Merge branch 'main' of https://github.com/authorizerdev/authorizer into feat/casandra-db

server/constants/env.go

@@ -16,11 +16,12 @@ const (
 	// EnvKeyEnvPath key for cli arg variable ENV_PATH
 	EnvKeyEnvPath = "ENV_PATH"
 	// EnvKeyAuthorizerURL key for env variable AUTHORIZER_URL
-	// TODO: remove support AUTHORIZER_URL env
 	EnvKeyAuthorizerURL = "AUTHORIZER_URL"
 	// EnvKeyPort key for env variable PORT
 	EnvKeyPort = "PORT"
 
+	// EnvKeyAccessTokenExpiryTime key for env variable ACCESS_TOKEN_EXPIRY_TIME
+	EnvKeyAccessTokenExpiryTime = "ACCESS_TOKEN_EXPIRY_TIME"
 	// EnvKeyAdminSecret key for env variable ADMIN_SECRET
 	EnvKeyAdminSecret = "ADMIN_SECRET"
 	// EnvKeyDatabaseType key for env variable DATABASE_TYPE

server/db/models/user.go

@@ -27,6 +27,7 @@ type User struct {
 	Roles                 string  `json:"roles" bson:"roles" cql:"roles"`
 	UpdatedAt             int64   `json:"updated_at" bson:"updated_at" cql:"updated_at"`
 	CreatedAt             int64   `json:"created_at" bson:"created_at" cql:"created_at"`
+	RevokedTimestamp      *int64  `json:"revoked_timestamp" bson:"revoked_timestamp" cql:"revoked_timestamp"`
 }
 
 func (user *User) AsAPIUser() *model.User {
@@ -35,6 +36,7 @@ func (user *User) AsAPIUser() *model.User {
 	email := user.Email
 	createdAt := user.CreatedAt
 	updatedAt := user.UpdatedAt
+	revokedTimestamp := user.RevokedTimestamp
 	return &model.User{
 		ID:                  user.ID,
 		Email:               user.Email,
@@ -53,5 +55,6 @@ func (user *User) AsAPIUser() *model.User {
 		Roles:               strings.Split(user.Roles, ","),
 		CreatedAt:           &createdAt,
 		UpdatedAt:           &updatedAt,
+		RevokedTimestamp:    revokedTimestamp,
 	}
 }

server/db/models/verification_requests.go

@@ -4,14 +4,14 @@ import "github.com/authorizerdev/authorizer/server/graph/model"
 
 // VerificationRequest model for db
 type VerificationRequest struct {
-	Key         string `json:"_key,omitempty" bson:"_key,omitempty" cql:"_key,omitempty"` // for arangodb
+	Key         string `json:"_key,omitempty" bson:"_key" cql:"_key,omitempty"` // for arangodb
 	ID          string `gorm:"primaryKey;type:char(36)" json:"_id" bson:"_id" cql:"id"`
 	Token       string `gorm:"type:text" json:"token" bson:"token" cql:"token"`
-	Identifier  string `gorm:"uniqueIndex:idx_email_identifier" json:"identifier" bson:"identifier" cql:"identifier"`
+	Identifier  string `gorm:"uniqueIndex:idx_email_identifier;type:varchar(64)" json:"identifier" bson:"identifier" cql:"identifier"`
 	ExpiresAt   int64  `json:"expires_at" bson:"expires_at" cql:"expires_at"`
 	CreatedAt   int64  `json:"created_at" bson:"created_at" cql:"created_at"`
 	UpdatedAt   int64  `json:"updated_at" bson:"updated_at" cql:"updated_at"`
-	Email       string `gorm:"uniqueIndex:idx_email_identifier" json:"email" bson:"email" cql:"email"`
+	Email       string `gorm:"uniqueIndex:idx_email_identifier;type:varchar(256)" json:"email" bson:"email" cql:"email"`
 	Nonce       string `gorm:"type:text" json:"nonce" bson:"nonce" cql:"nonce"`
 	RedirectURI string `gorm:"type:text" json:"redirect_uri" bson:"redirect_uri" cql:"redirect_uri"`
 }

server/env/env.go

@@ -113,6 +113,10 @@ func InitAllEnv() error {
 		envData.StringEnv[constants.EnvKeyAppURL] = os.Getenv(constants.EnvKeyAppURL)
 	}
 
+	if envData.StringEnv[constants.EnvKeyAuthorizerURL] == "" {
+		envData.StringEnv[constants.EnvKeyAuthorizerURL] = os.Getenv(constants.EnvKeyAuthorizerURL)
+	}
+
 	if envData.StringEnv[constants.EnvKeyPort] == "" {
 		envData.StringEnv[constants.EnvKeyPort] = os.Getenv(constants.EnvKeyPort)
 		if envData.StringEnv[constants.EnvKeyPort] == "" {
@@ -120,6 +124,13 @@ func InitAllEnv() error {
 		}
 	}
 
+	if envData.StringEnv[constants.EnvKeyAccessTokenExpiryTime] == "" {
+		envData.StringEnv[constants.EnvKeyAccessTokenExpiryTime] = os.Getenv(constants.EnvKeyAccessTokenExpiryTime)
+		if envData.StringEnv[constants.EnvKeyAccessTokenExpiryTime] == "" {
+			envData.StringEnv[constants.EnvKeyAccessTokenExpiryTime] = "30m"
+		}
+	}
+
 	if envData.StringEnv[constants.EnvKeyAdminSecret] == "" {
 		envData.StringEnv[constants.EnvKeyAdminSecret] = os.Getenv(constants.EnvKeyAdminSecret)
 	}

server/env/persist_env.go

@@ -165,6 +165,7 @@ func PersistEnv() error {
 				hasChanged = true
 			}
 		}
+
 		envstore.EnvStoreObj.UpdateEnvStore(storeData)
 		jwk, err := crypto.GenerateJWKBasedOnEnv()
 		if err != nil {

server/graph/model/models_gen.go

@@ -24,6 +24,7 @@ type DeleteUserInput struct {
 }
 
 type Env struct {
+	AccessTokenExpiryTime      *string  `json:"ACCESS_TOKEN_EXPIRY_TIME"`
 	AdminSecret                *string  `json:"ADMIN_SECRET"`
 	DatabaseName               string   `json:"DATABASE_NAME"`
 	DatabaseURL                string   `json:"DATABASE_URL"`
@@ -75,6 +76,16 @@ type ForgotPasswordInput struct {
 	RedirectURI *string `json:"redirect_uri"`
 }
 
