Implement refresh token logic with fingerprint + rotation

server/resolvers/admin_login.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 
 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/utils"
@@ -28,7 +29,7 @@ func AdminLoginResolver(ctx context.Context, params model.AdminLoginInput) (*mod
 	if err != nil {
 		return res, err
 	}
-	utils.SetAdminCookie(gc, hashedKey)
+	cookie.SetAdminCookie(gc, hashedKey)
 
 	res = &model.Response{
 		Message: "admin logged in successfully",

server/resolvers/admin_logout.go

@@ -4,7 +4,9 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )
 
@@ -17,11 +19,11 @@ func AdminLogoutResolver(ctx context.Context) (*model.Response, error) {
 		return res, err
 	}
 
-	if !utils.IsSuperAdmin(gc) {
+	if !token.IsSuperAdmin(gc) {
 		return res, fmt.Errorf("unauthorized")
 	}
 
-	utils.DeleteAdminCookie(gc)
+	cookie.DeleteAdminCookie(gc)
 
 	res = &model.Response{
 		Message: "admin logged out successfully",

server/resolvers/admin_session.go

@@ -5,8 +5,10 @@ import (
 	"fmt"
 
 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )
 
@@ -19,7 +21,7 @@ func AdminSessionResolver(ctx context.Context) (*model.Response, error) {
 		return res, err
 	}
 
-	if !utils.IsSuperAdmin(gc) {
+	if !token.IsSuperAdmin(gc) {
 		return res, fmt.Errorf("unauthorized")
 	}
 
@@ -27,7 +29,7 @@ func AdminSessionResolver(ctx context.Context) (*model.Response, error) {
 	if err != nil {
 		return res, err
 	}
-	utils.SetAdminCookie(gc, hashedKey)
+	cookie.SetAdminCookie(gc, hashedKey)
 
 	res = &model.Response{
 		Message: "admin logged in successfully",

server/resolvers/admin_signup.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
@@ -71,7 +72,7 @@ func AdminSignupResolver(ctx context.Context, params model.AdminSignupInput) (*m
 	if err != nil {
 		return res, err
 	}
-	utils.SetAdminCookie(gc, hashedKey)
+	cookie.SetAdminCookie(gc, hashedKey)
 
 	res = &model.Response{
 		Message: "admin signed up successfully",

server/resolvers/delete_user.go

@@ -7,7 +7,8 @@ import (
 
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/graph/model"
-	"github.com/authorizerdev/authorizer/server/session"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )
 
@@ -19,7 +20,7 @@ func DeleteUserResolver(ctx context.Context, params model.DeleteUserInput) (*mod
 		return res, err
 	}
 
-	if !utils.IsSuperAdmin(gc) {
+	if !token.IsSuperAdmin(gc) {
 		return res, fmt.Errorf("unauthorized")
 	}
 
@@ -28,7 +29,7 @@ func DeleteUserResolver(ctx context.Context, params model.DeleteUserInput) (*mod
 		return res, err
 	}
 
-	session.DeleteAllUserSession(fmt.Sprintf("%x", user.ID))
+	sessionstore.DeleteAllUserSession(fmt.Sprintf("%x", user.ID))
 
 	err = db.Provider.DeleteUser(user)
 	if err != nil {

server/resolvers/env.go

@@ -7,6 +7,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )
 
@@ -20,7 +21,7 @@ func EnvResolver(ctx context.Context) (*model.Env, error) {
 		return res, err
 	}
 
-	if !utils.IsSuperAdmin(gc) {
+	if !token.IsSuperAdmin(gc) {
 		return res, fmt.Errorf("unauthorized")
 	}
 

server/resolvers/forgot_password.go

@@ -13,6 +13,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/email"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )
 
@@ -38,12 +39,12 @@ func ForgotPasswordResolver(ctx context.Context, params model.ForgotPasswordInpu
 		return res, fmt.Errorf(`user with this email not found`)
 	}
 
