fix: add namespace to session token keys

2022-06-29 22:24:00 +05:30
parent e6a4670ba9
commit 2a5d5d43b0
24 changed files with 258 additions and 149 deletions
--- a/server/handlers/authorize.go
+++ b/server/handlers/authorize.go
@@ -218,13 +218,18 @@ func AuthorizeHandler() gin.HandlerFunc {
 			return
 		}

+		sessionKey := user.ID
+		if claims.LoginMethod != "" {
+			sessionKey = claims.LoginMethod + ":" + user.ID
+		}
+
 		// if user is logged in
 		// based on the response type code, generate the response
 		if isResponseTypeCode {
 			// rollover the session for security
-			go memorystore.Provider.DeleteUserSession(user.ID, claims.Nonce)
+			go memorystore.Provider.DeleteUserSession(sessionKey, claims.Nonce)
 			nonce := uuid.New().String()
-			newSessionTokenData, newSessionToken, err := token.CreateSessionToken(user, nonce, claims.Roles, scope)
+			newSessionTokenData, newSessionToken, err := token.CreateSessionToken(user, nonce, claims.Roles, scope, claims.LoginMethod)
 			if err != nil {
 				if isQuery {
 					gc.Redirect(http.StatusFound, loginURL)
@@ -262,7 +267,7 @@ func AuthorizeHandler() gin.HandlerFunc {

 		if isResponseTypeToken {
 			// rollover the session for security
-			authToken, err := token.CreateAuthToken(gc, user, claims.Roles, scope)
+			authToken, err := token.CreateAuthToken(gc, user, claims.Roles, scope, claims.LoginMethod)
 			if err != nil {
 				if isQuery {
 					gc.Redirect(http.StatusFound, loginURL)
@@ -280,9 +285,10 @@ func AuthorizeHandler() gin.HandlerFunc {
 				}
 				return
 			}
-			go memorystore.Provider.DeleteUserSession(user.ID, claims.Nonce)
-			memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
-			memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
+
+			go memorystore.Provider.DeleteUserSession(sessionKey, claims.Nonce)
+			memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
+			memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
 			cookie.SetSession(gc, authToken.FingerPrintHash)

 			expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()
@@ -305,7 +311,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 			if authToken.RefreshToken != nil {
 				res["refresh_token"] = authToken.RefreshToken.Token
 				params += "&refresh_token=" + authToken.RefreshToken.Token
-				memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
+				memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
 			}

 			if isQuery {
--- a/server/handlers/oauth_callback.go
+++ b/server/handlers/oauth_callback.go
@@ -57,15 +57,15 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 		user := models.User{}
 		code := c.Request.FormValue("code")
 		switch provider {
-		case constants.SignupMethodGoogle:
+		case constants.AuthRecipeMethodGoogle:
 			user, err = processGoogleUserInfo(code)
-		case constants.SignupMethodGithub:
+		case constants.AuthRecipeMethodGithub:
 			user, err = processGithubUserInfo(code)
-		case constants.SignupMethodFacebook:
+		case constants.AuthRecipeMethodFacebook:
 			user, err = processFacebookUserInfo(code)
-		case constants.SignupMethodLinkedIn:
+		case constants.AuthRecipeMethodLinkedIn:
 			user, err = processLinkedInUserInfo(code)
-		case constants.SignupMethodApple:
+		case constants.AuthRecipeMethodApple:
 			user, err = processAppleUserInfo(code)
 		default:
 			log.Info("Invalid oauth provider")
@@ -192,7 +192,7 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 			}
 		}

-		authToken, err := token.CreateAuthToken(c, user, inputRoles, scopes)
+		authToken, err := token.CreateAuthToken(c, user, inputRoles, scopes, provider)
 		if err != nil {
 			log.Debug("Failed to create auth token: ", err)
 			c.JSON(500, gin.H{"error": err.Error()})
@@ -205,13 +205,14 @@ func OAuthCallbackHandler() gin.HandlerFunc {

 		params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + stateValue + "&id_token=" + authToken.IDToken.Token

