devstack/authorizer
4
0
Fork 0
Code Pull Requests Actions Activity

fix: user session access

Browse Source
This commit is contained in:
Lakhan Samani
2022-06-12 00:27:21 +05:30
parent ac49b5bb70
commit 82a2a42f84
22 changed files with 172 additions and 130 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
server/token/auth_token.go
View File

@@ -204,11 +204,16 @@ func ValidateAccessToken(gc *gin.Context, accessToken string) (map[string]interf
}
userID := res["sub"].(string)
nonce, err := memorystore.Provider.GetUserSession(userID, accessToken)
nonce := res["nonce"].(string)
token, err := memorystore.Provider.GetUserSession(userID, constants.TokenTypeAccessToken+"_"+nonce)
if nonce == "" || err != nil {
return res, fmt.Errorf(`unauthorized`)
}
if token != accessToken {
return res, fmt.Errorf(`unauthorized`)
}
hostname := parsers.GetHost(gc)
if ok, err := ValidateJWTClaims(res, hostname, nonce, userID); !ok || err != nil {
return res, err
@@ -235,11 +240,16 @@ func ValidateRefreshToken(gc *gin.Context, refreshToken string) (map[string]inte
}
userID := res["sub"].(string)
nonce, err := memorystore.Provider.GetUserSession(userID, refreshToken)
nonce := res["nonce"].(string)
token, err := memorystore.Provider.GetUserSession(userID, constants.TokenTypeRefreshToken+"_"+nonce)
if nonce == "" || err != nil {
return res, fmt.Errorf(`unauthorized`)
}
if token != refreshToken {
return res, fmt.Errorf(`unauthorized`)
}
hostname := parsers.GetHost(gc)
if ok, err := ValidateJWTClaims(res, hostname, nonce, userID); !ok || err != nil {
return res, err
@@ -268,13 +278,13 @@ func ValidateBrowserSession(gc *gin.Context, encryptedSession string) (*SessionD
return nil, err
}
nonce, err := memorystore.Provider.GetUserSession(res.Subject, encryptedSession)
if nonce == "" || err != nil {
token, err := memorystore.Provider.GetUserSession(res.Subject, constants.TokenTypeSessionToken+"_"+res.Nonce)
if token == "" || err != nil {
log.Debug("invalid browser session:", err)
return nil, fmt.Errorf(`unauthorized`)
}
if res.Nonce != nonce {
if encryptedSession != token {
return nil, fmt.Errorf(`unauthorized: invalid nonce`)
}

7
server/token/jwt.go
View File

@@ -145,8 +145,8 @@ func ValidateJWTClaims(claims jwt.MapClaims, hostname, nonce, subject string) (b
return true, nil
}
// ValidateJWTClaimsWithoutNonce common util to validate claims without nonce
func ValidateJWTTokenWithoutNonce(claims jwt.MapClaims, hostname string) (bool, error) {
// ValidateJWTTokenWithoutNonce common util to validate claims without nonce
func ValidateJWTTokenWithoutNonce(claims jwt.MapClaims, hostname, subject string) (bool, error) {
clientID, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyClientID)
if err != nil {
return false, err
@@ -159,5 +159,8 @@ func ValidateJWTTokenWithoutNonce(claims jwt.MapClaims, hostname string) (bool,
return false, errors.New("invalid issuer")
}
if claims["sub"] != subject {
return false, errors.New("invalid subject")
}
return true, nil
}