Merge pull request #131 from authorizerdev/feat/open-id

Add open id authorization flow with PKCE

app/package-lock.json

@@ -24,9 +24,9 @@
 			}
 		},
 		"node_modules/@authorizerdev/authorizer-js": {
-			"version": "0.2.1",
+			"version": "0.4.0-beta.3",
-			"resolved": "https://registry.npmjs.org/@authorizerdev/authorizer-js/-/authorizer-js-0.2.1.tgz",
+			"resolved": "https://registry.npmjs.org/@authorizerdev/authorizer-js/-/authorizer-js-0.4.0-beta.3.tgz",
-			"integrity": "sha512-5lQlh+nc5xTsPongfTyCSX24A1WESu/BjhmZwUNuScEOGady0qPoDHE3RBf46dpi5v05wbHCDN1IFEalX5zssQ==",
+			"integrity": "sha512-OGZc6I6cnpi/WkSotkjVIc3LEzl8pFeiohr8+Db9xWd75/oTfOZqWRuIHTnTc1FC+6Sv2EjTJ9Aa6lrloWG+NQ==",
 			"dependencies": {
 				"node-fetch": "^2.6.1"
 			},
@@ -35,11 +35,11 @@
 			}
 		},
 		"node_modules/@authorizerdev/authorizer-react": {
-			"version": "0.4.3",
+			"version": "0.9.0-beta.7",
-			"resolved": "https://registry.npmjs.org/@authorizerdev/authorizer-react/-/authorizer-react-0.4.3.tgz",
+			"resolved": "https://registry.npmjs.org/@authorizerdev/authorizer-react/-/authorizer-react-0.9.0-beta.7.tgz",
-			"integrity": "sha512-o/wWe9zZ3ARYdjbDfhGfvOxe1YQrE1YQ+UN9pcq85YSDkbfBkOfcnJ4YxlxWdL0Obd/ErDIeQ3vskyrfvRf3sA==",
+			"integrity": "sha512-hCGsVionKMZNk+uD0CLtMIkUzhQqpHbVntko3rY+O7ouOrTrikY/WQVPbo1bqX1cu/6/cHE4RVU3cZ7V5xnxVg==",
 			"dependencies": {
-				"@authorizerdev/authorizer-js": "^0.2.1",
+				"@authorizerdev/authorizer-js": "^0.4.0-beta.3",
 				"final-form": "^4.20.2",
 				"react-final-form": "^6.5.3",
 				"styled-components": "^5.3.0"
@@ -829,19 +829,19 @@
 	},
 	"dependencies": {
 		"@authorizerdev/authorizer-js": {
-			"version": "0.2.1",
+			"version": "0.4.0-beta.3",
-			"resolved": "https://registry.npmjs.org/@authorizerdev/authorizer-js/-/authorizer-js-0.2.1.tgz",
+			"resolved": "https://registry.npmjs.org/@authorizerdev/authorizer-js/-/authorizer-js-0.4.0-beta.3.tgz",
-			"integrity": "sha512-5lQlh+nc5xTsPongfTyCSX24A1WESu/BjhmZwUNuScEOGady0qPoDHE3RBf46dpi5v05wbHCDN1IFEalX5zssQ==",
+			"integrity": "sha512-OGZc6I6cnpi/WkSotkjVIc3LEzl8pFeiohr8+Db9xWd75/oTfOZqWRuIHTnTc1FC+6Sv2EjTJ9Aa6lrloWG+NQ==",
 			"requires": {
 				"node-fetch": "^2.6.1"
 			}
 		},
 		"@authorizerdev/authorizer-react": {
-			"version": "0.4.3",
+			"version": "0.9.0-beta.7",
-			"resolved": "https://registry.npmjs.org/@authorizerdev/authorizer-react/-/authorizer-react-0.4.3.tgz",
+			"resolved": "https://registry.npmjs.org/@authorizerdev/authorizer-react/-/authorizer-react-0.9.0-beta.7.tgz",
-			"integrity": "sha512-o/wWe9zZ3ARYdjbDfhGfvOxe1YQrE1YQ+UN9pcq85YSDkbfBkOfcnJ4YxlxWdL0Obd/ErDIeQ3vskyrfvRf3sA==",
+			"integrity": "sha512-hCGsVionKMZNk+uD0CLtMIkUzhQqpHbVntko3rY+O7ouOrTrikY/WQVPbo1bqX1cu/6/cHE4RVU3cZ7V5xnxVg==",
 			"requires": {
-				"@authorizerdev/authorizer-js": "^0.2.1",
+				"@authorizerdev/authorizer-js": "^0.4.0-beta.3",
 				"final-form": "^4.20.2",
 				"react-final-form": "^6.5.3",
 				"styled-components": "^5.3.0"

app/src/App.tsx

@@ -2,10 +2,33 @@ import React from 'react';
 import { BrowserRouter } from 'react-router-dom';
 import { AuthorizerProvider } from '@authorizerdev/authorizer-react';
 import Root from './Root';
+import { createRandomString } from './utils/common';
 
 export default function App() {
-	// @ts-ignore
+	const searchParams = new URLSearchParams(window.location.search);
-	const globalState: Record<string, string> = window['__authorizer__'];
+	const state = searchParams.get('state') || createRandomString();
+	const scope = searchParams.get('scope')
+		? searchParams.get('scope')?.toString().split(' ')
+		: `openid profile email`;
+
+	const urlProps: Record<string, any> = {
+		state,
+		scope,
+	};
+
+	const redirectURL =
+		searchParams.get('redirect_uri') || searchParams.get('redirectURL');
+	if (redirectURL) {
+		urlProps.redirectURL = redirectURL;
+	} else {
+		urlProps.redirectURL = window.location.origin;
+	}
+	const globalState: Record<string, string> = {
+		// @ts-ignore
+		...window['__authorizer__'],
+		...urlProps,
+	};
+
 	return (
 		<div
 			style={{
@@ -30,15 +53,7 @@ export default function App() {
 				/>
 				<h1>{globalState.organizationName}</h1>
 			</div>
-			<div
+			<div className="container">
-				style={{
-					width: 400,
-					margin: `10px auto`,
-					border: `1px solid #D1D5DB`,
-					padding: `25px 20px`,
-					borderRadius: 5,
-				}}
-			>
 				<BrowserRouter>
 					<AuthorizerProvider
 						config={{
@@ -46,7 +61,7 @@ export default function App() {
 							redirectURL: globalState.redirectURL,
 						}}
 					>
-						<Root />
+						<Root globalState={globalState} />
 					</AuthorizerProvider>
 				</BrowserRouter>
 			</div>

app/src/Root.tsx

@@ -6,14 +6,30 @@ const ResetPassword = lazy(() => import('./pages/rest-password'));
 const Login = lazy(() => import('./pages/login'));
 const Dashboard = lazy(() => import('./pages/dashboard'));
 
-export default function Root() {
+export default function Root({
+	globalState,
+}: {
+	globalState: Record<string, string>;
+}) {
 	const { token, loading, config } = useAuthorizer();
 
 	useEffect(() => {
 		if (token) {
-			const url = new URL(config.redirectURL || '/app');
+			let redirectURL = config.redirectURL || '/app';
+			let params = `access_token=${token.access_token}&id_token=${token.id_token}&expires_in=${token.expires_in}&state=${globalState.state}`;
+			if (token.refresh_token) {
+				params += `&refresh_token=${token.refresh_token}`;
+			}
+			const url = new URL(redirectURL);
+			if (redirectURL.includes('?')) {
+				redirectURL = `${redirectURL}&${params}`;
+			} else {
+				redirectURL = `${redirectURL}?${params}`;
+			}
+
 			if (url.origin !== window.location.origin) {
-				window.location.href = config.redirectURL || '/app';
+				sessionStorage.removeItem('authorizer_state');
+				window.location.replace(redirectURL);
 			}
 		}
 		return () => {};

app/src/index.css

@@ -1,5 +1,5 @@
 body {
-	margin: 0;
+	margin: 10;
 	font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Roboto', 'Oxygen',
 		'Ubuntu', 'Cantarell', 'Fira Sans', 'Droid Sans', 'Helvetica Neue',
 		sans-serif;
@@ -14,3 +14,17 @@ body {
 *:after {
 	box-sizing: inherit;
 }
+
+.container {
+	box-sizing: content-box;
+	border: 1px solid #d1d5db;
+	padding: 25px 20px;
+	border-radius: 5px;
+}
+
+@media only screen and (min-width: 768px) {
+	.container {
+		width: 400px;
+		margin: 0 auto;
+	}
+}

app/src/utils/common.ts

@@ -0,0 +1,22 @@
+export const getCrypto = () => {
+	//ie 11.x uses msCrypto
+	return (window.crypto || (window as any).msCrypto) as Crypto;
+};
+
+export const createRandomString = () => {
+	const charset =
+		'0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-_~.';
+	let random = '';
+	const randomValues = Array.from(
+		getCrypto().getRandomValues(new Uint8Array(43))
+	);
+	randomValues.forEach((v) => (random += charset[v % charset.length]));
+	return random;
+};
+
+export const createQueryParams = (params: any) => {
+	return Object.keys(params)
+		.filter((k) => typeof params[k] !== 'undefined')
+		.map((k) => encodeURIComponent(k) + '=' + encodeURIComponent(params[k]))
+		.join('&');
+};

dashboard/src/components/Menu.tsx

@@ -29,10 +29,11 @@ import {
 } from 'react-icons/fi';
 import { IconType } from 'react-icons';
 import { ReactText } from 'react';
-import { useMutation } from 'urql';
+import { useMutation, useQuery } from 'urql';
 import { NavLink, useNavigate, useLocation } from 'react-router-dom';
 import { useAuthContext } from '../contexts/AuthContext';
 import { AdminLogout } from '../graphql/mutation';
+import { MetaQuery } from '../graphql/queries';
 
 interface LinkItemProps {
 	name: string;
@@ -51,6 +52,7 @@ interface SidebarProps extends BoxProps {
 
 export const Sidebar = ({ onClose, ...rest }: SidebarProps) => {
 	const { pathname } = useLocation();
+	const [{ fetching, data }] = useQuery({ query: MetaQuery });
 	return (
 		<Box
 			transition="3s ease"
@@ -98,6 +100,19 @@ export const Sidebar = ({ onClose, ...rest }: SidebarProps) => {
 			>
 				<NavItem icon={FiCode}>API Playground</NavItem>
 			</Link>
+
+			{data?.meta?.version && (
+				<Text
+					color="gray.600"
+					fontSize="sm"
+					textAlign="center"
+					position="absolute"
+					bottom="5"
+					left="7"
+				>
+					Current Version: {data.meta.version}
+				</Text>
+			)}
 		</Box>
 	);
 };

dashboard/src/constants.ts

@@ -2,6 +2,7 @@ export const LOGO_URL =
 	'https://user-images.githubusercontent.com/6964334/147834043-fc384cab-e7ca-40f8-9663-38fc25fd5f3a.png';
 
 export const TextInputType = {
+	CLIENT_ID: 'CLIENT_ID',
 	GOOGLE_CLIENT_ID: 'GOOGLE_CLIENT_ID',
 	GITHUB_CLIENT_ID: 'GITHUB_CLIENT_ID',
 	FACEBOOK_CLIENT_ID: 'FACEBOOK_CLIENT_ID',
@@ -25,6 +26,7 @@ export const TextInputType = {
 };
 
 export const HiddenInputType = {
+	CLIENT_SECRET: 'CLIENT_SECRET',
 	GOOGLE_CLIENT_SECRET: 'GOOGLE_CLIENT_SECRET',
 	GITHUB_CLIENT_SECRET: 'GITHUB_CLIENT_SECRET',
 	FACEBOOK_CLIENT_SECRET: 'FACEBOOK_CLIENT_SECRET',

dashboard/src/graphql/queries/index.ts

@@ -1,3 +1,12 @@
+export const MetaQuery = `
+  query MetaQuery {
+    meta {
+      version
+      client_id
+    }
+  }
+`;
+
 export const AdminSessionQuery = `
   query {
     _admin_session{
@@ -9,6 +18,8 @@ export const AdminSessionQuery = `
 export const EnvVariablesQuery = `
   query {
     _env{
+      CLIENT_ID,
+      CLIENT_SECRET,
 	    GOOGLE_CLIENT_ID,
       GOOGLE_CLIENT_SECRET,
       GITHUB_CLIENT_ID,

dashboard/src/layouts/AuthLayout.tsx

@@ -1,8 +1,10 @@
-import { Box, Center, Flex, Image, Text } from '@chakra-ui/react';
+import { Box, Flex, Image, Text, Spinner } from '@chakra-ui/react';
 import React from 'react';
-import { LOGO_URL } from '../constants';
+import { useQuery } from 'urql';
+import { MetaQuery } from '../graphql/queries';
 
 export function AuthLayout({ children }: { children: React.ReactNode }) {
+	const [{ fetching, data }] = useQuery({ query: MetaQuery });
 	return (
 		<Flex
 			flexWrap="wrap"
@@ -23,9 +25,18 @@ export function AuthLayout({ children }: { children: React.ReactNode }) {
 				</Text>
 			</Flex>
 
-			<Box p="6" m="5" rounded="5" bg="white" w="500px" shadow="xl">
+			{fetching ? (
-				{children}
+				<Spinner />
-			</Box>
+			) : (
+				<>
+					<Box p="6" m="5" rounded="5" bg="white" w="500px" shadow="xl">
+						{children}
+					</Box>
+					<Text color="gray.600" fontSize="sm">
+						Current Version: {data.meta.version}
+					</Text>
+				</>
+			)}
 		</Flex>
 	);
 }

dashboard/src/pages/Auth.tsx

@@ -6,7 +6,6 @@ import {
 	useToast,
 	VStack,
 	Text,
-	Divider,
 } from '@chakra-ui/react';
 import React, { useEffect } from 'react';
 import { useMutation } from 'urql';

dashboard/src/pages/Environment.tsx

@@ -240,6 +240,42 @@ export default function Environment() {
 
 	return (
 		<Box m="5" py="5" px="10" bg="white" rounded="md">
+			<Text fontSize="md" paddingTop="2%" fontWeight="bold">
+				Your instance information
+			</Text>
+			<Stack spacing={6} padding="2% 0%">
+				<Flex>
+					<Flex w="30%" justifyContent="start" alignItems="center">
+						<Text fontSize="sm">Client ID</Text>
+					</Flex>
+					<Center w="70%">
+						<InputField
+							variables={envVariables}
+							setVariables={() => {}}
+							inputType={TextInputType.CLIENT_ID}
+							placeholder="Client ID"
+							isDisabled={true}
+						/>
+					</Center>
+				</Flex>
+				<Flex>
+					<Flex w="30%" justifyContent="start" alignItems="center">
+						<Text fontSize="sm">Client Secret</Text>
+					</Flex>
+					<Center w="70%">
+						<InputField
+							variables={envVariables}
+							setVariables={setEnvVariables}
+							fieldVisibility={fieldVisibility}
+							setFieldVisibility={setFieldVisibility}
+							inputType={HiddenInputType.CLIENT_SECRET}
+							placeholder="Client Secret"
+							isDisabled={true}
+						/>
+					</Center>
+				</Flex>
+			</Stack>
+			<Divider marginTop="2%" marginBottom="2%" />
 			<Text fontSize="md" paddingTop="2%" fontWeight="bold">
 				Social Media Logins
 			</Text>

server/constants/env.go

@@ -59,8 +59,6 @@ const (
 	EnvKeyAdminCookieName = "ADMIN_COOKIE_NAME"
 	// EnvKeyResetPasswordURL key for env variable RESET_PASSWORD_URL
 	EnvKeyResetPasswordURL = "RESET_PASSWORD_URL"
-	// EnvKeyEncryptionKey key for env variable ENCRYPTION_KEY
-	EnvKeyEncryptionKey = "ENCRYPTION_KEY"
 	// EnvKeyDisableEmailVerification key for env variable DISABLE_EMAIL_VERIFICATION
 	EnvKeyDisableEmailVerification = "DISABLE_EMAIL_VERIFICATION"
 	// EnvKeyDisableBasicAuthentication key for env variable DISABLE_BASIC_AUTH
@@ -93,8 +91,18 @@ const (
 	EnvKeyOrganizationName = "ORGANIZATION_NAME"
 	// EnvKeyOrganizationLogo key for env variable ORGANIZATION_LOGO
 	EnvKeyOrganizationLogo = "ORGANIZATION_LOGO"
-	// EnvKeyIsProd key for env variable IS_PROD
-	EnvKeyIsProd = "IS_PROD"
 	// EnvKeyCustomAccessTokenScript key for env variable CUSTOM_ACCESS_TOKEN_SCRIPT
 	EnvKeyCustomAccessTokenScript = "CUSTOM_ACCESS_TOKEN_SCRIPT"
+
+	// Not Exposed Keys
+	// EnvKeyClientID key for env variable CLIENT_ID
+	EnvKeyClientID = "CLIENT_ID"
+	// EnvKeyClientSecret key for env variable CLIENT_SECRET
+	EnvKeyClientSecret = "CLIENT_SECRET"
+	// EnvKeyEncryptionKey key for env variable ENCRYPTION_KEY
+	EnvKeyEncryptionKey = "ENCRYPTION_KEY"
+	// EnvKeyJWK key for env variable JWK
+	EnvKeyJWK = "JWK"
+	// EnvKeyIsProd key for env variable IS_PROD
+	EnvKeyIsProd = "IS_PROD"
 )

server/constants/token_types.go

@@ -5,4 +5,6 @@ const (
 	TokenTypeRefreshToken = "refresh_token"
 	// TokenTypeAccessToken is the access_token token type
 	TokenTypeAccessToken = "access_token"
+	// TokenTypeIdentityToken is the identity_token token type
+	TokenTypeIdentityToken = "id_token"
 )

server/cookie/admin_cookie.go

@@ -16,12 +16,12 @@ func SetAdminCookie(gc *gin.Context, token string) {
 	hostname := utils.GetHost(gc)
 	host, _ := utils.GetHostParts(hostname)
 
-	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), token, 3600, "/", host, secure, httpOnly)
+	gc.SetCookie(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), token, 3600, "/", host, secure, httpOnly)
 }
 
 // GetAdminCookie gets the admin cookie from the request
 func GetAdminCookie(gc *gin.Context) (string, error) {
-	cookie, err := gc.Request.Cookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName))
+	cookie, err := gc.Request.Cookie(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName))
 	if err != nil {
 		return "", err
 	}
@@ -42,5 +42,5 @@ func DeleteAdminCookie(gc *gin.Context) {
 	hostname := utils.GetHost(gc)
 	host, _ := utils.GetHostParts(hostname)
 
-	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), "", -1, "/", host, secure, httpOnly)
+	gc.SetCookie(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), "", -1, "/", host, secure, httpOnly)
 }

server/cookie/cookie.go

@@ -10,13 +10,8 @@ import (
 	"github.com/gin-gonic/gin"
 )
 
-// SetCookie sets the cookie in the response. It sets 4 cookies
+// SetSession sets the session cookie in the response
-// 1 COOKIE_NAME.access_token jwt token for the host (temp.abc.com)
+func SetSession(gc *gin.Context, sessionID string) {
-// 2 COOKIE_NAME.access_token.domain jwt token for the domain (abc.com).
-// 3 COOKIE_NAME.fingerprint fingerprint hash for the refresh token verification.
-// 4 COOKIE_NAME.refresh_token refresh token
-// Note all sites don't allow 2nd type of cookie
-func SetCookie(gc *gin.Context, accessToken, refreshToken, fingerprintHash string) {
 	secure := true
 	httpOnly := true
 	hostname := utils.GetHost(gc)
@@ -26,77 +21,45 @@ func SetCookie(gc *gin.Context, accessToken, refreshToken, fingerprintHash strin
 		domain = "." + domain
 	}
 
+	// TODO allow configuring from dashboard
 	year := 60 * 60 * 24 * 365
-	thirtyMin := 60 * 30
 
 	gc.SetSameSite(http.SameSiteNoneMode)
-	// set cookie for host
+	gc.SetCookie(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+"_session", sessionID, year, "/", host, secure, httpOnly)
-	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".access_token", accessToken, thirtyMin, "/", host, secure, httpOnly)
+	gc.SetCookie(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+"_session_domain", sessionID, year, "/", domain, secure, httpOnly)
-
-	// in case of subdomain, set cookie for domain
-	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".access_token.domain", accessToken, thirtyMin, "/", domain, secure, httpOnly)
-
-	// set finger print cookie (this should be accessed via cookie only)
-	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".fingerprint", fingerprintHash, year, "/", host, secure, httpOnly)
-
-	// set refresh token cookie (this should be accessed via cookie only)
-	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".refresh_token", refreshToken, year, "/", host, secure, httpOnly)
 }
 
-// GetAccessTokenCookie to get access token cookie from the request
+// DeleteSession sets session cookies to expire
-func GetAccessTokenCookie(gc *gin.Context) (string, error) {
+func DeleteSession(gc *gin.Context) {
-	cookie, err := gc.Request.Cookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName) + ".access_token")
+	secure := true
+	httpOnly := true
+	hostname := utils.GetHost(gc)
+	host, _ := utils.GetHostParts(hostname)
+	domain := utils.GetDomainName(hostname)
+	if domain != "localhost" {
+		domain = "." + domain
+	}
+
+	gc.SetSameSite(http.SameSiteNoneMode)
+	gc.SetCookie(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+"_session", "", -1, "/", host, secure, httpOnly)
+	gc.SetCookie(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+"_session_domain", "", -1, "/", domain, secure, httpOnly)
+}
+
+// GetSession gets the session cookie from context
+func GetSession(gc *gin.Context) (string, error) {
+	var cookie *http.Cookie
+	var err error
+	cookie, err = gc.Request.Cookie(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName) + "_session")
 	if err != nil {
-		cookie, err = gc.Request.Cookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName) + ".access_token.domain")
+		cookie, err = gc.Request.Cookie(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName) + "_session_domain")
 		if err != nil {
 			return "", err
 		}
 	}
 
-	return cookie.Value, nil
+	decodedValue, err := url.PathUnescape(cookie.Value)
-}
-
-// GetRefreshTokenCookie to get refresh token cookie
-func GetRefreshTokenCookie(gc *gin.Context) (string, error) {
-	cookie, err := gc.Request.Cookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName) + ".refresh_token")
 	if err != nil {
 		return "", err
 	}
-
-	return cookie.Value, nil
-}
-
-// GetFingerPrintCookie to get fingerprint cookie
-func GetFingerPrintCookie(gc *gin.Context) (string, error) {
-	cookie, err := gc.Request.Cookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName) + ".fingerprint")
-	if err != nil {
-		return "", err
-	}
-
-	// cookie escapes special characters like $
-	// hence we need to unescape before comparing
-	decodedValue, err := url.QueryUnescape(cookie.Value)
-	if err != nil {
-		return "", err
-	}
-
 	return decodedValue, nil
 }
-
-// DeleteCookie sets response cookies to expire
-func DeleteCookie(gc *gin.Context) {
-	secure := true
-	httpOnly := true
-	hostname := utils.GetHost(gc)
-	host, _ := utils.GetHostParts(hostname)
-	domain := utils.GetDomainName(hostname)
-	if domain != "localhost" {
-		domain = "." + domain
-	}
-
-	gc.SetSameSite(http.SameSiteNoneMode)
-	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".access_token", "", -1, "/", host, secure, httpOnly)
-	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".access_token.domain", "", -1, "/", domain, secure, httpOnly)
-	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".fingerprint", "", -1, "/", host, secure, httpOnly)
-	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".refresh_token", "", -1, "/", host, secure, httpOnly)
-}

server/crypto/aes.go

@@ -1,35 +1,52 @@
-package utils
+package crypto
 
 import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/rand"
-	"encoding/base64"
-	"encoding/json"
 	"io"
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/envstore"
-	"golang.org/x/crypto/bcrypt"
 )
 
-// EncryptB64 encrypts data into base64 string
+var bytes = []byte{35, 46, 57, 24, 85, 35, 24, 74, 87, 35, 88, 98, 66, 32, 14, 0o5}
-func EncryptB64(text string) string {
-	return base64.StdEncoding.EncodeToString([]byte(text))
-}
 