+type GenerateJWTKeysInput struct {
+	Type string `json:"type"`
+}
+
+type GenerateJWTKeysResponse struct {
+	Secret     *string `json:"secret"`
+	PublicKey  *string `json:"public_key"`
+	PrivateKey *string `json:"private_key"`
+}
+
 type InviteMemberInput struct {
 	Emails      []string `json:"emails"`
 	RedirectURI *string  `json:"redirect_uri"`
@@ -164,7 +175,12 @@ type SignUpInput struct {
 	RedirectURI     *string  `json:"redirect_uri"`
 }
 
+type UpdateAccessInput struct {
+	UserID string `json:"user_id"`
+}
+
 type UpdateEnvInput struct {
+	AccessTokenExpiryTime      *string  `json:"ACCESS_TOKEN_EXPIRY_TIME"`
 	AdminSecret                *string  `json:"ADMIN_SECRET"`
 	CustomAccessTokenScript    *string  `json:"CUSTOM_ACCESS_TOKEN_SCRIPT"`
 	OldAdminSecret             *string  `json:"OLD_ADMIN_SECRET"`
@@ -249,6 +265,7 @@ type User struct {
 	Roles               []string `json:"roles"`
 	CreatedAt           *int64   `json:"created_at"`
 	UpdatedAt           *int64   `json:"updated_at"`
+	RevokedTimestamp    *int64   `json:"revoked_timestamp"`
 }
 
 type Users struct {
@@ -256,6 +273,16 @@ type Users struct {
 	Users      []*User     `json:"users"`
 }
 
+type ValidateJWTTokenInput struct {
+	TokenType string   `json:"token_type"`
+	Token     string   `json:"token"`
+	Roles     []string `json:"roles"`
+}
+
+type ValidateJWTTokenResponse struct {
+	IsValid bool `json:"is_valid"`
+}
+
 type VerificationRequest struct {
 	ID          string  `json:"id"`
 	Identifier  *string `json:"identifier"`

server/graph/schema.graphqls

@@ -43,6 +43,7 @@ type User {
 	roles: [String!]!
 	created_at: Int64
 	updated_at: Int64
+	revoked_timestamp: Int64
 }
 
 type Users {
@@ -86,6 +87,7 @@ type Response {
 }
 
 type Env {
+	ACCESS_TOKEN_EXPIRY_TIME: String
 	ADMIN_SECRET: String
 	DATABASE_NAME: String!
 	DATABASE_URL: String!
@@ -126,7 +128,18 @@ type Env {
 	ORGANIZATION_LOGO: String
 }
 
+type ValidateJWTTokenResponse {
+	is_valid: Boolean!
+}
+
+type GenerateJWTKeysResponse {
+	secret: String
+	public_key: String
+	private_key: String
+}
+
 input UpdateEnvInput {
+	ACCESS_TOKEN_EXPIRY_TIME: String
 	ADMIN_SECRET: String
 	CUSTOM_ACCESS_TOKEN_SCRIPT: String
 	OLD_ADMIN_SECRET: String
@@ -281,6 +294,20 @@ input InviteMemberInput {
 	redirect_uri: String
 }
 
+input UpdateAccessInput {
+	user_id: String!
+}
+
+input ValidateJWTTokenInput {
+	token_type: String!
+	token: String!
+	roles: [String!]
+}
+
+input GenerateJWTKeysInput {
+	type: String!
+}
+
 type Mutation {
 	signup(params: SignUpInput!): AuthResponse!
 	login(params: LoginInput!): AuthResponse!
@@ -300,12 +327,16 @@ type Mutation {
 	_admin_logout: Response!
 	_update_env(params: UpdateEnvInput!): Response!
 	_invite_members(params: InviteMemberInput!): Response!
+	_revoke_access(param: UpdateAccessInput!): Response!
+	_enable_access(param: UpdateAccessInput!): Response!
+	_generate_jwt_keys(params: GenerateJWTKeysInput!): GenerateJWTKeysResponse!
 }
 
 type Query {
 	meta: Meta!
 	session(params: SessionQueryInput): AuthResponse!
 	profile: User!
+	validate_jwt_token(params: ValidateJWTTokenInput!): ValidateJWTTokenResponse!
 	# admin only apis
 	_users(params: PaginatedInput): Users!
 	_verification_requests(params: PaginatedInput): VerificationRequests!

server/graph/schema.resolvers.go

@@ -79,6 +79,18 @@ func (r *mutationResolver) InviteMembers(ctx context.Context, params model.Invit
 	return resolvers.InviteMembersResolver(ctx, params)
 }
 
