Implement refresh token logic with fingerprint + rotation
This commit is contained in:
Lakhan Samani
@@ -11,11 +11,13 @@ import (
|
||||
"time"
|
||||
|
||||
"github.com/authorizerdev/authorizer/server/constants"
|
||||
"github.com/authorizerdev/authorizer/server/cookie"
|
||||
"github.com/authorizerdev/authorizer/server/db"
|
||||
"github.com/authorizerdev/authorizer/server/db/models"
|
||||
"github.com/authorizerdev/authorizer/server/envstore"
|
||||
"github.com/authorizerdev/authorizer/server/oauth"
|
||||
"github.com/authorizerdev/authorizer/server/session"
|
||||
"github.com/authorizerdev/authorizer/server/sessionstore"
|
||||
"github.com/authorizerdev/authorizer/server/token"
|
||||
"github.com/authorizerdev/authorizer/server/utils"
|
||||
"github.com/coreos/go-oidc/v3/oidc"
|
||||
"github.com/gin-gonic/gin"
|
||||
@@ -28,11 +30,11 @@ func OAuthCallbackHandler() gin.HandlerFunc {
|
||||
provider := c.Param("oauth_provider")
|
||||
state := c.Request.FormValue("state")
|
||||
|
||||
sessionState := session.GetSocailLoginState(state)
|
||||
sessionState := sessionstore.GetSocailLoginState(state)
|
||||
if sessionState == "" {
|
||||
c.JSON(400, gin.H{"error": "invalid oauth state"})
|
||||
}
|
||||
session.RemoveSocialLoginState(state)
|
||||
sessionstore.RemoveSocialLoginState(state)
|
||||
// contains random token, redirect url, role
|
||||
sessionSplit := strings.Split(state, "___")
|
||||
|
||||
@@ -135,12 +137,10 @@ func OAuthCallbackHandler() gin.HandlerFunc {
|
||||
}
|
||||
|
||||
user, _ = db.Provider.GetUserByEmail(user.Email)
|
||||
userIdStr := fmt.Sprintf("%v", user.ID)
|
||||
refreshToken, _, _ := utils.CreateAuthToken(user, constants.TokenTypeRefreshToken, inputRoles)
|
||||
|
||||
accessToken, _, _ := utils.CreateAuthToken(user, constants.TokenTypeAccessToken, inputRoles)
|
||||
utils.SetCookie(c, accessToken)
|
||||
session.SetUserSession(userIdStr, accessToken, refreshToken)
|
||||
authToken, _ := token.CreateAuthToken(user, inputRoles)
|
||||
sessionstore.SetUserSession(user.ID, authToken.FingerPrint, authToken.RefreshToken.Token)
|
||||
cookie.SetCookie(c, authToken.AccessToken.Token, authToken.RefreshToken.Token, authToken.FingerPrintHash)
|
||||
utils.SaveSessionInDB(user.ID, c)
|
||||
|
||||
c.Redirect(http.StatusTemporaryRedirect, redirectURL)
|
||||
|
||||
@@ -7,7 +7,7 @@ import (
|
||||
"github.com/authorizerdev/authorizer/server/constants"
|
||||
"github.com/authorizerdev/authorizer/server/envstore"
|
||||
"github.com/authorizerdev/authorizer/server/oauth"
|
||||
"github.com/authorizerdev/authorizer/server/session"
|
||||
"github.com/authorizerdev/authorizer/server/sessionstore"
|
||||
"github.com/authorizerdev/authorizer/server/utils"
|
||||
"github.com/gin-gonic/gin"
|
||||
"github.com/google/uuid"
|
||||
@@ -54,7 +54,7 @@ func OAuthLoginHandler() gin.HandlerFunc {
|
||||
isProviderConfigured = false
|
||||
break
|
||||
}
|
||||
session.SetSocailLoginState(oauthStateString, constants.SignupMethodGoogle)
|
||||
sessionstore.SetSocailLoginState(oauthStateString, constants.SignupMethodGoogle)
|
||||
// during the init of OAuthProvider authorizer url might be empty
|
||||
oauth.OAuthProviders.GoogleConfig.RedirectURL = envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL) + "/oauth_callback/google"
|
||||
url := oauth.OAuthProviders.GoogleConfig.AuthCodeURL(oauthStateString)
|
||||
@@ -64,7 +64,7 @@ func OAuthLoginHandler() gin.HandlerFunc {
|
||||
isProviderConfigured = false