-// DecryptB64 decrypts from base64 string to readable string
+// EncryptAES method is to encrypt or hide any classified text
-func DecryptB64(s string) (string, error) {
+func EncryptAES(text string) (string, error) {
-	data, err := base64.StdEncoding.DecodeString(s)
+	key := []byte(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyEncryptionKey))
+	block, err := aes.NewCipher(key)
 	if err != nil {
 		return "", err
 	}
-	return string(data), nil
+	plainText := []byte(text)
+	cfb := cipher.NewCFBEncrypter(block, bytes)
+	cipherText := make([]byte, len(plainText))
+	cfb.XORKeyStream(cipherText, plainText)
+	return EncryptB64(string(cipherText)), nil
 }
 
-// EncryptAES encrypts data using AES algorithm
+// DecryptAES method is to extract back the encrypted text
-func EncryptAES(text []byte) ([]byte, error) {
+func DecryptAES(text string) (string, error) {
-	key := []byte(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyEncryptionKey))
+	key := []byte(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyEncryptionKey))
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return "", err
+	}
+	cipherText, err := DecryptB64(text)
+	if err != nil {
+		return "", err
+	}
+	cfb := cipher.NewCFBDecrypter(block, bytes)
+	plainText := make([]byte, len(cipherText))
+	cfb.XORKeyStream(plainText, []byte(cipherText))
+	return string(plainText), nil
+}
+
+// EncryptAESEnv encrypts data using AES algorithm
+// kept for the backward compatibility of env data encryption
+func EncryptAESEnv(text []byte) ([]byte, error) {
+	key := []byte(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyEncryptionKey))
 	c, err := aes.NewCipher(key)
 	var res []byte
 	if err != nil {
@@ -62,8 +79,9 @@ func EncryptAES(text []byte) ([]byte, error) {
 }
 
 // DecryptAES decrypts data using AES algorithm
-func DecryptAES(ciphertext []byte) ([]byte, error) {
+// Kept for the backward compatibility of env data decryption
-	key := []byte(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyEncryptionKey))
+func DecryptAESEnv(ciphertext []byte) ([]byte, error) {
+	key := []byte(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyEncryptionKey))
 	c, err := aes.NewCipher(key)
 	var res []byte
 	if err != nil {
@@ -88,39 +106,3 @@ func DecryptAES(ciphertext []byte) ([]byte, error) {
 
 	return plaintext, nil
 }
-
-// EncryptEnvData is used to encrypt the env data
-func EncryptEnvData(data envstore.Store) (string, error) {
-	jsonBytes, err := json.Marshal(data)
-	if err != nil {
-		return "", err
-	}
-
-	envStoreObj := envstore.EnvInMemoryStoreObj.GetEnvStoreClone()
-
-	err = json.Unmarshal(jsonBytes, &envStoreObj)
-	if err != nil {
-		return "", err
-	}
-
-	configData, err := json.Marshal(envStoreObj)
-	if err != nil {
-		return "", err
-	}
-	encryptedConfig, err := EncryptAES(configData)
-	if err != nil {
-		return "", err
-	}
-
-	return EncryptB64(string(encryptedConfig)), nil
-}
-
-// EncryptPassword is used for encrypting password
-func EncryptPassword(password string) (string, error) {
-	pw, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
-	if err != nil {
-		return "", err
-	}
-
-	return string(pw), nil
-}

server/crypto/b64.go

@@ -0,0 +1,17 @@
+package crypto
+
+import "encoding/base64"
+
+// EncryptB64 encrypts data into base64 string
+func EncryptB64(text string) string {
+	return base64.StdEncoding.EncodeToString([]byte(text))
+}
+
+// DecryptB64 decrypts from base64 string to readable string
+func DecryptB64(s string) (string, error) {
+	data, err := base64.StdEncoding.DecodeString(s)
+	if err != nil {
+		return "", err
+	}
+	return string(data), nil
+}

server/crypto/common.go

@@ -0,0 +1,114 @@
+package crypto
+
+import (
+	"crypto/x509"
+	"encoding/json"
+
+	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/envstore"
+	"golang.org/x/crypto/bcrypt"
+	"gopkg.in/square/go-jose.v2"
+)
+
+// GetPubJWK returns JWK for given keys
+func GetPubJWK(algo, keyID string, publicKey interface{}) (string, error) {
+	jwk := &jose.JSONWebKeySet{
+		Keys: []jose.JSONWebKey{
+			{
+				Algorithm:                   algo,
+				Key:                         publicKey,
+				Use:                         "sig",
+				KeyID:                       keyID,
+				Certificates:                []*x509.Certificate{},
+				CertificateThumbprintSHA1:   []uint8{},
+				CertificateThumbprintSHA256: []uint8{},
+			},
+		},
+	}
+	jwkPublicKey, err := jwk.Keys[0].MarshalJSON()
+	if err != nil {
+		return "", err
+	}
+	return string(jwkPublicKey), nil
+}
+
+// GenerateJWKBasedOnEnv generates JWK based on env
+// make sure clientID, jwtType, jwtSecret / public & private key pair is set
+// this is called while initializing app / when env is updated
+func GenerateJWKBasedOnEnv() (string, error) {
+	jwk := ""
+	algo := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtType)
+	clientID := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyClientID)
+
+	var err error
+	// check if jwt secret is provided
+	if IsHMACA(algo) {
+		jwk, err = GetPubJWK(algo, clientID, []byte(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtSecret)))
+		if err != nil {
+			return "", err
+		}
+	}
+
+	if IsRSA(algo) {
+		publicKeyInstance, err := ParseRsaPublicKeyFromPemStr(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtPublicKey))
+		if err != nil {
+			return "", err
+		}
+
+		jwk, err = GetPubJWK(algo, clientID, publicKeyInstance)
+		if err != nil {
+			return "", err
+		}
+	}
+
+	if IsECDSA(algo) {
+		publicKeyInstance, err := ParseEcdsaPublicKeyFromPemStr(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtPublicKey))
+		if err != nil {
+			return "", err
+		}
+
+		jwk, err = GetPubJWK(algo, clientID, publicKeyInstance)
+		if err != nil {
+			return "", err
+		}
+	}
+
+	return jwk, nil
+}
+
+// EncryptEnvData is used to encrypt the env data
+func EncryptEnvData(data envstore.Store) (string, error) {
+	jsonBytes, err := json.Marshal(data)
+	if err != nil {
+		return "", err
+	}
+
+	storeData := envstore.EnvStoreObj.GetEnvStoreClone()
+
+	err = json.Unmarshal(jsonBytes, &storeData)
+	if err != nil {
+		return "", err
+	}
+
+	configData, err := json.Marshal(storeData)
+	if err != nil {
+		return "", err
+	}
+
+	encryptedConfig, err := EncryptAESEnv(configData)
+	if err != nil {
+		return "", err
+	}
+
+	return EncryptB64(string(encryptedConfig)), nil
+}
+
+// EncryptPassword is used for encrypting password
+func EncryptPassword(password string) (string, error) {
+	pw, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	if err != nil {
+		return "", err
+	}
+
+	return string(pw), nil
+}

server/crypto/ecdsa.go

@@ -0,0 +1,154 @@
+package crypto
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+)
+
+// NewECDSAKey to generate new ECDSA Key if env is not set
+// returns key instance, private key string, public key string, jwk string, error
+func NewECDSAKey(algo, keyID string) (*ecdsa.PrivateKey, string, string, string, error) {
+	var curve elliptic.Curve
+	switch algo {
+	case "ES256":
+		curve = elliptic.P256()
+	case "ES384":
+		curve = elliptic.P384()
+	case "ES512":
+		curve = elliptic.P521()
+	default:
+		return nil, "", "", "", errors.New("Invalid algo")
+	}
+	key, err := ecdsa.GenerateKey(curve, rand.Reader)
+	if err != nil {
+		return nil, "", "", "", err
+	}
+
+	privateKey, publicKey, err := AsECDSAStr(key, &key.PublicKey)
+	if err != nil {
+		return nil, "", "", "", err
+	}
+
+	jwkPublicKey, err := GetPubJWK(algo, keyID, &key.PublicKey)
+	if err != nil {
+		return nil, "", "", "", err
+	}
+
+	return key, privateKey, publicKey, string(jwkPublicKey), err
+}
+
+// IsECDSA checks if given string is valid ECDSA algo
+func IsECDSA(algo string) bool {
+	switch algo {
+	case "ES256", "ES384", "ES512":
+		return true
+	default:
+		return false
+	}
+}
+
+// ExportEcdsaPrivateKeyAsPemStr to get ECDSA private key as pem string
+func ExportEcdsaPrivateKeyAsPemStr(privkey *ecdsa.PrivateKey) (string, error) {
+	privkeyBytes, err := x509.MarshalECPrivateKey(privkey)
+	if err != nil {
+		return "", err
+	}
+	privkeyPem := pem.EncodeToMemory(
+		&pem.Block{
+			Type:  "ECDSA PRIVATE KEY",
+			Bytes: privkeyBytes,
+		},
+	)
+	return string(privkeyPem), nil
+}
+
+// ExportEcdsaPublicKeyAsPemStr to get ECDSA public key as pem string
+func ExportEcdsaPublicKeyAsPemStr(pubkey *ecdsa.PublicKey) (string, error) {
+	pubkeyBytes, err := x509.MarshalPKIXPublicKey(pubkey)
+	if err != nil {
+		return "", err
+	}
+	pubkeyPem := pem.EncodeToMemory(
+		&pem.Block{
+			Type:  "ECDSA PUBLIC KEY",
+			Bytes: pubkeyBytes,
+		},
+	)
+
+	return string(pubkeyPem), nil
+}
+
+// ParseEcdsaPrivateKeyFromPemStr to parse ECDSA private key from pem string
+func ParseEcdsaPrivateKeyFromPemStr(privPEM string) (*ecdsa.PrivateKey, error) {
+	block, _ := pem.Decode([]byte(privPEM))
+	if block == nil {
+		return nil, errors.New("failed to parse PEM block containing the key")
+	}
+
+	priv, err := x509.ParseECPrivateKey(block.Bytes)
+	if err != nil {
+		return nil, err
+	}
+
+	return priv, nil
+}
+
+// ParseEcdsaPublicKeyFromPemStr to parse ECDSA public key from pem string
+func ParseEcdsaPublicKeyFromPemStr(pubPEM string) (*ecdsa.PublicKey, error) {
+	block, _ := pem.Decode([]byte(pubPEM))
+	if block == nil {
+		return nil, errors.New("failed to parse PEM block containing the key")
+	}
+
+	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
+	if err != nil {
+		return nil, err
+	}
+
+	switch pub := pub.(type) {
+	case *ecdsa.PublicKey:
+		return pub, nil
+	default:
+		break // fall through
+	}
+	return nil, errors.New("Key type is not ECDSA")
+}
+
+// AsECDSAStr returns private, public key string or error
+func AsECDSAStr(privateKey *ecdsa.PrivateKey, publicKey *ecdsa.PublicKey) (string, string, error) {
+	// Export the keys to pem string
+	privPem, err := ExportEcdsaPrivateKeyAsPemStr(privateKey)
+	if err != nil {
+		return "", "", err
+	}
+	pubPem, err := ExportEcdsaPublicKeyAsPemStr(publicKey)
+	if err != nil {
+		return "", "", err
+	}
+
+	// Import the keys from pem string
+	privParsed, err := ParseEcdsaPrivateKeyFromPemStr(privPem)
+	if err != nil {
+		return "", "", err
+	}
+	pubParsed, err := ParseEcdsaPublicKeyFromPemStr(pubPem)
+	if err != nil {
+		return "", "", err
+	}
+
+	// Export the newly imported keys
+	privParsedPem, err := ExportEcdsaPrivateKeyAsPemStr(privParsed)
+	if err != nil {
+		return "", "", err
+	}
+	pubParsedPem, err := ExportEcdsaPublicKeyAsPemStr(pubParsed)
+	if err != nil {
+		return "", "", err
+	}
+
+	return privParsedPem, pubParsedPem, nil
+}

server/crypto/hmac.go

@@ -0,0 +1,26 @@
+package crypto
+
+import (
+	"github.com/google/uuid"
+)
+
+// NewHMAC key returns new key that can be used to ecnrypt data using HMAC algo
+// returns key, string, error
+func NewHMACKey(algo, keyID string) (string, string, error) {
+	key := uuid.New().String()
+	jwkPublicKey, err := GetPubJWK(algo, keyID, []byte(key))
+	if err != nil {
+		return "", "", err
+	}
+	return key, string(jwkPublicKey), nil
+}
+
+// IsHMACValid checks if given string is valid HMCA algo
+func IsHMACA(algo string) bool {
+	switch algo {
+	case "HS256", "HS384", "HS512":
+		return true
+	default:
+		return false
+	}
+}

server/crypto/rsa.go

@@ -0,0 +1,118 @@
+package crypto
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+)
+
+// NewRSAKey to generate new RSA Key if env is not set
+// returns key instance, private key string, public key string, jwk string, error
+func NewRSAKey(algo, keyID string) (*rsa.PrivateKey, string, string, string, error) {
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, "", "", "", err
+	}
+
+	privateKey, publicKey, err := AsRSAStr(key, &key.PublicKey)
+	if err != nil {
+		return nil, "", "", "", err
+	}
+
+	jwkPublicKey, err := GetPubJWK(algo, keyID, &key.PublicKey)
+	if err != nil {
+		return nil, "", "", "", err
+	}
+
+	return key, privateKey, publicKey, string(jwkPublicKey), err
+}
+
+// IsRSA checks if given string is valid RSA algo
+func IsRSA(algo string) bool {
+	switch algo {
+	case "RS256", "RS384", "RS512":
+		return true
+	default:
+		return false
+	}
+}
+
+// ExportRsaPrivateKeyAsPemStr to get RSA private key as pem string
+func ExportRsaPrivateKeyAsPemStr(privkey *rsa.PrivateKey) string {
+	privkeyBytes := x509.MarshalPKCS1PrivateKey(privkey)
+	privkeyPem := pem.EncodeToMemory(
+		&pem.Block{
+			Type:  "RSA PRIVATE KEY",
+			Bytes: privkeyBytes,
+		},
+	)
+	return string(privkeyPem)
+}
+
+// ExportRsaPublicKeyAsPemStr to get RSA public key as pem string
+func ExportRsaPublicKeyAsPemStr(pubkey *rsa.PublicKey) string {
+	pubkeyBytes := x509.MarshalPKCS1PublicKey(pubkey)
+	pubkeyPem := pem.EncodeToMemory(
+		&pem.Block{
+			Type:  "RSA PUBLIC KEY",
+			Bytes: pubkeyBytes,
+		},
+	)
+
+	return string(pubkeyPem)
+}
+
+// ParseRsaPrivateKeyFromPemStr to parse RSA private key from pem string
+func ParseRsaPrivateKeyFromPemStr(privPEM string) (*rsa.PrivateKey, error) {
+	block, _ := pem.Decode([]byte(privPEM))
+	if block == nil {
+		return nil, errors.New("failed to parse PEM block containing the key")
+	}
+
+	priv, err := x509.ParsePKCS1PrivateKey(block.Bytes)
+	if err != nil {
+		return nil, err
+	}
+
+	return priv, nil
+}
+
+// ParseRsaPublicKeyFromPemStr to parse RSA public key from pem string
+func ParseRsaPublicKeyFromPemStr(pubPEM string) (*rsa.PublicKey, error) {
+	block, _ := pem.Decode([]byte(pubPEM))
+	if block == nil {
+		return nil, errors.New("failed to parse PEM block containing the key")
+	}
+
+	pub, err := x509.ParsePKCS1PublicKey(block.Bytes)
+	if err != nil {
+		return nil, err
+	}
+
+	return pub, nil
+}
+
+// AsRSAStr returns private, public key string or error
+func AsRSAStr(privateKey *rsa.PrivateKey, publickKey *rsa.PublicKey) (string, string, error) {
+	// Export the keys to pem string
+	privPem := ExportRsaPrivateKeyAsPemStr(privateKey)
+	pubPem := ExportRsaPublicKeyAsPemStr(publickKey)
+
+	// Import the keys from pem string
+	privParsed, err := ParseRsaPrivateKeyFromPemStr(privPem)
+	if err != nil {
+		return "", "", err
+	}
+	pubParsed, err := ParseRsaPublicKeyFromPemStr(pubPem)
+	if err != nil {
+		return "", "", err
+	}
+
+	// Export the newly imported keys
+	privParsedPem := ExportRsaPrivateKeyAsPemStr(privParsed)
+	pubParsedPem := ExportRsaPublicKeyAsPemStr(pubParsed)
+
+	return privParsedPem, pubParsedPem, nil
+}

server/db/db.go

@@ -1,8 +1,6 @@
 package db
 
 import (
-	"log"
-
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/db/providers"
 	"github.com/authorizerdev/authorizer/server/db/providers/arangodb"
@@ -14,31 +12,33 @@ import (
 // Provider returns the current database provider
 var Provider providers.Provider
 
-func InitDB() {
+func InitDB() error {
 	var err error
 
-	isSQL := envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseType) != constants.DbTypeArangodb && envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseType) != constants.DbTypeMongodb
+	isSQL := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseType) != constants.DbTypeArangodb && envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseType) != constants.DbTypeMongodb
-	isArangoDB := envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseType) == constants.DbTypeArangodb
+	isArangoDB := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseType) == constants.DbTypeArangodb
-	isMongoDB := envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseType) == constants.DbTypeMongodb
+	isMongoDB := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseType) == constants.DbTypeMongodb
 
 	if isSQL {
 		Provider, err = sql.NewProvider()
 		if err != nil {
-			log.Fatal("=> error setting sql provider:", err)
+			return err
 		}
 	}
 
 	if isArangoDB {
 		Provider, err = arangodb.NewProvider()
 		if err != nil {
-			log.Fatal("=> error setting arangodb provider:", err)
+			return err
 		}
 	}
 
 	if isMongoDB {
 		Provider, err = mongodb.NewProvider()
 		if err != nil {
-			log.Fatal("=> error setting arangodb provider:", err)
+			return err
 		}
 	}
+
+	return nil
 }

server/db/models/verification_requests.go

@@ -4,24 +4,28 @@ import "github.com/authorizerdev/authorizer/server/graph/model"
 
 // VerificationRequest model for db
 type VerificationRequest struct {
-	Key        string `json:"_key,omitempty" bson:"_key"` // for arangodb
+	Key         string `json:"_key,omitempty" bson:"_key"` // for arangodb
-	ID         string `gorm:"primaryKey;type:char(36)" json:"_id" bson:"_id"`
+	ID          string `gorm:"primaryKey;type:char(36)" json:"_id" bson:"_id"`
-	Token      string `gorm:"type:text" json:"token" bson:"token"`
+	Token       string `gorm:"type:text" json:"token" bson:"token"`
-	Identifier string `gorm:"uniqueIndex:idx_email_identifier" json:"identifier" bson:"identifier"`
+	Identifier  string `gorm:"uniqueIndex:idx_email_identifier" json:"identifier" bson:"identifier"`
-	ExpiresAt  int64  `json:"expires_at" bson:"expires_at"`
+	ExpiresAt   int64  `json:"expires_at" bson:"expires_at"`
-	CreatedAt  int64  `json:"created_at" bson:"created_at"`
+	CreatedAt   int64  `json:"created_at" bson:"created_at"`
-	UpdatedAt  int64  `json:"updated_at" bson:"updated_at"`
+	UpdatedAt   int64  `json:"updated_at" bson:"updated_at"`
-	Email      string `gorm:"uniqueIndex:idx_email_identifier" json:"email" bson:"email"`
+	Email       string `gorm:"uniqueIndex:idx_email_identifier" json:"email" bson:"email"`
+	Nonce       string `gorm:"type:text" json:"nonce" bson:"nonce"`
+	RedirectURI string `gorm:"type:text" json:"redirect_uri" bson:"redirect_uri"`
 }
 
 func (v *VerificationRequest) AsAPIVerificationRequest() *model.VerificationRequest {
 	return &model.VerificationRequest{
-		ID:         v.ID,
+		ID:          v.ID,
-		Token:      &v.Token,
+		Token:       &v.Token,
-		Identifier: &v.Identifier,
+		Identifier:  &v.Identifier,
-		Expires:    &v.ExpiresAt,
+		Expires:     &v.ExpiresAt,
-		CreatedAt:  &v.CreatedAt,
+		CreatedAt:   &v.CreatedAt,
-		UpdatedAt:  &v.UpdatedAt,
+		UpdatedAt:   &v.UpdatedAt,
-		Email:      &v.Email,
+		Email:       &v.Email,
+		Nonce:       &v.Nonce,
+		RedirectURI: &v.RedirectURI,
 	}
 }

server/db/providers/arangodb/arangodb.go

@@ -24,7 +24,7 @@ type provider struct {
 func NewProvider() (*provider, error) {
 	ctx := context.Background()
 	conn, err := http.NewConnection(http.ConnectionConfig{
-		Endpoints: []string{envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseURL)},
+		Endpoints: []string{envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseURL)},
 	})
 	if err != nil {
 		return nil, err
@@ -39,16 +39,16 @@ func NewProvider() (*provider, error) {
 
 	var arangodb driver.Database
 
-	arangodb_exists, err := arangoClient.DatabaseExists(nil, envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseName))
+	arangodb_exists, err := arangoClient.DatabaseExists(nil, envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseName))
 
 	if arangodb_exists {
-		log.Println(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseName) + " db exists already")
+		log.Println(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseName) + " db exists already")
-		arangodb, err = arangoClient.Database(nil, envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseName))
+		arangodb, err = arangoClient.Database(nil, envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseName))
 		if err != nil {
 			return nil, err
 		}
 	} else {
-		arangodb, err = arangoClient.CreateDatabase(nil, envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseName), nil)
+		arangodb, err = arangoClient.CreateDatabase(nil, envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseName), nil)
 		if err != nil {
 			return nil, err
 		}

server/db/providers/arangodb/session.go

@@ -34,7 +34,6 @@ func (p *provider) DeleteSession(userId string) error {
 	}
 	cursor, err := p.db.Query(nil, query, bindVars)
 	if err != nil {
-		log.Println("=> error deleting arangodb session:", err)
 		return err
 	}
 	defer cursor.Close()

server/db/providers/arangodb/user.go

@@ -23,7 +23,7 @@ func (p *provider) AddUser(user models.User) (models.User, error) {
 	}
 
 	if user.Roles == "" {
-		user.Roles = strings.Join(envstore.EnvInMemoryStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles), ",")
+		user.Roles = strings.Join(envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles), ",")
 	}
 
 	user.CreatedAt = time.Now().Unix()

server/db/providers/mongodb/mongodb.go

@@ -19,7 +19,7 @@ type provider struct {
 
 // NewProvider to initialize mongodb connection
 func NewProvider() (*provider, error) {
-	mongodbOptions := options.Client().ApplyURI(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseURL))
+	mongodbOptions := options.Client().ApplyURI(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseURL))
 	maxWait := time.Duration(5 * time.Second)
 	mongodbOptions.ConnectTimeout = &maxWait
 	mongoClient, err := mongo.NewClient(mongodbOptions)
@@ -37,7 +37,7 @@ func NewProvider() (*provider, error) {
 		return nil, err
 	}
 
