feat: add resolver to validate browser session

server/resolvers/validate_session.go

@@ -0,0 +1,59 @@
+package resolvers
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/authorizerdev/authorizer/server/cookie"
+	"github.com/authorizerdev/authorizer/server/db"
+	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/token"
+	"github.com/authorizerdev/authorizer/server/utils"
+	log "github.com/sirupsen/logrus"
+)
+
+// ValidateSessionResolver is used to validate a cookie session without its rotation
+func ValidateSessionResolver(ctx context.Context, params *model.ValidateSessionInput) (*model.ValidateSessionResponse, error) {
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug("Failed to get GinContext: ", err)
+		return nil, err
+	}
+	sessionToken := params.Cookie
+	if sessionToken == "" {
+		sessionToken, err = cookie.GetSession(gc)
+		if err != nil {
+			log.Debug("Failed to get session token: ", err)
+			return nil, errors.New("unauthorized")
+		}
+	}
+	claims, err := token.ValidateBrowserSession(gc, sessionToken)
+	if err != nil {
+		log.Debug("Failed to validate session token", err)
+		return nil, errors.New("unauthorized")
+	}
+	userID := claims.Subject
+	log := log.WithFields(log.Fields{
+		"user_id": userID,
+	})
+	_, err = db.Provider.GetUserByID(ctx, userID)
+	if err != nil {
+		return nil, err
+	}
+	// refresh token has "roles" as claim
+	claimRoleInterface := claims.Roles
+	claimRoles := []string{}
+	claimRoles = append(claimRoles, claimRoleInterface...)
+	if params != nil && params.Roles != nil && len(params.Roles) > 0 {
+		for _, v := range params.Roles {
+			if !utils.StringSliceContains(claimRoles, v) {
+				log.Debug("User does not have required role: ", claimRoles, v)
+				return nil, fmt.Errorf(`unauthorized`)
+			}
+		}
+	}
+	return &model.ValidateSessionResponse{
+		IsValid: true,
+	}, nil
+}