+func (r *mutationResolver) RevokeAccess(ctx context.Context, param model.UpdateAccessInput) (*model.Response, error) {
+	return resolvers.RevokeAccessResolver(ctx, param)
+}
+
+func (r *mutationResolver) EnableAccess(ctx context.Context, param model.UpdateAccessInput) (*model.Response, error) {
+	return resolvers.EnableAccessResolver(ctx, param)
+}
+
+func (r *mutationResolver) GenerateJwtKeys(ctx context.Context, params model.GenerateJWTKeysInput) (*model.GenerateJWTKeysResponse, error) {
+	return resolvers.GenerateJWTKeysResolver(ctx, params)
+}
+
 func (r *queryResolver) Meta(ctx context.Context) (*model.Meta, error) {
 	return resolvers.MetaResolver(ctx)
 }
@@ -91,6 +103,10 @@ func (r *queryResolver) Profile(ctx context.Context) (*model.User, error) {
 	return resolvers.ProfileResolver(ctx)
 }
 
+func (r *queryResolver) ValidateJwtToken(ctx context.Context, params model.ValidateJWTTokenInput) (*model.ValidateJWTTokenResponse, error) {
+	return resolvers.ValidateJwtTokenResolver(ctx, params)
+}
+
 func (r *queryResolver) Users(ctx context.Context, params *model.PaginatedInput) (*model.Users, error) {
 	return resolvers.UsersResolver(ctx, params)
 }

server/handlers/authorize.go

@@ -1,10 +1,10 @@
 package handlers
 
 import (
-	"fmt"
 	"net/http"
 	"strconv"
 	"strings"
+	"time"
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/cookie"
@@ -51,8 +51,6 @@ func AuthorizeHandler() gin.HandlerFunc {
 			gc.JSON(400, gin.H{"error": "invalid response mode"})
 		}
 
-		fmt.Println("=> redirect URI:", redirectURI)
-		fmt.Println("=> state:", state)
 		if redirectURI == "" {
 			redirectURI = "/app"
 		}
@@ -279,7 +277,11 @@ func AuthorizeHandler() gin.HandlerFunc {
 			sessionstore.SetState(authToken.FingerPrintHash, authToken.FingerPrint+"@"+user.ID)
 			sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
 			cookie.SetSession(gc, authToken.FingerPrintHash)
-			expiresIn := int64(1800)
+
+			expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()
+			if expiresIn <= 0 {
+				expiresIn = 1
+			}
 
 			// used of query mode
 			params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + state + "&id_token=" + authToken.IDToken.Token

server/handlers/oauth_callback.go

@@ -95,9 +95,12 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 			user.EmailVerifiedAt = &now
 			user, _ = db.Provider.AddUser(user)
 		} else {
+			if user.RevokedTimestamp != nil {
+				c.JSON(400, gin.H{"error": "user access has been revoked"})
+			}
+
 			// user exists in db, check if method was google
 			// if not append google to existing signup method and save it
-
 			signupMethod := existingUser.SignupMethods
 			if !strings.Contains(signupMethod, provider) {
 				signupMethod = signupMethod + "," + provider
@@ -154,7 +157,12 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 		if err != nil {
 			c.JSON(500, gin.H{"error": err.Error()})
 		}
-		expiresIn := int64(1800)
+
+		expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()
+		if expiresIn <= 0 {
+			expiresIn = 1
+		}
+
 		params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + stateValue + "&id_token=" + authToken.IDToken.Token
 
 		cookie.SetSession(c, authToken.FingerPrintHash)

server/handlers/token.go

@@ -5,6 +5,7 @@ import (
 	"encoding/base64"
 	"net/http"
 	"strings"
+	"time"
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/cookie"
@@ -174,7 +175,11 @@ func TokenHandler() gin.HandlerFunc {
 		sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
 		cookie.SetSession(gc, authToken.FingerPrintHash)
 
-		expiresIn := int64(1800)
+		expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()
+		if expiresIn <= 0 {
+			expiresIn = 1
+		}
+
 		res := map[string]interface{}{
 			"access_token": authToken.AccessToken.Token,
 			"id_token":     authToken.IDToken.Token,

server/handlers/verify_email.go

@@ -82,7 +82,12 @@ func VerifyEmailHandler() gin.HandlerFunc {
 			c.JSON(500, errorRes)
 			return
 		}
-		expiresIn := int64(1800)
+
+		expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()
+		if expiresIn <= 0 {
+			expiresIn = 1
+		}
+
 		params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + state + "&id_token=" + authToken.IDToken.Token
 
 		cookie.SetSession(c, authToken.FingerPrintHash)

server/middlewares/cors.go

@@ -15,7 +15,7 @@ func CORSMiddleware() gin.HandlerFunc {
 		}
 
 		c.Writer.Header().Set("Access-Control-Allow-Credentials", "true")
-		c.Writer.Header().Set("Access-Control-Allow-Headers", "Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, accept, origin, Cache-Control, X-Requested-With")
+		c.Writer.Header().Set("Access-Control-Allow-Headers", "Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, accept, origin, Cache-Control, X-Requested-With,  X-authorizer-url")
 		c.Writer.Header().Set("Access-Control-Allow-Methods", "POST, OPTIONS, GET, PUT")
 
 		if c.Request.Method == "OPTIONS" {

server/resolvers/enable_access.go

@@ -0,0 +1,44 @@
+package resolvers
+
+import (
+	"context"
+	"fmt"
+	"log"
+
+	"github.com/authorizerdev/authorizer/server/db"
+	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/token"
+	"github.com/authorizerdev/authorizer/server/utils"
+)
+
+// EnableAccessResolver is a resolver for enabling user access
+func EnableAccessResolver(ctx context.Context, params model.UpdateAccessInput) (*model.Response, error) {
+	gc, err := utils.GinContextFromContext(ctx)
+	var res *model.Response
+	if err != nil {
+		return res, err
+	}
+
+	if !token.IsSuperAdmin(gc) {
+		return res, fmt.Errorf("unauthorized")
+	}
+
+	user, err := db.Provider.GetUserByID(params.UserID)
+	if err != nil {
+		return res, err
+	}
+
+	user.RevokedTimestamp = nil
+
+	user, err = db.Provider.UpdateUser(user)
+	if err != nil {
+		log.Println("error updating user:", err)
+		return res, err
+	}
+
+	res = &model.Response{
+		Message: `user access enabled successfully`,
+	}
+
+	return res, nil
+}