-	mongodb := mongoClient.Database(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseName), options.Database())
+	mongodb := mongoClient.Database(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseName), options.Database())
 
 	mongodb.CreateCollection(ctx, models.Collections.User, options.CreateCollection())
 	userCollection := mongodb.Collection(models.Collections.User, options.Collection())

server/db/providers/mongodb/user.go

@@ -21,7 +21,7 @@ func (p *provider) AddUser(user models.User) (models.User, error) {
 	}
 
 	if user.Roles == "" {
-		user.Roles = strings.Join(envstore.EnvInMemoryStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles), ",")
+		user.Roles = strings.Join(envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles), ",")
 	}
 	user.CreatedAt = time.Now().Unix()
 	user.UpdatedAt = time.Now().Unix()

server/db/providers/sql/sql.go

@@ -41,22 +41,25 @@ func NewProvider() (*provider, error) {
 			TablePrefix: models.Prefix,
 		},
 	}
-	switch envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseType) {
+	switch envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseType) {
 	case constants.DbTypePostgres, constants.DbTypeYugabyte:
-		sqlDB, err = gorm.Open(postgres.Open(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseURL)), ormConfig)
+		sqlDB, err = gorm.Open(postgres.Open(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseURL)), ormConfig)
 	case constants.DbTypeSqlite:
-		sqlDB, err = gorm.Open(sqlite.Open(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseURL)), ormConfig)
+		sqlDB, err = gorm.Open(sqlite.Open(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseURL)), ormConfig)
 	case constants.DbTypeMysql, constants.DbTypeMariaDB:
-		sqlDB, err = gorm.Open(mysql.Open(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseURL)), ormConfig)
+		sqlDB, err = gorm.Open(mysql.Open(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseURL)), ormConfig)
 	case constants.DbTypeSqlserver:
-		sqlDB, err = gorm.Open(sqlserver.Open(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseURL)), ormConfig)
+		sqlDB, err = gorm.Open(sqlserver.Open(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseURL)), ormConfig)
 	}
 
 	if err != nil {
 		return nil, err
 	}
 
-	sqlDB.AutoMigrate(&models.User{}, &models.VerificationRequest{}, &models.Session{}, &models.Env{})
+	err = sqlDB.AutoMigrate(&models.User{}, &models.VerificationRequest{}, &models.Session{}, &models.Env{})
+	if err != nil {
+		return nil, err
+	}
 	return &provider{
 		db: sqlDB,
 	}, nil

server/db/providers/sql/user.go

@@ -20,7 +20,7 @@ func (p *provider) AddUser(user models.User) (models.User, error) {
 	}
 
 	if user.Roles == "" {
-		user.Roles = strings.Join(envstore.EnvInMemoryStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles), ",")
+		user.Roles = strings.Join(envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles), ",")
 	}
 
 	user.CreatedAt = time.Now().Unix()

server/db/providers/sql/verification_requests.go

@@ -21,7 +21,7 @@ func (p *provider) AddVerificationRequest(verificationRequest models.Verificatio
 	verificationRequest.UpdatedAt = time.Now().Unix()
 	result := p.db.Clauses(clause.OnConflict{
 		Columns:   []clause.Column{{Name: "email"}, {Name: "identifier"}},
-		DoUpdates: clause.AssignmentColumns([]string{"token", "expires_at"}),
+		DoUpdates: clause.AssignmentColumns([]string{"token", "expires_at", "nonce", "redirect_uri"}),
 	}).Create(&verificationRequest)
 
 	if result.Error != nil {

server/email/email.go

@@ -31,14 +31,18 @@ func addEmailTemplate(a string, b map[string]interface{}, templateName string) s
 
 // SendMail function to send mail
 func SendMail(to []string, Subject, bodyMessage string) error {
+	// dont trigger email sending in case of test
+	if envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyEnv) == "test" {
+		return nil
+	}
 	m := gomail.NewMessage()
-	m.SetHeader("From", envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeySenderEmail))
+	m.SetHeader("From", envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeySenderEmail))
 	m.SetHeader("To", to...)
 	m.SetHeader("Subject", Subject)
 	m.SetBody("text/html", bodyMessage)
-	port, _ := strconv.Atoi(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeySmtpPort))
+	port, _ := strconv.Atoi(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeySmtpPort))
-	d := gomail.NewDialer(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeySmtpHost), port, envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeySmtpUsername), envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeySmtpPassword))
+	d := gomail.NewDialer(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeySmtpHost), port, envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeySmtpUsername), envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeySmtpPassword))
-	if envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyEnv) == "development" {
+	if envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyEnv) == "development" {
 		d.TLSConfig = &tls.Config{InsecureSkipVerify: true}
 	}
 	if err := d.DialAndSend(m); err != nil {

server/email/forgot_password_email.go

@@ -7,9 +7,9 @@ import (
 
 // SendForgotPasswordMail to send forgot password email
 func SendForgotPasswordMail(toEmail, token, hostname string) error {
-	resetPasswordUrl := envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyResetPasswordURL)
+	resetPasswordUrl := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyResetPasswordURL)
 	if resetPasswordUrl == "" {
-		envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyResetPasswordURL, hostname+"/app/reset-password")
+		envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyResetPasswordURL, hostname+"/app/reset-password")
 	}
 
 	// The receiver needs to be in slice as the receive supports multiple receiver
@@ -103,8 +103,8 @@ func SendForgotPasswordMail(toEmail, token, hostname string) error {
 	`
 
 	data := make(map[string]interface{}, 3)
-	data["org_logo"] = envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyOrganizationLogo)
+	data["org_logo"] = envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyOrganizationLogo)
-	data["org_name"] = envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyOrganizationName)
+	data["org_name"] = envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyOrganizationName)
 	data["verification_url"] = resetPasswordUrl + "?token=" + token
 	message = addEmailTemplate(message, data, "reset_password_email.tmpl")
 

server/email/verification_email.go

@@ -1,6 +1,8 @@
 package email
 
 import (
+	"log"
+
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/envstore"
 )
@@ -97,11 +99,15 @@ func SendVerificationMail(toEmail, token, hostname string) error {
     </html>
 	`
 	data := make(map[string]interface{}, 3)
-	data["org_logo"] = envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyOrganizationLogo)
+	data["org_logo"] = envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyOrganizationLogo)
-	data["org_name"] = envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyOrganizationName)
+	data["org_name"] = envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyOrganizationName)
 	data["verification_url"] = hostname + "/verify_email?token=" + token
 	message = addEmailTemplate(message, data, "verify_email.tmpl")
 	// bodyMessage := sender.WriteHTMLEmail(Receiver, Subject, message)
 
-	return SendMail(Receiver, Subject, message)
+	err := SendMail(Receiver, Subject, message)
+	if err != nil {
+		log.Println("=> error sending email:", err)
+	}
+	return err
 }

server/env/env.go

@@ -1,11 +1,13 @@
 package env
 
 import (
+	"errors"
 	"log"
 	"os"
 	"strings"
 
 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/gin-gonic/gin"
@@ -13,10 +15,85 @@ import (
 	"github.com/joho/godotenv"
 )
 
+// InitRequiredEnv to initialize EnvData and through error if required env are not present
+func InitRequiredEnv() error {
+	envPath := os.Getenv(constants.EnvKeyEnvPath)
+
+	if envPath == "" {
+		envPath = envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyEnvPath)
+		if envPath == "" {
+			envPath = `.env`
+		}
+	}
+
+	if envstore.ARG_ENV_FILE != nil && *envstore.ARG_ENV_FILE != "" {
+		envPath = *envstore.ARG_ENV_FILE
+	}
+
+	err := godotenv.Load(envPath)
+	if err != nil {
+		log.Printf("using OS env instead of %s file", envPath)
+	}
+
+	dbURL := os.Getenv(constants.EnvKeyDatabaseURL)
+	dbType := os.Getenv(constants.EnvKeyDatabaseType)
+	dbName := os.Getenv(constants.EnvKeyDatabaseName)
+
+	if strings.TrimSpace(dbType) == "" {
+		if envstore.ARG_DB_TYPE != nil && *envstore.ARG_DB_TYPE != "" {
+			dbType = strings.TrimSpace(*envstore.ARG_DB_TYPE)
+		}
+
+		if dbType == "" {
+			return errors.New("invalid database type. DATABASE_TYPE is empty")
+		}
+	}
+
+	if strings.TrimSpace(dbURL) == "" && envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseURL) == "" {
+		if envstore.ARG_DB_URL != nil && *envstore.ARG_DB_URL != "" {
+			dbURL = strings.TrimSpace(*envstore.ARG_DB_URL)
+		}
+
+		if dbURL == "" {
+			return errors.New("invalid database url. DATABASE_URL is required")
+		}
+	}
+
+	if dbName == "" {
+		if dbName == "" {
+			dbName = "authorizer"
+		}
+	}
+
+	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyEnvPath, envPath)
+	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyDatabaseURL, dbURL)
+	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyDatabaseType, dbType)
+	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyDatabaseName, dbName)
+	return nil
+}
+
 // InitEnv to initialize EnvData and through error if required env are not present
-func InitEnv() {
+func InitAllEnv() error {
-	// get clone of current store
+	envData, err := GetEnvData()
-	envData := envstore.EnvInMemoryStoreObj.GetEnvStoreClone()
+	if err != nil {
+		log.Println("No env data found in db, using local clone of env data")
+		// get clone of current store
+		envData = envstore.EnvStoreObj.GetEnvStoreClone()
+	}
+
+	clientID := envData.StringEnv[constants.EnvKeyClientID]
+	// unique client id for each instance
+	if clientID == "" {
+		clientID = uuid.New().String()
+		envData.StringEnv[constants.EnvKeyClientID] = clientID
+	}
+
+	clientSecret := envData.StringEnv[constants.EnvKeyClientSecret]
+	// unique client id for each instance
+	if clientSecret == "" {
+		clientSecret = uuid.New().String()
+		envData.StringEnv[constants.EnvKeyClientSecret] = clientSecret
+	}
 
 	if envData.StringEnv[constants.EnvKeyEnv] == "" {
 		envData.StringEnv[constants.EnvKeyEnv] = os.Getenv(constants.EnvKeyEnv)
@@ -36,19 +113,6 @@ func InitEnv() {
 		envData.StringEnv[constants.EnvKeyAppURL] = os.Getenv(constants.EnvKeyAppURL)
 	}
 
-	if envData.StringEnv[constants.EnvKeyEnvPath] == "" {
-		envData.StringEnv[constants.EnvKeyEnvPath] = `.env`
-	}
-
-	if envstore.ARG_ENV_FILE != nil && *envstore.ARG_ENV_FILE != "" {
-		envData.StringEnv[constants.EnvKeyEnvPath] = *envstore.ARG_ENV_FILE
-	}
-
-	err := godotenv.Load(envData.StringEnv[constants.EnvKeyEnvPath])
-	if err != nil {
-		log.Printf("using OS env instead of %s file", envData.StringEnv[constants.EnvKeyEnvPath])
-	}
-
 	if envData.StringEnv[constants.EnvKeyPort] == "" {
 		envData.StringEnv[constants.EnvKeyPort] = os.Getenv(constants.EnvKeyPort)
 		if envData.StringEnv[constants.EnvKeyPort] == "" {
@@ -60,37 +124,6 @@ func InitEnv() {
 		envData.StringEnv[constants.EnvKeyAdminSecret] = os.Getenv(constants.EnvKeyAdminSecret)
 	}
 
-	if envData.StringEnv[constants.EnvKeyDatabaseType] == "" {
-		envData.StringEnv[constants.EnvKeyDatabaseType] = os.Getenv(constants.EnvKeyDatabaseType)
-
-		if envstore.ARG_DB_TYPE != nil && *envstore.ARG_DB_TYPE != "" {
-			envData.StringEnv[constants.EnvKeyDatabaseType] = *envstore.ARG_DB_TYPE
-		}
-
-		if envData.StringEnv[constants.EnvKeyDatabaseType] == "" {
-			panic("DATABASE_TYPE is required")
-		}
-	}
-
-	if envData.StringEnv[constants.EnvKeyDatabaseURL] == "" {
-		envData.StringEnv[constants.EnvKeyDatabaseURL] = os.Getenv(constants.EnvKeyDatabaseURL)
-
-		if envstore.ARG_DB_URL != nil && *envstore.ARG_DB_URL != "" {
-			envData.StringEnv[constants.EnvKeyDatabaseURL] = *envstore.ARG_DB_URL
-		}
-
-		if envData.StringEnv[constants.EnvKeyDatabaseURL] == "" {
-			panic("DATABASE_URL is required")
-		}
-	}
-
-	if envData.StringEnv[constants.EnvKeyDatabaseName] == "" {
-		envData.StringEnv[constants.EnvKeyDatabaseName] = os.Getenv(constants.EnvKeyDatabaseName)
-		if envData.StringEnv[constants.EnvKeyDatabaseName] == "" {
-			envData.StringEnv[constants.EnvKeyDatabaseName] = "authorizer"
-		}
-	}
-
 	if envData.StringEnv[constants.EnvKeySmtpHost] == "" {
 		envData.StringEnv[constants.EnvKeySmtpHost] = os.Getenv(constants.EnvKeySmtpHost)
 	}
@@ -111,32 +144,88 @@ func InitEnv() {
 		envData.StringEnv[constants.EnvKeySenderEmail] = os.Getenv(constants.EnvKeySenderEmail)
 	}
 
-	if envData.StringEnv[constants.EnvKeyJwtSecret] == "" {
+	algo := envData.StringEnv[constants.EnvKeyJwtType]
-		envData.StringEnv[constants.EnvKeyJwtSecret] = os.Getenv(constants.EnvKeyJwtSecret)
+	if algo == "" {
-		if envData.StringEnv[constants.EnvKeyJwtSecret] == "" {
-			envData.StringEnv[constants.EnvKeyJwtSecret] = uuid.New().String()
-		}
-	}
-
-	if envData.StringEnv[constants.EnvKeyCustomAccessTokenScript] == "" {
-		envData.StringEnv[constants.EnvKeyCustomAccessTokenScript] = os.Getenv(constants.EnvKeyCustomAccessTokenScript)
-	}
-
-	if envData.StringEnv[constants.EnvKeyJwtPrivateKey] == "" {
-		envData.StringEnv[constants.EnvKeyJwtPrivateKey] = os.Getenv(constants.EnvKeyJwtPrivateKey)
-	}
-
-	if envData.StringEnv[constants.EnvKeyJwtPublicKey] == "" {
-		envData.StringEnv[constants.EnvKeyJwtPublicKey] = os.Getenv(constants.EnvKeyJwtPublicKey)
-	}
-
-	if envData.StringEnv[constants.EnvKeyJwtType] == "" {
 		envData.StringEnv[constants.EnvKeyJwtType] = os.Getenv(constants.EnvKeyJwtType)
 		if envData.StringEnv[constants.EnvKeyJwtType] == "" {
-			envData.StringEnv[constants.EnvKeyJwtType] = "HS256"
+			envData.StringEnv[constants.EnvKeyJwtType] = "RS256"
+			algo = envData.StringEnv[constants.EnvKeyJwtType]
+		} else {
+			algo = envData.StringEnv[constants.EnvKeyJwtType]
+			if !crypto.IsHMACA(algo) && !crypto.IsRSA(algo) && !crypto.IsECDSA(algo) {
+				return errors.New("invalid JWT_TYPE")
+			}
 		}
 	}
 
+	if crypto.IsHMACA(algo) {
+		if envData.StringEnv[constants.EnvKeyJwtSecret] == "" {
+			envData.StringEnv[constants.EnvKeyJwtSecret] = os.Getenv(constants.EnvKeyJwtSecret)
+			if envData.StringEnv[constants.EnvKeyJwtSecret] == "" {
+				envData.StringEnv[constants.EnvKeyJwtSecret], _, err = crypto.NewHMACKey(algo, clientID)
+				if err != nil {
+					return err
+				}
+			}
+		}
+	}
+
+	if crypto.IsRSA(algo) || crypto.IsECDSA(algo) {
+		privateKey, publicKey := "", ""
+
+		if envData.StringEnv[constants.EnvKeyJwtPrivateKey] == "" {
+			privateKey = os.Getenv(constants.EnvKeyJwtPrivateKey)
+		}
+
+		if envData.StringEnv[constants.EnvKeyJwtPublicKey] == "" {
+			publicKey = os.Getenv(constants.EnvKeyJwtPublicKey)
+		}
+
+		// if algo is RSA / ECDSA, then we need to have both private and public key
+		// if either of them is not present generate new keys
+		if privateKey == "" || publicKey == "" {
+			if crypto.IsRSA(algo) {
+				_, privateKey, publicKey, _, err = crypto.NewRSAKey(algo, clientID)
+				if err != nil {
+					return err
+				}
+			} else if crypto.IsECDSA(algo) {
+				_, privateKey, publicKey, _, err = crypto.NewECDSAKey(algo, clientID)
+				if err != nil {
+					return err
+				}
+			}
+		} else {
+			// parse keys to make sure they are valid
+			if crypto.IsRSA(algo) {
+				_, err = crypto.ParseRsaPrivateKeyFromPemStr(privateKey)
+				if err != nil {
+					return err
+				}
+
+				_, err := crypto.ParseRsaPublicKeyFromPemStr(publicKey)
+				if err != nil {
+					return err
+				}
+
+			} else if crypto.IsECDSA(algo) {
+				_, err = crypto.ParseEcdsaPrivateKeyFromPemStr(privateKey)
+				if err != nil {
+					return err
+				}
+
+				_, err := crypto.ParseEcdsaPublicKeyFromPemStr(publicKey)
+				if err != nil {
+					return err
+				}
+			}
+		}
+
+		envData.StringEnv[constants.EnvKeyJwtPrivateKey] = privateKey
+		envData.StringEnv[constants.EnvKeyJwtPublicKey] = publicKey
+
+	}
+
 	if envData.StringEnv[constants.EnvKeyJwtRoleClaim] == "" {
 		envData.StringEnv[constants.EnvKeyJwtRoleClaim] = os.Getenv(constants.EnvKeyJwtRoleClaim)
 
@@ -145,6 +234,10 @@ func InitEnv() {
 		}
 	}
 
+	if envData.StringEnv[constants.EnvKeyCustomAccessTokenScript] == "" {
+		envData.StringEnv[constants.EnvKeyCustomAccessTokenScript] = os.Getenv(constants.EnvKeyCustomAccessTokenScript)
+	}
+
 	if envData.StringEnv[constants.EnvKeyRedisURL] == "" {
 		envData.StringEnv[constants.EnvKeyRedisURL] = os.Getenv(constants.EnvKeyRedisURL)
 	}
@@ -264,7 +357,7 @@ func InitEnv() {
 	}
 
 	if len(roles) > 0 && len(defaultRoles) == 0 && len(defaultRolesEnv) > 0 {
-		panic(`Invalid DEFAULT_ROLE environment variable. It can be one from give ROLES environment variable value`)
+		return errors.New(`invalid DEFAULT_ROLE environment variable. It can be one from give ROLES environment variable value`)
 	}
 
 	envData.SliceEnv[constants.EnvKeyRoles] = roles
@@ -279,5 +372,6 @@ func InitEnv() {
 		envData.StringEnv[constants.EnvKeyOrganizationLogo] = os.Getenv(constants.EnvKeyOrganizationLogo)
 	}
 
-	envstore.EnvInMemoryStoreObj.UpdateEnvStore(envData)
+	envstore.EnvStoreObj.UpdateEnvStore(envData)
+	return nil
 }

server/env/persist_env.go

@@ -7,14 +7,51 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/google/uuid"
+
 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/db/models"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/utils"
-	"github.com/google/uuid"
 )
 
+// GetEnvData returns the env data from database
+func GetEnvData() (envstore.Store, error) {
+	var result envstore.Store
+	env, err := db.Provider.GetEnv()
+	// config not found in db
+	if err != nil {
+		return result, err
+	}
+
+	encryptionKey := env.Hash
+	decryptedEncryptionKey, err := crypto.DecryptB64(encryptionKey)
+	if err != nil {
+		return result, err
+	}
+
+	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyEncryptionKey, decryptedEncryptionKey)
+
+	b64DecryptedConfig, err := crypto.DecryptB64(env.EnvData)
+	if err != nil {
+		return result, err
+	}
+
+	decryptedConfigs, err := crypto.DecryptAESEnv([]byte(b64DecryptedConfig))
+	if err != nil {
+		return result, err
+	}
+
+	err = json.Unmarshal(decryptedConfigs, &result)
+	if err != nil {
+		return result, err
+	}
+
+	return result, err
+}
+
 // PersistEnv persists the environment variables to the database
 func PersistEnv() error {
 	env, err := db.Provider.GetEnv()
@@ -22,45 +59,40 @@ func PersistEnv() error {
 	if err != nil {
 		// AES encryption needs 32 bit key only, so we chop off last 4 characters from 36 bit uuid
 		hash := uuid.New().String()[:36-4]
-		envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyEncryptionKey, hash)
+		envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyEncryptionKey, hash)
-		encodedHash := utils.EncryptB64(hash)
+		encodedHash := crypto.EncryptB64(hash)
 
-		encryptedConfig, err := utils.EncryptEnvData(envstore.EnvInMemoryStoreObj.GetEnvStoreClone())
+		encryptedConfig, err := crypto.EncryptEnvData(envstore.EnvStoreObj.GetEnvStoreClone())
 		if err != nil {
 			return err
 		}
-		// configData, err := json.Marshal()
-		// if err != nil {
-		// 	return err
-		// }
-
-		// encryptedConfig, err := utils.EncryptAES(configData)
-		// if err != nil {
-		// 	return err
-		// }
 
 		env = models.Env{
 			Hash:    encodedHash,
 			EnvData: encryptedConfig,
 		}
 
-		db.Provider.AddEnv(env)
+		env, err = db.Provider.AddEnv(env)
+		if err != nil {
+			return err
+		}
 	} else {
 		// decrypt the config data from db
 		// decryption can be done using the hash stored in db
 		encryptionKey := env.Hash
-		decryptedEncryptionKey, err := utils.DecryptB64(encryptionKey)
+		decryptedEncryptionKey, err := crypto.DecryptB64(encryptionKey)
 		if err != nil {
 			return err
 		}
 
-		envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyEncryptionKey, decryptedEncryptionKey)
+		envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyEncryptionKey, decryptedEncryptionKey)
-		b64DecryptedConfig, err := utils.DecryptB64(env.EnvData)
+
+		b64DecryptedConfig, err := crypto.DecryptB64(env.EnvData)
 		if err != nil {
 			return err
 		}
 
-		decryptedConfigs, err := utils.DecryptAES([]byte(b64DecryptedConfig))
+		decryptedConfigs, err := crypto.DecryptAESEnv([]byte(b64DecryptedConfig))
 		if err != nil {
 			return err
 		}
@@ -79,6 +111,7 @@ func PersistEnv() error {
 		hasChanged := false
 
 		for key, value := range storeData.StringEnv {
+			// don't override unexposed envs
 			if key != constants.EnvKeyEncryptionKey {
 				// check only for derivative keys
 				// No need to check for ENCRYPTION_KEY which special key we use for encrypting config data
@@ -132,10 +165,16 @@ func PersistEnv() error {
 				hasChanged = true
 			}
 		}
+		envstore.EnvStoreObj.UpdateEnvStore(storeData)
+		jwk, err := crypto.GenerateJWKBasedOnEnv()
+		if err != nil {
+			return err
+		}
+		// updating jwk
+		envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJWK, jwk)
 
-		envstore.EnvInMemoryStoreObj.UpdateEnvStore(storeData)
 		if hasChanged {
-			encryptedConfig, err := utils.EncryptEnvData(storeData)
+			encryptedConfig, err := crypto.EncryptEnvData(storeData)
 			if err != nil {
 				return err
 			}
@@ -147,7 +186,6 @@ func PersistEnv() error {
 				return err
 			}
 		}
-
 	}
 
 	return nil

server/envstore/store.go

@@ -22,14 +22,13 @@ type Store struct {
 	SliceEnv  map[string][]string `json:"slice_env"`
 }
 
-// EnvInMemoryStore struct
+// EnvStore struct
-type EnvInMemoryStore struct {
+type EnvStore struct {
 	mutex sync.Mutex
 	store *Store
 }
 
-// EnvInMemoryStoreObj global variable for EnvInMemoryStore
+var defaultStore = &EnvStore{
-var EnvInMemoryStoreObj = &EnvInMemoryStore{
 	store: &Store{
 		StringEnv: map[string]string{
 			constants.EnvKeyAdminCookieName:  "authorizer-admin",
@@ -47,8 +46,11 @@ var EnvInMemoryStoreObj = &EnvInMemoryStore{
 	},
 }
 
+// EnvStoreObj.GetBoolStoreEnvVariable global variable for EnvStore
+var EnvStoreObj = defaultStore
+
 // UpdateEnvStore to update the whole env store object
-func (e *EnvInMemoryStore) UpdateEnvStore(store Store) {
+func (e *EnvStore) UpdateEnvStore(store Store) {
 	e.mutex.Lock()
 	defer e.mutex.Unlock()
 	// just override the keys + new keys
@@ -67,7 +69,7 @@ func (e *EnvInMemoryStore) UpdateEnvStore(store Store) {
 }
 
 // UpdateEnvVariable to update the particular env variable
-func (e *EnvInMemoryStore) UpdateEnvVariable(storeIdentifier, key string, value interface{}) {
+func (e *EnvStore) UpdateEnvVariable(storeIdentifier, key string, value interface{}) {
 	e.mutex.Lock()
 	defer e.mutex.Unlock()
 	switch storeIdentifier {
@@ -81,31 +83,37 @@ func (e *EnvInMemoryStore) UpdateEnvVariable(storeIdentifier, key string, value
 }
 
 // GetStringStoreEnvVariable to get the env variable from string store object
-func (e *EnvInMemoryStore) GetStringStoreEnvVariable(key string) string {
+func (e *EnvStore) GetStringStoreEnvVariable(key string) string {
 	// e.mutex.Lock()
 	// defer e.mutex.Unlock()
 	return e.store.StringEnv[key]
 }
 
