment</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">};</span> <span class="p">};</span> </code></pre> </div> <p>And so on.</p> <h2> Tracking workflow execution </h2> <p>As written in the spec:<br> <em>Depending on their workflow definition, workflow instances can be short-lived or can execute for days, weeks, or years.</em></p> <p>There is no recommendation on how to store the tracking information. Any database can be used.<br> We need to handle these requirements:</p> <ul> <li>One instance can have more than one states.</li> <li>The state's data input is typically the previous state's data output.</li> <li>If the state is the workflow starting state, its data input is the workflow data input.</li> <li>When workflow execution ends, the data output of the last executed state becomes the workflow data output.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7l1x9qakox35xmxw4icr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7l1x9qakox35xmxw4icr.png" alt="Information passing between states" width="800" height="974"></a></p> <p>For example, we have two tables:</p> <ul> <li>instances</li> <li>instance_states</li> </ul> <p>The Marketplace Order Workflow execution can be stored like this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fohein5an3d9bdun5zfmt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fohein5an3d9bdun5zfmt.png" alt="Table instances" width="800" height="128"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F91x54cc12jbbyateu154.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F91x54cc12jbbyateu154.png" alt="Table instance_states" width="800" height="116"></a></p> <h2> Retrying actions </h2> <p>If a state returning an error, we can leave it as the final result or define a retry policy.<br> For example, we have a Chance of Success Workflow.</p> <p>Directory structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>. └── chance-of-success ├── definition.sw.yaml └── scripts └── chance.js </code></pre> </div> <p><code>chance.js</code> will randomize a boolean. If true, returns data. If false, returns error:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">chance</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">chance</span><span class="dl">"</span><span class="p">).</span><span class="nc">Chance</span><span class="p">();</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">ctx</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">isTrue</span> <span class="o">=</span> <span class="nx">chance</span><span class="p">.</span><span class="nf">bool</span><span class="p">({</span> <span class="na">likelihood</span><span class="p">:</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">likelihood</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isTrue</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="p">{</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">failed</span><span class="dl">"</span> <span class="p">},</span> <span class="p">};</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">success</span><span class="dl">"</span> <span class="p">},</span> <span class="p">};</span> <span class="p">};</span> </code></pre> </div> <p>And the workflow definition contains a retry definition:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">id</span><span class="pi">:</span> <span class="s">chanceofsuccess</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.0"</span> <span class="na">specVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.7"</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Chance of Success Workflow</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Try your chance of success. Retry if failed.</span> <span class="na">start</span><span class="pi">:</span> <span class="s">TakeAChance</span> <span class="na">functions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">chanceFunction</span> <span class="na">operation</span><span class="pi">:</span> <span class="s">mocobaas://chance-of-success#chance</span> <span class="na">retries</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">chanceRetryStrategy</span> <span class="na">delay</span><span class="pi">:</span> <span class="s">PT10S</span> <span class="na">maxAttempts</span><span class="pi">:</span> <span class="m">3</span> <span class="na">states</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">TakeAChance</span> <span class="na">type</span><span class="pi">:</span> <span class="s">operation</span> <span class="na">actions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">functionRef</span><span class="pi">:</span> <span class="s">chanceFunction</span> <span class="na">retryRef</span><span class="pi">:</span> <span class="s">chanceRetryStrategy</span> <span class="na">end</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>With that retry definition, the runtime will perform this mechanism:</p> <ul> <li>The maximum attempts is 3 times.</li> <li>There is 10 second delay between retries.</li> <li>If we get data before maxAttempts, there will be no more retries.</li> <li>If maxAttempts is reached, there will be no more retries, regardless of the result.</li> </ul> <p>Before we can use the delay duration, it needs to be parsed. For example, I use <a href="https://github.com/sosodev/duration" rel="noopener noreferrer">sosodev/duration</a> and it works well.</p> <h2> Diagram visualization </h2> <p>Generating a diagram visualization from the workflow definition is really helpful, especially when you have complex workflows.<br> One way is that you can use the <a href="https://serverlessworkflow.io/editor.html" rel="noopener noreferrer">Web Editor in the official website</a>. It can generate diagram from JSON or YAML, but the linter in the text editor will always expect JSON.</p> <p>For VS Code users, there's an <a href="https://marketplace.visualstudio.com/items?itemName=serverlessworkflow.serverless-workflow-vscode-extension" rel="noopener noreferrer">official extension</a>, But as of this writing, it is outdated, only supports spec v0.6.<br> A better alternative is to use an <a href="https://marketplace.visualstudio.com/items?itemName=redhat.vscode-extension-serverless-workflow-editor" rel="noopener noreferrer">extension from Red Hat</a>. It supports spec v0.8. It also works well with spec v0.7. The only requirement is you must name the definition files to <code>*.sw.json</code>, <code>*.sw.yaml</code> or <code>*.sw.yml</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frcleq66k8j81cv2bexhw.