-	token, err := utils.CreateVerificationToken(params.Email, constants.VerificationTypeForgotPassword)
+	verificationToken, err := token.CreateVerificationToken(params.Email, constants.VerificationTypeForgotPassword)
 	if err != nil {
 		log.Println(`error generating token`, err)
 	}
 	db.Provider.AddVerificationRequest(models.VerificationRequest{
-		Token:      token,
+		Token:      verificationToken,
 		Identifier: constants.VerificationTypeForgotPassword,
 		ExpiresAt:  time.Now().Add(time.Minute * 30).Unix(),
 		Email:      params.Email,
@@ -51,7 +52,7 @@ func ForgotPasswordResolver(ctx context.Context, params model.ForgotPasswordInpu
 
 	// exec it as go routin so that we can reduce the api latency
 	go func() {
-		email.SendForgotPasswordMail(params.Email, token, host)
+		email.SendForgotPasswordMail(params.Email, verificationToken, host)
 	}()
 
 	res = &model.Response{

server/resolvers/login.go

@@ -7,10 +7,12 @@ import (
 	"strings"
 
 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
-	"github.com/authorizerdev/authorizer/server/session"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 	"golang.org/x/crypto/bcrypt"
 )
@@ -56,21 +58,21 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 
 		roles = params.Roles
 	}
-	refreshToken, _, _ := utils.CreateAuthToken(user, constants.TokenTypeRefreshToken, roles)
 
-	accessToken, expiresAt, _ := utils.CreateAuthToken(user, constants.TokenTypeAccessToken, roles)
-
-	session.SetUserSession(user.ID, accessToken, refreshToken)
+	authToken, err := token.CreateAuthToken(user, roles)
+	if err != nil {
+		return res, err
+	}
+	sessionstore.SetUserSession(user.ID, authToken.FingerPrint, authToken.RefreshToken.Token)
+	cookie.SetCookie(gc, authToken.AccessToken.Token, authToken.RefreshToken.Token, authToken.FingerPrintHash)
 	utils.SaveSessionInDB(user.ID, gc)
 
 	res = &model.AuthResponse{
 		Message:     `Logged in successfully`,
-		AccessToken: &accessToken,
-		ExpiresAt:   &expiresAt,
-		User:        utils.GetResponseUserData(user),
+		AccessToken: &authToken.AccessToken.Token,
+		ExpiresAt:   &authToken.AccessToken.ExpiresAt,
+		User:        user.AsAPIUser(),
 	}
 
-	utils.SetCookie(gc, accessToken)
-
 	return res, nil
 }

server/resolvers/logout.go

@@ -2,10 +2,11 @@ package resolvers
 
 import (
 	"context"
-	"fmt"
 
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/graph/model"
-	"github.com/authorizerdev/authorizer/server/session"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )
 
@@ -17,22 +18,38 @@ func LogoutResolver(ctx context.Context) (*model.Response, error) {
 		return res, err
 	}
 
-	token, err := utils.GetAuthToken(gc)
+	// get refresh token
+	refreshToken, err := token.GetRefreshToken(gc)
 	if err != nil {
 		return res, err
 	}
 
-	claim, err := utils.VerifyAuthToken(token)
+	// get fingerprint hash
+	fingerprintHash, err := token.GetFingerPrint(gc)
 	if err != nil {
 		return res, err
 	}
 
-	userId := fmt.Sprintf("%v", claim["id"])
-	session.DeleteUserSession(userId, token)
+	decryptedFingerPrint, err := utils.DecryptAES([]byte(fingerprintHash))
+	if err != nil {
+		return res, err
+	}
+
+	fingerPrint := string(decryptedFingerPrint)
+
+	// verify refresh token and fingerprint
+	claims, err := token.VerifyJWTToken(refreshToken)
+	if err != nil {
+		return res, err
+	}
+
+	userID := claims["id"].(string)
+	sessionstore.DeleteUserSession(userID, fingerPrint)
+	cookie.DeleteCookie(gc)
+
 	res = &model.Response{
 		Message: "Logged out successfully",
 	}
 
-	utils.DeleteCookie(gc)
 	return res, nil
 }

server/resolvers/magic_link_login.go

@@ -13,6 +13,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/email"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )
 