|
||||
break
|
||||
}
|
||||
session.SetSocailLoginState(oauthStateString, constants.SignupMethodGithub)
|
||||
sessionstore.SetSocailLoginState(oauthStateString, constants.SignupMethodGithub)
|
||||
oauth.OAuthProviders.GithubConfig.RedirectURL = envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL) + "/oauth_callback/github"
|
||||
url := oauth.OAuthProviders.GithubConfig.AuthCodeURL(oauthStateString)
|
||||
c.Redirect(http.StatusTemporaryRedirect, url)
|
||||
@@ -73,7 +73,7 @@ func OAuthLoginHandler() gin.HandlerFunc {
|
||||
isProviderConfigured = false
|
||||
break
|
||||
}
|
||||
session.SetSocailLoginState(oauthStateString, constants.SignupMethodFacebook)
|
||||
sessionstore.SetSocailLoginState(oauthStateString, constants.SignupMethodFacebook)
|
||||
oauth.OAuthProviders.FacebookConfig.RedirectURL = envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL) + "/oauth_callback/facebook"
|
||||
url := oauth.OAuthProviders.FacebookConfig.AuthCodeURL(oauthStateString)
|
||||
c.Redirect(http.StatusTemporaryRedirect, url)
|
||||
|
||||
@@ -5,9 +5,10 @@ import (
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/authorizerdev/authorizer/server/constants"
|
||||
"github.com/authorizerdev/authorizer/server/cookie"
|
||||
"github.com/authorizerdev/authorizer/server/db"
|
||||
"github.com/authorizerdev/authorizer/server/session"
|
||||
"github.com/authorizerdev/authorizer/server/sessionstore"
|
||||
"github.com/authorizerdev/authorizer/server/token"
|
||||
"github.com/authorizerdev/authorizer/server/utils"
|
||||
"github.com/gin-gonic/gin"
|
||||
)
|
||||
@@ -19,20 +20,20 @@ func VerifyEmailHandler() gin.HandlerFunc {
|
||||
errorRes := gin.H{
|
||||
"message": "invalid token",
|
||||
}
|
||||
token := c.Query("token")
|
||||
if token == "" {
|
||||
tokenInQuery := c.Query("token")
|
||||
if tokenInQuery == "" {
|
||||
c.JSON(400, errorRes)
|
||||
return
|
||||
}
|
||||
|
||||
verificationRequest, err := db.Provider.GetVerificationRequestByToken(token)
|
||||
verificationRequest, err := db.Provider.GetVerificationRequestByToken(tokenInQuery)
|
||||
if err != nil {
|
||||
c.JSON(400, errorRes)
|
||||
return
|
||||
}
|
||||
|
||||
// verify if token exists in db
|
||||
claim, err := utils.VerifyVerificationToken(token)
|
||||
claim, err := token.VerifyVerificationToken(tokenInQuery)
|
||||
if err != nil {
|
||||
c.JSON(400, errorRes)
|
||||
return
|
||||
@@ -56,13 +57,17 @@ func VerifyEmailHandler() gin.HandlerFunc {
|
||||
db.Provider.DeleteVerificationRequest(verificationRequest)
|
||||
|
||||
roles := strings.Split(user.Roles, ",")
|
||||
refreshToken, _, _ := utils.CreateAuthToken(user, constants.TokenTypeRefreshToken, roles)
|
||||
|
||||
accessToken, _, _ := utils.CreateAuthToken(user, constants.TokenTypeAccessToken, roles)
|
||||
|
||||
session.SetUserSession(user.ID, accessToken, refreshToken)
|
||||
authToken, err := token.CreateAuthToken(user, roles)
|
||||
if err != nil {
|
||||
c.JSON(400, gin.H{
|
||||
"message": err.Error(),
|
||||
})
|
||||
return
|
||||
}
|
||||
sessionstore.SetUserSession(user.ID, authToken.FingerPrint, authToken.RefreshToken.Token)
|
||||
cookie.SetCookie(c, authToken.AccessToken.Token, authToken.RefreshToken.Token, authToken.FingerPrintHash)
|
||||
utils.SaveSessionInDB(user.ID, c)
|
||||
utils.SetCookie(c, accessToken)
|
||||
|
||||
c.Redirect(http.StatusTemporaryRedirect, claim.RedirectURL)
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user