 // GetBoolStoreEnvVariable to get the env variable from bool store object
-func (e *EnvInMemoryStore) GetBoolStoreEnvVariable(key string) bool {
+func (e *EnvStore) GetBoolStoreEnvVariable(key string) bool {
 	// e.mutex.Lock()
 	// defer e.mutex.Unlock()
 	return e.store.BoolEnv[key]
 }
 
 // GetSliceStoreEnvVariable to get the env variable from slice store object
-func (e *EnvInMemoryStore) GetSliceStoreEnvVariable(key string) []string {
+func (e *EnvStore) GetSliceStoreEnvVariable(key string) []string {
 	// e.mutex.Lock()
 	// defer e.mutex.Unlock()
 	return e.store.SliceEnv[key]
 }
 
 // GetEnvStoreClone to get clone of current env store object
-func (e *EnvInMemoryStore) GetEnvStoreClone() Store {
+func (e *EnvStore) GetEnvStoreClone() Store {
 	e.mutex.Lock()
 	defer e.mutex.Unlock()
 
 	result := *e.store
 	return result
 }
+
+func (e *EnvStore) ResetStore() {
+	e.mutex.Lock()
+	defer e.mutex.Unlock()
+	e.store = defaultStore.store
+}

server/go.mod

@@ -30,6 +30,7 @@ require (
 	google.golang.org/protobuf v1.27.1 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/mail.v2 v2.3.1
+	gopkg.in/square/go-jose.v2 v2.6.0
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gorm.io/driver/mysql v1.2.1
 	gorm.io/driver/postgres v1.2.3

server/go.sum

@@ -682,8 +682,9 @@ gopkg.in/mail.v2 v2.3.1/go.mod h1:htwXN1Qh09vZJ1NVKxQqHPBaCBbzKhp5GzuJEA4VJWw=
 gopkg.in/readline.v1 v1.0.0-20160726135117-62c6fe619375/go.mod h1:lNEQeAhU009zbRxng+XOj5ITVgY24WcbNnQopyfKoYQ=
 gopkg.in/sourcemap.v1 v1.0.5 h1:inv58fC9f9J3TK2Y2R1NPntXEn3/wjWHkonhIUODNTI=
 gopkg.in/sourcemap.v1 v1.0.5/go.mod h1:2RlvNNSMglmRrcvhfuzp4hQHwOtjxlbjX7UPY/GXb78=
-gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w=
 gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
+gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
+gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

server/graph/model/models_gen.go

@@ -11,10 +11,12 @@ type AdminSignupInput struct {
 }
 
 type AuthResponse struct {
-	Message     string  `json:"message"`
+	Message      string  `json:"message"`
-	AccessToken *string `json:"access_token"`
+	AccessToken  *string `json:"access_token"`
-	ExpiresAt   *int64  `json:"expires_at"`
+	IDToken      *string `json:"id_token"`
-	User        *User   `json:"user"`
+	RefreshToken *string `json:"refresh_token"`
+	ExpiresIn    *int64  `json:"expires_in"`
+	User         *User   `json:"user"`
 }
 
 type DeleteUserInput struct {
@@ -23,9 +25,11 @@ type DeleteUserInput struct {
 
 type Env struct {
 	AdminSecret                *string  `json:"ADMIN_SECRET"`
-	DatabaseName               *string  `json:"DATABASE_NAME"`
+	DatabaseName               string   `json:"DATABASE_NAME"`
-	DatabaseURL                *string  `json:"DATABASE_URL"`
+	DatabaseURL                string   `json:"DATABASE_URL"`
-	DatabaseType               *string  `json:"DATABASE_TYPE"`
+	DatabaseType               string   `json:"DATABASE_TYPE"`
+	ClientID                   string   `json:"CLIENT_ID"`
+	ClientSecret               string   `json:"CLIENT_SECRET"`
 	CustomAccessTokenScript    *string  `json:"CUSTOM_ACCESS_TOKEN_SCRIPT"`
 	SMTPHost                   *string  `json:"SMTP_HOST"`
 	SMTPPort                   *string  `json:"SMTP_PORT"`
@@ -65,27 +69,29 @@ type Error struct {
 }
 
 type ForgotPasswordInput struct {
-	Email string `json:"email"`
+	Email       string  `json:"email"`
-}
+	State       *string `json:"state"`
-
+	RedirectURI *string `json:"redirect_uri"`
-type IsValidJWTQueryInput struct {
-	Jwt   *string  `json:"jwt"`
-	Roles []string `json:"roles"`
 }
 
 type LoginInput struct {
 	Email    string   `json:"email"`
 	Password string   `json:"password"`
 	Roles    []string `json:"roles"`
+	Scope    []string `json:"scope"`
 }
 
 type MagicLinkLoginInput struct {
-	Email string   `json:"email"`
+	Email       string   `json:"email"`
-	Roles []string `json:"roles"`
+	Roles       []string `json:"roles"`
+	Scope       []string `json:"scope"`
+	State       *string  `json:"state"`
+	RedirectURI *string  `json:"redirect_uri"`
 }
 
 type Meta struct {
 	Version                      string `json:"version"`
+	ClientID                     string `json:"client_id"`
 	IsGoogleLoginEnabled         bool   `json:"is_google_login_enabled"`
 	IsFacebookLoginEnabled       bool   `json:"is_facebook_login_enabled"`
 	IsGithubLoginEnabled         bool   `json:"is_github_login_enabled"`
@@ -94,6 +100,10 @@ type Meta struct {
 	IsMagicLinkLoginEnabled      bool   `json:"is_magic_link_login_enabled"`
 }
 
+type OAuthRevokeInput struct {
+	RefreshToken string `json:"refresh_token"`
+}
+
 type PaginatedInput struct {
 	Pagination *PaginationInput `json:"pagination"`
 }
@@ -127,6 +137,7 @@ type Response struct {
 
 type SessionQueryInput struct {
 	Roles []string `json:"roles"`
+	Scope []string `json:"scope"`
 }
 
 type SignUpInput struct {
@@ -142,6 +153,7 @@ type SignUpInput struct {
 	Password        string   `json:"password"`
 	ConfirmPassword string   `json:"confirm_password"`
 	Roles           []string `json:"roles"`
+	Scope           []string `json:"scope"`
 }
 
 type UpdateEnvInput struct {
@@ -235,19 +247,16 @@ type Users struct {
 	Users      []*User     `json:"users"`
 }
 
-type ValidJWTResponse struct {
-	Valid   bool   `json:"valid"`
-	Message string `json:"message"`
-}
-
 type VerificationRequest struct {
-	ID         string  `json:"id"`
+	ID          string  `json:"id"`
-	Identifier *string `json:"identifier"`
+	Identifier  *string `json:"identifier"`
-	Token      *string `json:"token"`
+	Token       *string `json:"token"`
-	Email      *string `json:"email"`
+	Email       *string `json:"email"`
-	Expires    *int64  `json:"expires"`
+	Expires     *int64  `json:"expires"`
-	CreatedAt  *int64  `json:"created_at"`
+	CreatedAt   *int64  `json:"created_at"`
-	UpdatedAt  *int64  `json:"updated_at"`
+	UpdatedAt   *int64  `json:"updated_at"`
+	Nonce       *string `json:"nonce"`
+	RedirectURI *string `json:"redirect_uri"`
 }
 
 type VerificationRequests struct {

server/graph/schema.graphqls

@@ -14,6 +14,7 @@ type Pagination {
 
 type Meta {
 	version: String!
+	client_id: String!
 	is_google_login_enabled: Boolean!
 	is_facebook_login_enabled: Boolean!
 	is_github_login_enabled: Boolean!
@@ -56,6 +57,8 @@ type VerificationRequest {
 	expires: Int64
 	created_at: Int64
 	updated_at: Int64
+	nonce: String
+	redirect_uri: String
 }
 
 type VerificationRequests {
@@ -71,7 +74,9 @@ type Error {
 type AuthResponse {
 	message: String!
 	access_token: String
-	expires_at: Int64
+	id_token: String
+	refresh_token: String
+	expires_in: Int64
 	user: User
 }
 
@@ -79,16 +84,13 @@ type Response {
 	message: String!
 }
 
-type ValidJWTResponse {
-	valid: Boolean!
-	message: String!
-}
-
 type Env {
 	ADMIN_SECRET: String
-	DATABASE_NAME: String
+	DATABASE_NAME: String!
-	DATABASE_URL: String
+	DATABASE_URL: String!
-	DATABASE_TYPE: String
+	DATABASE_TYPE: String!
+	CLIENT_ID: String!
+	CLIENT_SECRET: String!
 	CUSTOM_ACCESS_TOKEN_SCRIPT: String
 	SMTP_HOST: String
 	SMTP_PORT: String
@@ -179,12 +181,14 @@ input SignUpInput {
 	password: String!
 	confirm_password: String!
 	roles: [String!]
+	scope: [String!]
 }
 
 input LoginInput {
 	email: String!
 	password: String!
 	roles: [String!]
+	scope: [String!]
 }
 
 input VerifyEmailInput {
@@ -228,6 +232,8 @@ input UpdateUserInput {
 
 input ForgotPasswordInput {
 	email: String!
+	state: String
+	redirect_uri: String
 }
 
 input ResetPasswordInput {
@@ -243,15 +249,14 @@ input DeleteUserInput {
 input MagicLinkLoginInput {
 	email: String!
 	roles: [String!]
+	scope: [String!]
+	state: String
+	redirect_uri: String
 }
 
 input SessionQueryInput {
 	roles: [String!]
-}
+	scope: [String!]
-
-input IsValidJWTQueryInput {
-	jwt: String
-	roles: [String!]
 }
 
 input PaginationInput {
@@ -263,6 +268,10 @@ input PaginatedInput {
 	pagination: PaginationInput
 }
 
+input OAuthRevokeInput {
+	refresh_token: String!
+}
+
 type Mutation {
 	signup(params: SignUpInput!): AuthResponse!
 	login(params: LoginInput!): AuthResponse!
@@ -273,6 +282,7 @@ type Mutation {
 	resend_verify_email(params: ResendVerifyEmailInput!): Response!
 	forgot_password(params: ForgotPasswordInput!): Response!
 	reset_password(params: ResetPasswordInput!): Response!
+	revoke(params: OAuthRevokeInput!): Response!
 	# admin only apis
 	_delete_user(params: DeleteUserInput!): Response!
 	_update_user(params: UpdateUserInput!): User!
@@ -285,7 +295,6 @@ type Mutation {
 type Query {
 	meta: Meta!
 	session(params: SessionQueryInput): AuthResponse!
-	is_valid_jwt(params: IsValidJWTQueryInput): ValidJWTResponse!
 	profile: User!
 	# admin only apis
 	_users(params: PaginatedInput): Users!

server/graph/schema.resolvers.go

@@ -47,6 +47,10 @@ func (r *mutationResolver) ResetPassword(ctx context.Context, params model.Reset
 	return resolvers.ResetPasswordResolver(ctx, params)
 }
 
+func (r *mutationResolver) Revoke(ctx context.Context, params model.OAuthRevokeInput) (*model.Response, error) {
+	return resolvers.RevokeResolver(ctx, params)
+}
+
 func (r *mutationResolver) DeleteUser(ctx context.Context, params model.DeleteUserInput) (*model.Response, error) {
 	return resolvers.DeleteUserResolver(ctx, params)
 }
@@ -79,10 +83,6 @@ func (r *queryResolver) Session(ctx context.Context, params *model.SessionQueryI
 	return resolvers.SessionResolver(ctx, params)
 }
 
-func (r *queryResolver) IsValidJwt(ctx context.Context, params *model.IsValidJWTQueryInput) (*model.ValidJWTResponse, error) {
-	return resolvers.IsValidJwtResolver(ctx, params)
-}
-
 func (r *queryResolver) Profile(ctx context.Context) (*model.User, error) {
 	return resolvers.ProfileResolver(ctx)
 }

server/handlers/app.go

@@ -1,7 +1,6 @@
 package handlers
 
 import (
-	"encoding/json"
 	"log"
 	"net/http"
 	"strings"
@@ -23,49 +22,30 @@ type State struct {
 func AppHandler() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		hostname := utils.GetHost(c)
-		if envstore.EnvInMemoryStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableLoginPage) {
+		if envstore.EnvStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableLoginPage) {
 			c.JSON(400, gin.H{"error": "login page is not enabled"})
 			return
 		}
 
-		state := c.Query("state")
+		redirect_uri := strings.TrimSpace(c.Query("redirect_uri"))
+		state := strings.TrimSpace(c.Query("state"))
+		scopeString := strings.TrimSpace(c.Query("scope"))
 
-		var stateObj State
+		var scope []string
-
+		if scopeString == "" {
-		if state == "" {
+			scope = []string{"openid", "profile", "email"}
-			stateObj.AuthorizerURL = hostname
-			stateObj.RedirectURL = hostname + "/app"
 		} else {
-			decodedState, err := utils.DecryptB64(state)
+			scope = strings.Split(scopeString, " ")
-			if err != nil {
+		}
-				c.JSON(400, gin.H{"error": "[unable to decode state] invalid state"})
-				return
-			}
-
-			err = json.Unmarshal([]byte(decodedState), &stateObj)
-			if err != nil {
-				c.JSON(400, gin.H{"error": "[unable to parse state] invalid state"})
-				return
-			}
-			stateObj.AuthorizerURL = strings.TrimSuffix(stateObj.AuthorizerURL, "/")
-			stateObj.RedirectURL = strings.TrimSuffix(stateObj.RedirectURL, "/")
 
+		if redirect_uri == "" {
+			redirect_uri = hostname + "/app"
+		} else {
 			// validate redirect url with allowed origins
-			if !utils.IsValidOrigin(stateObj.RedirectURL) {
+			if !utils.IsValidOrigin(redirect_uri) {
 				c.JSON(400, gin.H{"error": "invalid redirect url"})
 				return
 			}
-
-			if stateObj.AuthorizerURL == "" {
-				c.JSON(400, gin.H{"error": "invalid authorizer url"})
-				return
-			}
-
-			// validate host and domain of authorizer url
-			if strings.TrimSuffix(stateObj.AuthorizerURL, "/") != hostname {
-				c.JSON(400, gin.H{"error": "invalid host url"})
-				return
-			}
 		}
 
 		// debug the request state
@@ -76,11 +56,13 @@ func AppHandler() gin.HandlerFunc {
 			}
 		}
 		c.HTML(http.StatusOK, "app.tmpl", gin.H{
-			"data": map[string]string{
+			"data": map[string]interface{}{
-				"authorizerURL":    stateObj.AuthorizerURL,
+				"authorizerURL":    hostname,
-				"redirectURL":      stateObj.RedirectURL,
+				"redirectURL":      redirect_uri,
-				"organizationName": envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyOrganizationName),
+				"scope":            scope,
-				"organizationLogo": envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyOrganizationLogo),
+				"state":            state,
+				"organizationName": envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyOrganizationName),
+				"organizationLogo": envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyOrganizationLogo),
 			},
 		})
 	}

server/handlers/authorize.go

@@ -0,0 +1,333 @@
+package handlers
+
+import (
+	"net/http"
+	"strconv"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
+	"github.com/authorizerdev/authorizer/server/db"
+	"github.com/authorizerdev/authorizer/server/envstore"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/token"
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+// AuthorizeHandler is the handler for the /authorize route
+// required params
+// ?redirect_uri = redirect url
+// ?response_mode = to decide if result should be html or re-direct
+// state[recommended] = to prevent CSRF attack (for authorizer its compulsory)
+// code_challenge = to prevent CSRF attack
+// code_challenge_method = to prevent CSRF attack [only sh256 is supported]
+
+// check the flow for generating and verifying codes: https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#:~:text=PKCE%20works%20by%20having%20the,is%20called%20the%20Code%20Challenge.
+func AuthorizeHandler() gin.HandlerFunc {
+	return func(gc *gin.Context) {
+		redirectURI := strings.TrimSpace(gc.Query("redirect_uri"))
+		responseType := strings.TrimSpace(gc.Query("response_type"))
+		state := strings.TrimSpace(gc.Query("state"))
+		codeChallenge := strings.TrimSpace(gc.Query("code_challenge"))
+		scopeString := strings.TrimSpace(gc.Query("scope"))
+		clientID := strings.TrimSpace(gc.Query("client_id"))
+		template := "authorize.tmpl"
+		responseMode := strings.TrimSpace(gc.Query("response_mode"))
+
+		var scope []string
+		if scopeString == "" {
+			scope = []string{"openid", "profile", "email"}
+		} else {
+			scope = strings.Split(scopeString, " ")
+		}
+
+		if responseMode == "" {
+			responseMode = "query"
+		}
+
+		if responseMode != "query" && responseMode != "web_message" {
+			gc.JSON(400, gin.H{"error": "invalid response mode"})
+		}
+
+		if redirectURI == "" {
+			redirectURI = "/app"
+		}
+
+		isQuery := responseMode == "query"
+
+		loginURL := "/app?state=" + state + "&scope=" + strings.Join(scope, " ") + "&redirect_uri=" + redirectURI
+
+		if clientID == "" {
+			if isQuery {
+				gc.Redirect(http.StatusFound, loginURL)
+			} else {
+				gc.HTML(http.StatusOK, template, gin.H{
+					"target_origin": redirectURI,
+					"authorization_response": map[string]interface{}{
+						"type": "authorization_response",
+						"response": map[string]string{
+							"error": "client_id is required",
+						},
+					},
+				})
+			}
+			return
+		}
+
+		if clientID != envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyClientID) {
+			if isQuery {
+				gc.Redirect(http.StatusFound, loginURL)
+			} else {
+				gc.HTML(http.StatusOK, template, gin.H{
+					"target_origin": redirectURI,
+					"authorization_response": map[string]interface{}{
+						"type": "authorization_response",
+						"response": map[string]string{
+							"error": "invalid_client_id",
+						},
+					},
+				})
+			}
+			return
+		}
+
+		if state == "" {
+			if isQuery {
+				gc.Redirect(http.StatusFound, loginURL)
+			} else {
+				gc.HTML(http.StatusOK, template, gin.H{
+					"target_origin": redirectURI,
+					"authorization_response": map[string]interface{}{
+						"type": "authorization_response",
+						"response": map[string]string{
+							"error": "state is required",
+						},
+					},
+				})
+			}
+			return
+		}
+
+		if responseType == "" {
+			responseType = "token"
+		}
+
+		isResponseTypeCode := responseType == "code"
+		isResponseTypeToken := responseType == "token"
+
+		if !isResponseTypeCode && !isResponseTypeToken {
+			if isQuery {
+				gc.Redirect(http.StatusFound, loginURL)
+			} else {
+				gc.HTML(http.StatusOK, template, gin.H{
+					"target_origin": redirectURI,
+					"authorization_response": map[string]interface{}{
+						"type": "authorization_response",
+						"response": map[string]string{
+							"error": "response_type is invalid",
+						},
+					},
+				})
+			}
+			return
+		}
+
+		if isResponseTypeCode {
+			if codeChallenge == "" {
+				if isQuery {
+					gc.Redirect(http.StatusFound, loginURL)
+				} else {
+					gc.HTML(http.StatusBadRequest, template, gin.H{
+						"target_origin": redirectURI,
+						"authorization_response": map[string]interface{}{
+							"type": "authorization_response",
+							"response": map[string]string{
+								"error": "code_challenge is required",
+							},
+						},
+					})
+				}
+				return
+			}
+		}
+
+		sessionToken, err := cookie.GetSession(gc)
+		if err != nil {
+			if isQuery {
+				gc.Redirect(http.StatusFound, loginURL)
+			} else {
+				gc.HTML(http.StatusOK, template, gin.H{
+					"target_origin": redirectURI,
+					"authorization_response": map[string]interface{}{
+						"type": "authorization_response",
+						"response": map[string]string{
+							"error":             "login_required",
+							"error_description": "Login is required",
+						},
+					},
+				})
+			}
+			return
+		}
+
+		// get session from cookie
+		claims, err := token.ValidateBrowserSession(gc, sessionToken)
+		if err != nil {
+			if isQuery {
+				gc.Redirect(http.StatusFound, loginURL)
+			} else {
+				gc.HTML(http.StatusOK, template, gin.H{
+					"target_origin": redirectURI,
+					"authorization_response": map[string]interface{}{
+						"type": "authorization_response",
+						"response": map[string]string{
+							"error":             "login_required",
+							"error_description": "Login is required",
+						},
+					},
+				})
+			}
+			return
+		}
+		userID := claims.Subject
+		user, err := db.Provider.GetUserByID(userID)
+		if err != nil {
+			if isQuery {
+				gc.Redirect(http.StatusFound, loginURL)
+			} else {
+				gc.HTML(http.StatusOK, template, gin.H{
+					"target_origin": redirectURI,
+					"authorization_response": map[string]interface{}{
+						"type": "authorization_response",
+						"response": map[string]string{
+							"error":             "signup_required",
+							"error_description": "Sign up required",
+						},
+					},
+				})
+			}
+			return
+		}
+
+		// if user is logged in
+		// based on the response type, generate the response
+		if isResponseTypeCode {
+			// rollover the session for security
+			sessionstore.RemoveState(sessionToken)
+			nonce := uuid.New().String()
+			newSessionTokenData, newSessionToken, err := token.CreateSessionToken(user, nonce, claims.Roles, scope)
+			if err != nil {
+				if isQuery {
+					gc.Redirect(http.StatusFound, loginURL)
+				} else {
+					gc.HTML(http.StatusOK, template, gin.H{
+						"target_origin": redirectURI,
+						"authorization_response": map[string]interface{}{
+							"type": "authorization_response",
+							"response": map[string]string{
+								"error":             "login_required",
+								"error_description": "Login is required",
+							},
+						},
+					})
+				}
+				return
+			}
+
+			sessionstore.SetState(newSessionToken, newSessionTokenData.Nonce+"@"+user.ID)
+			cookie.SetSession(gc, newSessionToken)
+			code := uuid.New().String()
+			sessionstore.SetState(codeChallenge, code+"@"+newSessionToken)
+			gc.HTML(http.StatusOK, template, gin.H{
+				"target_origin": redirectURI,
+				"authorization_response": map[string]interface{}{
+					"type": "authorization_response",
+					"response": map[string]string{
+						"code":  code,
+						"state": state,
+					},
+				},
+			})
+			return
+		}
+
+		if isResponseTypeToken {
+			// rollover the session for security
+			authToken, err := token.CreateAuthToken(gc, user, claims.Roles, scope)
+			if err != nil {
+				if isQuery {
+					gc.Redirect(http.StatusFound, loginURL)
+				} else {
+					gc.HTML(http.StatusOK, template, gin.H{
+						"target_origin": redirectURI,
+						"authorization_response": map[string]interface{}{
+							"type": "authorization_response",
+							"response": map[string]string{
+								"error":             "login_required",
+								"error_description": "Login is required",
+							},
+						},
+					})
+				}
+				return
+			}
+			sessionstore.RemoveState(sessionToken)
+			sessionstore.SetState(authToken.FingerPrintHash, authToken.FingerPrint+"@"+user.ID)
+			sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
+			cookie.SetSession(gc, authToken.FingerPrintHash)
+			expiresIn := int64(1800)
+
+			// used of query mode
+			params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + state + "&id_token=" + authToken.IDToken.Token
+
+			res := map[string]interface{}{
+				"access_token": authToken.AccessToken.Token,
+				"id_token":     authToken.IDToken.Token,
+				"state":        state,
+				"scope":        scope,
+				"token_type":   "Bearer",
+				"expires_in":   expiresIn,
+			}
+
+			if authToken.RefreshToken != nil {
+				res["refresh_token"] = authToken.RefreshToken.Token
+				params += "&refresh_token=" + authToken.RefreshToken.Token
+				sessionstore.SetState(authToken.RefreshToken.Token, authToken.FingerPrint+"@"+user.ID)
+			}
+
+			if isQuery {
+				if strings.Contains(redirectURI, "?") {
+					gc.Redirect(http.StatusFound, redirectURI+"&"+params)
+				} else {
+					gc.Redirect(http.StatusFound, redirectURI+"?"+params)
+				}
+			} else {
+				gc.HTML(http.StatusOK, template, gin.H{
+					"target_origin": redirectURI,
+					"authorization_response": map[string]interface{}{
+						"type":     "authorization_response",
+						"response": res,
+					},
+				})
+			}
+			return
+		}
+
+		if isQuery {
+			gc.Redirect(http.StatusFound, loginURL)
+		} else {
+			// by default return with error
+			gc.HTML(http.StatusOK, template, gin.H{
+				"target_origin": redirectURI,
+				"authorization_response": map[string]interface{}{
+					"type": "authorization_response",
+					"response": map[string]string{
+						"error":             "login_required",
+						"error_description": "Login is required",
+					},
+				},
+			})
+		}
+	}
+}

server/handlers/dashboard.go

@@ -13,7 +13,7 @@ func DashboardHandler() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		isOnboardingCompleted := false
 
