fix: add namespace to session token keys
This commit is contained in:
Lakhan Samani
@@ -129,11 +129,11 @@ func InviteMembersResolver(ctx context.Context, params model.InviteMemberInput)
|
||||
|
||||
// use magic link login if that option is on
|
||||
if !isMagicLinkLoginDisabled {
|
||||
user.SignupMethods = constants.SignupMethodMagicLinkLogin
|
||||
user.SignupMethods = constants.AuthRecipeMethodMagicLinkLogin
|
||||
verificationRequest.Identifier = constants.VerificationTypeMagicLinkLogin
|
||||
} else {
|
||||
// use basic authentication if that option is on
|
||||
user.SignupMethods = constants.SignupMethodBasicAuth
|
||||
user.SignupMethods = constants.AuthRecipeMethodBasicAuth
|
||||
verificationRequest.Identifier = constants.VerificationTypeForgotPassword
|
||||
|
||||
verifyEmailURL = appURL + "/setup-password"
|
||||
|
||||
@@ -56,7 +56,7 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
|
||||
return res, fmt.Errorf(`user access has been revoked`)
|
||||
}
|
||||
|
||||
if !strings.Contains(user.SignupMethods, constants.SignupMethodBasicAuth) {
|
||||
if !strings.Contains(user.SignupMethods, constants.AuthRecipeMethodBasicAuth) {
|
||||
log.Debug("User signup method is not basic auth")
|
||||
return res, fmt.Errorf(`user has not signed up email & password`)
|
||||
}
|
||||
@@ -97,7 +97,7 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
|
||||
scope = params.Scope
|
||||
}
|
||||
|
||||
authToken, err := token.CreateAuthToken(gc, user, roles, scope)
|
||||
authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth)
|
||||
if err != nil {
|
||||
log.Debug("Failed to create auth token", err)
|
||||
return res, err
|
||||
@@ -117,12 +117,13 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
|
||||
}
|
||||
|
||||
cookie.SetSession(gc, authToken.FingerPrintHash)
|
||||
memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
|
||||
memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
|
||||
sessionStoreKey := constants.AuthRecipeMethodBasicAuth + ":" + user.ID
|
||||
memorystore.Provider.SetUserSession(sessionStoreKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
|
||||
memorystore.Provider.SetUserSession(sessionStoreKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
|
||||
|
||||
if authToken.RefreshToken != nil {
|
||||
res.RefreshToken = &authToken.RefreshToken.Token
|
||||
memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
|
||||
memorystore.Provider.SetUserSession(sessionStoreKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
|
||||
}
|
||||
|
||||
go db.Provider.AddSession(models.Session{
|
||||
|
||||
@@ -41,7 +41,12 @@ func LogoutResolver(ctx context.Context) (*model.Response, error) {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
memorystore.Provider.DeleteUserSession(sessionData.Subject, sessionData.Nonce)
|
||||
sessionKey := sessionData.Subject
|
||||
if sessionData.LoginMethod != "" {
|
||||
sessionKey = sessionData.LoginMethod + ":" + sessionData.Subject
|
||||
}
|
||||
|
||||
memorystore.Provider.DeleteUserSession(sessionKey, sessionData.Nonce)
|
||||
cookie.DeleteSession(gc)
|
||||
|
||||
res := &model.Response{
|
||||
|
||||
@@ -70,7 +70,7 @@ func MagicLinkLoginResolver(ctx context.Context, params model.MagicLinkLoginInpu
|
||||
return res, fmt.Errorf(`signup is disabled for this instance`)
|
||||
}
|
||||
|
||||
user.SignupMethods = constants.SignupMethodMagicLinkLogin
|
||||
user.SignupMethods = constants.AuthRecipeMethodMagicLinkLogin
|
||||
// define roles for new user
|
||||
if len(params.Roles) > 0 {
|
||||
// check if roles exists
|
||||
@@ -158,8 +158,8 @@ func MagicLinkLoginResolver(ctx context.Context, params model.MagicLinkLoginInpu
|
||||
}
|
||||
|
||||
signupMethod := existingUser.SignupMethods
|
||||
if !strings.Contains(signupMethod, constants.SignupMethodMagicLinkLogin) {
|
||||
signupMethod = signupMethod + "," + constants.SignupMethodMagicLinkLogin
|
||||
if !strings.Contains(signupMethod, constants.AuthRecipeMethodMagicLinkLogin) {
|
||||
signupMethod = signupMethod + "," + constants.AuthRecipeMethodMagicLinkLogin
|
||||
}
|
||||
|
||||
user.SignupMethods = signupMethod
|
||||
|
||||
@@ -82,8 +82,8 @@ func ResetPasswordResolver(ctx context.Context, params model.ResetPasswordInput)
|
||||
user.Password = &password
|
||||
|
||||
signupMethod := user.SignupMethods
|
||||
if !strings.Contains(signupMethod, constants.SignupMethodBasicAuth) {
|
||||
signupMethod = signupMethod + "," + constants.SignupMethodBasicAuth
|
||||
if !strings.Contains(signupMethod, constants.AuthRecipeMethodBasicAuth) {
|
||||
signupMethod = signupMethod + "," + constants.AuthRecipeMethodBasicAuth
|
||||
}
|
||||
user.SignupMethods = signupMethod
|
||||
|
||||
|
||||
@@ -70,14 +70,18 @@ func SessionResolver(ctx context.Context, params *model.SessionQueryInput) (*mod
|
||||
scope = params.Scope
|
||||
}
|
||||
|
||||
authToken, err := token.CreateAuthToken(gc, user, claimRoles, scope)
|
||||
authToken, err := token.CreateAuthToken(gc, user, claimRoles, scope, claims.LoginMethod)
|
||||
if err != nil {
|
||||
log.Debug("Failed to create auth token: ", err)
|
||||