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frcleq66k8j81cv2bexhw.gif" alt="VS Code extension by Red Hat" width="480" height="306"></a></p> <p>Caveat:<br> Looks like those tools use the same generator, as they produce the same diagram visualization. I noticed that they can only visualize the flow, but don't include other details, such as functions or retries.</p> <h2> Closing Thoughts </h2> <p>Workflow is quite a huge feature. And as you can see, Serverless Workflow offers a great flexibility between standard and customization. But if you need more training wheels in using a workflow system, there may be better solutions out there.</p> <p>We haven't implemented most of the Serverless Workflow features yet.<br> For example, the workflow expressions I mentioned above. Using a library like <a href="https://github.com/itchyny/gojq" rel="noopener noreferrer">itchyny/gojq</a> looks promising, although I haven't tried it.<br> But at least this little effort is enough for a minimal functioning system.</p> <p>Well, hope you enjoyed this article and found it useful 😉</p> architecture workflow go node Muhammad Yahya Muhaimin Mon, 23 May 2022 01:32:02 +0000 https://dev.to/hash-id/id-otentikasi-skema-hybrid-jwt-userinfo-5aba https://dev.to/hash-id/id-otentikasi-skema-hybrid-jwt-userinfo-5aba <p>Sebagai pengembang backend, barangkali Anda pernah membangun sendiri sistem otentikasi untuk aplikasi yang Anda buat. Jika Anda mengelola session, misalnya dengan memanfaatkan database, maka itu disebut stateful.<br> Kebalikan dari stateful adalah stateless. Beberapa standar otentikasi stateless yang umum di antaranya JWT dan SAML.^[1]</p> <p>Di artikel ini kita akan mengupas bagaimana JWT digunakan dan mengapa kita tidak bisa mengandalkan dia seutuhnya.</p> <p>Aplikasi demo yang akan kita buat berbasis framework <a href="https://gofiber.io" rel="noopener noreferrer">Fiber</a>.<br> Jika Anda punya preferensi lain, secara prinsip soal JWT dan otentikasi skema hybrid ini harusnya sama.</p> <h2> Development Tools </h2> <ul> <li><a href="https://go.dev/dl/" rel="noopener noreferrer">Go</a></li> <li> <a href="https://code.visualstudio.com/" rel="noopener noreferrer">Visual Studio Code</a> + <a href="https://marketplace.visualstudio.com/items?itemName=golang.Go" rel="noopener noreferrer">ekstensi Go</a> </li> <li><a href="https://www.postman.com/downloads/" rel="noopener noreferrer">Postman</a></li> </ul> <h2> Cara Kerja JWT </h2> <p>JWT (dibaca "jot") merupakan sebuah standar internet untuk pertukaran informasi, dituangkan dalam dokumen <a href="https://datatracker.ietf.org/doc/html/rfc7519" rel="noopener noreferrer">RFC 7519</a>.<br> JSON Web Token, sesuai namanya, dia membawa payload dalam bentuk objek JSON. Setiap properti di dalamnya disebut dengan <strong>claim</strong>.</p> <p>Langsung saja kita mulai dengan membuat sebuah folder, misalnya dengan nama <code>how-to-hybrid-auth</code>. Kemudian masuk ke folder tersebut, buka terminal dan ketik:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>go mod init how-to-hybrid-auth </code></pre> </div> <p>Maka akan muncul file <code>go.mod</code>.<br> File ini bersama dengan file <code>go.sum</code> nantinya digunakan untuk mencatat berbagai dependency project. Kecuali project yang zero dependency, hanya membutuhkan standard packages, maka hanya akan ada file <code>go.mod</code>, tanpa file <code>go.sum</code>.</p> <p>Di tutorial ini struktur projectnya seperti ini:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>. ├── go.mod ├── go.sum ├── main.go └── pkg ├── authenticate │ └── handler.go ├── getaccess │ └── handler.go ├── getprofile │ └── handler.go ├── jwt │ └── jwt.go └── store ├── seeder.go └── store.go </code></pre> </div> <h3> 1. Data contoh: users </h3> <p>Misalnya ada data profil pengguna sebagai dasar untuk mengidentifikasi pengguna aplikasi. Di sini kita simpan datanya dalam file JSON.</p> <p>Isi file <code>pkg/store/store.go</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">store</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"encoding/json"</span> <span class="s">"os"</span> <span class="p">)</span> <span class="k">type</span> <span class="p">(</span> <span class="n">Item</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">interface</span><span class="p">{}</span> <span class="n">Data</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="n">Item</span> <span class="p">)</span> <span class="k">func</span> <span class="n">Get</span><span class="p">(</span><span class="n">storeName</span> <span class="kt">string</span><span class="p">)</span> <span class="p">(</span><span class="n">Data</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="c">// Read file content.</span> <span class="n">content</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">ReadFile</span><span class="p">(</span><span class="n">storeName</span> <span class="o">+</span> <span class="s">".json"</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="c">// Parse it.</span> <span class="k">var</span> <span class="n">data</span> <span class="n">Data</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">Unmarshal</span><span class="p">(</span><span class="n">content</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">data</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="k">return</span> <span class="n">data</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">func</span> <span class="n">Set</span><span class="p">(</span><span class="n">storeName</span> <span class="kt">string</span><span class="p">,</span> <span class="n">data</span> <span class="n">Data</span><span class="p">,</span> <span class="n">overwrite</span> <span class="kt">bool</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="c">// Serialize the data.</span> <span class="n">out</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">MarshalIndent</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="s">""</span><span class="p">,</span> <span class="s">" "</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="k">if</span> <span class="n">overwrite</span> <span class="p">{</span> <span class="c">// Write file (overwrite existing file).</span> <span class="k">return</span> <span class="n">os</span><span class="o">.</span><span class="n">WriteFile</span><span class="p">(</span><span class="n">storeName</span><span class="o">+</span><span class="s">".json"</span><span class="p">,</span> <span class="n">out</span><span class="p">,</span> <span class="n">os</span><span class="o">.