server/resolvers/env.go

@@ -27,6 +27,7 @@ func EnvResolver(ctx context.Context) (*model.Env, error) {
 
 	// get clone of store
 	store := envstore.EnvStoreObj.GetEnvStoreClone()
+	accessTokenExpiryTime := store.StringEnv[constants.EnvKeyAccessTokenExpiryTime]
 	adminSecret := store.StringEnv[constants.EnvKeyAdminSecret]
 	clientID := store.StringEnv[constants.EnvKeyClientID]
 	clientSecret := store.StringEnv[constants.EnvKeyClientSecret]
@@ -66,7 +67,12 @@ func EnvResolver(ctx context.Context) (*model.Env, error) {
 	organizationName := store.StringEnv[constants.EnvKeyOrganizationName]
 	organizationLogo := store.StringEnv[constants.EnvKeyOrganizationLogo]
 
+	if accessTokenExpiryTime == "" {
+		accessTokenExpiryTime = "30m"
+	}
+
 	res = &model.Env{
+		AccessTokenExpiryTime:      &accessTokenExpiryTime,
 		AdminSecret:                &adminSecret,
 		DatabaseName:               databaseName,
 		DatabaseURL:                databaseURL,

server/resolvers/generate_jwt_keys.go

@@ -0,0 +1,60 @@
+package resolvers
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/crypto"
+	"github.com/authorizerdev/authorizer/server/envstore"
+	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/token"
+	"github.com/authorizerdev/authorizer/server/utils"
+)
+
+// GenerateJWTKeysResolver mutation to generate new jwt keys
+func GenerateJWTKeysResolver(ctx context.Context, params model.GenerateJWTKeysInput) (*model.GenerateJWTKeysResponse, error) {
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	if !token.IsSuperAdmin(gc) {
+		return nil, fmt.Errorf("unauthorized")
+	}
+
+	clientID := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyClientID)
+	if crypto.IsHMACA(params.Type) {
+		secret, _, err := crypto.NewHMACKey(params.Type, clientID)
+		if err != nil {
+			return nil, err
+		}
+		return &model.GenerateJWTKeysResponse{
+			Secret: &secret,
+		}, nil
+	}
+
+	if crypto.IsRSA(params.Type) {
+		_, privateKey, publicKey, _, err := crypto.NewRSAKey(params.Type, clientID)
+		if err != nil {
+			return nil, err
+		}
+		return &model.GenerateJWTKeysResponse{
+			PrivateKey: &privateKey,
+			PublicKey:  &publicKey,
+		}, nil
+	}
+
+	if crypto.IsECDSA(params.Type) {
+		_, privateKey, publicKey, _, err := crypto.NewECDSAKey(params.Type, clientID)
+		if err != nil {
+			return nil, err
+		}
+		return &model.GenerateJWTKeysResponse{
+			PrivateKey: &privateKey,
+			PublicKey:  &publicKey,
+		}, nil
+	}
+
+	return nil, fmt.Errorf("invalid algorithm")
+}

server/resolvers/login.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"log"
 	"strings"
+	"time"
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/cookie"
@@ -35,6 +36,10 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 		return res, fmt.Errorf(`user with this email not found`)
 	}
 
+	if user.RevokedTimestamp != nil {
+		return res, fmt.Errorf(`user access has been revoked`)
+	}
+
 	if !strings.Contains(user.SignupMethods, constants.SignupMethodBasicAuth) {
 		return res, fmt.Errorf(`user has not signed up email & password`)
 	}
@@ -69,7 +74,11 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 		return res, err
 	}
 
-	expiresIn := int64(1800)
+	expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()
+	if expiresIn <= 0 {
+		expiresIn = 1
+	}
+
 	res = &model.AuthResponse{
 		Message:     `Logged in successfully`,
 		AccessToken: &authToken.AccessToken.Token,

server/resolvers/magic_link_login.go

@@ -70,6 +70,10 @@ func MagicLinkLoginResolver(ctx context.Context, params model.MagicLinkLoginInpu
 		// 2. user has not signed up for one of the available role but trying to signup.
 		// 		Need to modify roles in this case
 
+		if user.RevokedTimestamp != nil {
+			return res, fmt.Errorf(`user access has been revoked`)
+		}
+
 		// find the unassigned roles
 		if len(params.Roles) <= 0 {
 			inputRoles = envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles)

server/resolvers/revoke_access.go

@@ -0,0 +1,49 @@
+package resolvers
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"time"
+
+	"github.com/authorizerdev/authorizer/server/db"
+	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/token"
+	"github.com/authorizerdev/authorizer/server/utils"
+)
+
+// RevokeAccessResolver is a resolver for revoking user access
+func RevokeAccessResolver(ctx context.Context, params model.UpdateAccessInput) (*model.Response, error) {
+	gc, err := utils.GinContextFromContext(ctx)
+	var res *model.Response
+	if err != nil {
+		return res, err
+	}
+
+	if !token.IsSuperAdmin(gc) {
+		return res, fmt.Errorf("unauthorized")
+	}
+
+	user, err := db.Provider.GetUserByID(params.UserID)
+	if err != nil {
+		return res, err
+	}
+
+	now := time.Now().Unix()
+	user.RevokedTimestamp = &now
+
+	user, err = db.Provider.UpdateUser(user)
+	if err != nil {
+		log.Println("error updating user:", err)
+		return res, err
+	}
+
+	go sessionstore.DeleteAllUserSession(fmt.Sprintf("%x", user.ID))
+
+	res = &model.Response{
+		Message: `user access revoked successfully`,
+	}
+
+	return res, nil
+}

server/resolvers/session.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"log"
+	"time"
 