return res, err
|
||||
}
|
||||
|
||||
// rollover the session for security
|
||||
go memorystore.Provider.DeleteUserSession(userID, claims.Nonce)
|
||||
sessionKey := userID
|
||||
if claims.LoginMethod != "" {
|
||||
sessionKey = claims.LoginMethod + ":" + userID
|
||||
}
|
||||
go memorystore.Provider.DeleteUserSession(sessionKey, claims.Nonce)
|
||||
|
||||
expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()
|
||||
if expiresIn <= 0 {
|
||||
@@ -93,12 +97,12 @@ func SessionResolver(ctx context.Context, params *model.SessionQueryInput) (*mod
|
||||
}
|
||||
|
||||
cookie.SetSession(gc, authToken.FingerPrintHash)
|
||||
memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
|
||||
memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
|
||||
memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
|
||||
memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
|
||||
|
||||
if authToken.RefreshToken != nil {
|
||||
res.RefreshToken = &authToken.RefreshToken.Token
|
||||
memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
|
||||
memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
|
||||
}
|
||||
return res, nil
|
||||
}
|
||||
|
||||
@@ -157,7 +157,7 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
|
||||
user.Picture = params.Picture
|
||||
}
|
||||
|
||||
user.SignupMethods = constants.SignupMethodBasicAuth
|
||||
user.SignupMethods = constants.AuthRecipeMethodBasicAuth
|
||||
isEmailVerificationDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification)
|
||||
if err != nil {
|
||||
log.Debug("Error getting email verification disabled: ", err)
|
||||
@@ -219,7 +219,7 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
|
||||
scope = params.Scope
|
||||
}
|
||||
|
||||
authToken, err := token.CreateAuthToken(gc, user, roles, scope)
|
||||
authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth)
|
||||
if err != nil {
|
||||
log.Debug("Failed to create auth token: ", err)
|
||||
return res, err
|
||||
@@ -243,13 +243,14 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
|
||||
User: userToReturn,
|
||||
}
|
||||
|
||||
sessionKey := constants.AuthRecipeMethodBasicAuth + ":" + user.ID
|
||||
cookie.SetSession(gc, authToken.FingerPrintHash)
|
||||
memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
|
||||
memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
|
||||
memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
|
||||
memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
|
||||
|
||||
if authToken.RefreshToken != nil {
|
||||
res.RefreshToken = &authToken.RefreshToken.Token
|
||||
memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
|
||||
memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -50,7 +50,12 @@ func ValidateJwtTokenResolver(ctx context.Context, params model.ValidateJWTToken
|
||||
// access_token and refresh_token should be validated from session store as well
|
||||
if tokenType == constants.TokenTypeAccessToken || tokenType == constants.TokenTypeRefreshToken {
|
||||
nonce = claims["nonce"].(string)
|
||||
token, err := memorystore.Provider.GetUserSession(userID, tokenType+"_"+claims["nonce"].(string))
|
||||
loginMethod := claims["login_method"]
|
||||
sessionKey := userID
|
||||
if loginMethod != nil && loginMethod != "" {
|
||||
sessionKey = loginMethod.(string) + ":" + userID
|
||||
}
|
||||
token, err := memorystore.Provider.GetUserSession(sessionKey, tokenType+"_"+claims["nonce"].(string))
|
||||
if err != nil || token == "" {
|
||||
log.Debug("Failed to get user session: ", err)
|
||||
return nil, errors.New("invalid token")
|
||||
|
||||
@@ -73,9 +73,14 @@ func VerifyEmailResolver(ctx context.Context, params model.VerifyEmailInput) (*m
|
||||
return res, err
|
||||
}
|
||||
|
||||
loginMethod := constants.AuthRecipeMethodBasicAuth
|
||||
if loginMethod == constants.VerificationTypeMagicLinkLogin {
|
||||
loginMethod = constants.AuthRecipeMethodMagicLinkLogin
|
||||
}
|
||||
|
||||
roles := strings.Split(user.Roles, ",")
|
||||
scope := []string{"openid", "email", "profile"}
|
||||
authToken, err := token.CreateAuthToken(gc, user, roles, scope)
|
||||
authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod)
|
||||
if err != nil {
|
||||
log.Debug("Failed to create auth token: ", err)
|
||||
return res, err
|
||||
@@ -100,13 +105,14 @@ func VerifyEmailResolver(ctx context.Context, params model.VerifyEmailInput) (*m
|
||||
User: user.AsAPIUser(),
|
||||
}
|
||||
|
||||
sessionKey := loginMethod + ":" + user.ID
|
||||
cookie.SetSession(gc, authToken.FingerPrintHash)
|
||||
memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
|
||||
memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
|
||||
memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
|
||||
memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
|
||||
|
||||
if authToken.RefreshToken != nil {
|
||||
res.RefreshToken = &authToken.RefreshToken.Token
|
||||
memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
|
||||
memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
|
||||
}
|
||||
return res, nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user