</span><span class="n">ModePerm</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Check if file doesn't exist.</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Stat</span><span class="p">(</span><span class="n">storeName</span> <span class="o">+</span> <span class="s">".json"</span><span class="p">);</span> <span class="n">errors</span><span class="o">.</span><span class="n">Is</span><span class="p">(</span><span class="n">err</span><span class="p">,</span> <span class="n">os</span><span class="o">.</span><span class="n">ErrNotExist</span><span class="p">)</span> <span class="p">{</span> <span class="c">// Write file.</span> <span class="k">return</span> <span class="n">os</span><span class="o">.</span><span class="n">WriteFile</span><span class="p">(</span><span class="n">storeName</span><span class="o">+</span><span class="s">".json"</span><span class="p">,</span> <span class="n">out</span><span class="p">,</span> <span class="n">os</span><span class="o">.</span><span class="n">ModePerm</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>Fungsi <code>Set</code> untuk memformat data menjadi JSON dan menulisnya ke file, sedangkan fungsi <code>Get</code> untuk membaca file JSON dan mengonversinya menjadi data.</p> <p>Dan isi file <code>pkg/store/seeder.go</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">store</span> <span class="k">func</span> <span class="n">Seed</span><span class="p">()</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">users</span> <span class="o">:=</span> <span class="n">Data</span><span class="p">{</span> <span class="s">"rI3sMqctRUv9Cv9CdvJIV"</span><span class="o">:</span> <span class="n">Item</span><span class="p">{</span> <span class="s">"name"</span><span class="o">:</span> <span class="s">"Agni"</span><span class="p">,</span> <span class="s">"role"</span><span class="o">:</span> <span class="s">"Owner"</span><span class="p">,</span> <span class="p">},</span> <span class="s">"ELjvSoCYudoMnlEYlhCjP"</span><span class="o">:</span> <span class="n">Item</span><span class="p">{</span> <span class="s">"name"</span><span class="o">:</span> <span class="s">"Bisma"</span><span class="p">,</span> <span class="s">"role"</span><span class="o">:</span> <span class="s">"Maintainer"</span><span class="p">,</span> <span class="p">},</span> <span class="s">"5hkcRZcrOWTxaeFhq3EdD"</span><span class="o">:</span> <span class="n">Item</span><span class="p">{</span> <span class="s">"name"</span><span class="o">:</span> <span class="s">"Catur"</span><span class="p">,</span> <span class="s">"role"</span><span class="o">:</span> <span class="s">"Developer"</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">Set</span><span class="p">(</span><span class="s">"users"</span><span class="p">,</span> <span class="n">users</span><span class="p">,</span> <span class="no">false</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>Fungsi <code>Seed</code> akan membuatkan data awal jika belum ada.</p> <p>Sekarang gunakan fungsi tersebut di entry point aplikasi, yaitu file <code>main.go</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"how-to-hybrid-auth/pkg/store"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="c">// Seed some data.</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">store</span><span class="o">.</span><span class="n">Seed</span><span class="p">();</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="nb">panic</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Jika kita jalankan aplikasi dengan perintah:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>go run main.go </code></pre> </div> <p>Maka akan muncul file <code>users.json</code>, yang berisi data awal seperti definisi di atas.</p> <h3> 2. Membuat Access Token </h3> <p>Di sini kita mulai menggunakan Fiber, diawali dengan sebuah endpoint API untuk membuat Access Token.</p> <p>Ubah file <code>main.go</code> seperti berikut:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"log"</span> <span class="s">"github.com/gofiber/fiber/v2"</span> <span class="s">"how-to-hybrid-auth/pkg/getaccess"</span> <span class="s">"how-to-hybrid-auth/pkg/store"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="c">// Seed some data.</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">store</span><span class="o">.</span><span class="n">Seed</span><span class="p">();</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="nb">panic</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Create Fiber app.</span> <span class="n">app</span> <span class="o">:=</span> <span class="n">fiber</span><span class="o">.</span><span class="n">New</span><span class="p">()</span> <span class="c">// External endpoints.</span> <span class="n">app</span><span class="o">.</span><span class="n">Post</span><span class="p">(</span><span class="s">"/get-access"</span><span class="p">,</span> <span class="n">getaccess</span><span class="o">.</span><span class="n">Handle</span><span class="p">)</span> <span class="n">log</span><span class="o">.</span><span class="n">Fatal</span><span class="p">(</span><span class="n">app</span><span class="o">.</span><span class="n">Listen</span><span class="p">(</span><span class="s">":3000"</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <p>Untuk memfungsikan endpoint tersebut, pertama siapkan satu fungsi khusus untuk membuat token JWT di file <code>pkg/jwt/jwt.go</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">jwtutil</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"time"</span> <span class="s">"github.com/golang-jwt/jwt/v4"</span> <span class="p">)</span> <span class="k">const</span> <span class="p">(</span> <span class="n">SigMethod</span> <span class="o">=</span> <span class="s">"HS256"</span> <span class="n">SigKey</span> <span class="o">=</span> <span class="s">"2022terceS"</span> <span class="n">Issuer</span> <span class="o">=</span> <span class="s">"localhost"</span> <span class="n">Audience</span> <span class="o">=</span> <span class="s">"localhost"</span> <span class="p">)</span> <span class="c">// Sign creates a token from the specified claims.</span> <span class="k">func</span> <span class="n">Sign</span><span class="p">(</span><span class="n">claims</span> <span class="n">jwt</span><span class="o">.