 	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
@@ -73,7 +74,11 @@ func SessionResolver(ctx context.Context, params *model.SessionQueryInput) (*mod
 	sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
 	cookie.SetSession(gc, authToken.FingerPrintHash)
 
-	expiresIn := int64(1800)
+	expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()
+	if expiresIn <= 0 {
+		expiresIn = 1
+	}
+
 	res = &model.AuthResponse{
 		Message:     `Session token refreshed`,
 		AccessToken: &authToken.AccessToken.Token,

server/resolvers/signup.go

@@ -176,7 +176,10 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 		cookie.SetSession(gc, authToken.FingerPrintHash)
 		go utils.SaveSessionInDB(gc, user.ID)
 
-		expiresIn := int64(1800)
+		expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()
+		if expiresIn <= 0 {
+			expiresIn = 1
+		}
 
 		res = &model.AuthResponse{
 			Message:     `Signed up successfully.`,

server/resolvers/update_env.go

@@ -53,11 +53,19 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model
 	}
 
 	if isJWTUpdated {
+		// use to reset when type is changed from rsa, edsa -> hmac or vice a versa
+		defaultSecret := ""
+		defaultPublicKey := ""
+		defaultPrivateKey := ""
 		// check if jwt secret is provided
 		if crypto.IsHMACA(algo) {
 			if params.JwtSecret == nil {
 				return res, fmt.Errorf("jwt secret is required for HMAC algorithm")
 			}
+
+			// reset public key and private key
+			params.JwtPrivateKey = &defaultPrivateKey
+			params.JwtPublicKey = &defaultPublicKey
 		}
 
 		if crypto.IsRSA(algo) {
@@ -65,6 +73,8 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model
 				return res, fmt.Errorf("jwt private and public key is required for RSA (PKCS1) / ECDSA algorithm")
 			}
 
+			// reset the jwt secret
+			params.JwtSecret = &defaultSecret
 			_, err = crypto.ParseRsaPrivateKeyFromPemStr(*params.JwtPrivateKey)
 			if err != nil {
 				return res, err
@@ -81,6 +91,8 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model
 				return res, fmt.Errorf("jwt private and public key is required for RSA (PKCS1) / ECDSA algorithm")
 			}
 
+			// reset the jwt secret
+			params.JwtSecret = &defaultSecret
 			_, err = crypto.ParseEcdsaPrivateKeyFromPemStr(*params.JwtPrivateKey)
 			if err != nil {
 				return res, err

server/resolvers/validate_jwt_token.go

@@ -0,0 +1,86 @@
+package resolvers
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/token"
+	"github.com/authorizerdev/authorizer/server/utils"
+	"github.com/golang-jwt/jwt"
+)
+
+// ValidateJwtTokenResolver is used to validate a jwt token without its rotation
+// this can be used at API level (backend)
+// it can validate:
+// access_token
+// id_token
+// refresh_token
+func ValidateJwtTokenResolver(ctx context.Context, params model.ValidateJWTTokenInput) (*model.ValidateJWTTokenResponse, error) {
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	tokenType := params.TokenType
+	if tokenType != "access_token" && tokenType != "refresh_token" && tokenType != "id_token" {
+		return nil, errors.New("invalid token type")
+	}
+
+	userID := ""
+	nonce := ""
+	// access_token and refresh_token should be validated from session store as well
+	if tokenType == "access_token" || tokenType == "refresh_token" {
+		savedSession := sessionstore.GetState(params.Token)
+		if savedSession == "" {
+			return &model.ValidateJWTTokenResponse{
+				IsValid: false,
+			}, nil
+		}
+		savedSessionSplit := strings.Split(savedSession, "@")
+		nonce = savedSessionSplit[0]
+		userID = savedSessionSplit[1]
+	}
+
+	hostname := utils.GetHost(gc)
+	var claimRoles []string
+	var claims jwt.MapClaims
+
+	// we cannot validate sub and nonce in case of id_token as that token is not persisted in session store
+	if userID != "" && nonce != "" {
+		claims, err = token.ParseJWTToken(params.Token, hostname, nonce, userID)
+		if err != nil {
+			return &model.ValidateJWTTokenResponse{
+				IsValid: false,
+			}, nil
+		}
+	} else {
+		claims, err = token.ParseJWTTokenWithoutNonce(params.Token, hostname)
+		if err != nil {
+			return &model.ValidateJWTTokenResponse{
+				IsValid: false,
+			}, nil
+		}
+
+	}
+
+	claimRolesInterface := claims["roles"]
+	roleSlice := utils.ConvertInterfaceToSlice(claimRolesInterface)
+	for _, v := range roleSlice {
+		claimRoles = append(claimRoles, v.(string))
+	}
+
+	if params.Roles != nil && len(params.Roles) > 0 {
+		for _, v := range params.Roles {
+			if !utils.StringSliceContains(claimRoles, v) {
+				return nil, fmt.Errorf(`unauthorized`)
+			}
+		}
+	}
+	return &model.ValidateJWTTokenResponse{
+		IsValid: true,
+	}, nil
+}

server/resolvers/verify_email.go

@@ -64,7 +64,11 @@ func VerifyEmailResolver(ctx context.Context, params model.VerifyEmailInput) (*m
 	cookie.SetSession(gc, authToken.FingerPrintHash)
 	go utils.SaveSessionInDB(gc, user.ID)
 