+		sessionKey := provider + ":" + user.ID
 		cookie.SetSession(c, authToken.FingerPrintHash)
-		memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
-		memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
+		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
+		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)

 		if authToken.RefreshToken != nil {
 			params = params + `&refresh_token=` + authToken.RefreshToken.Token
-			memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
+			memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
 		}

 		go db.Provider.AddSession(models.Session{
--- a/server/handlers/oauth_login.go
+++ b/server/handlers/oauth_login.go
@@ -100,13 +100,13 @@ func OAuthLoginHandler() gin.HandlerFunc {
 		provider := c.Param("oauth_provider")
 		isProviderConfigured := true
 		switch provider {
-		case constants.SignupMethodGoogle:
+		case constants.AuthRecipeMethodGoogle:
 			if oauth.OAuthProviders.GoogleConfig == nil {
 				log.Debug("Google OAuth provider is not configured")
 				isProviderConfigured = false
 				break
 			}
-			err := memorystore.Provider.SetState(oauthStateString, constants.SignupMethodGoogle)
+			err := memorystore.Provider.SetState(oauthStateString, constants.AuthRecipeMethodGoogle)
 			if err != nil {
 				log.Debug("Error setting state: ", err)
 				c.JSON(500, gin.H{
@@ -115,16 +115,16 @@ func OAuthLoginHandler() gin.HandlerFunc {
 				return
 			}
 			// during the init of OAuthProvider authorizer url might be empty
-			oauth.OAuthProviders.GoogleConfig.RedirectURL = hostname + "/oauth_callback/" + constants.SignupMethodGoogle
+			oauth.OAuthProviders.GoogleConfig.RedirectURL = hostname + "/oauth_callback/" + constants.AuthRecipeMethodGoogle
 			url := oauth.OAuthProviders.GoogleConfig.AuthCodeURL(oauthStateString)
 			c.Redirect(http.StatusTemporaryRedirect, url)
-		case constants.SignupMethodGithub:
+		case constants.AuthRecipeMethodGithub:
 			if oauth.OAuthProviders.GithubConfig == nil {
 				log.Debug("Github OAuth provider is not configured")
 				isProviderConfigured = false
 				break
 			}
-			err := memorystore.Provider.SetState(oauthStateString, constants.SignupMethodGithub)
+			err := memorystore.Provider.SetState(oauthStateString, constants.AuthRecipeMethodGithub)
 			if err != nil {
 				log.Debug("Error setting state: ", err)
 				c.JSON(500, gin.H{
@@ -132,16 +132,16 @@ func OAuthLoginHandler() gin.HandlerFunc {
 				})
 				return
 			}
-			oauth.OAuthProviders.GithubConfig.RedirectURL = hostname + "/oauth_callback/" + constants.SignupMethodGithub
+			oauth.OAuthProviders.GithubConfig.RedirectURL = hostname + "/oauth_callback/" + constants.AuthRecipeMethodGithub
 			url := oauth.OAuthProviders.GithubConfig.AuthCodeURL(oauthStateString)
 			c.Redirect(http.StatusTemporaryRedirect, url)
-		case constants.SignupMethodFacebook:
+		case constants.AuthRecipeMethodFacebook:
 			if oauth.OAuthProviders.FacebookConfig == nil {
 				log.Debug("Facebook OAuth provider is not configured")