</span><span class="n">MapClaims</span><span class="p">,</span> <span class="n">expiresIn</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span><span class="p">)</span> <span class="kt">string</span> <span class="p">{</span> <span class="n">claims</span><span class="p">[</span><span class="s">"iss"</span><span class="p">]</span> <span class="o">=</span> <span class="n">Issuer</span> <span class="n">claims</span><span class="p">[</span><span class="s">"aud"</span><span class="p">]</span> <span class="o">=</span> <span class="n">Audience</span> <span class="n">now</span> <span class="o">:=</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span> <span class="n">claims</span><span class="p">[</span><span class="s">"iat"</span><span class="p">]</span> <span class="o">=</span> <span class="n">now</span><span class="o">.</span><span class="n">Unix</span><span class="p">()</span> <span class="n">claims</span><span class="p">[</span><span class="s">"exp"</span><span class="p">]</span> <span class="o">=</span> <span class="n">now</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="n">expiresIn</span><span class="p">)</span><span class="o">.</span><span class="n">Unix</span><span class="p">()</span> <span class="n">token</span> <span class="o">:=</span> <span class="n">jwt</span><span class="o">.</span><span class="n">NewWithClaims</span><span class="p">(</span><span class="n">jwt</span><span class="o">.</span><span class="n">GetSigningMethod</span><span class="p">(</span><span class="n">SigMethod</span><span class="p">),</span> <span class="n">claims</span><span class="p">)</span> <span class="n">out</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">token</span><span class="o">.</span><span class="n">SignedString</span><span class="p">([]</span><span class="kt">byte</span><span class="p">(</span><span class="n">SigKey</span><span class="p">))</span> <span class="k">return</span> <span class="n">out</span> <span class="p">}</span> </code></pre> </div> <p>Di sini kita menggunakan signing method yang mudah dulu, yaitu <strong>HS256</strong>, di mana signing key yang digunakan sifatnya <strong>simetris</strong>: Key yang digunakan <em>sama persis</em> untuk signing dan verifikasi JWT.^[2]</p> <p>Issuer = Pihak yang menerbitkan JWT. Audience = Pihak yang menggunakan JWT.<br> Jika dibuat sama, bisa bermaksud bahwa JWT diterbitkan dan digunakan sendiri. Meskipun itu bukan berarti JWT tersebut tidak akan berpindah tangan.<br> Setidaknya antara aplikasi server dan aplikasi client sudah termasuk dua pihak yang berbeda. JWT diterbitkan oleh server, kemudian "dipinjamkan" ke client, tetapi hanya server yang berhak untuk memverifikasinya.</p> <p>Setelah itu buat fungsi handler yang dipasangkan ke endpoint <code>/get-access</code> itu tadi, yaitu di file <code>pkg/getaccess/handler.go</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">getaccess</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"github.com/gofiber/fiber/v2"</span> <span class="s">"github.com/golang-jwt/jwt/v4"</span> <span class="n">jwtutil</span> <span class="s">"how-to-hybrid-auth/pkg/jwt"</span> <span class="s">"how-to-hybrid-auth/pkg/store"</span> <span class="p">)</span> <span class="k">type</span> <span class="p">(</span> <span class="n">findUser</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">ID</span> <span class="kt">string</span> <span class="s">`form:"id"`</span> <span class="p">}</span> <span class="n">accessResponse</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">AccessToken</span> <span class="kt">string</span> <span class="s">`json:"access_token"`</span> <span class="p">}</span> <span class="p">)</span> <span class="k">func</span> <span class="n">Handle</span><span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">fiber</span><span class="o">.</span><span class="n">Ctx</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="c">// Find user by ID.</span> <span class="n">fUser</span> <span class="o">:=</span> <span class="nb">new</span><span class="p">(</span><span class="n">findUser</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">c</span><span class="o">.</span><span class="n">BodyParser</span><span class="p">(</span><span class="n">fUser</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="n">users</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">store</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"users"</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="n">user</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">users</span><span class="p">[</span><span class="n">fUser</span><span class="o">.</span><span class="n">ID</span><span class="p">]</span> <span class="k">if</span> <span class="o">!</span><span class="n">ok</span> <span class="p">{</span> <span class="k">return</span> <span class="n">c</span><span class="o">.</span><span class="n">SendStatus</span><span class="p">(</span><span class="n">fiber</span><span class="o">.</span><span class="n">StatusNotFound</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Generate access token.</span> <span class="n">accessClaims</span> <span class="o">:=</span> <span class="n">jwt</span><span class="o">.</span><span class="n">MapClaims</span><span class="p">{</span> <span class="s">"sub"</span><span class="o">:</span> <span class="n">fUser</span><span class="o">.</span><span class="n">ID</span><span class="p">,</span> <span class="p">}</span> <span class="k">for</span> <span class="n">k</span><span class="p">,</span> <span class="n">v</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">user</span> <span class="p">{</span> <span class="n">accessClaims</span><span class="p">[</span><span class="n">k</span><span class="p">]</span> <span class="o">=</span> <span class="n">v</span> <span class="p">}</span> <span class="n">accessToken</span> <span class="o">:=</span> <span class="n">jwtutil</span><span class="o">.</span><span class="n">Sign</span><span class="p">(</span><span class="n">accessClaims</span><span class="p">,</span> <span class="m">5</span><span class="o">*</span><span class="n">time</span><span class="o">.</span><span class="n">Minute</span><span class="p">)</span> <span class="k">return</span> <span class="n">c</span><span class="o">.</span><span class="n">JSON</span><span class="p">(</span><span class="n">accessResponse</span><span class="p">{</span><span class="n">accessToken</span><span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>Fungsi <code>getaccess.Handle</code> akan mencari user berdasarkan ID. Jika ada, maka ambil semua informasi dari user tersebut menjadi claim-claim JWT, kemudian operkan ke fungsi <code>jwtutil.Sign</code> untuk digabungkan dengan beberapa claim khusus.