-	expiresIn := int64(1800)
+	expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()
+	if expiresIn <= 0 {
+		expiresIn = 1
+	}
+
 	res = &model.AuthResponse{
 		Message:     `Email verified successfully.`,
 		AccessToken: &authToken.AccessToken.Token,

server/test/enable_access_test.go

@@ -0,0 +1,57 @@
+package test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/crypto"
+	"github.com/authorizerdev/authorizer/server/db"
+	"github.com/authorizerdev/authorizer/server/envstore"
+	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/resolvers"
+	"github.com/stretchr/testify/assert"
+)
+
+func enableAccessTest(t *testing.T, s TestSetup) {
+	t.Helper()
+	t.Run(`should revoke access`, func(t *testing.T) {
+		req, ctx := createContext(s)
+		email := "revoke_access." + s.TestInfo.Email
+		_, err := resolvers.MagicLinkLoginResolver(ctx, model.MagicLinkLoginInput{
+			Email: email,
+		})
+		assert.NoError(t, err)
+		verificationRequest, err := db.Provider.GetVerificationRequestByEmail(email, constants.VerificationTypeMagicLinkLogin)
+		verifyRes, err := resolvers.VerifyEmailResolver(ctx, model.VerifyEmailInput{
+			Token: verificationRequest.Token,
+		})
+		assert.NoError(t, err)
+		assert.NotNil(t, verifyRes.AccessToken)
+
+		h, err := crypto.EncryptPassword(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))
+		assert.Nil(t, err)
+		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), h))
+
+		res, err := resolvers.RevokeAccessResolver(ctx, model.UpdateAccessInput{
+			UserID: verifyRes.User.ID,
+		})
+		assert.NoError(t, err)
+		assert.NotEmpty(t, res.Message)
+
+		res, err = resolvers.EnableAccessResolver(ctx, model.UpdateAccessInput{
+			UserID: verifyRes.User.ID,
+		})
+		assert.NoError(t, err)
+		assert.NotEmpty(t, res.Message)
+
+		// it should allow login with revoked access
+		res, err = resolvers.MagicLinkLoginResolver(ctx, model.MagicLinkLoginInput{
+			Email: email,
+		})
+		assert.Nil(t, err)
+		assert.NotEmpty(t, res.Message)
+
+		cleanData(email)
+	})
+}

server/test/generate_jwt_keys_test.go

@@ -0,0 +1,62 @@
+package test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/crypto"
+	"github.com/authorizerdev/authorizer/server/envstore"
+	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/resolvers"
+	"github.com/stretchr/testify/assert"
+)
+
+func generateJWTkeyTest(t *testing.T, s TestSetup) {
+	t.Helper()
+	req, ctx := createContext(s)
+	t.Run(`generate_jwt_keys`, func(t *testing.T) {
+		t.Run(`should throw unauthorized`, func(t *testing.T) {
+			res, err := resolvers.GenerateJWTKeysResolver(ctx, model.GenerateJWTKeysInput{
+				Type: "HS256",
+			})
+			assert.Error(t, err)
+			assert.Nil(t, res)
+		})
+		t.Run(`should throw invalid`, func(t *testing.T) {
+			res, err := resolvers.GenerateJWTKeysResolver(ctx, model.GenerateJWTKeysInput{
+				Type: "test",
+			})
+			assert.Error(t, err)
+			assert.Nil(t, res)
+		})
+		h, err := crypto.EncryptPassword(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))
+		assert.Nil(t, err)
+		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), h))
+		t.Run(`should generate HS256 secret`, func(t *testing.T) {
+			res, err := resolvers.GenerateJWTKeysResolver(ctx, model.GenerateJWTKeysInput{
+				Type: "HS256",
+			})
+			assert.NoError(t, err)
+			assert.NotEmpty(t, res.Secret)
+		})
+
+		t.Run(`should generate RS256 secret`, func(t *testing.T) {
+			res, err := resolvers.GenerateJWTKeysResolver(ctx, model.GenerateJWTKeysInput{
+				Type: "RS256",
+			})
+			assert.NoError(t, err)
+			assert.NotEmpty(t, res.PrivateKey)
+			assert.NotEmpty(t, res.PublicKey)
+		})
+
+		t.Run(`should generate ES256 secret`, func(t *testing.T) {
+			res, err := resolvers.GenerateJWTKeysResolver(ctx, model.GenerateJWTKeysInput{
+				Type: "ES256",
+			})
+			assert.NoError(t, err)
+			assert.NotEmpty(t, res.PrivateKey)
+			assert.NotEmpty(t, res.PublicKey)
+		})
+	})
+}

server/test/resolvers_test.go

@@ -48,6 +48,9 @@ func TestResolvers(t *testing.T) {
 			adminSessionTests(t, s)
 			updateEnvTests(t, s)
 			envTests(t, s)
+			revokeAccessTest(t, s)
+			enableAccessTest(t, s)
+			generateJWTkeyTest(t, s)
 
 			// user tests
 			loginTests(t, s)
@@ -63,6 +66,7 @@ func TestResolvers(t *testing.T) {
 			logoutTests(t, s)
 			metaTests(t, s)
 			inviteUserTest(t, s)
+			validateJwtTokenTest(t, s)
 		})
 	}
 }

