Implement refresh token logic with fingerprint + rotation

2022-01-23 01:24:41 +05:30
parent 0511e737ae
commit 7f18a3f634
50 changed files with 802 additions and 560 deletions
--- a/server/cookie/admin_cookie.go
+++ b/server/cookie/admin_cookie.go
@@ -0,0 +1,44 @@
+package cookie
+
+import (
+	"net/url"
+
+	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/envstore"
+	"github.com/authorizerdev/authorizer/server/utils"
+	"github.com/gin-gonic/gin"
+)
+
+// SetAdminCookie sets the admin cookie in the response
+func SetAdminCookie(gc *gin.Context, token string) {
+	secure := true
+	httpOnly := true
+	host, _ := utils.GetHostParts(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL))
+
+	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), token, 3600, "/", host, secure, httpOnly)
+}
+
+// GetAdminCookie gets the admin cookie from the request
+func GetAdminCookie(gc *gin.Context) (string, error) {
+	cookie, err := gc.Request.Cookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName))
+	if err != nil {
+		return "", err
+	}
+
+	// cookie escapes special characters like $
+	// hence we need to unescape before comparing
+	decodedValue, err := url.QueryUnescape(cookie.Value)
+	if err != nil {
+		return "", err
+	}
+	return decodedValue, nil
+}
+
+// DeleteAdminCookie sets the response cookie to empty
+func DeleteAdminCookie(gc *gin.Context) {
+	secure := true
+	httpOnly := true
+	host, _ := utils.GetHostParts(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL))
+
+	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), "", -1, "/", host, secure, httpOnly)
+}
--- a/server/cookie/cookie.go
+++ b/server/cookie/cookie.go
@@ -0,0 +1,101 @@
+package cookie
+
+import (
+	"net/http"
+	"net/url"
+
+	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/envstore"
+	"github.com/authorizerdev/authorizer/server/utils"
+	"github.com/gin-gonic/gin"
+)
+
+// SetCookie sets the cookie in the response. It sets 4 cookies
+// 1 COOKIE_NAME.access_token jwt token for the host (temp.abc.com)
+// 2 COOKIE_NAME.access_token.domain jwt token for the domain (abc.com).
+// 3 COOKIE_NAME.fingerprint fingerprint hash for the refresh token verification.
+// 4 COOKIE_NAME.refresh_token refresh token
+// Note all sites don't allow 2nd type of cookie
+func SetCookie(gc *gin.Context, accessToken, refreshToken, fingerprintHash string) {
+	secure := true
+	httpOnly := true
+	host, _ := utils.GetHostParts(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL))
+	domain := utils.GetDomainName(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL))
+	if domain != "localhost" {
+		domain = "." + domain
+	}
+
+	year := 60 * 60 * 24 * 365
+	thirtyMin := 60 * 30
+
+	gc.SetSameSite(http.SameSiteNoneMode)
+	// set cookie for host
+	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".access_token", accessToken, thirtyMin, "/", host, secure, httpOnly)
+
+	// in case of subdomain, set cookie for domain
+	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".access_token.domain", accessToken, thirtyMin, "/", domain, secure, httpOnly)
+
+	// set finger print cookie (this should be accessed via cookie only)
+	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".fingerprint", fingerprintHash, year, "/", host, secure, httpOnly)
+
+	// set refresh token cookie (this should be accessed via cookie only)
+	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".refresh_token", refreshToken, year, "/", host, secure, httpOnly)
+}
+
+// GetAccessTokenCookie to get access token cookie from the request
+func GetAccessTokenCookie(gc *gin.Context) (string, error) {
+	cookie, err := gc.Request.Cookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName) + ".access_token")
+	if err != nil {
+		cookie, err = gc.Request.Cookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName) + ".access_token.domain")
+		if err != nil {
+			return "", err
+		}
+	}
+
+	return cookie.Value, nil
+}
+
+// GetRefreshTokenCookie to get refresh token cookie
+func GetRefreshTokenCookie(gc *gin.Context) (string, error) {
+	cookie, err := gc.Request.Cookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName) + ".refresh_token")
+	if err != nil {
+		return "", err
+	}
+
+	return cookie.Value, nil
+}
+
+// GetFingerPrintCookie to get fingerprint cookie
+func GetFingerPrintCookie(gc *gin.Context) (string, error) {
+	cookie, err := gc.Request.Cookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName) + ".fingerprint")
+	if err != nil {
+		return "", err
+	}
+
+	// cookie escapes special characters like $
+	// hence we need to unescape before comparing
+	decodedValue, err := url.QueryUnescape(cookie.Value)
+	if err != nil {
+		return "", err
+	}
+
+	return decodedValue, nil
+}
+
+// DeleteCookie sets response cookies to expire
+func DeleteCookie(gc *gin.Context) {
+	secure := true
+	httpOnly := true
+
+	host, _ := utils.GetHostParts(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL))
+	domain := utils.GetDomainName(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL))
+	if domain != "localhost" {
+		domain = "." + domain
+	}
+
+	gc.SetSameSite(http.SameSiteNoneMode)
+	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".access_token", "", -1, "/", host, secure, httpOnly)
+	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".access_token.domain", "", -1, "/", domain, secure, httpOnly)
+	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".fingerprint", "", -1, "/", host, secure, httpOnly)
+	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".refresh_token", "", -1, "/", host, secure, httpOnly)
+}