 				isProviderConfigured = false
 				break
 			}
-			err := memorystore.Provider.SetState(oauthStateString, constants.SignupMethodFacebook)
+			err := memorystore.Provider.SetState(oauthStateString, constants.AuthRecipeMethodFacebook)
 			if err != nil {
 				log.Debug("Error setting state: ", err)
 				c.JSON(500, gin.H{
@@ -149,16 +149,16 @@ func OAuthLoginHandler() gin.HandlerFunc {
 				})
 				return
 			}
-			oauth.OAuthProviders.FacebookConfig.RedirectURL = hostname + "/oauth_callback/" + constants.SignupMethodFacebook
+			oauth.OAuthProviders.FacebookConfig.RedirectURL = hostname + "/oauth_callback/" + constants.AuthRecipeMethodFacebook
 			url := oauth.OAuthProviders.FacebookConfig.AuthCodeURL(oauthStateString)
 			c.Redirect(http.StatusTemporaryRedirect, url)
-		case constants.SignupMethodLinkedIn:
+		case constants.AuthRecipeMethodLinkedIn:
 			if oauth.OAuthProviders.LinkedInConfig == nil {
 				log.Debug("Linkedin OAuth provider is not configured")
 				isProviderConfigured = false
 				break
 			}
-			err := memorystore.Provider.SetState(oauthStateString, constants.SignupMethodLinkedIn)
+			err := memorystore.Provider.SetState(oauthStateString, constants.AuthRecipeMethodLinkedIn)
 			if err != nil {
 				log.Debug("Error setting state: ", err)
 				c.JSON(500, gin.H{
@@ -166,16 +166,16 @@ func OAuthLoginHandler() gin.HandlerFunc {
 				})
 				return
 			}
-			oauth.OAuthProviders.LinkedInConfig.RedirectURL = hostname + "/oauth_callback/" + constants.SignupMethodLinkedIn
+			oauth.OAuthProviders.LinkedInConfig.RedirectURL = hostname + "/oauth_callback/" + constants.AuthRecipeMethodLinkedIn
 			url := oauth.OAuthProviders.LinkedInConfig.AuthCodeURL(oauthStateString)
 			c.Redirect(http.StatusTemporaryRedirect, url)
-		case constants.SignupMethodApple:
+		case constants.AuthRecipeMethodApple:
 			if oauth.OAuthProviders.AppleConfig == nil {
 				log.Debug("Apple OAuth provider is not configured")
 				isProviderConfigured = false
 				break
 			}
-			err := memorystore.Provider.SetState(oauthStateString, constants.SignupMethodApple)
+			err := memorystore.Provider.SetState(oauthStateString, constants.AuthRecipeMethodApple)
 			if err != nil {
 				log.Debug("Error setting state: ", err)
 				c.JSON(500, gin.H{
@@ -183,7 +183,7 @@ func OAuthLoginHandler() gin.HandlerFunc {
 				})
 				return
 			}
-			oauth.OAuthProviders.AppleConfig.RedirectURL = hostname + "/oauth_callback/" + constants.SignupMethodApple
+			oauth.OAuthProviders.AppleConfig.RedirectURL = hostname + "/oauth_callback/" + constants.AuthRecipeMethodApple
 			// there is scope encoding issue with oauth2 and how apple expects, hence added scope manually
 			// check: https://github.com/golang/oauth2/issues/449
 			url := oauth.OAuthProviders.AppleConfig.AuthCodeURL(oauthStateString, oauth2.SetAuthURLParam("response_mode", "form_post")) + "&scope=name email"
--- a/server/handlers/revoke.go
+++ b/server/handlers/revoke.go
@@ -56,7 +56,14 @@ func RevokeHandler() gin.HandlerFunc {
 			return
 		}