@@ -104,12 +105,12 @@ func MagicLinkLoginResolver(ctx context.Context, params model.MagicLinkLoginInpu
 	if !envstore.EnvInMemoryStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification) {
 		// insert verification request
 		verificationType := constants.VerificationTypeMagicLinkLogin
-		token, err := utils.CreateVerificationToken(params.Email, verificationType)
+		verificationToken, err := token.CreateVerificationToken(params.Email, verificationType)
 		if err != nil {
 			log.Println(`error generating token`, err)
 		}
 		db.Provider.AddVerificationRequest(models.VerificationRequest{
-			Token:      token,
+			Token:      verificationToken,
 			Identifier: verificationType,
 			ExpiresAt:  time.Now().Add(time.Minute * 30).Unix(),
 			Email:      params.Email,
@@ -117,7 +118,7 @@ func MagicLinkLoginResolver(ctx context.Context, params model.MagicLinkLoginInpu
 
 		// exec it as go routin so that we can reduce the api latency
 		go func() {
-			email.SendVerificationMail(params.Email, token)
+			email.SendVerificationMail(params.Email, verificationToken)
 		}()
 	}
 

server/resolvers/profile.go

@@ -6,7 +6,7 @@ import (
 
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/graph/model"
-	"github.com/authorizerdev/authorizer/server/session"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )
 
@@ -18,30 +18,17 @@ func ProfileResolver(ctx context.Context) (*model.User, error) {
 		return res, err
 	}
 
-	token, err := utils.GetAuthToken(gc)
+	claims, err := token.ValidateAccessToken(gc)
 	if err != nil {
 		return res, err
 	}
 
-	claim, err := utils.VerifyAuthToken(token)
+	userID := fmt.Sprintf("%v", claims["id"])
+
+	user, err := db.Provider.GetUserByID(userID)
 	if err != nil {
 		return res, err
 	}
 
-	userID := fmt.Sprintf("%v", claim["id"])
-	email := fmt.Sprintf("%v", claim["email"])
-	sessionToken := session.GetUserSession(userID, token)
-
-	if sessionToken == "" {
-		return res, fmt.Errorf(`unauthorized`)
-	}
-
-	user, err := db.Provider.GetUserByEmail(email)
-	if err != nil {
-		return res, err
-	}
-
-	res = utils.GetResponseUserData(user)
-
-	return res, nil
+	return user.AsAPIUser(), nil
 }

server/resolvers/resend_verify_email.go

@@ -11,6 +11,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/db/models"
 	"github.com/authorizerdev/authorizer/server/email"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )
 
@@ -38,12 +39,12 @@ func ResendVerifyEmailResolver(ctx context.Context, params model.ResendVerifyEma
 		log.Println("error deleting verification request:", err)
 	}
 
-	token, err := utils.CreateVerificationToken(params.Email, params.Identifier)
+	verificationToken, err := token.CreateVerificationToken(params.Email, params.Identifier)
 	if err != nil {
 		log.Println(`error generating token`, err)
 	}
 	db.Provider.AddVerificationRequest(models.VerificationRequest{
-		Token:      token,
+		Token:      verificationToken,
 		Identifier: params.Identifier,
 		ExpiresAt:  time.Now().Add(time.Minute * 30).Unix(),
 		Email:      params.Email,
@@ -51,7 +52,7 @@ func ResendVerifyEmailResolver(ctx context.Context, params model.ResendVerifyEma
 
 	// exec it as go routin so that we can reduce the api latency
 	go func() {
-		email.SendVerificationMail(params.Email, token)
+		email.SendVerificationMail(params.Email, verificationToken)
 	}()
 
 	res = &model.Response{

server/resolvers/reset_password.go

@@ -10,6 +10,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )
 
@@ -30,7 +31,7 @@ func ResetPasswordResolver(ctx context.Context, params model.ResetPasswordInput)
 	}
 
 	// verify if token exists in db
-	claim, err := utils.VerifyVerificationToken(params.Token)
+	claim, err := token.VerifyVerificationToken(params.Token)
 	if err != nil {
 		return res, fmt.Errorf(`invalid token`)
 	}

server/resolvers/session.go

@@ -3,13 +3,12 @@ package resolvers
 import (
 	"context"
 	"fmt"
-	"time"
 
-	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
-	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
-	"github.com/authorizerdev/authorizer/server/session"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )
 