-		if envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret) != "" {
+		if envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret) != "" {
 			isOnboardingCompleted = true
 		}
 

server/handlers/jwks.go

@@ -0,0 +1,30 @@
+package handlers
+
+import (
+	"encoding/json"
+
+	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/envstore"
+	"github.com/gin-gonic/gin"
+)
+
+func JWKsHandler() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		var data map[string]string
+		jwk := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJWK)
+		err := json.Unmarshal([]byte(jwk), &data)
+		if err != nil {
+			c.JSON(500, gin.H{
+				"error": err.Error(),
+			})
+
+			return
+		}
+
+		c.JSON(200, gin.H{
+			"keys": []map[string]string{
+				data,
+			},
+		})
+	}
+}

server/handlers/logout.go

@@ -0,0 +1,47 @@
+package handlers
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/server/cookie"
+	"github.com/authorizerdev/authorizer/server/crypto"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/gin-gonic/gin"
+)
+
+// Handler to logout user
+func LogoutHandler() gin.HandlerFunc {
+	return func(gc *gin.Context) {
+		redirectURL := strings.TrimSpace(gc.Query("redirect_uri"))
+		// get fingerprint hash
+		fingerprintHash, err := cookie.GetSession(gc)
+		if err != nil {
+			gc.JSON(http.StatusUnauthorized, gin.H{
+				"error": err.Error(),
+			})
+			return
+		}
+
+		decryptedFingerPrint, err := crypto.DecryptAES(fingerprintHash)
+		if err != nil {
+			gc.JSON(http.StatusUnauthorized, gin.H{
+				"error": err.Error(),
+			})
+			return
+		}
+
+		fingerPrint := string(decryptedFingerPrint)
+
+		sessionstore.RemoveState(fingerPrint)
+		cookie.DeleteSession(gc)
+
+		if redirectURL != "" {
+			gc.Redirect(http.StatusFound, redirectURL)
+		} else {
+			gc.JSON(http.StatusOK, gin.H{
+				"message": "Logged out successfully",
+			})
+		}
+	}
+}

server/handlers/oauth_callback.go

@@ -7,6 +7,7 @@ import (
 	"io/ioutil"
 	"log"
 	"net/http"
+	"strconv"
 	"strings"
 	"time"
 
@@ -30,22 +31,23 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 		provider := c.Param("oauth_provider")
 		state := c.Request.FormValue("state")
 
-		sessionState := sessionstore.GetSocailLoginState(state)
+		sessionState := sessionstore.GetState(state)
 		if sessionState == "" {
 			c.JSON(400, gin.H{"error": "invalid oauth state"})
 		}
-		sessionstore.RemoveSocialLoginState(state)
+		sessionstore.GetState(state)
 		// contains random token, redirect url, role
 		sessionSplit := strings.Split(state, "___")
 
-		// TODO validate redirect url
+		if len(sessionSplit) < 3 {
-		if len(sessionSplit) < 2 {
 			c.JSON(400, gin.H{"error": "invalid redirect url"})
 			return
 		}
 
-		inputRoles := strings.Split(sessionSplit[2], ",")
+		stateValue := sessionSplit[0]
 		redirectURL := sessionSplit[1]
+		inputRoles := strings.Split(sessionSplit[2], ",")
+		scopes := strings.Split(sessionSplit[3], ",")
 
 		var err error
 		user := models.User{}
@@ -74,7 +76,7 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 			// make sure inputRoles don't include protected roles
 			hasProtectedRole := false
 			for _, ir := range inputRoles {
-				if utils.StringSliceContains(envstore.EnvInMemoryStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyProtectedRoles), ir) {
+				if utils.StringSliceContains(envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyProtectedRoles), ir) {
 					hasProtectedRole = true
 				}
 			}
@@ -122,7 +124,7 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 				// check if it contains protected unassigned role
 				hasProtectedRole := false
 				for _, ur := range unasignedRoles {
-					if utils.StringSliceContains(envstore.EnvInMemoryStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyProtectedRoles), ur) {
+					if utils.StringSliceContains(envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyProtectedRoles), ur) {
 						hasProtectedRole = true
 					}
 				}
@@ -144,10 +146,28 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 			}
 		}
 
-		authToken, _ := token.CreateAuthToken(user, inputRoles)
+		authToken, err := token.CreateAuthToken(c, user, inputRoles, scopes)
-		sessionstore.SetUserSession(user.ID, authToken.FingerPrint, authToken.RefreshToken.Token)
+		if err != nil {
-		cookie.SetCookie(c, authToken.AccessToken.Token, authToken.RefreshToken.Token, authToken.FingerPrintHash)
+			c.JSON(500, gin.H{"error": err.Error()})
-		utils.SaveSessionInDB(user.ID, c)
+		}
+		expiresIn := int64(1800)
+		params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + stateValue + "&id_token=" + authToken.IDToken.Token
+
+		cookie.SetSession(c, authToken.FingerPrintHash)
+		sessionstore.SetState(authToken.FingerPrintHash, authToken.FingerPrint+"@"+user.ID)
+		sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
+
+		if authToken.RefreshToken != nil {
+			params = params + `&refresh_token=` + authToken.RefreshToken.Token
+			sessionstore.SetState(authToken.RefreshToken.Token, authToken.FingerPrint+"@"+user.ID)
+		}
+
+		go utils.SaveSessionInDB(c, user.ID)
+		if strings.Contains(redirectURL, "?") {
+			redirectURL = redirectURL + "&" + params
+		} else {
+			redirectURL = redirectURL + "?" + params
+		}
 
 		c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 	}
@@ -227,7 +247,7 @@ func processGithubUserInfo(code string) (models.User, error) {
 		GivenName:  &firstName,
 		FamilyName: &lastName,
 		Picture:    &picture,
-		Email:      userRawData["email"],
+		Email:      userRawData["sub"],
 	}
 
 	return user, nil
@@ -260,7 +280,7 @@ func processFacebookUserInfo(code string) (models.User, error) {
 	userRawData := make(map[string]interface{})
 	json.Unmarshal(body, &userRawData)
 
-	email := fmt.Sprintf("%v", userRawData["email"])
+	email := fmt.Sprintf("%v", userRawData["sub"])
 
 	picObject := userRawData["picture"].(map[string]interface{})["data"]
 	picDataObject := picObject.(map[string]interface{})

server/handlers/oauth_login.go

@@ -10,41 +10,55 @@ import (
 	"github.com/authorizerdev/authorizer/server/sessionstore"
 	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/gin-gonic/gin"
-	"github.com/google/uuid"
 )
 
 // OAuthLoginHandler set host in the oauth state that is useful for redirecting to oauth_callback
 func OAuthLoginHandler() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		hostname := utils.GetHost(c)
-		redirectURL := c.Query("redirectURL")
+		redirectURI := strings.TrimSpace(c.Query("redirectURL"))
-		roles := c.Query("roles")
+		roles := strings.TrimSpace(c.Query("roles"))
+		state := strings.TrimSpace(c.Query("state"))
+		scopeString := strings.TrimSpace(c.Query("scope"))
 
-		if redirectURL == "" {
+		if redirectURI == "" {
 			c.JSON(400, gin.H{
-				"error": "invalid redirect url",
+				"error": "invalid redirect uri",
 			})
 			return
 		}
 
+		if state == "" {
+			c.JSON(400, gin.H{
+				"error": "invalid state",
+			})
+			return
+		}
+
+		var scope []string
+		if scopeString == "" {
+			scope = []string{"openid", "profile", "email"}
+		} else {
+			scope = strings.Split(scopeString, " ")
+		}
+
 		if roles != "" {
 			// validate role
 			rolesSplit := strings.Split(roles, ",")
 
 			// use protected roles verification for admin login only.
 			// though if not associated with user, it will be rejected from oauth_callback
-			if !utils.IsValidRoles(append([]string{}, append(envstore.EnvInMemoryStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyRoles), envstore.EnvInMemoryStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyProtectedRoles)...)...), rolesSplit) {
+			if !utils.IsValidRoles(append([]string{}, append(envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyRoles), envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyProtectedRoles)...)...), rolesSplit) {
 				c.JSON(400, gin.H{
 					"error": "invalid role",
 				})
 				return
 			}
 		} else {
-			roles = strings.Join(envstore.EnvInMemoryStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles), ",")
+			roles = strings.Join(envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles), ",")
 		}
 
-		uuid := uuid.New()
+		oauthStateString := state + "___" + redirectURI + "___" + roles + "___" + strings.Join(scope, ",")
-		oauthStateString := uuid.String() + "___" + redirectURL + "___" + roles
 
 		provider := c.Param("oauth_provider")
 		isProviderConfigured := true
@@ -54,7 +68,7 @@ func OAuthLoginHandler() gin.HandlerFunc {
 				isProviderConfigured = false
 				break
 			}
-			sessionstore.SetSocailLoginState(oauthStateString, constants.SignupMethodGoogle)
+			sessionstore.SetState(oauthStateString, constants.SignupMethodGoogle)
 			// during the init of OAuthProvider authorizer url might be empty
 			oauth.OAuthProviders.GoogleConfig.RedirectURL = hostname + "/oauth_callback/google"
 			url := oauth.OAuthProviders.GoogleConfig.AuthCodeURL(oauthStateString)
@@ -64,7 +78,7 @@ func OAuthLoginHandler() gin.HandlerFunc {
 				isProviderConfigured = false
 				break
 			}
-			sessionstore.SetSocailLoginState(oauthStateString, constants.SignupMethodGithub)
+			sessionstore.SetState(oauthStateString, constants.SignupMethodGithub)
 			oauth.OAuthProviders.GithubConfig.RedirectURL = hostname + "/oauth_callback/github"
 			url := oauth.OAuthProviders.GithubConfig.AuthCodeURL(oauthStateString)
 			c.Redirect(http.StatusTemporaryRedirect, url)
@@ -73,7 +87,7 @@ func OAuthLoginHandler() gin.HandlerFunc {
 				isProviderConfigured = false
 				break
 			}
-			sessionstore.SetSocailLoginState(oauthStateString, constants.SignupMethodFacebook)
+			sessionstore.SetState(oauthStateString, constants.SignupMethodFacebook)
 			oauth.OAuthProviders.FacebookConfig.RedirectURL = hostname + "/oauth_callback/facebook"
 			url := oauth.OAuthProviders.FacebookConfig.AuthCodeURL(oauthStateString)
 			c.Redirect(http.StatusTemporaryRedirect, url)

server/handlers/openid_config.go

@@ -0,0 +1,30 @@
+package handlers
+
+import (
+	"github.com/gin-gonic/gin"
+
+	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/envstore"
+	"github.com/authorizerdev/authorizer/server/utils"
+)
+
+// OpenIDConfigurationHandler handler for open-id configurations
+func OpenIDConfigurationHandler() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		issuer := utils.GetHost(c)
+		jwtType := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtType)
+
+		c.JSON(200, gin.H{
+			"issuer":                                issuer,
+			"authorization_endpoint":                issuer + "/authorize",
+			"token_endpoint":                        issuer + "/token",
+			"userinfo_endpoint":                     issuer + "/userinfo",
+			"jwks_uri":                              issuer + "/.well-known/jwks.json",
+			"response_types_supported":              []string{"code", "token", "id_token", "code token", "code id_token", "token id_token", "code token id_token"},
+			"scopes_supported":                      []string{"openid", "email", "profile", "email_verified", "given_name", "family_name", "nick_name", "picture"},
+			"response_modes_supported":              []string{"query", "fragment", "form_post"},
+			"id_token_signing_alg_values_supported": []string{jwtType},
+			"claims_supported":                      []string{"aud", "exp", "iss", "iat", "sub", "given_name", "family_name", "middle_name", "nickname", "preferred_username", "picture", "email", "email_verified", "roles", "gender", "birthdate", "phone_number", "phone_number_verified"},
+		})
+	}
+}

server/handlers/revoke.go

@@ -0,0 +1,50 @@
+package handlers
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/envstore"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/gin-gonic/gin"
+)
+
+// Revoke handler to revoke refresh token
+func RevokeHandler() gin.HandlerFunc {
+	return func(gc *gin.Context) {
+		var reqBody map[string]string
+		if err := gc.BindJSON(&reqBody); err != nil {
+			gc.JSON(http.StatusBadRequest, gin.H{
+				"error":             "error_binding_json",
+				"error_description": err.Error(),
+			})
+			return
+		}
+		// get fingerprint hash
+		refreshToken := strings.TrimSpace(reqBody["refresh_token"])
+		clientID := strings.TrimSpace(reqBody["client_id"])
+
+		if clientID == "" {
+			gc.JSON(http.StatusBadRequest, gin.H{
+				"error":             "client_id_required",
+				"error_description": "The client id is required",
+			})
+			return
+		}
+
+		if clientID != envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyClientID) {
+			gc.JSON(http.StatusBadRequest, gin.H{
+				"error":             "invalid_client_id",
+				"error_description": "The client id is invalid",
+			})
+			return
+		}
+
+		sessionstore.RemoveState(refreshToken)
+
+		gc.JSON(http.StatusOK, gin.H{
+			"message": "Token revoked successfully",
+		})
+	}
+}

server/handlers/token.go

@@ -0,0 +1,193 @@
+package handlers
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"net/http"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
+	"github.com/authorizerdev/authorizer/server/db"
+	"github.com/authorizerdev/authorizer/server/envstore"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/token"
+	"github.com/gin-gonic/gin"
+)
+
+// TokenHandler to handle /oauth/token requests
+// grant type required
+func TokenHandler() gin.HandlerFunc {
+	return func(gc *gin.Context) {
+		var reqBody map[string]string
+		if err := gc.BindJSON(&reqBody); err != nil {
+			gc.JSON(http.StatusBadRequest, gin.H{
+				"error":             "error_binding_json",
+				"error_description": err.Error(),
+			})
+			return
+		}
+
+		codeVerifier := strings.TrimSpace(reqBody["code_verifier"])
+		code := strings.TrimSpace(reqBody["code"])
+		clientID := strings.TrimSpace(reqBody["client_id"])
+		grantType := strings.TrimSpace(reqBody["grant_type"])
+		refreshToken := strings.TrimSpace(reqBody["refresh_token"])
+
+		if grantType == "" {
+			grantType = "authorization_code"
+		}
+
+		isRefreshTokenGrant := grantType == "refresh_token"
+		isAuthorizationCodeGrant := grantType == "authorization_code"
+
+		if !isRefreshTokenGrant && !isAuthorizationCodeGrant {
+			gc.JSON(http.StatusBadRequest, gin.H{
+				"error":             "invalid_grant_type",
+				"error_description": "grant_type is invalid",
+			})
+		}
+
+		if clientID == "" {
+			gc.JSON(http.StatusBadRequest, gin.H{
+				"error":             "client_id_required",
+				"error_description": "The client id is required",
+			})
+			return
+		}
+
+		if clientID != envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyClientID) {
+			gc.JSON(http.StatusBadRequest, gin.H{
+				"error":             "invalid_client_id",
+				"error_description": "The client id is invalid",
+			})
+			return
+		}
+
+		var userID string
+		var roles, scope []string
+		if isAuthorizationCodeGrant {
+
+			if codeVerifier == "" {
+				gc.JSON(http.StatusBadRequest, gin.H{
+					"error":             "invalid_code_verifier",
+					"error_description": "The code verifier is required",
+				})
+				return
+			}
+
+			if code == "" {
+				gc.JSON(http.StatusBadRequest, gin.H{
+					"error":             "invalid_code",
+					"error_description": "The code is required",
+				})
+				return
+			}
+
+			hash := sha256.New()
+			hash.Write([]byte(codeVerifier))
+			encryptedCode := strings.ReplaceAll(base64.URLEncoding.EncodeToString(hash.Sum(nil)), "+", "-")
+			encryptedCode = strings.ReplaceAll(encryptedCode, "/", "_")
+			encryptedCode = strings.ReplaceAll(encryptedCode, "=", "")
+			sessionData := sessionstore.GetState(encryptedCode)
+			if sessionData == "" {
+				gc.JSON(http.StatusBadRequest, gin.H{
+					"error":             "invalid_code_verifier",
+					"error_description": "The code verifier is invalid",
+				})
+				return
+			}
+
+			// split session data
+			// it contains code@sessiontoken
+			sessionDataSplit := strings.Split(sessionData, "@")
+
+			if sessionDataSplit[0] != code {
+				gc.JSON(http.StatusBadRequest, gin.H{
+					"error":             "invalid_code_verifier",
+					"error_description": "The code verifier is invalid",
+				})
+				return
+			}
+
+			// rollover the session for security
+			sessionstore.RemoveState(sessionDataSplit[1])
+			// validate session
+			claims, err := token.ValidateBrowserSession(gc, sessionDataSplit[1])
+			if err != nil {
+				gc.JSON(http.StatusUnauthorized, gin.H{
+					"error":             "unauthorized",
+					"error_description": "Invalid session data",
+				})
+				return
+			}
+			userID = claims.Subject
+			roles = claims.Roles
+			scope = claims.Scope
+		} else {
+			// validate refresh token
+			if refreshToken == "" {
+				gc.JSON(http.StatusBadRequest, gin.H{
+					"error":             "invalid_refresh_token",
+					"error_description": "The refresh token is invalid",
+				})
+			}
+
+			claims, err := token.ValidateRefreshToken(gc, refreshToken)
+			if err != nil {
+				gc.JSON(http.StatusUnauthorized, gin.H{
+					"error":             "unauthorized",
+					"error_description": err.Error(),
+				})
+			}
+			userID = claims["sub"].(string)
+			rolesInterface := claims["roles"].([]interface{})
+			scopeInterface := claims["scope"].([]interface{})
+			for _, v := range rolesInterface {
+				roles = append(roles, v.(string))
+			}
+			for _, v := range scopeInterface {
+				scope = append(scope, v.(string))
+			}
+			// remove older refresh token and rotate it for security
+			sessionstore.RemoveState(refreshToken)
+		}
+
+		user, err := db.Provider.GetUserByID(userID)
+		if err != nil {
+			gc.JSON(http.StatusUnauthorized, gin.H{
+				"error":             "unauthorized",
+				"error_description": "User not found",
+			})
+			return
+		}
+
+		authToken, err := token.CreateAuthToken(gc, user, roles, scope)
+		if err != nil {
+			gc.JSON(http.StatusUnauthorized, gin.H{
+				"error":             "unauthorized",
+				"error_description": "User not found",
+			})
+			return
+		}
+		sessionstore.SetState(authToken.FingerPrintHash, authToken.FingerPrint+"@"+user.ID)
+		sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
+		cookie.SetSession(gc, authToken.FingerPrintHash)
+
+		expiresIn := int64(1800)
+		res := map[string]interface{}{
+			"access_token": authToken.AccessToken.Token,
+			"id_token":     authToken.IDToken.Token,
+			"scope":        scope,
+			"roles":        roles,
+			"expires_in":   expiresIn,
+		}
+
+		if authToken.RefreshToken != nil {
+			res["refresh_token"] = authToken.RefreshToken.Token
+			sessionstore.SetState(authToken.RefreshToken.Token, authToken.FingerPrint+"@"+user.ID)
+		}
+
+		gc.JSON(http.StatusOK, res)
+	}
+}

server/handlers/userinfo.go

@@ -0,0 +1,40 @@
+package handlers
+
+import (
+	"net/http"
+
+	"github.com/authorizerdev/authorizer/server/db"
+	"github.com/authorizerdev/authorizer/server/token"
+	"github.com/gin-gonic/gin"
+)
+
+func UserInfoHandler() gin.HandlerFunc {
+	return func(gc *gin.Context) {
+		accessToken, err := token.GetAccessToken(gc)
+		if err != nil {
+			gc.JSON(http.StatusUnauthorized, gin.H{
+				"error": err.Error(),
+			})
+			return
+		}
+
+		claims, err := token.ValidateAccessToken(gc, accessToken)
+		if err != nil {
+			gc.JSON(http.StatusUnauthorized, gin.H{
+				"error": err.Error(),
+			})
+			return
+		}
+
+		userID := claims["sub"].(string)
+		user, err := db.Provider.GetUserByID(userID)
+		if err != nil {
+			gc.JSON(http.StatusUnauthorized, gin.H{
+				"error": err.Error(),
+			})
+			return
+		}
+
+		gc.JSON(http.StatusOK, user.AsAPIUser())
+	}
+}

server/handlers/verify_email.go

@@ -2,6 +2,7 @@ package handlers
 
 import (
 	"net/http"
+	"strconv"
 	"strings"
 	"time"
 
@@ -18,7 +19,7 @@ import (
 func VerifyEmailHandler() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		errorRes := gin.H{
-			"message": "invalid token",
+			"error": "invalid_token",
 		}
 		tokenInQuery := c.Query("token")
 		if tokenInQuery == "" {
@@ -28,22 +29,24 @@ func VerifyEmailHandler() gin.HandlerFunc {
 
 		verificationRequest, err := db.Provider.GetVerificationRequestByToken(tokenInQuery)
 		if err != nil {
+			errorRes["error_description"] = err.Error()
 			c.JSON(400, errorRes)
 			return
 		}
 
 		// verify if token exists in db
-		claim, err := token.ParseJWTToken(tokenInQuery)
+		hostname := utils.GetHost(c)
+		claim, err := token.ParseJWTToken(tokenInQuery, hostname, verificationRequest.Nonce, verificationRequest.Email)
 		if err != nil {
+			errorRes["error_description"] = err.Error()
 			c.JSON(400, errorRes)
 			return
 		}
 
-		user, err := db.Provider.GetUserByEmail(claim["email"].(string))
+		user, err := db.Provider.GetUserByEmail(claim["sub"].(string))
 		if err != nil {
-			c.JSON(400, gin.H{
+			errorRes["error_description"] = err.Error()
-				"message": err.Error(),
+			c.JSON(400, errorRes)
-			})
 			return
 		}
 
@@ -56,18 +59,53 @@ func VerifyEmailHandler() gin.HandlerFunc {
 		// delete from verification table
 		db.Provider.DeleteVerificationRequest(verificationRequest)
 
-		roles := strings.Split(user.Roles, ",")
+		state := strings.TrimSpace(c.Query("state"))
-		authToken, err := token.CreateAuthToken(user, roles)
+		redirectURL := strings.TrimSpace(c.Query("redirect_uri"))
+		rolesString := strings.TrimSpace(c.Query("roles"))
+		var roles []string
+		if rolesString == "" {
+			roles = strings.Split(user.Roles, ",")
+		} else {
+			roles = strings.Split(rolesString, ",")
+		}
+
+		scopeString := strings.TrimSpace(c.Query("scope"))
+		var scope []string
+		if scopeString == "" {
+			scope = []string{"openid", "email", "profile"}
+		} else {
+			scope = strings.Split(scopeString, " ")
+		}
+		authToken, err := token.CreateAuthToken(c, user, roles, scope)
 		if err != nil {
-			c.JSON(400, gin.H{
+			errorRes["error_description"] = err.Error()
-				"message": err.Error(),
+			c.JSON(500, errorRes)
-			})
 			return
 		}
-		sessionstore.SetUserSession(user.ID, authToken.FingerPrint, authToken.RefreshToken.Token)
+		expiresIn := int64(1800)
-		cookie.SetCookie(c, authToken.AccessToken.Token, authToken.RefreshToken.Token, authToken.FingerPrintHash)
+		params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + state + "&id_token=" + authToken.IDToken.Token
-		utils.SaveSessionInDB(user.ID, c)
 