-		memorystore.Provider.DeleteUserSession(claims["sub"].(string), claims["nonce"].(string))
+		userID := claims["sub"].(string)
+		loginMethod := claims["login_method"]
+		sessionToken := userID
+		if loginMethod != nil && loginMethod != "" {
+			sessionToken = loginMethod.(string) + ":" + userID
+		}
+
+		memorystore.Provider.DeleteUserSession(sessionToken, claims["nonce"].(string))

 		gc.JSON(http.StatusOK, gin.H{
 			"message": "Token revoked successfully",
--- a/server/handlers/token.go
+++ b/server/handlers/token.go
@@ -72,6 +72,9 @@ func TokenHandler() gin.HandlerFunc {

 		var userID string
 		var roles, scope []string
+		loginMethod := ""
+		sessionKey := ""
+
 		if isAuthorizationCodeGrant {

 			if codeVerifier == "" {
@@ -134,8 +137,13 @@ func TokenHandler() gin.HandlerFunc {
 			userID = claims.Subject
 			roles = claims.Roles
 			scope = claims.Scope
+			loginMethod = claims.LoginMethod
 			// rollover the session for security
-			go memorystore.Provider.DeleteUserSession(userID, claims.Nonce)
+			sessionKey = userID
+			if loginMethod != "" {
+				sessionKey = loginMethod + ":" + userID
+			}
+			go memorystore.Provider.DeleteUserSession(sessionKey, claims.Nonce)
 		} else {
 			// validate refresh token
 			if refreshToken == "" {
@@ -155,6 +163,7 @@ func TokenHandler() gin.HandlerFunc {
 				})
 			}
 			userID = claims["sub"].(string)
+			loginMethod := claims["login_method"]
 			rolesInterface := claims["roles"].([]interface{})
 			scopeInterface := claims["scope"].([]interface{})
 			for _, v := range rolesInterface {
@@ -163,8 +172,22 @@ func TokenHandler() gin.HandlerFunc {
 			for _, v := range scopeInterface {
 				scope = append(scope, v.(string))
 			}
+
+			sessionKey = userID
+			if loginMethod != nil && loginMethod != "" {
+				sessionKey = loginMethod.(string) + ":" + sessionKey
+			}
 			// remove older refresh token and rotate it for security
-			go memorystore.Provider.DeleteUserSession(userID, claims["nonce"].(string))
+			go memorystore.Provider.DeleteUserSession(sessionKey, claims["nonce"].(string))
+		}
+
+		if sessionKey == "" {
+			log.Debug("Error getting sessionKey: ", sessionKey, loginMethod)
+			gc.JSON(http.StatusUnauthorized, gin.H{
+				"error":             "unauthorized",
+				"error_description": "User not found",
+			})
+			return
 		}

 		user, err := db.Provider.GetUserByID(userID)
@@ -177,7 +200,7 @@ func TokenHandler() gin.HandlerFunc {
 			return
 		}

-		authToken, err := token.CreateAuthToken(gc, user, roles, scope)
+		authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod)
 		if err != nil {
 			log.Debug("Error creating auth token: ", err)
 			gc.JSON(http.StatusUnauthorized, gin.H{
@@ -186,8 +209,8 @@ func TokenHandler() gin.HandlerFunc {
 			})
 			return
 		}
-		memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
-		memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
+		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
+		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
 		cookie.SetSession(gc, authToken.FingerPrintHash)

 		expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()
@@ -205,7 +228,7 @@ func TokenHandler() gin.HandlerFunc {

 		if authToken.RefreshToken != nil {
 			res["refresh_token"] = authToken.RefreshToken.Token
-			memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
+			memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
 		}

 		gc.JSON(http.StatusOK, res)
--- a/server/handlers/verify_email.go
+++ b/server/handlers/verify_email.go
@@ -92,7 +92,11 @@ func VerifyEmailHandler() gin.HandlerFunc {
 		} else {
 			scope = strings.Split(scopeString, " ")
 		}
-		authToken, err := token.CreateAuthToken(c, user, roles, scope)
+		loginMethod := constants.AuthRecipeMethodBasicAuth
+		if verificationRequest.Identifier == constants.VerificationTypeMagicLinkLogin {
+			loginMethod = constants.AuthRecipeMethodMagicLinkLogin
+		}
+		authToken, err := token.CreateAuthToken(c, user, roles, scope, loginMethod)
 		if err != nil {
 			log.Debug("Error creating auth token: ", err)
 			errorRes["error_description"] = err.Error()
@@ -107,13 +111,14 @@ func VerifyEmailHandler() gin.HandlerFunc {

 		params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + state + "&id_token=" + authToken.IDToken.Token

+		sessionKey := loginMethod + ":" + user.ID
 		cookie.SetSession(c, authToken.FingerPrintHash)
-		memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
-		memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
+		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
+		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)

 		if authToken.RefreshToken != nil {
 			params = params + `&refresh_token=` + authToken.RefreshToken.Token
-			memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
+			memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
 		}

 		if redirectURL == "" {