<br> Untuk demo ini, expiresIn (masa berlaku JWT) kita buat 5 menit saja, yang kira-kira cukup untuk melihat perubahan dari valid menjadi expired.<br> Terakhir dilakukan signing, sehingga menghasilkan token JWT.</p> <p>Karena sampai di bagian ini kita sudah menggunakan beberapa dependency ekstra (3rd party packages), antara lain <code>gofiber/fiber/v2</code> dan <code>golang-jwt/jwt/v4</code>, maka kita perlu panggil perintah berikut:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>go mod tidy </code></pre> </div> <p>Dengan begitu semua dependency tersebut menjadi tersedia untuk project ini.</p> <p>Sekarang jalankan lagi aplikasi:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>go run main.go </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxtzfzt3y9ajankgb958v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxtzfzt3y9ajankgb958v.png" alt="Fiber startup message" width="334" height="128"></a></p> <p>Itu menunjukkan bahwa aplikasi ini berjalan dengan Fiber, berupa server HTTP di port 3000.</p> <p>Kita coba panggil endpoint yang dibuat tadi.<br> Tambahkan satu request di Postman seperti berikut:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feqouc19wz1kyz7ptyej9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feqouc19wz1kyz7ptyej9.png" alt="Postman - POST /get-access" width="751" height="364"></a></p> <ul> <li>Method: POST</li> <li>URL: <a href="http://localhost:3000/get-access" rel="noopener noreferrer">http://localhost:3000/get-access</a> </li> <li>Body: x-www-form-urlencoded <ul> <li>id: { salah satu ID user }</li> </ul> </li> </ul> <p>Setelah klik Send, maka akan dapat jawaban seperti berikut:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"access_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJsb2NhbGhvc3QiLCJleHAiOjE2NTI5NzA2MzYsImlhdCI6MTY1Mjk3MDMzNiwiaXNzIjoibG9jYWxob3N0IiwibmFtZSI6IkNhdHVyIiwicm9sZSI6IkRldmVsb3BlciIsInN1YiI6IjVoa2NSWmNyT1dUeGFlRmhxM0VkRCJ9.Qo70QaMH0NVo11i8u1uXgJssor1iAtGruXPiWG2PGF0"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 3. Bedah Singkat Token JWT </h3> <p>Coba salin jawaban <code>access_token</code> di atas, atau yang Anda tes sendiri, ke website <a href="https://jwt.io" rel="noopener noreferrer">jwt.io</a>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxw4dzbvpi5t1q41aoe0b.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxw4dzbvpi5t1q41aoe0b.png" alt="Copas token JWT ke jwt.io" width="800" height="482"></a></p> <p>Di situ kita bisa mengintip isi dari token, ada tiga bagian: Header, Payload dan Signature.</p> <ul> <li>Bagian Header tidak saya jelaskan.</li> <li>Bagian Payload berisi semua claim yang sudah disiapkan sebelumnya.</li> <li>Bagian Signature digunakan untuk verifikasi. Bisa coba salin signing key yang didefinisikan di source code: "2022terceS".</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcnanaqctbarttgmd4syk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcnanaqctbarttgmd4syk.png" alt="Signature Verified di jwt.io" width="800" height="277"></a></p> <p>Sekarang status di pojok kiri-bawah menjadi "Signature Verified".</p> <p>Nah, token yang bisa di-parse sebelum diverifikasi seperti itu berarti dia termasuk jenis <strong>JWS</strong> (<strong>J</strong>SON <strong>W</strong>eb <strong>S</strong>ignature).<br> Jenis lainnya adalah <strong>JWE</strong> (<strong>J</strong>SON <strong>W</strong>eb <strong>E</strong>ncryption), yang isinya terenkripsi dan membutuhkan sebuah secret key untuk membukanya.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr7dpi5knbn3yr9mf3jbx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr7dpi5knbn3yr9mf3jbx.png" alt="JWT berjenis JWS atau JWE" width="800" height="688"></a></p> <p>Jadi sebuah token JWT pasti berbentuk salah satu dari dua jenis tersebut.<br> Yang biasanya digunakan adalah JWS, berisi tiga bagian yang disebutkan di atas. Sedangkan JWE berisi lima bagian, dan salah satu metode enkripsinya adalah AES256-GCM.^[3]^[4]</p> <h3> 4. JWT Middleware (Parse + Verifikasi) </h3> <p>Middleware untuk JWT termasuk <a href="https://github.com/gofiber/fiber#-external-middleware" rel="noopener noreferrer">salah satu</a> yang dibuat oleh para maintainer Fiber, jadi kita tinggal memanfaatkannya saja.</p> <p>Isi file <code>pkg/authenticate/handler.go</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">authenticate</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"github.com/gofiber/fiber/v2"</span> <span class="n">jwtware</span> <span class="s">"github.com/gofiber/jwt/v3"</span> <span class="n">jwtutil</span> <span class="s">"how-to-hybrid-auth/pkg/jwt"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">New</span><span class="p">()</span> <span class="n">fiber</span><span class="o">.</span><span class="n">Handler</span> <span class="p">{</span> <span class="k">return</span> <span class="n">jwtware</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="n">jwtware</span><span class="o">.</span><span class="n">Config</span><span class="p">{</span> <span class="n">SigningMethod</span><span class="o">:</span> <span class="n">jwtutil</span><span class="o">.</span><span class="n">SigMethod</span><span class="p">,</span> <span class="n">SigningKey</span><span class="o">:</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">(</span><span class="n">jwtutil</span><span class="o">.</span><span class="n">SigKey</span><span class="p">),</span> <span class="n">ContextKey</span><span class="o">:</span> <span class="s">"auth"</span><span class="p">,</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>Supaya project mengenali dependency yang baru ditambahkan, panggil lagi perintah berikut:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>go mod tidy </code></pre> </div> <p>Signing method dan signing key yang digunakan adalah yang ditetapkan di file <code>pkg/jwt/jwt.go</code>.<br> Dengan konfigurasi minimal seperti di atas, maka otomatis dilakukan verifikasi:</p> <ul> <li>Signature.</li> <li>Expiration.</li> </ul> <p>Jika butuh memverifikasi hal lain, misalnya Audience, maka harus ditulis secara custom:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">authenticate</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"fmt"</span> <span class="s">"github.com/gofiber/fiber/v2"</span> <span class="n">jwtware</span> <span class="s">"github.com/gofiber/jwt/v3"</span> <span class="s">"github.com/golang-jwt/jwt/v4"</span> <span class="n">jwtutil</span> <span class="s">"how-to-hybrid-auth/pkg/jwt"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">New</span><span class="p">()</span> <span class="n">fiber</span><span class="o">.