-		c.Redirect(http.StatusTemporaryRedirect, claim["redirect_url"].(string))
+		cookie.SetSession(c, authToken.FingerPrintHash)
+		sessionstore.SetState(authToken.FingerPrintHash, authToken.FingerPrint+"@"+user.ID)
+		sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
+
+		if authToken.RefreshToken != nil {
+			params = params + `&refresh_token=${refresh_token}`
+			sessionstore.SetState(authToken.RefreshToken.Token, authToken.FingerPrint+"@"+user.ID)
+		}
+
+		if redirectURL == "" {
+			redirectURL = claim["redirect_uri"].(string)
+		}
+
+		if strings.Contains(redirectURL, "?") {
+			redirectURL = redirectURL + "&" + params
+		} else {
+			redirectURL = redirectURL + "?" + params
+		}
+
+		go utils.SaveSessionInDB(c, user.ID)
+
+		c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 	}
 }

server/main.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"flag"
+	"log"
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/db"
@@ -20,16 +21,45 @@ func main() {
 	envstore.ARG_ENV_FILE = flag.String("env_file", "", "Env file path")
 	flag.Parse()
 
-	envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyVersion, VERSION)
+	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyVersion, VERSION)
 
-	env.InitEnv()
+	// initialize required envs (mainly db & env file path)
-	db.InitDB()
+	err := env.InitRequiredEnv()
-	env.PersistEnv()
+	if err != nil {
+		log.Fatal("Error while initializing required envs:", err)
+	}
 
-	sessionstore.InitSession()
+	// initialize db provider
-	oauth.InitOAuth()
+	err = db.InitDB()
+	if err != nil {
+		log.Fatalln("Error while initializing db:", err)
+	}
+
+	// initialize all envs
+	// (get if present from db else construct from os env + defaults)
+	err = env.InitAllEnv()
+	if err != nil {
+		log.Fatalln("Error while initializing env: ", err)
+	}
+
+	// persist all envs
+	err = env.PersistEnv()
+	if err != nil {
+		log.Fatalln("Error while persisting env:", err)
+	}
+
+	// initialize session store (redis or in-memory based on env)
+	err = sessionstore.InitSession()
+	if err != nil {
+		log.Fatalln("Error while initializing session store:", err)
+	}
+
+	// initialize oauth providers based on env
+	err = oauth.InitOAuth()
+	if err != nil {
+		log.Fatalln("Error while initializing oauth:", err)
+	}
 
 	router := routes.InitRouter()
-
+	router.Run(":" + envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyPort))
-	router.Run(":" + envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyPort))
 }

server/oauth/oauth.go

@@ -2,7 +2,6 @@ package oauth
 
 import (
 	"context"
-	"log"
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/envstore"
@@ -32,37 +31,39 @@ var (
 )
 
 // InitOAuth initializes the OAuth providers based on EnvData
-func InitOAuth() {
+func InitOAuth() error {
 	ctx := context.Background()
-	if envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyGoogleClientID) != "" && envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyGoogleClientSecret) != "" {
+	if envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyGoogleClientID) != "" && envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyGoogleClientSecret) != "" {
 		p, err := oidc.NewProvider(ctx, "https://accounts.google.com")
 		if err != nil {
-			log.Fatalln("error creating oidc provider for google:", err)
+			return err
 		}
 		OIDCProviders.GoogleOIDC = p
 		OAuthProviders.GoogleConfig = &oauth2.Config{
-			ClientID:     envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyGoogleClientID),
+			ClientID:     envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyGoogleClientID),
-			ClientSecret: envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyGoogleClientSecret),
+			ClientSecret: envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyGoogleClientSecret),
 			RedirectURL:  "/oauth_callback/google",
 			Endpoint:     OIDCProviders.GoogleOIDC.Endpoint(),
 			Scopes:       []string{oidc.ScopeOpenID, "profile", "email"},
 		}
 	}
-	if envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyGithubClientID) != "" && envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyGithubClientSecret) != "" {
+	if envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyGithubClientID) != "" && envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyGithubClientSecret) != "" {
 		OAuthProviders.GithubConfig = &oauth2.Config{
-			ClientID:     envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyGithubClientID),
+			ClientID:     envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyGithubClientID),
-			ClientSecret: envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyGithubClientSecret),
+			ClientSecret: envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyGithubClientSecret),
 			RedirectURL:  "/oauth_callback/github",
 			Endpoint:     githubOAuth2.Endpoint,
 		}
 	}
-	if envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyFacebookClientID) != "" && envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyGoogleClientID) != "" {
+	if envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyFacebookClientID) != "" && envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyGoogleClientID) != "" {
 		OAuthProviders.FacebookConfig = &oauth2.Config{
-			ClientID:     envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyFacebookClientID),
+			ClientID:     envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyFacebookClientID),
-			ClientSecret: envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyFacebookClientSecret),
+			ClientSecret: envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyFacebookClientSecret),
 			RedirectURL:  "/oauth_callback/facebook",
 			Endpoint:     facebookOAuth2.Endpoint,
 			Scopes:       []string{"public_profile", "email"},
 		}
 	}
+
+	return nil
 }

server/resolvers/admin_login.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/cookie"
+	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/utils"
@@ -20,12 +21,12 @@ func AdminLoginResolver(ctx context.Context, params model.AdminLoginInput) (*mod
 		return res, err
 	}
 
-	adminSecret := envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret)
+	adminSecret := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret)
 	if params.AdminSecret != adminSecret {
 		return res, fmt.Errorf(`invalid admin secret`)
 	}
 
-	hashedKey, err := utils.EncryptPassword(adminSecret)
+	hashedKey, err := crypto.EncryptPassword(adminSecret)
 	if err != nil {
 		return res, err
 	}

server/resolvers/admin_session.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/cookie"
+	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/token"
@@ -25,7 +26,7 @@ func AdminSessionResolver(ctx context.Context) (*model.Response, error) {
 		return res, fmt.Errorf("unauthorized")
 	}
 
-	hashedKey, err := utils.EncryptPassword(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))
+	hashedKey, err := crypto.EncryptPassword(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))
 	if err != nil {
 		return res, err
 	}

server/resolvers/admin_signup.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/cookie"
+	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
@@ -33,18 +34,18 @@ func AdminSignupResolver(ctx context.Context, params model.AdminSignupInput) (*m
 		return res, err
 	}
 
-	adminSecret := envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret)
+	adminSecret := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret)
 
 	if adminSecret != "" {
 		err = fmt.Errorf("admin sign up already completed")
 		return res, err
 	}
 
-	envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyAdminSecret, params.AdminSecret)
+	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyAdminSecret, params.AdminSecret)
 	// consvert EnvData to JSON
 	var storeData envstore.Store
 
-	jsonBytes, err := json.Marshal(envstore.EnvInMemoryStoreObj.GetEnvStoreClone())
+	jsonBytes, err := json.Marshal(envstore.EnvStoreObj.GetEnvStoreClone())
 	if err != nil {
 		return res, err
 	}
@@ -58,7 +59,7 @@ func AdminSignupResolver(ctx context.Context, params model.AdminSignupInput) (*m
 		return res, err
 	}
 
-	envData, err := utils.EncryptEnvData(storeData)
+	envData, err := crypto.EncryptEnvData(storeData)
 	if err != nil {
 		return res, err
 	}
@@ -68,7 +69,7 @@ func AdminSignupResolver(ctx context.Context, params model.AdminSignupInput) (*m
 		return res, err
 	}
 
-	hashedKey, err := utils.EncryptPassword(params.AdminSecret)
+	hashedKey, err := crypto.EncryptPassword(params.AdminSecret)
 	if err != nil {
 		return res, err
 	}

server/resolvers/delete_user.go

@@ -29,7 +29,7 @@ func DeleteUserResolver(ctx context.Context, params model.DeleteUserInput) (*mod
 		return res, err
 	}
 
-	sessionstore.DeleteAllUserSession(fmt.Sprintf("%x", user.ID))
+	go sessionstore.DeleteAllUserSession(fmt.Sprintf("%x", user.ID))
 
 	err = db.Provider.DeleteUser(user)
 	if err != nil {

server/resolvers/env.go

@@ -26,8 +26,10 @@ func EnvResolver(ctx context.Context) (*model.Env, error) {
 	}
 
 	// get clone of store
-	store := envstore.EnvInMemoryStoreObj.GetEnvStoreClone()
+	store := envstore.EnvStoreObj.GetEnvStoreClone()
 	adminSecret := store.StringEnv[constants.EnvKeyAdminSecret]
+	clientID := store.StringEnv[constants.EnvKeyClientID]
+	clientSecret := store.StringEnv[constants.EnvKeyClientSecret]
 	databaseURL := store.StringEnv[constants.EnvKeyDatabaseURL]
 	databaseName := store.StringEnv[constants.EnvKeyDatabaseName]
 	databaseType := store.StringEnv[constants.EnvKeyDatabaseType]
@@ -65,9 +67,11 @@ func EnvResolver(ctx context.Context) (*model.Env, error) {
 
 	res = &model.Env{
 		AdminSecret:                &adminSecret,
-		DatabaseName:               &databaseName,
+		DatabaseName:               databaseName,
-		DatabaseURL:                &databaseURL,
+		DatabaseURL:                databaseURL,
-		DatabaseType:               &databaseType,
+		DatabaseType:               databaseType,
+		ClientID:                   clientID,
+		ClientSecret:               clientSecret,
 		CustomAccessTokenScript:    &customAccessTokenScript,
 		SMTPHost:                   &smtpHost,
 		SMTPPort:                   &smtpPort,

server/resolvers/forgot_password.go

@@ -24,7 +24,7 @@ func ForgotPasswordResolver(ctx context.Context, params model.ForgotPasswordInpu
 	if err != nil {
 		return res, err
 	}
-	if envstore.EnvInMemoryStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableBasicAuthentication) {
+	if envstore.EnvStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableBasicAuthentication) {
 		return res, fmt.Errorf(`basic authentication is disabled for this instance`)
 	}
 	params.Email = strings.ToLower(params.Email)
@@ -39,21 +39,30 @@ func ForgotPasswordResolver(ctx context.Context, params model.ForgotPasswordInpu
 	}
 
 	hostname := utils.GetHost(gc)
-	verificationToken, err := token.CreateVerificationToken(params.Email, constants.VerificationTypeForgotPassword, hostname)
+	_, nonceHash, err := utils.GenerateNonce()
+	if err != nil {
+		return res, err
+	}
+	redirectURL := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAppURL)
+	if params.RedirectURI != nil {
+		redirectURL = *params.RedirectURI
+	}
+
+	verificationToken, err := token.CreateVerificationToken(params.Email, constants.VerificationTypeForgotPassword, hostname, nonceHash, redirectURL)
 	if err != nil {
 		log.Println(`error generating token`, err)
 	}
 	db.Provider.AddVerificationRequest(models.VerificationRequest{
-		Token:      verificationToken,
+		Token:       verificationToken,
-		Identifier: constants.VerificationTypeForgotPassword,
+		Identifier:  constants.VerificationTypeForgotPassword,
-		ExpiresAt:  time.Now().Add(time.Minute * 30).Unix(),
+		ExpiresAt:   time.Now().Add(time.Minute * 30).Unix(),
-		Email:      params.Email,
+		Email:       params.Email,
+		Nonce:       nonceHash,
+		RedirectURI: redirectURL,
 	})
 
 	// exec it as go routin so that we can reduce the api latency
-	go func() {
+	go email.SendForgotPasswordMail(params.Email, verificationToken, hostname)
-		email.SendForgotPasswordMail(params.Email, verificationToken, hostname)
-	}()
 
 	res = &model.Response{
 		Message: `Please check your inbox! We have sent a password reset link.`,

server/resolvers/is_valid_jwt.go

@@ -1,52 +0,0 @@
-package resolvers
-
-import (
-	"context"
-	"errors"
-	"fmt"
-
-	"github.com/authorizerdev/authorizer/server/constants"
-	"github.com/authorizerdev/authorizer/server/envstore"
-	"github.com/authorizerdev/authorizer/server/graph/model"
-	"github.com/authorizerdev/authorizer/server/token"
-	tokenHelper "github.com/authorizerdev/authorizer/server/token"
-	"github.com/authorizerdev/authorizer/server/utils"
-)
-
-// IsValidJwtResolver resolver to return if given jwt is valid
-func IsValidJwtResolver(ctx context.Context, params *model.IsValidJWTQueryInput) (*model.ValidJWTResponse, error) {
-	gc, err := utils.GinContextFromContext(ctx)
-	token, err := token.GetAccessToken(gc)
-
-	if token == "" || err != nil {
-		if params != nil && *params.Jwt != "" {
-			token = *params.Jwt
-		} else {
-			return nil, errors.New("no jwt provided via cookie / header / params")
-		}
-	}
-
-	claims, err := tokenHelper.ParseJWTToken(token)
-	if err != nil {
-		return nil, err
-	}
-
-	claimRoleInterface := claims[envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtRoleClaim)].([]interface{})
-	claimRoles := []string{}
-	for _, v := range claimRoleInterface {
-		claimRoles = append(claimRoles, v.(string))
-	}
-
-	if params != nil && params.Roles != nil && len(params.Roles) > 0 {
-		for _, v := range params.Roles {
-			if !utils.StringSliceContains(claimRoles, v) {
-				return nil, fmt.Errorf(`unauthorized`)
-			}
-		}
-	}
-
-	return &model.ValidJWTResponse{
-		Valid:   true,
-		Message: "Valid JWT",
-	}, nil
-}

server/resolvers/login.go

@@ -25,7 +25,7 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 		return res, err
 	}
 
-	if envstore.EnvInMemoryStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableBasicAuthentication) {
+	if envstore.EnvStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableBasicAuthentication) {
 		return res, fmt.Errorf(`basic authentication is disabled for this instance`)
 	}
 
@@ -49,7 +49,7 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 		log.Println("compare password error:", err)
 		return res, fmt.Errorf(`invalid password`)
 	}
-	roles := envstore.EnvInMemoryStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles)
+	roles := envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles)
 	currentRoles := strings.Split(user.Roles, ",")
 	if len(params.Roles) > 0 {
 		if !utils.IsValidRoles(currentRoles, params.Roles) {
@@ -59,20 +59,35 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 		roles = params.Roles
 	}
 
-	authToken, err := token.CreateAuthToken(user, roles)
+	scope := []string{"openid", "email", "profile"}
+	if params.Scope != nil && len(scope) > 0 {
+		scope = params.Scope
+	}
+
+	authToken, err := token.CreateAuthToken(gc, user, roles, scope)
 	if err != nil {
 		return res, err
 	}
-	sessionstore.SetUserSession(user.ID, authToken.FingerPrint, authToken.RefreshToken.Token)
-	cookie.SetCookie(gc, authToken.AccessToken.Token, authToken.RefreshToken.Token, authToken.FingerPrintHash)
-	utils.SaveSessionInDB(user.ID, gc)
 
+	expiresIn := int64(1800)
 	res = &model.AuthResponse{
 		Message:     `Logged in successfully`,
 		AccessToken: &authToken.AccessToken.Token,
-		ExpiresAt:   &authToken.AccessToken.ExpiresAt,
+		IDToken:     &authToken.IDToken.Token,
+		ExpiresIn:   &expiresIn,
 		User:        user.AsAPIUser(),
 	}
 
+	cookie.SetSession(gc, authToken.FingerPrintHash)
+	sessionstore.SetState(authToken.FingerPrintHash, authToken.FingerPrint+"@"+user.ID)
+	sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
+
+	if authToken.RefreshToken != nil {
+		res.RefreshToken = &authToken.RefreshToken.Token
+		sessionstore.SetState(authToken.RefreshToken.Token, authToken.FingerPrint+"@"+user.ID)
+	}
+
+	go utils.SaveSessionInDB(gc, user.ID)
+
 	return res, nil
 }

server/resolvers/logout.go

@@ -4,9 +4,9 @@ import (
 	"context"
 
 	"github.com/authorizerdev/authorizer/server/cookie"
+	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/sessionstore"
-	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )
 
@@ -18,34 +18,21 @@ func LogoutResolver(ctx context.Context) (*model.Response, error) {
 		return res, err
 	}
 
-	// get refresh token
-	refreshToken, err := token.GetRefreshToken(gc)
-	if err != nil {
-		return res, err
-	}
-
 	// get fingerprint hash
-	fingerprintHash, err := token.GetFingerPrint(gc)
+	fingerprintHash, err := cookie.GetSession(gc)
 	if err != nil {
 		return res, err
 	}
 
-	decryptedFingerPrint, err := utils.DecryptAES([]byte(fingerprintHash))
+	decryptedFingerPrint, err := crypto.DecryptAES(fingerprintHash)
 	if err != nil {
 		return res, err
 	}
 
 	fingerPrint := string(decryptedFingerPrint)
 
-	// verify refresh token and fingerprint
+	sessionstore.RemoveState(fingerPrint)
-	claims, err := token.ParseJWTToken(refreshToken)
+	cookie.DeleteSession(gc)
-	if err != nil {
-		return res, err
-	}
-
-	userID := claims["id"].(string)
-	sessionstore.DeleteUserSession(userID, fingerPrint)
-	cookie.DeleteCookie(gc)
 
 	res = &model.Response{
 		Message: "Logged out successfully",

server/resolvers/magic_link_login.go

@@ -25,7 +25,7 @@ func MagicLinkLoginResolver(ctx context.Context, params model.MagicLinkLoginInpu
 		return res, err
 	}
 
-	if envstore.EnvInMemoryStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableMagicLinkLogin) {
+	if envstore.EnvStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableMagicLinkLogin) {
 		return res, fmt.Errorf(`magic link login is disabled for this instance`)
 	}
 
@@ -49,13 +49,13 @@ func MagicLinkLoginResolver(ctx context.Context, params model.MagicLinkLoginInpu
 		// define roles for new user
 		if len(params.Roles) > 0 {
 			// check if roles exists
-			if !utils.IsValidRoles(envstore.EnvInMemoryStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyRoles), params.Roles) {
+			if !utils.IsValidRoles(envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyRoles), params.Roles) {
 				return res, fmt.Errorf(`invalid roles`)
 			} else {
 				inputRoles = params.Roles
 			}
 		} else {
-			inputRoles = envstore.EnvInMemoryStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles)
+			inputRoles = envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles)
 		}
 
 		user.Roles = strings.Join(inputRoles, ",")
@@ -68,6 +68,9 @@ func MagicLinkLoginResolver(ctx context.Context, params model.MagicLinkLoginInpu
 		// 		Need to modify roles in this case
 
 		// find the unassigned roles
+		if len(params.Roles) <= 0 {
+			inputRoles = envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles)
+		}
 		existingRoles := strings.Split(existingUser.Roles, ",")
 		unasignedRoles := []string{}
 		for _, ir := range inputRoles {
@@ -80,7 +83,7 @@ func MagicLinkLoginResolver(ctx context.Context, params model.MagicLinkLoginInpu
 			// check if it contains protected unassigned role
 			hasProtectedRole := false
 			for _, ur := range unasignedRoles {
-				if utils.StringSliceContains(envstore.EnvInMemoryStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyProtectedRoles), ur) {
+				if utils.StringSliceContains(envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyProtectedRoles), ur) {
 					hasProtectedRole = true
 				}
 			}
@@ -107,24 +110,49 @@ func MagicLinkLoginResolver(ctx context.Context, params model.MagicLinkLoginInpu
 	}
 
 	hostname := utils.GetHost(gc)
-	if !envstore.EnvInMemoryStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification) {
+	if !envstore.EnvStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification) {
 		// insert verification request
+		_, nonceHash, err := utils.GenerateNonce()
+		if err != nil {
+			return res, err
+		}
+		redirectURLParams := "&roles=" + strings.Join(inputRoles, ",")
+		if params.State != nil {
+			redirectURLParams = redirectURLParams + "&state=" + *params.State
+		}
+		if params.Scope != nil && len(params.Scope) > 0 {
+			redirectURLParams = redirectURLParams + "&scope=" + strings.Join(params.Scope, " ")
+		}
+		redirectURL := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAppURL)
+		if params.RedirectURI != nil {
+			redirectURL = *params.RedirectURI
+		}
+
+		if strings.Contains(redirectURL, "?") {
+			redirectURL = redirectURL + "&" + redirectURLParams
+		} else {
+			redirectURL = redirectURL + "?" + redirectURLParams
+		}
+
 		verificationType := constants.VerificationTypeMagicLinkLogin
-		verificationToken, err := token.CreateVerificationToken(params.Email, verificationType, hostname)
+		verificationToken, err := token.CreateVerificationToken(params.Email, verificationType, hostname, nonceHash, redirectURL)
 		if err != nil {
 			log.Println(`error generating token`, err)
 		}
-		db.Provider.AddVerificationRequest(models.VerificationRequest{
+		_, err = db.Provider.AddVerificationRequest(models.VerificationRequest{
-			Token:      verificationToken,
+			Token:       verificationToken,
-			Identifier: verificationType,
+			Identifier:  verificationType,
-			ExpiresAt:  time.Now().Add(time.Minute * 30).Unix(),
+			ExpiresAt:   time.Now().Add(time.Minute * 30).Unix(),
-			Email:      params.Email,
+			Email:       params.Email,
+			Nonce:       nonceHash,
+			RedirectURI: redirectURL,
 		})
+		if err != nil {
+			return res, err
+		}
 
-		// exec it as go routin so that we can reduce the api latency
+		// exec it as go routing so that we can reduce the api latency
-		go func() {
+		go email.SendVerificationMail(params.Email, verificationToken, hostname)
-			email.SendVerificationMail(params.Email, verificationToken, hostname)
-		}()
 	}
 
 	res = &model.Response{

server/resolvers/profile.go

@@ -2,7 +2,6 @@ package resolvers
 
 import (
 	"context"
-	"fmt"
 
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/graph/model"
@@ -18,13 +17,17 @@ func ProfileResolver(ctx context.Context) (*model.User, error) {
 		return res, err
 	}
 
-	claims, err := token.ValidateAccessToken(gc)
+	accessToken, err := token.GetAccessToken(gc)
 	if err != nil {
 		return res, err
 	}
 
-	userID := fmt.Sprintf("%v", claims["id"])
+	claims, err := token.ValidateAccessToken(gc, accessToken)
+	if err != nil {
+		return res, err
+	}
 
+	userID := claims["sub"].(string)
 	user, err := db.Provider.GetUserByID(userID)
 	if err != nil {
 		return res, err

server/resolvers/resend_verify_email.go

@@ -44,21 +44,26 @@ func ResendVerifyEmailResolver(ctx context.Context, params model.ResendVerifyEma
 	}
 
 	hostname := utils.GetHost(gc)
-	verificationToken, err := token.CreateVerificationToken(params.Email, params.Identifier, hostname)
+	_, nonceHash, err := utils.GenerateNonce()
+	if err != nil {
+		return res, err
+	}
+
+	verificationToken, err := token.CreateVerificationToken(params.Email, params.Identifier, hostname, nonceHash, verificationRequest.RedirectURI)
 	if err != nil {
 		log.Println(`error generating token`, err)
 	}
 	db.Provider.AddVerificationRequest(models.VerificationRequest{
-		Token:      verificationToken,
+		Token:       verificationToken,
-		Identifier: params.Identifier,
+		Identifier:  params.Identifier,
-		ExpiresAt:  time.Now().Add(time.Minute * 30).Unix(),
+		ExpiresAt:   time.Now().Add(time.Minute * 30).Unix(),
-		Email:      params.Email,
+		Email:       params.Email,
+		Nonce:       nonceHash,
+		RedirectURI: verificationRequest.RedirectURI,
 	})
 
 	// exec it as go routin so that we can reduce the api latency
-	go func() {
+	go email.SendVerificationMail(params.Email, verificationToken, hostname)
-		email.SendVerificationMail(params.Email, verificationToken, hostname)
-	}()
 
 	res = &model.Response{
 		Message: `Verification email has been sent. Please check your inbox`,

server/resolvers/reset_password.go

@@ -7,6 +7,7 @@ import (
 	"time"
 
 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
@@ -17,7 +18,11 @@ import (
 // ResetPasswordResolver is a resolver for reset password mutation
 func ResetPasswordResolver(ctx context.Context, params model.ResetPasswordInput) (*model.Response, error) {
 	var res *model.Response
-	if envstore.EnvInMemoryStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableBasicAuthentication) {
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		return res, err
+	}
+	if envstore.EnvStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableBasicAuthentication) {
 		return res, fmt.Errorf(`basic authentication is disabled for this instance`)
 	}
 
@@ -31,17 +36,18 @@ func ResetPasswordResolver(ctx context.Context, params model.ResetPasswordInput)
 	}
 
 	// verify if token exists in db
-	claim, err := token.ParseJWTToken(params.Token)
+	hostname := utils.GetHost(gc)
+	claim, err := token.ParseJWTToken(params.Token, hostname, verificationRequest.Nonce, verificationRequest.Email)
 	if err != nil {
 		return res, fmt.Errorf(`invalid token`)
 	}
 