@@ -21,35 +20,49 @@ func SessionResolver(ctx context.Context, roles []string) (*model.AuthResponse,
 	if err != nil {
 		return res, err
 	}
-	token, err := utils.GetAuthToken(gc)
+
+	// get refresh token
+	refreshToken, err := token.GetRefreshToken(gc)
 	if err != nil {
 		return res, err
 	}
 
-	claim, accessTokenErr := utils.VerifyAuthToken(token)
-	expiresAt := claim["exp"].(int64)
-	email := fmt.Sprintf("%v", claim["email"])
-
-	user, err := db.Provider.GetUserByEmail(email)
+	// get fingerprint hash
+	fingerprintHash, err := token.GetFingerPrint(gc)
 	if err != nil {
 		return res, err
 	}
 
-	userIdStr := fmt.Sprintf("%v", user.ID)
+	decryptedFingerPrint, err := utils.DecryptAES([]byte(fingerprintHash))
+	if err != nil {
+		return res, err
+	}
 
-	sessionToken := session.GetUserSession(userIdStr, token)
+	fingerPrint := string(decryptedFingerPrint)
 
-	if sessionToken == "" {
+	// verify refresh token and fingerprint
+	claims, err := token.VerifyJWTToken(refreshToken)
+	if err != nil {
+		return res, err
+	}
+
+	userID := claims["id"].(string)
+
+	persistedRefresh := sessionstore.GetUserSession(userID, fingerPrint)
+	if refreshToken != persistedRefresh {
 		return res, fmt.Errorf(`unauthorized`)
 	}
 
-	expiresTimeObj := time.Unix(expiresAt, 0)
-	currentTimeObj := time.Now()
+	user, err := db.Provider.GetUserByID(userID)
+	if err != nil {
+		return res, err
+	}
 
-	claimRoleInterface := claim[envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtRoleClaim)].([]interface{})
-	claimRoles := make([]string, len(claimRoleInterface))
-	for i, v := range claimRoleInterface {
-		claimRoles[i] = v.(string)
+	// refresh token has "roles" as claim
+	claimRoleInterface := claims["roles"].([]interface{})
+	claimRoles := []string{}
+	for _, v := range claimRoleInterface {
+		claimRoles = append(claimRoles, v.(string))
 	}
 
 	if len(roles) > 0 {
@@ -60,23 +73,22 @@ func SessionResolver(ctx context.Context, roles []string) (*model.AuthResponse,
 		}
 	}
 
-	// TODO change this logic to make it more secure
-	if accessTokenErr != nil || expiresTimeObj.Sub(currentTimeObj).Minutes() <= 5 {
-		// if access token has expired and refresh/session token is valid
-		// generate new accessToken
-		currentRefreshToken := session.GetUserSession(userIdStr, token)
-		session.DeleteUserSession(userIdStr, token)
-		token, expiresAt, _ = utils.CreateAuthToken(user, constants.TokenTypeAccessToken, claimRoles)
-		session.SetUserSession(userIdStr, token, currentRefreshToken)
-		utils.SaveSessionInDB(user.ID, gc)
+	// delete older session
+	sessionstore.DeleteUserSession(userID, fingerPrint)
+
+	authToken, err := token.CreateAuthToken(user, claimRoles)
+	if err != nil {
+		return res, err
+	}
+	sessionstore.SetUserSession(user.ID, authToken.FingerPrint, authToken.RefreshToken.Token)
+	cookie.SetCookie(gc, authToken.AccessToken.Token, authToken.RefreshToken.Token, authToken.FingerPrintHash)
+
+	res = &model.AuthResponse{
+		Message:     `Session token refreshed`,
+		AccessToken: &authToken.AccessToken.Token,
+		ExpiresAt:   &authToken.AccessToken.ExpiresAt,
+		User:        user.AsAPIUser(),
 	}
 
-	utils.SetCookie(gc, token)
-	res = &model.AuthResponse{
-		Message:     `Token verified`,
-		AccessToken: &token,
-		ExpiresAt:   &expiresAt,
-		User:        utils.GetResponseUserData(user),
-	}
 	return res, nil
 }

server/resolvers/signup.go

@@ -8,12 +8,14 @@ import (
 	"time"
 