</span><span class="n">Handler</span> <span class="p">{</span> <span class="k">return</span> <span class="n">jwtware</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="n">jwtware</span><span class="o">.</span><span class="n">Config</span><span class="p">{</span> <span class="n">SigningMethod</span><span class="o">:</span> <span class="n">jwtutil</span><span class="o">.</span><span class="n">SigMethod</span><span class="p">,</span> <span class="n">SigningKey</span><span class="o">:</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">(</span><span class="n">jwtutil</span><span class="o">.</span><span class="n">SigKey</span><span class="p">),</span> <span class="n">ContextKey</span><span class="o">:</span> <span class="s">"auth"</span><span class="p">,</span> <span class="n">SuccessHandler</span><span class="o">:</span> <span class="k">func</span><span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">fiber</span><span class="o">.</span><span class="n">Ctx</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">auth</span> <span class="o">:=</span> <span class="n">c</span><span class="o">.</span><span class="n">Locals</span><span class="p">(</span><span class="s">"auth"</span><span class="p">)</span><span class="o">.</span><span class="p">(</span><span class="o">*</span><span class="n">jwt</span><span class="o">.</span><span class="n">Token</span><span class="p">)</span> <span class="n">claims</span> <span class="o">:=</span> <span class="n">auth</span><span class="o">.</span><span class="n">Claims</span><span class="o">.</span><span class="p">(</span><span class="n">jwt</span><span class="o">.</span><span class="n">MapClaims</span><span class="p">)</span> <span class="c">// Verify audience.</span> <span class="k">if</span> <span class="o">!</span><span class="n">claims</span><span class="o">.</span><span class="n">VerifyAudience</span><span class="p">(</span><span class="n">jwtutil</span><span class="o">.</span><span class="n">Audience</span><span class="p">,</span> <span class="no">true</span><span class="p">)</span> <span class="p">{</span> <span class="n">msg</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"Invalid JWT audience. Expected: %s"</span><span class="p">,</span> <span class="n">jwtutil</span><span class="o">.</span><span class="n">Audience</span><span class="p">)</span> <span class="k">return</span> <span class="n">c</span><span class="o">.</span><span class="n">Status</span><span class="p">(</span><span class="n">fiber</span><span class="o">.</span><span class="n">StatusUnauthorized</span><span class="p">)</span><span class="o">.</span><span class="n">SendString</span><span class="p">(</span><span class="n">msg</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">c</span><span class="o">.</span><span class="n">Next</span><span class="p">()</span> <span class="p">},</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>Middleware ini belum bisa digunakan jika belum ada endpoint yang dituju. Jadi kita langsung beranjak ke poin berikutnya.</p> <h3> 5. Meminta Data Profil Pengguna </h3> <p>Buat fungsi handler di file <code>pkg/getprofile/handler.go</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">getprofile</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"github.com/gofiber/fiber/v2"</span> <span class="s">"github.com/golang-jwt/jwt/v4"</span> <span class="p">)</span> <span class="k">var</span> <span class="n">reservedClaims</span> <span class="o">=</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">struct</span><span class="p">{}{</span> <span class="s">"iss"</span><span class="o">:</span> <span class="p">{},</span> <span class="s">"aud"</span><span class="o">:</span> <span class="p">{},</span> <span class="s">"exp"</span><span class="o">:</span> <span class="p">{},</span> <span class="s">"nbf"</span><span class="o">:</span> <span class="p">{},</span> <span class="s">"iat"</span><span class="o">:</span> <span class="p">{},</span> <span class="s">"sub"</span><span class="o">:</span> <span class="p">{},</span> <span class="s">"jti"</span><span class="o">:</span> <span class="p">{},</span> <span class="p">}</span> <span class="k">func</span> <span class="n">Handle</span><span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">fiber</span><span class="o">.</span><span class="n">Ctx</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">auth</span> <span class="o">:=</span> <span class="n">c</span><span class="o">.</span><span class="n">Locals</span><span class="p">(</span><span class="s">"auth"</span><span class="p">)</span><span class="o">.</span><span class="p">(</span><span class="o">*</span><span class="n">jwt</span><span class="o">.</span><span class="n">Token</span><span class="p">)</span> <span class="n">claims</span> <span class="o">:=</span> <span class="n">auth</span><span class="o">.</span><span class="n">Claims</span><span class="o">.</span><span class="p">(</span><span class="n">jwt</span><span class="o">.</span><span class="n">MapClaims</span><span class="p">)</span> <span class="c">// Extract profile from JWT claims.</span> <span class="n">profile</span> <span class="o">:=</span> <span class="n">claims</span> <span class="k">for</span> <span class="n">k</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">reservedClaims</span> <span class="p">{</span> <span class="nb">delete</span><span class="p">(</span><span class="n">profile</span><span class="p">,</span> <span class="n">k</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">c</span><span class="o">.</span><span class="n">JSON</span><span class="p">(</span><span class="n">profile</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Profil pengguna diekstrak dari claim-claim JWT, dengan mengeliminasi tujuh claim khusus (jika ada) yang disebut dengan <strong>reserved claims</strong>.^[5]</p> <p>Dan ubah file <code>main.go</code> seperti berikut:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"log"</span> <span class="s">"github.com/gofiber/fiber/v2"</span> <span class="s">"how-to-hybrid-auth/pkg/authenticate"</span> <span class="s">"how-to-hybrid-auth/pkg/getaccess"</span> <span class="s">"how-to-hybrid-auth/pkg/getprofile"</span> <span class="s">"how-to-hybrid-auth/pkg/store"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="c">// Seed some data.</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">store</span><span class="o">.