-	user, err := db.Provider.GetUserByEmail(claim["email"].(string))
+	user, err := db.Provider.GetUserByEmail(claim["sub"].(string))
 	if err != nil {
 		return res, err
 	}
 
-	password, _ := utils.EncryptPassword(params.Password)
+	password, _ := crypto.EncryptPassword(params.Password)
 	user.Password = &password
 
 	signupMethod := user.SignupMethods

server/resolvers/revoke.go

@@ -0,0 +1,16 @@
+package resolvers
+
+import (
+	"context"
+
+	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+)
+
+// RevokeResolver resolver to revoke refresh token
+func RevokeResolver(ctx context.Context, params model.OAuthRevokeInput) (*model.Response, error) {
+	sessionstore.RemoveState(params.RefreshToken)
+	return &model.Response{
+		Message: "Token revoked",
+	}, nil
+}

server/resolvers/session.go

@@ -13,6 +13,7 @@ import (
 )
 
 // SessionResolver is a resolver for session query
+// TODO allow validating with code and code verifier instead of cookie (PKCE flow)
 func SessionResolver(ctx context.Context, params *model.SessionQueryInput) (*model.AuthResponse, error) {
 	var res *model.AuthResponse
 
@@ -21,48 +22,27 @@ func SessionResolver(ctx context.Context, params *model.SessionQueryInput) (*mod
 		return res, err
 	}
 
-	// get refresh token
+	sessionToken, err := cookie.GetSession(gc)
-	refreshToken, err := token.GetRefreshToken(gc)
 	if err != nil {
 		return res, err
 	}
 
-	// get fingerprint hash
+	// get session from cookie
-	fingerprintHash, err := token.GetFingerPrint(gc)
+	claims, err := token.ValidateBrowserSession(gc, sessionToken)
 	if err != nil {
 		return res, err
 	}
-
+	userID := claims.Subject
-	decryptedFingerPrint, err := utils.DecryptAES([]byte(fingerprintHash))
-	if err != nil {
-		return res, err
-	}
-
-	fingerPrint := string(decryptedFingerPrint)
-
-	// verify refresh token and fingerprint
-	claims, err := token.ParseJWTToken(refreshToken)
-	if err != nil {
-		return res, err
-	}
-
-	userID := claims["id"].(string)
-
-	persistedRefresh := sessionstore.GetUserSession(userID, fingerPrint)
-	if refreshToken != persistedRefresh {
-		return res, fmt.Errorf(`unauthorized`)
-	}
-
 	user, err := db.Provider.GetUserByID(userID)
 	if err != nil {
 		return res, err
 	}
 
 	// refresh token has "roles" as claim
-	claimRoleInterface := claims["roles"].([]interface{})
+	claimRoleInterface := claims.Roles
 	claimRoles := []string{}
 	for _, v := range claimRoleInterface {
-		claimRoles = append(claimRoles, v.(string))
+		claimRoles = append(claimRoles, v)
 	}
 
 	if params != nil && params.Roles != nil && len(params.Roles) > 0 {
@@ -73,22 +53,35 @@ func SessionResolver(ctx context.Context, params *model.SessionQueryInput) (*mod
 		}
 	}
 
-	// delete older session
+	scope := []string{"openid", "email", "profile"}
-	sessionstore.DeleteUserSession(userID, fingerPrint)
+	if params != nil && params.Scope != nil && len(scope) > 0 {
+		scope = params.Scope
+	}
 
-	authToken, err := token.CreateAuthToken(user, claimRoles)
+	authToken, err := token.CreateAuthToken(gc, user, claimRoles, scope)
 	if err != nil {
 		return res, err
 	}
-	sessionstore.SetUserSession(user.ID, authToken.FingerPrint, authToken.RefreshToken.Token)
-	cookie.SetCookie(gc, authToken.AccessToken.Token, authToken.RefreshToken.Token, authToken.FingerPrintHash)
 
+	// rollover the session for security
+	sessionstore.RemoveState(sessionToken)
+	sessionstore.SetState(authToken.FingerPrintHash, authToken.FingerPrint+"@"+user.ID)
+	sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
+	cookie.SetSession(gc, authToken.FingerPrintHash)
+
+	expiresIn := int64(1800)
 	res = &model.AuthResponse{
 		Message:     `Session token refreshed`,
 		AccessToken: &authToken.AccessToken.Token,
-		ExpiresAt:   &authToken.AccessToken.ExpiresAt,
+		ExpiresIn:   &expiresIn,
+		IDToken:     &authToken.IDToken.Token,
 		User:        user.AsAPIUser(),
 	}
 
+	if authToken.RefreshToken != nil {
+		res.RefreshToken = &authToken.RefreshToken.Token
+		sessionstore.SetState(authToken.RefreshToken.Token, authToken.FingerPrint+"@"+user.ID)
+	}
+
 	return res, nil
 }

server/resolvers/signup.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/cookie"
+	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/db/models"
 	"github.com/authorizerdev/authorizer/server/email"
@@ -27,7 +28,7 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 		return res, err
 	}
 
-	if envstore.EnvInMemoryStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableBasicAuthentication) {
+	if envstore.EnvStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableBasicAuthentication) {
 		return res, fmt.Errorf(`basic authentication is disabled for this instance`)
 	}
 	if params.ConfirmPassword != params.Password {
@@ -57,13 +58,13 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 
 	if len(params.Roles) > 0 {
 		// check if roles exists
-		if !utils.IsValidRoles(envstore.EnvInMemoryStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyRoles), params.Roles) {
+		if !utils.IsValidRoles(envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyRoles), params.Roles) {
 			return res, fmt.Errorf(`invalid roles`)
 		} else {
 			inputRoles = params.Roles
 		}
 	} else {
-		inputRoles = envstore.EnvInMemoryStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles)
+		inputRoles = envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles)
 	}
 
 	user := models.User{
@@ -72,7 +73,7 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 
 	user.Roles = strings.Join(inputRoles, ",")
 
-	password, _ := utils.EncryptPassword(params.Password)
+	password, _ := crypto.EncryptPassword(params.Password)
 	user.Password = &password
 
 	if params.GivenName != nil {
@@ -108,7 +109,7 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 	}
 
 	user.SignupMethods = constants.SignupMethodBasicAuth
-	if envstore.EnvInMemoryStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification) {
+	if envstore.EnvStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification) {
 		now := time.Now().Unix()
 		user.EmailVerifiedAt = &now
 	}
@@ -120,43 +121,55 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 	userToReturn := user.AsAPIUser()
 
 	hostname := utils.GetHost(gc)
-	if !envstore.EnvInMemoryStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification) {
+	if !envstore.EnvStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification) {
 		// insert verification request
-		verificationType := constants.VerificationTypeBasicAuthSignup
+		_, nonceHash, err := utils.GenerateNonce()
-		verificationToken, err := token.CreateVerificationToken(params.Email, verificationType, hostname)
 		if err != nil {
-			log.Println(`error generating token`, err)
+			return res, err
+		}
+		verificationType := constants.VerificationTypeBasicAuthSignup
+		redirectURL := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAppURL)
+		verificationToken, err := token.CreateVerificationToken(params.Email, verificationType, hostname, nonceHash, redirectURL)
+		if err != nil {
+			return res, err
 		}
 		db.Provider.AddVerificationRequest(models.VerificationRequest{
-			Token:      verificationToken,
+			Token:       verificationToken,
-			Identifier: verificationType,
+			Identifier:  verificationType,
-			ExpiresAt:  time.Now().Add(time.Minute * 30).Unix(),
+			ExpiresAt:   time.Now().Add(time.Minute * 30).Unix(),
-			Email:      params.Email,
+			Email:       params.Email,
+			Nonce:       nonceHash,
+			RedirectURI: redirectURL,
 		})
 
 		// exec it as go routin so that we can reduce the api latency
-		go func() {
+		go email.SendVerificationMail(params.Email, verificationToken, hostname)
-			email.SendVerificationMail(params.Email, verificationToken, hostname)
-		}()
 
 		res = &model.AuthResponse{
 			Message: `Verification email has been sent. Please check your inbox`,
 			User:    userToReturn,
 		}
 	} else {
+		scope := []string{"openid", "email", "profile"}
+		if params.Scope != nil && len(scope) > 0 {
+			scope = params.Scope
+		}
 
-		authToken, err := token.CreateAuthToken(user, roles)
+		authToken, err := token.CreateAuthToken(gc, user, roles, scope)
 		if err != nil {
 			return res, err
 		}
-		sessionstore.SetUserSession(user.ID, authToken.FingerPrint, authToken.RefreshToken.Token)
+
-		cookie.SetCookie(gc, authToken.AccessToken.Token, authToken.RefreshToken.Token, authToken.FingerPrintHash)
+		sessionstore.SetState(authToken.FingerPrintHash, authToken.FingerPrint+"@"+user.ID)
-		utils.SaveSessionInDB(user.ID, gc)
+		cookie.SetSession(gc, authToken.FingerPrintHash)
+		go utils.SaveSessionInDB(gc, user.ID)
+
+		expiresIn := int64(1800)
 
 		res = &model.AuthResponse{
 			Message:     `Signed up successfully.`,
 			AccessToken: &authToken.AccessToken.Token,
-			ExpiresAt:   &authToken.AccessToken.ExpiresAt,
+			ExpiresIn:   &expiresIn,
 			User:        userToReturn,
 		}
 	}

server/resolvers/update_env.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/cookie"
+	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
@@ -33,6 +34,66 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model
 		return res, fmt.Errorf("unauthorized")
 	}
 
+	updatedData := envstore.EnvStoreObj.GetEnvStoreClone()
+
+	isJWTUpdated := false
+	algo := updatedData.StringEnv[constants.EnvKeyJwtType]
+	if params.JwtType != nil {
+		algo = *params.JwtType
+		if !crypto.IsHMACA(algo) && !crypto.IsECDSA(algo) && !crypto.IsRSA(algo) {
+			return res, fmt.Errorf("invalid jwt type")
+		}
+
+		updatedData.StringEnv[constants.EnvKeyJwtType] = algo
+		isJWTUpdated = true
+	}
+
+	if params.JwtSecret != nil || params.JwtPublicKey != nil || params.JwtPrivateKey != nil {
+		isJWTUpdated = true
+	}
+
+	if isJWTUpdated {
+		// check if jwt secret is provided
+		if crypto.IsHMACA(algo) {
+			if params.JwtSecret == nil {
+				return res, fmt.Errorf("jwt secret is required for HMAC algorithm")
+			}
+		}
+
+		if crypto.IsRSA(algo) {
+			if params.JwtPrivateKey == nil || params.JwtPublicKey == nil {
+				return res, fmt.Errorf("jwt private and public key is required for RSA (PKCS1) / ECDSA algorithm")
+			}
+
+			_, err = crypto.ParseRsaPrivateKeyFromPemStr(*params.JwtPrivateKey)
+			if err != nil {
+				return res, err
+			}
+
+			_, err := crypto.ParseRsaPublicKeyFromPemStr(*params.JwtPublicKey)
+			if err != nil {
+				return res, err
+			}
+		}
+
+		if crypto.IsECDSA(algo) {
+			if params.JwtPrivateKey == nil || params.JwtPublicKey == nil {
+				return res, fmt.Errorf("jwt private and public key is required for RSA (PKCS1) / ECDSA algorithm")
+			}
+
+			_, err = crypto.ParseEcdsaPrivateKeyFromPemStr(*params.JwtPrivateKey)
+			if err != nil {
+				return res, err
+			}
+
+			_, err := crypto.ParseEcdsaPublicKeyFromPemStr(*params.JwtPublicKey)
+			if err != nil {
+				return res, err
+			}
+		}
+
+	}
+
 	var data map[string]interface{}
 	byteData, err := json.Marshal(params)
 	if err != nil {
@@ -50,7 +111,7 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model
 			return res, errors.New("admin secret and old admin secret are required for secret change")
 		}
 
-		if *params.OldAdminSecret != envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret) {
+		if *params.OldAdminSecret != envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret) {
 			return res, errors.New("old admin secret is not correct")
 		}
 
@@ -61,7 +122,6 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model
 
 	}
 
-	updatedData := envstore.EnvInMemoryStoreObj.GetEnvStoreClone()
 	for key, value := range data {
 		if value != nil {
 			fieldType := reflect.TypeOf(value).String()
@@ -116,9 +176,21 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model
 	}
 
 	// Update local store
-	envstore.EnvInMemoryStoreObj.UpdateEnvStore(updatedData)
+	envstore.EnvStoreObj.UpdateEnvStore(updatedData)
-	sessionstore.InitSession()
+	jwk, err := crypto.GenerateJWKBasedOnEnv()
-	oauth.InitOAuth()
+	if err != nil {
+		return res, err
+	}
+	// updating jwk
+	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJWK, jwk)
+	err = sessionstore.InitSession()
+	if err != nil {
+		return res, err
+	}
+	err = oauth.InitOAuth()
+	if err != nil {
+		return res, err
+	}
 
 	// Fetch the current db store and update it
 	env, err := db.Provider.GetEnv()
@@ -127,14 +199,14 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model
 	}
 
 	if params.AdminSecret != nil {
-		hashedKey, err := utils.EncryptPassword(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))
+		hashedKey, err := crypto.EncryptPassword(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))
 		if err != nil {
 			return res, err
 		}
 		cookie.SetAdminCookie(gc, hashedKey)
 	}
 
-	encryptedConfig, err := utils.EncryptEnvData(updatedData)
+	encryptedConfig, err := crypto.EncryptEnvData(updatedData)
 	if err != nil {
 		return res, err
 	}

server/resolvers/update_profile.go

@@ -9,9 +9,11 @@ import (
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/cookie"
+	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/db/models"
 	"github.com/authorizerdev/authorizer/server/email"
+	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/sessionstore"
 	"github.com/authorizerdev/authorizer/server/token"
@@ -27,7 +29,11 @@ func UpdateProfileResolver(ctx context.Context, params model.UpdateProfileInput)
 		return res, err
 	}
 
-	claims, err := token.ValidateAccessToken(gc)
+	accessToken, err := token.GetAccessToken(gc)
+	if err != nil {
+		return res, err
+	}
+	claims, err := token.ValidateAccessToken(gc, accessToken)
 	if err != nil {
 		return res, err
 	}
@@ -37,8 +43,8 @@ func UpdateProfileResolver(ctx context.Context, params model.UpdateProfileInput)
 		return res, fmt.Errorf("please enter at least one param to update")
 	}
 
-	userEmail := fmt.Sprintf("%v", claims["email"])
+	userID := claims["sub"].(string)
-	user, err := db.Provider.GetUserByEmail(userEmail)
+	user, err := db.Provider.GetUserByID(userID)
 	if err != nil {
 		return res, err
 	}
@@ -92,7 +98,7 @@ func UpdateProfileResolver(ctx context.Context, params model.UpdateProfileInput)
 			return res, fmt.Errorf(`password and confirm password does not match`)
 		}
 
-		password, _ := utils.EncryptPassword(*params.NewPassword)
+		password, _ := crypto.EncryptPassword(*params.NewPassword)
 
 		user.Password = &password
 	}
@@ -107,38 +113,46 @@ func UpdateProfileResolver(ctx context.Context, params model.UpdateProfileInput)
 		newEmail := strings.ToLower(*params.Email)
 		// check if user with new email exists
 		_, err := db.Provider.GetUserByEmail(newEmail)
-
 		// err = nil means user exists
 		if err == nil {
 			return res, fmt.Errorf("user with this email address already exists")
 		}
 
-		sessionstore.DeleteAllUserSession(fmt.Sprintf("%v", user.ID))
+		// TODO figure out how to delete all user sessions
-		cookie.DeleteCookie(gc)
+		go sessionstore.DeleteAllUserSession(user.ID)
 
-		hostname := utils.GetHost(gc)
+		cookie.DeleteSession(gc)
 		user.Email = newEmail
-		user.EmailVerifiedAt = nil
+
-		hasEmailChanged = true
+		if !envstore.EnvStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification) {
-		// insert verification request
+			hostname := utils.GetHost(gc)
-		verificationType := constants.VerificationTypeUpdateEmail
+			user.EmailVerifiedAt = nil
-		verificationToken, err := token.CreateVerificationToken(newEmail, verificationType, hostname)
+			hasEmailChanged = true
-		if err != nil {
+			// insert verification request
-			log.Println(`error generating token`, err)
+			_, nonceHash, err := utils.GenerateNonce()
+			if err != nil {
+				return res, err
+			}
+			verificationType := constants.VerificationTypeUpdateEmail
+			redirectURL := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAppURL)
+			verificationToken, err := token.CreateVerificationToken(newEmail, verificationType, hostname, nonceHash, redirectURL)
+			if err != nil {
+				log.Println(`error generating token`, err)
+			}
+			db.Provider.AddVerificationRequest(models.VerificationRequest{
+				Token:       verificationToken,
+				Identifier:  verificationType,
+				ExpiresAt:   time.Now().Add(time.Minute * 30).Unix(),
+				Email:       newEmail,
+				Nonce:       nonceHash,
+				RedirectURI: redirectURL,
+			})
+
+			// exec it as go routin so that we can reduce the api latency
+			go email.SendVerificationMail(newEmail, verificationToken, hostname)
+
 		}
-		db.Provider.AddVerificationRequest(models.VerificationRequest{
-			Token:      verificationToken,
-			Identifier: verificationType,
-			ExpiresAt:  time.Now().Add(time.Minute * 30).Unix(),
-			Email:      newEmail,
-		})
-
-		// exec it as go routin so that we can reduce the api latency
-		go func() {
-			email.SendVerificationMail(newEmail, verificationToken, hostname)
-		}()
 	}
-
 	_, err = db.Provider.UpdateUser(user)
 	if err != nil {
 		log.Println("error updating user:", err)

server/resolvers/update_user.go

@@ -8,7 +8,6 @@ import (
 	"time"
 
 	"github.com/authorizerdev/authorizer/server/constants"
-	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/db/models"
 	"github.com/authorizerdev/authorizer/server/email"
@@ -95,29 +94,35 @@ func UpdateUserResolver(ctx context.Context, params model.UpdateUserInput) (*mod
 			return res, fmt.Errorf("user with this email address already exists")
 		}
 
-		sessionstore.DeleteAllUserSession(fmt.Sprintf("%v", user.ID))
+		// TODO figure out how to do this
-		cookie.DeleteCookie(gc)
+		go sessionstore.DeleteAllUserSession(user.ID)
 
 		hostname := utils.GetHost(gc)
 		user.Email = newEmail
 		user.EmailVerifiedAt = nil
 		// insert verification request
+		_, nonceHash, err := utils.GenerateNonce()
+		if err != nil {
+			return res, err
+		}
 		verificationType := constants.VerificationTypeUpdateEmail
-		verificationToken, err := token.CreateVerificationToken(newEmail, verificationType, hostname)
+		redirectURL := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAppURL)
+		verificationToken, err := token.CreateVerificationToken(newEmail, verificationType, hostname, nonceHash, redirectURL)
 		if err != nil {
 			log.Println(`error generating token`, err)
 		}
 		db.Provider.AddVerificationRequest(models.VerificationRequest{
-			Token:      verificationToken,
+			Token:       verificationToken,
-			Identifier: verificationType,
+			Identifier:  verificationType,
-			ExpiresAt:  time.Now().Add(time.Minute * 30).Unix(),
+			ExpiresAt:   time.Now().Add(time.Minute * 30).Unix(),
-			Email:      newEmail,
+			Email:       newEmail,
+			Nonce:       nonceHash,
+			RedirectURI: redirectURL,
 		})
 
 		// exec it as go routin so that we can reduce the api latency
-		go func() {
+		go email.SendVerificationMail(newEmail, verificationToken, hostname)
-			email.SendVerificationMail(newEmail, verificationToken, hostname)
+
-		}()
 	}
 
 	rolesToSave := ""
@@ -128,7 +133,7 @@ func UpdateUserResolver(ctx context.Context, params model.UpdateUserInput) (*mod
 			inputRoles = append(inputRoles, *item)
 		}
 
-		if !utils.IsValidRoles(inputRoles, append([]string{}, append(envstore.EnvInMemoryStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyRoles), envstore.EnvInMemoryStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyProtectedRoles)...)...)) {
+		if !utils.IsValidRoles(inputRoles, append([]string{}, append(envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyRoles), envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyProtectedRoles)...)...)) {
 			return res, fmt.Errorf("invalid list of roles")
 		}
 
@@ -136,8 +141,7 @@ func UpdateUserResolver(ctx context.Context, params model.UpdateUserInput) (*mod
 			rolesToSave = strings.Join(inputRoles, ",")
 		}
 
-		sessionstore.DeleteAllUserSession(fmt.Sprintf("%v", user.ID))
+		go sessionstore.DeleteAllUserSession(user.ID)
-		cookie.DeleteCookie(gc)
 	}
 
 	if rolesToSave != "" {

server/resolvers/verify_email.go

@@ -24,16 +24,17 @@ func VerifyEmailResolver(ctx context.Context, params model.VerifyEmailInput) (*m
 
 	verificationRequest, err := db.Provider.GetVerificationRequestByToken(params.Token)
 	if err != nil {
-		return res, fmt.Errorf(`invalid token`)
+		return res, fmt.Errorf(`invalid token: %s`, err.Error())
 	}
 
 	// verify if token exists in db
-	claim, err := token.ParseJWTToken(params.Token)
+	hostname := utils.GetHost(gc)
+	claim, err := token.ParseJWTToken(params.Token, hostname, verificationRequest.Nonce, verificationRequest.Email)
 	if err != nil {
-		return res, fmt.Errorf(`invalid token`)
+		return res, fmt.Errorf(`invalid token: %s`, err.Error())
 	}
 
-	user, err := db.Provider.GetUserByEmail(claim["email"].(string))
+	user, err := db.Provider.GetUserByEmail(claim["sub"].(string))
 	if err != nil {
 		return res, err
 	}
@@ -41,25 +42,35 @@ func VerifyEmailResolver(ctx context.Context, params model.VerifyEmailInput) (*m
 	// update email_verified_at in users table
 	now := time.Now().Unix()
 	user.EmailVerifiedAt = &now
-	db.Provider.UpdateUser(user)
+	user, err = db.Provider.UpdateUser(user)
-	// delete from verification table
+	if err != nil {
-	db.Provider.DeleteVerificationRequest(verificationRequest)
+		return res, err
-
+	}
-	roles := strings.Split(user.Roles, ",")
+	// delete from verification table
-	authToken, err := token.CreateAuthToken(user, roles)
+	err = db.Provider.DeleteVerificationRequest(verificationRequest)
 	if err != nil {
 		return res, err
 	}
-	sessionstore.SetUserSession(user.ID, authToken.FingerPrint, authToken.RefreshToken.Token)
-	cookie.SetCookie(gc, authToken.AccessToken.Token, authToken.RefreshToken.Token, authToken.FingerPrintHash)
-	utils.SaveSessionInDB(user.ID, gc)
 
+	roles := strings.Split(user.Roles, ",")
+	scope := []string{"openid", "email", "profile"}
+	authToken, err := token.CreateAuthToken(gc, user, roles, scope)
+	if err != nil {
+		return res, err
+	}
+
+	sessionstore.SetState(authToken.FingerPrintHash, authToken.FingerPrint+"@"+user.ID)
+	sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
+	cookie.SetSession(gc, authToken.FingerPrintHash)
+	go utils.SaveSessionInDB(gc, user.ID)
+
+	expiresIn := int64(1800)
 	res = &model.AuthResponse{
 		Message:     `Email verified successfully.`,
 		AccessToken: &authToken.AccessToken.Token,
-		ExpiresAt:   &authToken.AccessToken.ExpiresAt,
+		IDToken:     &authToken.IDToken.Token,
+		ExpiresIn:   &expiresIn,
 		User:        user.AsAPIUser(),
 	}
-
 	return res, nil
 }

server/routes/routes.go

@@ -20,6 +20,14 @@ func InitRouter() *gin.Engine {
 	router.GET("/oauth_login/:oauth_provider", handlers.OAuthLoginHandler())
 	router.GET("/oauth_callback/:oauth_provider", handlers.OAuthCallbackHandler())
 	router.GET("/verify_email", handlers.VerifyEmailHandler())
+	// OPEN ID routes
+	router.GET("/.well-known/openid-configuration", handlers.OpenIDConfigurationHandler())
+	router.GET("/.well-known/jwks.json", handlers.JWKsHandler())
+	router.GET("/authorize", handlers.AuthorizeHandler())
+	router.GET("/userinfo", handlers.UserInfoHandler())
+	router.GET("/logout", handlers.LogoutHandler())
+	router.POST("/oauth/token", handlers.TokenHandler())
+	router.POST("/oauth/revoke", handlers.RevokeHandler())
 
 	router.LoadHTMLGlob("templates/*")
 	// login page app related routes.