 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/db/models"
 	"github.com/authorizerdev/authorizer/server/email"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
-	"github.com/authorizerdev/authorizer/server/session"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )
 
@@ -114,19 +116,18 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 	if err != nil {
 		return res, err
 	}
-	userIdStr := fmt.Sprintf("%v", user.ID)
 	roles := strings.Split(user.Roles, ",")
-	userToReturn := utils.GetResponseUserData(user)
+	userToReturn := user.AsAPIUser()
 
 	if !envstore.EnvInMemoryStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification) {
 		// insert verification request
 		verificationType := constants.VerificationTypeBasicAuthSignup
-		token, err := utils.CreateVerificationToken(params.Email, verificationType)
+		verificationToken, err := token.CreateVerificationToken(params.Email, verificationType)
 		if err != nil {
 			log.Println(`error generating token`, err)
 		}
 		db.Provider.AddVerificationRequest(models.VerificationRequest{
-			Token:      token,
+			Token:      verificationToken,
 			Identifier: verificationType,
 			ExpiresAt:  time.Now().Add(time.Minute * 30).Unix(),
 			Email:      params.Email,
@@ -134,7 +135,7 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 
 		// exec it as go routin so that we can reduce the api latency
 		go func() {
-			email.SendVerificationMail(params.Email, token)
+			email.SendVerificationMail(params.Email, verificationToken)
 		}()
 
 		res = &model.AuthResponse{
@@ -143,20 +144,20 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 		}
 	} else {
 
-		refreshToken, _, _ := utils.CreateAuthToken(user, constants.TokenTypeRefreshToken, roles)
-
-		accessToken, expiresAt, _ := utils.CreateAuthToken(user, constants.TokenTypeAccessToken, roles)
-
-		session.SetUserSession(userIdStr, accessToken, refreshToken)
+		authToken, err := token.CreateAuthToken(user, roles)
+		if err != nil {
+			return res, err
+		}
+		sessionstore.SetUserSession(user.ID, authToken.FingerPrint, authToken.RefreshToken.Token)
+		cookie.SetCookie(gc, authToken.AccessToken.Token, authToken.RefreshToken.Token, authToken.FingerPrintHash)
 		utils.SaveSessionInDB(user.ID, gc)
+
 		res = &model.AuthResponse{
 			Message:     `Signed up successfully.`,
-			AccessToken: &accessToken,
-			ExpiresAt:   &expiresAt,
+			AccessToken: &authToken.AccessToken.Token,
+			ExpiresAt:   &authToken.AccessToken.ExpiresAt,
 			User:        userToReturn,
 		}
-
-		utils.SetCookie(gc, accessToken)
 	}
 
 	return res, nil

server/resolvers/update_env.go

@@ -9,9 +9,11 @@ import (
 	"reflect"
 
 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 	"golang.org/x/crypto/bcrypt"
 )
@@ -26,7 +28,7 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model
 		return res, err
 	}
 
-	if !utils.IsSuperAdmin(gc) {
+	if !token.IsSuperAdmin(gc) {
 		return res, fmt.Errorf("unauthorized")
 	}
 
@@ -124,7 +126,7 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model
 		if err != nil {
 			return res, err
 		}
-		utils.SetAdminCookie(gc, hashedKey)
+		cookie.SetAdminCookie(gc, hashedKey)
 	}
 
 	env.EnvData = encryptedConfig

server/resolvers/update_profile.go

@@ -8,11 +8,13 @@ import (
 	"time"
 
 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/db/models"
 	"github.com/authorizerdev/authorizer/server/email"
 	"github.com/authorizerdev/authorizer/server/graph/model"
-	"github.com/authorizerdev/authorizer/server/session"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 	"golang.org/x/crypto/bcrypt"
 )
@@ -25,29 +27,17 @@ func UpdateProfileResolver(ctx context.Context, params model.UpdateProfileInput)
 		return res, err
 	}
 
-	token, err := utils.GetAuthToken(gc)
+	claims, err := token.ValidateAccessToken(gc)
 	if err != nil {
 		return res, err
 	}
 
