Diffstat (limited to 'weed/security/jwt.go')
-rw-r--r--weed/security/jwt.go29
1 files changed, 29 insertions, 0 deletions
diff --git a/weed/security/jwt.go b/weed/security/jwt.go
index 1976c8ffe..82ba0df12 100644
--- a/weed/security/jwt.go
+++ b/weed/security/jwt.go
@@ -20,6 +20,13 @@ type SeaweedFileIdClaims struct {
jwt.StandardClaims
}
+// SeaweedFilerClaims is created e.g. by S3 proxy server and consumed by Filer server.
+// Right now, it only contains the standard claims; but this might be extended later
+// for more fine-grained permissions.
+type SeaweedFilerClaims struct {
+ jwt.StandardClaims
+}
+
func GenJwtForVolumeServer(signingKey SigningKey, expiresAfterSec int, fileId string) EncodedJwt {
if len(signingKey) == 0 {
return ""
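Review bot: SeaweedFilerClaims embeds only jwt.StandardClaims, so nothing in the token itself marks it as a filer token. Separation from the volume-server tokens built from SeaweedFileIdClaims therefore rests entirely on the two services using different signing keys. If a deployment configured the same key for both, a file-id token would presumably also decode as valid filer claims, since the extra field would be ignored. I would record this in the type comment, e.g. `// The filer signing key must differ from the volume server key; these claims carry no audience.`, or set and verify `Audience`. The verification side is not part of this diff, so this needs confirming there.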
@@ -41,6 +48,28 @@ func GenJwtForVolumeServer(signingKey SigningKey, expiresAfterSec int, fileId st
return EncodedJwt(encoded)
}
+// GenJwtForFilerServer creates a JSON-web-token for using the authenticated Filer API. Used f.e. inside
+// the S3 API
+func GenJwtForFilerServer(signingKey SigningKey, expiresAfterSec int) EncodedJwt {
+ if len(signingKey) == 0 {
+ return ""
+ }
+
+ claims := SeaweedFilerClaims{
+ jwt.StandardClaims{},
+ }
+ if expiresAfterSec > 0 {
+ claims.ExpiresAt = time.Now().Add(time.Second * time.Duration(expiresAfterSec)).Unix()
+ }
+ t := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+ encoded, e := t.SignedString([]byte(signingKey))
+ if e != nil {
+ glog.V(0).Infof("Failed to sign claims %+v: %v", t.Claims, e)
+ return ""
+ }
+ return EncodedJwt(encoded)
+}
+
func GetJwt(r *http.Request) EncodedJwt {
// Get token from query params
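Review bot: When expiresAfterSec is zero or negative, the `if expiresAfterSec > 0` guard leaves ExpiresAt unset, so GenJwtForFilerServer returns a signed token with no exp claim, a bearer credential for the filer API that never lapses. The doc comment should say so, e.g. `// If expiresAfterSec <= 0 the token has no expiry; configure a positive value outside of testing.`. The filer-side check is not shown here; confirm that it rejects, or at least logs, tokens without exp if non-expiring tokens are not intended. The body also repeats the signing steps of GenJwtForVolumeServer, which lies mostly outside this hunk, so a shared helper that takes the claims would keep the two paths from drifting apart.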