</span><span class="n">Seed</span><span class="p">();</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="nb">panic</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Create Fiber app.</span> <span class="n">app</span> <span class="o">:=</span> <span class="n">fiber</span><span class="o">.</span><span class="n">New</span><span class="p">()</span> <span class="c">// External endpoints.</span> <span class="n">app</span><span class="o">.</span><span class="n">Post</span><span class="p">(</span><span class="s">"/get-access"</span><span class="p">,</span> <span class="n">getaccess</span><span class="o">.</span><span class="n">Handle</span><span class="p">)</span> <span class="c">// JWT middleware.</span> <span class="n">app</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">authenticate</span><span class="o">.</span><span class="n">New</span><span class="p">())</span> <span class="c">// Internal endpoints.</span> <span class="n">app</span><span class="o">.</span><span class="n">Post</span><span class="p">(</span><span class="s">"/get-profile"</span><span class="p">,</span> <span class="n">getprofile</span><span class="o">.</span><span class="n">Handle</span><span class="p">)</span> <span class="n">log</span><span class="o">.</span><span class="n">Fatal</span><span class="p">(</span><span class="n">app</span><span class="o">.</span><span class="n">Listen</span><span class="p">(</span><span class="s">":3000"</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <p>Jadi umumnya JWT middleware itu ditempatkan setelah endpoint-endpoint eksternal dan sebelum endpoint-endpoint internal.</p> <p>Jalankan lagi aplikasi:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>go run main.go </code></pre> </div> <p>Kemudian ke Postman dan tambahkan satu request lagi:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2a4p2t3dh1hgnszz15mc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2a4p2t3dh1hgnszz15mc.png" alt="Postman - POST /get-profile" width="800" height="335"></a></p> <ul> <li>Method: POST</li> <li>URL: <a href="http://localhost:3000/get-profile" rel="noopener noreferrer">http://localhost:3000/get-profile</a> </li> <li>Body: none</li> <li>Authorization: Bearer Token</li> </ul> <p>Isikan Access Token ke kolom yang tersedia.</p> <p>Jika token tidak valid atau sudah expired, maka akan dapat jawaban "Invalid or expired JWT".</p> <p>Sedangkan jika valid, maka akan dapat jawaban seperti berikut:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Catur"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Developer"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Keterbatasan JWT </h2> <p>JWT memang dirancang untuk pertukaran informasi. Namun satu problem yang jelas adalah ketika misalnya data profil diubah dan kita butuh agar perubahan tersebut langsung berdampak terhadap penggunaan aplikasi, maka pada kondisi tersebut JWT tidak bisa diandalkan.<br> Jika untuk melihat perubahan itu harus melakukan penerbitan ulang JWT, maka sepertinya itu skenario yang terlalu memaksakan, tidak praktis.</p> <p>Fakta yang ada di lapangan, oleh berbagai sistem penyedia identitas (identity provider), yaitu antara dua kemungkinan:</p> <ul> <li>Token JWT bukan sebagai Access Token, melainkan hanya sebagai ID Token. Ini yang dilakukan oleh Apple.^[6] </li> <li>Pihak provider menyediakan endpoint <code>/userinfo</code> dan butuh Access Token untuk memanggilnya. Ini yang dilakukan oleh Auth0.^[7] </li> </ul> <p>Dalam kasus Apple, mereka tidak peduli terhadap perubahan profil pengguna dan cukup ID Token itu yang dijadikan patokan, selama masih valid.<br> Dari sisi aplikasi, bisa menetapkan durasi expiration, seperti yang ada di library <code>albenik-go/apple-sign-in</code> pada fungsi <a href="https://pkg.go.dev/github.com/albenik-go/apple-sign-in#Client.ValidateCode" rel="noopener noreferrer"><code>Client.ValidateCode</code></a>.</p> <p>Dalam kasus Auth0, Access Token yang digunakan untuk memanggil endpoint <code>/userinfo</code> bersifat opaque (tidak transparan). Artinya ketika aplikasi memperoleh Access Token, tidak untuk di-parse, sebab bukan JWT.</p> <h2> Userinfo: Tantangan dan Solusinya </h2> <p>Kita tahu bahwa urusan otentikasi dapat dikelola secara internal maupun eksternal.</p> <p>Meskipun di atas sudah disebutkan tentang keterbatasan pada JWT dan keunggulan adanya endpoint <code>/userinfo</code>, tapi kadang kita dihadapkan pada tantangan ketika aplikasinya harus mendukung beberapa penyedia identitas, contohnya Google dan Facebook.</p> <ul> <li>Google punya endpoint <code>/userinfo</code>.</li> <li>Facebook punya endpoint <code>/me</code>.</li> </ul> <p>Kalau hanya satu sumber data, kita bisa mengandalkannya. Tapi kalau lebih dari satu, itu juga menjadi masalah.<br> Mungkin endpoint tersebut hanya berguna untuk membantu pendaftaran pengguna, untuk mengisi profil di awal. Yang berarti aplikasi harus menyimpan data profil secara lokal.<br> Dalam kasus yang seperti ini, tidak ada bedanya antara penyedia identitas menggunakan endpoint <code>/userinfo</code> atau ID Token, karena hanya diakses sekali untuk masing-masing pengguna.</p> <p>Jadi dapat diambil kesimpulan bahwa harusnya selalu ada data profil lokal aplikasi, baik itu otentikasinya secara internal maupun eksternal.</p> <p>Sekarang untuk penyesuaian yang diperlukan di aplikasi demo kita:</p> <p>Di file <code>pkg/getaccess/handler.go</code>, baris 35-49:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="n">_</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">users</span><span class="p">[</span><span class="n">fUser</span><span class="o">.</span><span class="n">ID</span><span class="p">]</span> <span class="k">if</span> <span class="o">!</span><span class="n">ok</span> <span class="p">{</span> <span class="k">return</span> <span class="n">c</span><span class="o">.</span><span class="n">SendStatus</span><span class="p">(</span><span class="n">fiber</span><span class="o">.</span><span class="n">StatusNotFound</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Generate access token.</span> <span class="n">accessClaims</span> <span class="o">:=</span> <span class="n">jwt</span><span class="o">.</span><span class="n">MapClaims</span><span class="p">{</span> <span class="s">"sub"</span><span class="o">:</span> <span class="n">fUser</span><span class="o">.</span><span class="n">ID</span><span class="p">,</span> <span class="p">}</span> <span class="n">accessToken</span> <span class="o">:=</span> <span class="n">jwtutil</span><span class="o">.