-	claim, err := utils.VerifyAuthToken(token)
-	if err != nil {
-		return res, err
-	}
-
-	id := fmt.Sprintf("%v", claim["id"])
-	sessionToken := session.GetUserSession(id, token)
-
-	if sessionToken == "" {
-		return res, fmt.Errorf(`unauthorized`)
-	}
-
 	// validate if all params are not empty
 	if params.GivenName == nil && params.FamilyName == nil && params.Picture == nil && params.MiddleName == nil && params.Nickname == nil && params.OldPassword == nil && params.Email == nil && params.Birthdate == nil && params.Gender == nil && params.PhoneNumber == nil {
-		return res, fmt.Errorf("please enter atleast one param to update")
+		return res, fmt.Errorf("please enter at least one param to update")
 	}
 
-	userEmail := fmt.Sprintf("%v", claim["email"])
+	userEmail := fmt.Sprintf("%v", claims["email"])
 	user, err := db.Provider.GetUserByEmail(userEmail)
 	if err != nil {
 		return res, err
@@ -123,20 +113,20 @@ func UpdateProfileResolver(ctx context.Context, params model.UpdateProfileInput)
 			return res, fmt.Errorf("user with this email address already exists")
 		}
 
-		session.DeleteAllUserSession(fmt.Sprintf("%v", user.ID))
-		utils.DeleteCookie(gc)
+		sessionstore.DeleteAllUserSession(fmt.Sprintf("%v", user.ID))
+		cookie.DeleteCookie(gc)
 
 		user.Email = newEmail
 		user.EmailVerifiedAt = nil
 		hasEmailChanged = true
 		// insert verification request
 		verificationType := constants.VerificationTypeUpdateEmail
-		token, err := utils.CreateVerificationToken(newEmail, verificationType)
+		verificationToken, err := token.CreateVerificationToken(newEmail, verificationType)
 		if err != nil {
 			log.Println(`error generating token`, err)
 		}
 		db.Provider.AddVerificationRequest(models.VerificationRequest{
-			Token:      token,
+			Token:      verificationToken,
 			Identifier: verificationType,
 			ExpiresAt:  time.Now().Add(time.Minute * 30).Unix(),
 			Email:      newEmail,
@@ -144,7 +134,7 @@ func UpdateProfileResolver(ctx context.Context, params model.UpdateProfileInput)
 
 		// exec it as go routin so that we can reduce the api latency
 		go func() {
-			email.SendVerificationMail(newEmail, token)
+			email.SendVerificationMail(newEmail, verificationToken)
 		}()
 	}
 

server/resolvers/update_user.go

@@ -8,12 +8,14 @@ import (
 	"time"
 
 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/db/models"
 	"github.com/authorizerdev/authorizer/server/email"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
-	"github.com/authorizerdev/authorizer/server/session"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )
 
@@ -26,7 +28,7 @@ func UpdateUserResolver(ctx context.Context, params model.UpdateUserInput) (*mod
 		return res, err
 	}
 
-	if !utils.IsSuperAdmin(gc) {
+	if !token.IsSuperAdmin(gc) {
 		return res, fmt.Errorf("unauthorized")
 	}
 
@@ -93,19 +95,19 @@ func UpdateUserResolver(ctx context.Context, params model.UpdateUserInput) (*mod
 			return res, fmt.Errorf("user with this email address already exists")
 		}
 
-		session.DeleteAllUserSession(fmt.Sprintf("%v", user.ID))
-		utils.DeleteCookie(gc)
+		sessionstore.DeleteAllUserSession(fmt.Sprintf("%v", user.ID))
+		cookie.DeleteCookie(gc)
 
 		user.Email = newEmail
 		user.EmailVerifiedAt = nil
 		// insert verification request
 		verificationType := constants.VerificationTypeUpdateEmail
-		token, err := utils.CreateVerificationToken(newEmail, verificationType)
+		verificationToken, err := token.CreateVerificationToken(newEmail, verificationType)
 		if err != nil {
 			log.Println(`error generating token`, err)
 		}
 		db.Provider.AddVerificationRequest(models.VerificationRequest{
-			Token:      token,
+			Token:      verificationToken,
 			Identifier: verificationType,
 			ExpiresAt:  time.Now().Add(time.Minute * 30).Unix(),
 			Email:      newEmail,
@@ -113,7 +115,7 @@ func UpdateUserResolver(ctx context.Context, params model.UpdateUserInput) (*mod
 