server/test/revoke_access_test.go

@@ -0,0 +1,54 @@
+package test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/crypto"
+	"github.com/authorizerdev/authorizer/server/db"
+	"github.com/authorizerdev/authorizer/server/envstore"
+	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/resolvers"
+	"github.com/stretchr/testify/assert"
+)
+
+func revokeAccessTest(t *testing.T, s TestSetup) {
+	t.Helper()
+	t.Run(`should revoke access`, func(t *testing.T) {
+		req, ctx := createContext(s)
+		email := "revoke_access." + s.TestInfo.Email
+		_, err := resolvers.MagicLinkLoginResolver(ctx, model.MagicLinkLoginInput{
+			Email: email,
+		})
+		assert.NoError(t, err)
+		verificationRequest, err := db.Provider.GetVerificationRequestByEmail(email, constants.VerificationTypeMagicLinkLogin)
+		verifyRes, err := resolvers.VerifyEmailResolver(ctx, model.VerifyEmailInput{
+			Token: verificationRequest.Token,
+		})
+		assert.NoError(t, err)
+		assert.NotNil(t, verifyRes.AccessToken)
+
+		res, err := resolvers.RevokeAccessResolver(ctx, model.UpdateAccessInput{
+			UserID: verifyRes.User.ID,
+		})
+		assert.Error(t, err)
+
+		h, err := crypto.EncryptPassword(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))
+		assert.Nil(t, err)
+		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), h))
+
+		res, err = resolvers.RevokeAccessResolver(ctx, model.UpdateAccessInput{
+			UserID: verifyRes.User.ID,
+		})
+		assert.NoError(t, err)
+		assert.NotEmpty(t, res.Message)
+
+		// it should not allow login with revoked access
+		_, err = resolvers.MagicLinkLoginResolver(ctx, model.MagicLinkLoginInput{
+			Email: email,
+		})
+		assert.Error(t, err)
+		cleanData(email)
+	})
+}

server/test/validate_jwt_token_test.go

@@ -0,0 +1,90 @@
+package test
+
+import (
+	"testing"
+	"time"
+
+	"github.com/authorizerdev/authorizer/server/db/models"
+	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/resolvers"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/token"
+	"github.com/authorizerdev/authorizer/server/utils"
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+)
+
+func validateJwtTokenTest(t *testing.T, s TestSetup) {
+	t.Helper()
+	_, ctx := createContext(s)
+	t.Run(`validate params`, func(t *testing.T) {
+		res, err := resolvers.ValidateJwtTokenResolver(ctx, model.ValidateJWTTokenInput{
+			TokenType: "access_token",
+			Token:     "",
+		})
+		assert.False(t, res.IsValid)
+		res, err = resolvers.ValidateJwtTokenResolver(ctx, model.ValidateJWTTokenInput{
+			TokenType: "access_token",
+			Token:     "invalid",
+		})
+		assert.False(t, res.IsValid)
+		_, err = resolvers.ValidateJwtTokenResolver(ctx, model.ValidateJWTTokenInput{
+			TokenType: "access_token_invalid",
+			Token:     "invalid@invalid",
+		})
+		assert.Error(t, err, "invalid token")
+	})
+
+	scope := []string{"openid", "email", "profile", "offline_access"}
+	user := models.User{
+		ID:        uuid.New().String(),
+		Email:     "jwt_test_" + s.TestInfo.Email,
+		Roles:     "user",
+		UpdatedAt: time.Now().Unix(),
+		CreatedAt: time.Now().Unix(),
+	}
+
+	roles := []string{"user"}
+	gc, err := utils.GinContextFromContext(ctx)
+	assert.NoError(t, err)
+	authToken, err := token.CreateAuthToken(gc, user, roles, scope)
+	sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
+	sessionstore.SetState(authToken.RefreshToken.Token, authToken.FingerPrint+"@"+user.ID)
+
+	t.Run(`should validate the access token`, func(t *testing.T) {
+		res, err := resolvers.ValidateJwtTokenResolver(ctx, model.ValidateJWTTokenInput{
+			TokenType: "access_token",
+			Token:     authToken.AccessToken.Token,
+			Roles:     []string{"user"},
+		})
+
+		assert.NoError(t, err)
+		assert.True(t, res.IsValid)
+
+		res, err = resolvers.ValidateJwtTokenResolver(ctx, model.ValidateJWTTokenInput{
+			TokenType: "access_token",
+			Token:     authToken.AccessToken.Token,
+			Roles:     []string{"invalid_role"},
+		})
+
+		assert.Error(t, err)
+	})
+
+	t.Run(`should validate the refresh token`, func(t *testing.T) {
+		res, err := resolvers.ValidateJwtTokenResolver(ctx, model.ValidateJWTTokenInput{
+			TokenType: "refresh_token",
+			Token:     authToken.RefreshToken.Token,
+		})
+		assert.NoError(t, err)
+		assert.True(t, res.IsValid)
+	})
+
+	t.Run(`should validate the id token`, func(t *testing.T) {
+		res, err := resolvers.ValidateJwtTokenResolver(ctx, model.ValidateJWTTokenInput{
+			TokenType: "id_token",
+			Token:     authToken.IDToken.Token,
+		})
+		assert.NoError(t, err)
+		assert.True(t, res.IsValid)
+	})
+}

server/token/auth_token.go

@@ -130,7 +130,11 @@ func CreateRefreshToken(user models.User, roles, scopes []string, hostname, nonc
 // CreateAccessToken util to create JWT token, based on
 // user information, roles config and CUSTOM_ACCESS_TOKEN_SCRIPT
 func CreateAccessToken(user models.User, roles, scopes []string, hostName, nonce string) (string, int64, error) {
-	expiryBound := time.Minute * 30
+	expiryBound, err := utils.ParseDurationInSeconds(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAccessTokenExpiryTime))
+	if err != nil {
+		expiryBound = time.Minute * 30
+	}
+
 	expiresAt := time.Now().Add(expiryBound).Unix()
 
 	customClaims := jwt.MapClaims{
@@ -161,7 +165,12 @@ func GetAccessToken(gc *gin.Context) (string, error) {
 		return "", fmt.Errorf(`unauthorized`)
 	}
 
-	if !strings.HasPrefix(auth, "Bearer ") {
+	authSplit := strings.Split(auth, " ")
+	if len(authSplit) != 2 {
+		return "", fmt.Errorf(`unauthorized`)
+	}
+
+	if strings.ToLower(authSplit[0]) != "bearer" {
 		return "", fmt.Errorf(`not a bearer token`)
 	}
 