</span><span class="n">Sign</span><span class="p">(</span><span class="n">accessClaims</span><span class="p">,</span> <span class="m">5</span><span class="o">*</span><span class="n">time</span><span class="o">.</span><span class="n">Minute</span><span class="p">)</span> </code></pre> </div> <p>Di situ kita hanya membutuhkan informasi ID pengguna dan tidak menyertakan informasi lainnya untuk pembuatan Access Token.</p> <p>Kemudian di file <code>pkg/getprofile/handler.go</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">getprofile</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"github.com/gofiber/fiber/v2"</span> <span class="s">"github.com/golang-jwt/jwt/v4"</span> <span class="s">"how-to-hybrid-auth/pkg/store"</span> <span class="p">)</span> <span class="k">var</span> <span class="n">reservedClaims</span> <span class="o">=</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">struct</span><span class="p">{}{</span> <span class="s">"iss"</span><span class="o">:</span> <span class="p">{},</span> <span class="s">"aud"</span><span class="o">:</span> <span class="p">{},</span> <span class="s">"exp"</span><span class="o">:</span> <span class="p">{},</span> <span class="s">"nbf"</span><span class="o">:</span> <span class="p">{},</span> <span class="s">"iat"</span><span class="o">:</span> <span class="p">{},</span> <span class="s">"sub"</span><span class="o">:</span> <span class="p">{},</span> <span class="s">"jti"</span><span class="o">:</span> <span class="p">{},</span> <span class="p">}</span> <span class="k">func</span> <span class="n">Handle</span><span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">fiber</span><span class="o">.</span><span class="n">Ctx</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">auth</span> <span class="o">:=</span> <span class="n">c</span><span class="o">.</span><span class="n">Locals</span><span class="p">(</span><span class="s">"auth"</span><span class="p">)</span><span class="o">.</span><span class="p">(</span><span class="o">*</span><span class="n">jwt</span><span class="o">.</span><span class="n">Token</span><span class="p">)</span> <span class="n">claims</span> <span class="o">:=</span> <span class="n">auth</span><span class="o">.</span><span class="n">Claims</span><span class="o">.</span><span class="p">(</span><span class="n">jwt</span><span class="o">.</span><span class="n">MapClaims</span><span class="p">)</span> <span class="c">// Extract user ID from JWT claims.</span> <span class="n">userID</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">claims</span><span class="p">[</span><span class="s">"sub"</span><span class="p">]</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">)</span> <span class="k">if</span> <span class="o">!</span><span class="n">ok</span> <span class="p">{</span> <span class="k">return</span> <span class="n">c</span><span class="o">.</span><span class="n">SendStatus</span><span class="p">(</span><span class="n">fiber</span><span class="o">.</span><span class="n">StatusNotFound</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Find user by ID.</span> <span class="n">users</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">store</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"users"</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="n">user</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">users</span><span class="p">[</span><span class="n">userID</span><span class="p">]</span> <span class="k">if</span> <span class="o">!</span><span class="n">ok</span> <span class="p">{</span> <span class="k">return</span> <span class="n">c</span><span class="o">.</span><span class="n">SendStatus</span><span class="p">(</span><span class="n">fiber</span><span class="o">.</span><span class="n">StatusNotFound</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">c</span><span class="o">.</span><span class="n">JSON</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Di situ pertama kita memastikan bahwa JWT berisi claim "sub", yang itu adalah ID pengguna. Setelah itu kita mencari data pengguna berdasarkan ID tersebut.</p> <p>Dengan begitu, hasil yang didapat akan selalu sesuai dengan data profil saat ini.</p> <p>Jawaban pertama:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Catur"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Developer"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Jawaban kedua setelah data berubah:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Catur"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Maintainer"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Referensi </h2> <ol> <li><a href="https://doubleoctopus.com/security-wiki/network-architecture/stateless-authentication/" rel="noopener noreferrer">https://doubleoctopus.com/security-wiki/network-architecture/stateless-authentication/</a></li> <li><a href="https://youtu.be/XfjQ2qO4ca8" rel="noopener noreferrer">https://youtu.be/XfjQ2qO4ca8</a></li> <li><a href="https://developer.okta.com/blog/2020/12/21/beginners-guide-to-jwt" rel="noopener noreferrer">https://developer.okta.com/blog/2020/12/21/beginners-guide-to-jwt</a></li> <li><a href="https://medium.facilelogin.com/jwt-jws-and-jwe-for-not-so-dummies-b63310d201a3" rel="noopener noreferrer">https://medium.facilelogin.com/jwt-jws-and-jwe-for-not-so-dummies-b63310d201a3</a></li> <li><a href="https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-claims" rel="noopener noreferrer">https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-claims</a></li> <li><a href="https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple" rel="noopener noreferrer">https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple</a></li> <li><a href="https://auth0.com/docs/secure/tokens/access-tokens" rel="noopener noreferrer">https://auth0.com/docs/secure/tokens/access-tokens</a></li> </ol> <h2> Bacaan/Tontonan Lanjutan </h2> <ol> <li>Bagaimana cara logout ketika menggunakan JWT: <a href="https://medium.com/devgorilla/how-to-log-out-when-using-jwt-a8c7823e8a6" rel="noopener noreferrer">https://medium.com/devgorilla/how-to-log-out-when-using-jwt-a8c7823e8a6</a> </li> <li>Mengenal OpenID Connect: <a href="https://www.youtube.com/watch?v=6DxRTJN1Ffo&amp;list=PLKCk3OyNwIzuD_jxWu-JddooM2yjX5q99&amp;index=12" rel="noopener noreferrer">https://www.youtube.com/watch?v=6DxRTJN1Ffo&amp;list=PLKCk3OyNwIzuD_jxWu-JddooM2yjX5q99&amp;index=12</a> </li> </ol> go tutorial