 		// exec it as go routin so that we can reduce the api latency
 		go func() {
-			email.SendVerificationMail(newEmail, token)
+			email.SendVerificationMail(newEmail, verificationToken)
 		}()
 	}
 
@@ -133,8 +135,8 @@ func UpdateUserResolver(ctx context.Context, params model.UpdateUserInput) (*mod
 			rolesToSave = strings.Join(inputRoles, ",")
 		}
 
-		session.DeleteAllUserSession(fmt.Sprintf("%v", user.ID))
-		utils.DeleteCookie(gc)
+		sessionstore.DeleteAllUserSession(fmt.Sprintf("%v", user.ID))
+		cookie.DeleteCookie(gc)
 	}
 
 	if rolesToSave != "" {

server/resolvers/users.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )
 
@@ -18,7 +19,7 @@ func UsersResolver(ctx context.Context) ([]*model.User, error) {
 		return res, err
 	}
 
-	if !utils.IsSuperAdmin(gc) {
+	if !token.IsSuperAdmin(gc) {
 		return res, fmt.Errorf("unauthorized")
 	}
 
@@ -28,7 +29,7 @@ func UsersResolver(ctx context.Context) ([]*model.User, error) {
 	}
 
 	for i := 0; i < len(users); i++ {
-		res = append(res, utils.GetResponseUserData(users[i]))
+		res = append(res, users[i].AsAPIUser())
 	}
 
 	return res, nil

server/resolvers/verification_requests.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )
 
@@ -18,7 +19,7 @@ func VerificationRequestsResolver(ctx context.Context) ([]*model.VerificationReq
 		return res, err
 	}
 
-	if !utils.IsSuperAdmin(gc) {
+	if !token.IsSuperAdmin(gc) {
 		return res, fmt.Errorf("unauthorized")
 	}
 

server/resolvers/verify_email.go

@@ -6,10 +6,11 @@ import (
 	"strings"
 	"time"
 
-	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/graph/model"
-	"github.com/authorizerdev/authorizer/server/session"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )
 
@@ -27,7 +28,7 @@ func VerifyEmailResolver(ctx context.Context, params model.VerifyEmailInput) (*m
 	}
 
 	// verify if token exists in db
-	claim, err := utils.VerifyVerificationToken(params.Token)
+	claim, err := token.VerifyVerificationToken(params.Token)
 	if err != nil {
 		return res, fmt.Errorf(`invalid token`)
 	}
@@ -45,20 +46,20 @@ func VerifyEmailResolver(ctx context.Context, params model.VerifyEmailInput) (*m
 	db.Provider.DeleteVerificationRequest(verificationRequest)
 
 	roles := strings.Split(user.Roles, ",")
-	refreshToken, _, _ := utils.CreateAuthToken(user, constants.TokenTypeRefreshToken, roles)
-	accessToken, expiresAt, _ := utils.CreateAuthToken(user, constants.TokenTypeAccessToken, roles)
-
-	session.SetUserSession(user.ID, accessToken, refreshToken)
+	authToken, err := token.CreateAuthToken(user, roles)
+	if err != nil {
+		return res, err
+	}
+	sessionstore.SetUserSession(user.ID, authToken.FingerPrint, authToken.RefreshToken.Token)
+	cookie.SetCookie(gc, authToken.AccessToken.Token, authToken.RefreshToken.Token, authToken.FingerPrintHash)
 	utils.SaveSessionInDB(user.ID, gc)
 
 	res = &model.AuthResponse{
 		Message:     `Email verified successfully.`,
-		AccessToken: &accessToken,
-		ExpiresAt:   &expiresAt,
-		User:        utils.GetResponseUserData(user),
+		AccessToken: &authToken.AccessToken.Token,
+		ExpiresAt:   &authToken.AccessToken.ExpiresAt,
+		User:        user.AsAPIUser(),
 	}
 
-	utils.SetCookie(gc, accessToken)
-
 	return res, nil
 }