@@ -277,7 +286,11 @@ func ValidateBrowserSession(gc *gin.Context, encryptedSession string) (*SessionD
 // CreateIDToken util to create JWT token, based on
 // user information, roles config and CUSTOM_ACCESS_TOKEN_SCRIPT
 func CreateIDToken(user models.User, roles []string, hostname, nonce string) (string, int64, error) {
-	expiryBound := time.Minute * 30
+	expiryBound, err := utils.ParseDurationInSeconds(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAccessTokenExpiryTime))
+	if err != nil {
+		expiryBound = time.Minute * 30
+	}
+
 	expiresAt := time.Now().Add(expiryBound).Unix()
 
 	resUser := user.AsAPIUser()
@@ -350,7 +363,12 @@ func GetIDToken(gc *gin.Context) (string, error) {
 		return "", fmt.Errorf(`unauthorized`)
 	}
 
-	if !strings.HasPrefix(auth, "Bearer ") {
+	authSplit := strings.Split(auth, " ")
+	if len(authSplit) != 2 {
+		return "", fmt.Errorf(`unauthorized`)
+	}
+
+	if strings.ToLower(authSplit[0]) != "bearer" {
 		return "", fmt.Errorf(`not a bearer token`)
 	}
 

server/token/jwt.go

@@ -105,3 +105,59 @@ func ParseJWTToken(token, hostname, nonce, subject string) (jwt.MapClaims, error
 
 	return claims, nil
 }
+
+// ParseJWTTokenWithoutNonce common util to parse jwt token without nonce
+// used to validate ID token as it is not persisted in store
+func ParseJWTTokenWithoutNonce(token, hostname string) (jwt.MapClaims, error) {
+	jwtType := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtType)
+	signingMethod := jwt.GetSigningMethod(jwtType)
+
+	var err error
+	var claims jwt.MapClaims
+
+	switch signingMethod {
+	case jwt.SigningMethodHS256, jwt.SigningMethodHS384, jwt.SigningMethodHS512:
+		_, err = jwt.ParseWithClaims(token, &claims, func(token *jwt.Token) (interface{}, error) {
+			return []byte(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtSecret)), nil
+		})
+	case jwt.SigningMethodRS256, jwt.SigningMethodRS384, jwt.SigningMethodRS512:
+		_, err = jwt.ParseWithClaims(token, &claims, func(token *jwt.Token) (interface{}, error) {
+			key, err := crypto.ParseRsaPublicKeyFromPemStr(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtPublicKey))
+			if err != nil {
+				return nil, err
+			}
+			return key, nil
+		})
+	case jwt.SigningMethodES256, jwt.SigningMethodES384, jwt.SigningMethodES512:
+		_, err = jwt.ParseWithClaims(token, &claims, func(token *jwt.Token) (interface{}, error) {
+			key, err := crypto.ParseEcdsaPublicKeyFromPemStr(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtPublicKey))
+			if err != nil {
+				return nil, err
+			}
+			return key, nil
+		})
+	default:
+		err = errors.New("unsupported signing method")
+	}
+	if err != nil {
+		return claims, err
+	}
+
+	// claim parses exp & iat into float 64 with e^10,
+	// but we expect it to be int64
+	// hence we need to assert interface and convert to int64
+	intExp := int64(claims["exp"].(float64))
+	intIat := int64(claims["iat"].(float64))
+	claims["exp"] = intExp
+	claims["iat"] = intIat
+
+	if claims["aud"] != envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyClientID) {
+		return claims, errors.New("invalid audience")
+	}
+
+	if claims["iss"] != hostname {
+		return claims, errors.New("invalid issuer")
+	}
+
+	return claims, nil
+}

server/utils/common.go

@@ -2,6 +2,7 @@ package utils
 
 import (
 	"log"
+	"reflect"
 
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/db/models"
@@ -47,3 +48,24 @@ func RemoveDuplicateString(strSlice []string) []string {
 	}
 	return list
 }
+
+// ConvertInterfaceToSlice to convert interface to slice interface
+func ConvertInterfaceToSlice(slice interface{}) []interface{} {
+	s := reflect.ValueOf(slice)
+	if s.Kind() != reflect.Slice {
+		return nil
+	}
+
+	// Keep the distinction between nil and empty slice input
+	if s.IsNil() {
+		return nil
+	}
+
+	ret := make([]interface{}, s.Len())
+
+	for i := 0; i < s.Len(); i++ {
+		ret[i] = s.Index(i).Interface()
+	}
+
+	return ret
+}

server/utils/parser.go

@@ -0,0 +1,21 @@
+package utils
+
+import (
+	"errors"
+	"time"
+)
+
+// ParseDurationInSeconds parses input s, removes ms/us/ns and returns result duration
+func ParseDurationInSeconds(s string) (time.Duration, error) {
+	d, err := time.ParseDuration(s)
+	if err != nil {
+		return 0, err
+	}
+
+	d = d.Truncate(time.Second)
+	if d <= 0 {
+		return 0, errors.New(`duration must be greater than 0s`)
+	}
+
+	return d, nil
+}

server/utils/urls.go

@@ -10,7 +10,20 @@ import (
 )
 
 // GetHost returns hostname from request context
+// if X-Authorizer-URL header is set it is given highest priority
+// if EnvKeyAuthorizerURL is set it is given second highest priority.
+// if above 2 are not set the requesting host name is used
 func GetHost(c *gin.Context) string {
+	authorizerURL := c.Request.Header.Get("X-Authorizer-URL")
+	if authorizerURL != "" {
+		return authorizerURL
+	}
+
+	authorizerURL = envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL)
+	if authorizerURL != "" {
+		return authorizerURL
+	}
+
 	scheme := c.Request.Header.Get("X-Forwarded-Proto")
 	if scheme != "https" {
 		scheme = "http"