server/sessionstore/in_memory_session.go

@@ -1,112 +1,74 @@
 package sessionstore
 
 import (
+	"strings"
 	"sync"
 )
 
 // InMemoryStore is a simple in-memory store for sessions.
 type InMemoryStore struct {
-	mutex            sync.Mutex
+	mutex        sync.Mutex
-	store            map[string]map[string]string
+	sessionStore map[string]map[string]string
-	socialLoginState map[string]string
+	stateStore   map[string]string
-}
-
-// AddUserSession adds a user session to the in-memory store.
-func (c *InMemoryStore) AddUserSession(userId, accessToken, refreshToken string) {
-	c.mutex.Lock()
-	defer c.mutex.Unlock()
-	// delete sessions > 500 // not recommended for production
-	if len(c.store) >= 500 {
-		c.store = map[string]map[string]string{}
-	}
-	// check if entry exists in map
-	_, exists := c.store[userId]
-	if exists {
-		tempMap := c.store[userId]
-		tempMap[accessToken] = refreshToken
-		c.store[userId] = tempMap
-	} else {
-		tempMap := map[string]string{
-			accessToken: refreshToken,
-		}
-		c.store[userId] = tempMap
-	}
-}
-
-// DeleteAllUserSession deletes all the user sessions from in-memory store.
-func (c *InMemoryStore) DeleteAllUserSession(userId string) {
-	c.mutex.Lock()
-	defer c.mutex.Unlock()
-	delete(c.store, userId)
-}
-
-// DeleteUserSession deletes the particular user session from in-memory store.
-func (c *InMemoryStore) DeleteUserSession(userId, accessToken string) {
-	c.mutex.Lock()
-	defer c.mutex.Unlock()
-	delete(c.store[userId], accessToken)
 }
 
 // ClearStore clears the in-memory store.
 func (c *InMemoryStore) ClearStore() {
 	c.mutex.Lock()
 	defer c.mutex.Unlock()
-	c.store = map[string]map[string]string{}
+	c.sessionStore = map[string]map[string]string{}
-}
-
-// GetUserSession returns the user session token from the in-memory store.
-func (c *InMemoryStore) GetUserSession(userId, accessToken string) string {
-	// c.mutex.Lock()
-	// defer c.mutex.Unlock()
-
-	token := ""
-	if sessionMap, ok := c.store[userId]; ok {
-		if val, ok := sessionMap[accessToken]; ok {
-			token = val
-		}
-	}
-
-	return token
 }
 
 // GetUserSessions returns all the user session token from the in-memory store.
 func (c *InMemoryStore) GetUserSessions(userId string) map[string]string {
 	// c.mutex.Lock()
 	// defer c.mutex.Unlock()
-
+	res := map[string]string{}
-	sessionMap, ok := c.store[userId]
+	for k, v := range c.stateStore {
-	if !ok {
+		split := strings.Split(v, "@")
-		return nil
+		if split[1] == userId {
+			res[k] = split[0]
+		}
 	}
 
-	return sessionMap
+	return res
 }
 
-// SetSocialLoginState sets the social login state in the in-memory store.
+// DeleteAllUserSession deletes all the user sessions from in-memory store.
-func (c *InMemoryStore) SetSocialLoginState(key, state string) {
+func (c *InMemoryStore) DeleteAllUserSession(userId string) {
+	// c.mutex.Lock()
+	// defer c.mutex.Unlock()
+	sessions := GetUserSessions(userId)
+	for k := range sessions {
+		RemoveState(k)
+	}
+}
+
+// SetState sets the state in the in-memory store.
+func (c *InMemoryStore) SetState(key, state string) {
 	c.mutex.Lock()
 	defer c.mutex.Unlock()
 
-	c.socialLoginState[key] = state
+	c.stateStore[key] = state
 }
 
-// GetSocialLoginState gets the social login state from the in-memory store.
+// GetState gets the state from the in-memory store.
-func (c *InMemoryStore) GetSocialLoginState(key string) string {
+func (c *InMemoryStore) GetState(key string) string {
 	c.mutex.Lock()
 	defer c.mutex.Unlock()
 
 	state := ""
-	if stateVal, ok := c.socialLoginState[key]; ok {
+	if stateVal, ok := c.stateStore[key]; ok {
 		state = stateVal
 	}
 
 	return state
 }
 
-// RemoveSocialLoginState removes the social login state from the in-memory store.
+// RemoveState removes the state from the in-memory store.
-func (c *InMemoryStore) RemoveSocialLoginState(key string) {
+func (c *InMemoryStore) RemoveState(key string) {
 	c.mutex.Lock()
 	defer c.mutex.Unlock()
 
-	delete(c.socialLoginState, key)
+	delete(c.stateStore, key)
 }

server/sessionstore/redis_store.go

@@ -2,8 +2,8 @@ package sessionstore
 
 import (
 	"context"
-	"fmt"
 	"log"
+	"strings"
 )
 
 type RedisStore struct {
@@ -11,32 +11,6 @@ type RedisStore struct {
 	store RedisSessionClient
 }
 
-// AddUserSession adds the user session to redis
-func (c *RedisStore) AddUserSession(userId, accessToken, refreshToken string) {
-	err := c.store.HMSet(c.ctx, "authorizer_"+userId, map[string]string{
-		accessToken: refreshToken,
-	}).Err()
-	if err != nil {
-		log.Fatalln("Error saving redis token:", err)
-	}
-}
-
-// DeleteAllUserSession deletes all the user session from redis
-func (c *RedisStore) DeleteAllUserSession(userId string) {
-	err := c.store.Del(c.ctx, "authorizer_"+userId).Err()
-	if err != nil {
-		log.Fatalln("Error deleting redis token:", err)
-	}
-}
-
-// DeleteUserSession deletes the particular user session from redis
-func (c *RedisStore) DeleteUserSession(userId, accessToken string) {
-	err := c.store.HDel(c.ctx, "authorizer_"+userId, accessToken).Err()
-	if err != nil {
-		log.Fatalln("Error deleting redis token:", err)
-	}
-}
-
 // ClearStore clears the redis store for authorizer related tokens
 func (c *RedisStore) ClearStore() {
 	err := c.store.Del(c.ctx, "authorizer_*").Err()
@@ -45,41 +19,49 @@ func (c *RedisStore) ClearStore() {
 	}
 }
 
-// GetUserSession returns the user session token from the redis store.
-func (c *RedisStore) GetUserSession(userId, accessToken string) string {
-	token := ""
-	res, err := c.store.HMGet(c.ctx, "authorizer_"+userId, accessToken).Result()
-	if err != nil {
-		log.Println("error getting token from redis store:", err)
-	}
-	if len(res) > 0 && res[0] != nil {
-		token = fmt.Sprintf("%v", res[0])
-	}
-	return token
-}
-
 // GetUserSessions returns all the user session token from the redis store.
 func (c *RedisStore) GetUserSessions(userID string) map[string]string {
-	res, err := c.store.HGetAll(c.ctx, "authorizer_"+userID).Result()
+	data, err := c.store.HGetAll(c.ctx, "*").Result()
 	if err != nil {
 		log.Println("error getting token from redis store:", err)
 	}
 
+	res := map[string]string{}
+	for k, v := range data {
+		split := strings.Split(v, "@")
+		if split[1] == userID {
+			res[k] = split[0]
+		}
+	}
+
 	return res
 }
 
-// SetSocialLoginState sets the social login state in redis store.
+// DeleteAllUserSession deletes all the user session from redis
-func (c *RedisStore) SetSocialLoginState(key, state string) {
+func (c *RedisStore) DeleteAllUserSession(userId string) {
-	err := c.store.Set(c.ctx, key, state, 0).Err()
+	sessions := GetUserSessions(userId)
+	for k, v := range sessions {
+		if k == "token" {
+			err := c.store.Del(c.ctx, v)
+			if err != nil {
+				log.Println("Error deleting redis token:", err)
+			}
+		}
+	}
+}
+
+// SetState sets the state in redis store.
+func (c *RedisStore) SetState(key, value string) {
+	err := c.store.Set(c.ctx, "authorizer_"+key, value, 0).Err()
 	if err != nil {
 		log.Fatalln("Error saving redis token:", err)
 	}
 }
 
-// GetSocialLoginState gets the social login state from redis store.
+// GetState gets the state from redis store.
-func (c *RedisStore) GetSocialLoginState(key string) string {
+func (c *RedisStore) GetState(key string) string {
 	state := ""
-	state, err := c.store.Get(c.ctx, key).Result()
+	state, err := c.store.Get(c.ctx, "authorizer_"+key).Result()
 	if err != nil {
 		log.Println("error getting token from redis store:", err)
 	}
@@ -87,9 +69,9 @@ func (c *RedisStore) GetSocialLoginState(key string) string {
 	return state
 }
 
-// RemoveSocialLoginState removes the social login state from redis store.
+// RemoveState removes the state from redis store.
-func (c *RedisStore) RemoveSocialLoginState(key string) {
+func (c *RedisStore) RemoveState(key string) {
-	err := c.store.Del(c.ctx, key).Err()
+	err := c.store.Del(c.ctx, "authorizer_"+key).Err()
 	if err != nil {
 		log.Fatalln("Error deleting redis token:", err)
 	}

server/sessionstore/session.go

@@ -22,26 +22,6 @@ type SessionStore struct {
 // reference to various session store instances
 var SessionStoreObj SessionStore
 
-// SetUserSession sets the user session in the session store
-func SetUserSession(userId, fingerprint, refreshToken string) {
-	if SessionStoreObj.RedisMemoryStoreObj != nil {
-		SessionStoreObj.RedisMemoryStoreObj.AddUserSession(userId, fingerprint, refreshToken)
-	}
-	if SessionStoreObj.InMemoryStoreObj != nil {
-		SessionStoreObj.InMemoryStoreObj.AddUserSession(userId, fingerprint, refreshToken)
-	}
-}
-
-// DeleteUserSession deletes the particular user session from the session store
-func DeleteUserSession(userId, fingerprint string) {
-	if SessionStoreObj.RedisMemoryStoreObj != nil {
-		SessionStoreObj.RedisMemoryStoreObj.DeleteUserSession(userId, fingerprint)
-	}
-	if SessionStoreObj.InMemoryStoreObj != nil {
-		SessionStoreObj.InMemoryStoreObj.DeleteUserSession(userId, fingerprint)
-	}
-}
-
 // DeleteAllSessions deletes all the sessions from the session store
 func DeleteAllUserSession(userId string) {
 	if SessionStoreObj.RedisMemoryStoreObj != nil {
@@ -52,18 +32,6 @@ func DeleteAllUserSession(userId string) {
 	}
 }
 
-// GetUserSession returns the user session from the session store
-func GetUserSession(userId, fingerprint string) string {
-	if SessionStoreObj.RedisMemoryStoreObj != nil {
-		return SessionStoreObj.RedisMemoryStoreObj.GetUserSession(userId, fingerprint)
-	}
-	if SessionStoreObj.InMemoryStoreObj != nil {
-		return SessionStoreObj.InMemoryStoreObj.GetUserSession(userId, fingerprint)
-	}
-
-	return ""
-}
-
 // GetUserSessions returns all the user sessions from the session store
 func GetUserSessions(userId string) map[string]string {
 	if SessionStoreObj.RedisMemoryStoreObj != nil {
@@ -86,95 +54,97 @@ func ClearStore() {
 	}
 }
 
-// SetSocialLoginState sets the social login state in the session store
+// SetState sets the login state (key, value form) in the session store
-func SetSocailLoginState(key, state string) {
+func SetState(key, state string) {
 	if SessionStoreObj.RedisMemoryStoreObj != nil {
-		SessionStoreObj.RedisMemoryStoreObj.SetSocialLoginState(key, state)
+		SessionStoreObj.RedisMemoryStoreObj.SetState(key, state)
 	}
 	if SessionStoreObj.InMemoryStoreObj != nil {
-		SessionStoreObj.InMemoryStoreObj.SetSocialLoginState(key, state)
+		SessionStoreObj.InMemoryStoreObj.SetState(key, state)
 	}
 }
 
-// GetSocialLoginState returns the social login state from the session store
+// GetState returns the state from the session store
-func GetSocailLoginState(key string) string {
+func GetState(key string) string {
 	if SessionStoreObj.RedisMemoryStoreObj != nil {
-		return SessionStoreObj.RedisMemoryStoreObj.GetSocialLoginState(key)
+		return SessionStoreObj.RedisMemoryStoreObj.GetState(key)
 	}
 	if SessionStoreObj.InMemoryStoreObj != nil {
-		return SessionStoreObj.InMemoryStoreObj.GetSocialLoginState(key)
+		return SessionStoreObj.InMemoryStoreObj.GetState(key)
 	}
 
 	return ""
 }
 
-// RemoveSocialLoginState removes the social login state from the session store
+// RemoveState removes the social login state from the session store
-func RemoveSocialLoginState(key string) {
+func RemoveState(key string) {
 	if SessionStoreObj.RedisMemoryStoreObj != nil {
-		SessionStoreObj.RedisMemoryStoreObj.RemoveSocialLoginState(key)
+		SessionStoreObj.RedisMemoryStoreObj.RemoveState(key)
 	}
 	if SessionStoreObj.InMemoryStoreObj != nil {
-		SessionStoreObj.InMemoryStoreObj.RemoveSocialLoginState(key)
+		SessionStoreObj.InMemoryStoreObj.RemoveState(key)
 	}
 }
 
 // InitializeSessionStore initializes the SessionStoreObj based on environment variables
-func InitSession() {
+func InitSession() error {
-	if envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyRedisURL) != "" {
+	if envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyRedisURL) != "" {
 		log.Println("using redis store to save sessions")
-		if isCluster(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyRedisURL)) {
+
-			clusterOpt, err := getClusterOptions(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyRedisURL))
+		redisURL := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyRedisURL)
+		redisURLHostPortsList := strings.Split(redisURL, ",")
+
+		if len(redisURLHostPortsList) > 1 {
+			opt, err := redis.ParseURL(redisURLHostPortsList[0])
 			if err != nil {
-				log.Fatalln("Error parsing redis url:", err)
+				return err
 			}
+			urls := []string{opt.Addr}
+			urlList := redisURLHostPortsList[1:]
+			urls = append(urls, urlList...)
+			clusterOpt := &redis.ClusterOptions{Addrs: urls}
+
 			rdb := redis.NewClusterClient(clusterOpt)
 			ctx := context.Background()
 			_, err = rdb.Ping(ctx).Result()
 			if err != nil {
-				log.Fatalln("Error connecting to redis cluster server", err)
+				return err
 			}
 			SessionStoreObj.RedisMemoryStoreObj = &RedisStore{
 				ctx:   ctx,
 				store: rdb,
 			}
-			return
+
+			// return on successful initialization
+			return nil
 		}
-		opt, err := redis.ParseURL(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyRedisURL))
+
+		opt, err := redis.ParseURL(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyRedisURL))
 		if err != nil {
-			log.Fatalln("Error parsing redis url:", err)
+			return err
 		}
+
 		rdb := redis.NewClient(opt)
 		ctx := context.Background()
 		_, err = rdb.Ping(ctx).Result()
-
 		if err != nil {
-			log.Fatalln("Error connecting to redis server", err)
+			return err
 		}
+
 		SessionStoreObj.RedisMemoryStoreObj = &RedisStore{
 			ctx:   ctx,
 			store: rdb,
 		}
 
-	} else {
+		// return on successful initialization
-		SessionStoreObj.InMemoryStoreObj = &InMemoryStore{
+		return nil
-			store:            map[string]map[string]string{},
-			socialLoginState: map[string]string{},
-		}
 	}
-}
 
-func isCluster(url string) bool {
+	// if redis url is not set use in memory store
-	return len(strings.Split(url, ",")) > 1
+	SessionStoreObj.InMemoryStoreObj = &InMemoryStore{
-}
+		sessionStore: map[string]map[string]string{},
-
+		stateStore:   map[string]string{},
-func getClusterOptions(url string) (*redis.ClusterOptions, error) {
-	hostPortsList := strings.Split(url, ",")
-	opt, err := redis.ParseURL(hostPortsList[0])
-	if err != nil {
-		return nil, err
 	}
-	urls := []string{opt.Addr}
+
-	urlList := hostPortsList[1:]
+	return nil
-	urls = append(urls, urlList...)
-	return &redis.ClusterOptions{Addrs: urls}, nil
 }

server/test/admin_login_test.go

@@ -21,7 +21,7 @@ func adminLoginTests(t *testing.T, s TestSetup) {
 		assert.NotNil(t, err)
 
 		_, err = resolvers.AdminLoginResolver(ctx, model.AdminLoginInput{
-			AdminSecret: envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret),
+			AdminSecret: envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret),
 		})
 
 		assert.Nil(t, err)

server/test/admin_logout_test.go

@@ -5,9 +5,9 @@ import (
 	"testing"
 
 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/resolvers"
-	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -18,9 +18,9 @@ func adminLogoutTests(t *testing.T, s TestSetup) {
 		_, err := resolvers.AdminLogoutResolver(ctx)
 		assert.NotNil(t, err)
 
-		h, err := utils.EncryptPassword(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))
+		h, err := crypto.EncryptPassword(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))
 		assert.Nil(t, err)
-		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), h))
+		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), h))
 		_, err = resolvers.AdminLogoutResolver(ctx)
 
 		assert.Nil(t, err)

server/test/admin_session_test.go

@@ -5,9 +5,9 @@ import (
 	"testing"
 
 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/resolvers"
-	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -18,9 +18,9 @@ func adminSessionTests(t *testing.T, s TestSetup) {
 		_, err := resolvers.AdminSessionResolver(ctx)
 		assert.NotNil(t, err)
 
-		h, err := utils.EncryptPassword(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))
+		h, err := crypto.EncryptPassword(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))
 		assert.Nil(t, err)
-		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), h))
+		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), h))
 		_, err = resolvers.AdminSessionResolver(ctx)
 
 		assert.Nil(t, err)

server/test/admin_signup_test.go

@@ -20,7 +20,7 @@ func adminSignupTests(t *testing.T, s TestSetup) {
 
 		assert.NotNil(t, err)
 		// reset env for test to pass
-		envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyAdminSecret, "")
+		envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyAdminSecret, "")
 
 		_, err = resolvers.AdminSignupResolver(ctx, model.AdminSignupInput{
 			AdminSecret: "admin123",

server/test/delete_user_test.go

@@ -5,10 +5,10 @@ import (
 	"testing"
 
 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/resolvers"
-	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -28,9 +28,9 @@ func deleteUserTest(t *testing.T, s TestSetup) {
 		})
 		assert.NotNil(t, err, "unauthorized")
 
-		h, err := utils.EncryptPassword(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))
+		h, err := crypto.EncryptPassword(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))
 		assert.Nil(t, err)
-		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), h))
+		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), h))
 
 		_, err = resolvers.DeleteUserResolver(ctx, model.DeleteUserInput{
 			Email: email,

server/test/env_file_test.go

@@ -10,15 +10,15 @@ import (
 )
 
 func TestEnvs(t *testing.T) {
-	envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyEnvPath, "../../.env.sample")
+	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyEnvPath, "../../.env.sample")
-	env.InitEnv()
+	env.InitAllEnv()
-	store := envstore.EnvInMemoryStoreObj.GetEnvStoreClone()
+	store := envstore.EnvStoreObj.GetEnvStoreClone()
 
 	assert.Equal(t, store.StringEnv[constants.EnvKeyEnv], "production")
 	assert.False(t, store.BoolEnv[constants.EnvKeyDisableEmailVerification])
 	assert.False(t, store.BoolEnv[constants.EnvKeyDisableMagicLinkLogin])
 	assert.False(t, store.BoolEnv[constants.EnvKeyDisableBasicAuthentication])
-	assert.Equal(t, store.StringEnv[constants.EnvKeyJwtType], "HS256")
+	assert.Equal(t, store.StringEnv[constants.EnvKeyJwtType], "RS256")
 	assert.Equal(t, store.StringEnv[constants.EnvKeyJwtRoleClaim], "role")
 	assert.EqualValues(t, store.SliceEnv[constants.EnvKeyRoles], []string{"user"})
 	assert.EqualValues(t, store.SliceEnv[constants.EnvKeyDefaultRoles], []string{"user"})

server/test/env_test.go

@@ -5,9 +5,9 @@ import (
 	"testing"
 
 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/resolvers"
-	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -18,12 +18,12 @@ func envTests(t *testing.T, s TestSetup) {
 		_, err := resolvers.EnvResolver(ctx)
 		assert.NotNil(t, err)
 
-		h, err := utils.EncryptPassword(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))
+		h, err := crypto.EncryptPassword(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))
 		assert.Nil(t, err)
-		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), h))
+		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), h))
 		res, err := resolvers.EnvResolver(ctx)
 
 		assert.Nil(t, err)
-		assert.Equal(t, *res.AdminSecret, envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))
+		assert.Equal(t, *res.AdminSecret, envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))
 	})
 }

server/test/is_valid_jwt_test.go

@@ -1,38 +0,0 @@
-package test
-
-import (
-	"testing"
-
-	"github.com/authorizerdev/authorizer/server/db/models"
-	"github.com/authorizerdev/authorizer/server/graph/model"
-	"github.com/authorizerdev/authorizer/server/resolvers"
-	"github.com/authorizerdev/authorizer/server/token"
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/assert"
-)
-
-func isValidJWTTests(t *testing.T, s TestSetup) {
-	t.Helper()
-	_, ctx := createContext(s)
-	expiredToken := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhbGxvd2VkX3JvbGVzIjpbIiJdLCJiaXJ0aGRhdGUiOm51bGwsImNyZWF0ZWRfYXQiOjAsImVtYWlsIjoiam9obi5kb2VAZ21haWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJleHAiOjE2NDI5NjEwMTEsImV4dHJhIjp7IngtZXh0cmEtaWQiOiJkMmNhMjQwNy05MzZmLTQwYzQtOTQ2NS05Y2M5MWYxZTJhNDQifSwiZmFtaWx5X25hbWUiOm51bGwsImdlbmRlciI6bnVsbCwiZ2l2ZW5fbmFtZSI6bnVsbCwiaWF0IjoxNjQyOTYwOTgxLCJpZCI6ImQyY2EyNDA3LTkzNmYtNDBjNC05NDY1LTljYzkxZjFlMmE0NCIsIm1pZGRsZV9uYW1lIjpudWxsLCJuaWNrbmFtZSI6bnVsbCwicGhvbmVfbnVtYmVyIjpudWxsLCJwaG9uZV9udW1iZXJfdmVyaWZpZWQiOmZhbHNlLCJwaWN0dXJlIjpudWxsLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJqb2huLmRvZUBnbWFpbC5jb20iLCJyb2xlIjpbXSwic2lnbnVwX21ldGhvZHMiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwidXBkYXRlZF9hdCI6MH0.FrdyeOC5e8uU1SowGj0omFJuwRnh4BrEk89S_fbEkzs"
-
-	t.Run(`should fail for invalid jwt`, func(t *testing.T) {
-		_, err := resolvers.IsValidJwtResolver(ctx, &model.IsValidJWTQueryInput{
-			Jwt: &expiredToken,
-		})
-		assert.NotNil(t, err)
-	})
-
-	t.Run(`should pass with valid jwt`, func(t *testing.T) {
-		authToken, err := token.CreateAuthToken(models.User{
-			ID:    uuid.New().String(),
-			Email: "john.doe@gmail.com",
-		}, []string{})
-		assert.Nil(t, err)
-		res, err := resolvers.IsValidJwtResolver(ctx, &model.IsValidJWTQueryInput{
-			Jwt: &authToken.AccessToken.Token,
-		})
-		assert.Nil(t, err)
-		assert.True(t, res.Valid)
-	})
-}

server/test/jwt_test.go

@@ -5,31 +5,42 @@ import (
 	"time"
 
 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/golang-jwt/jwt"
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 )
 
 func TestJwt(t *testing.T) {
+	// persist older data till test is done and then reset it
+	jwtType := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtType)
+	publicKey := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtPublicKey)
+	privateKey := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtPrivateKey)
+	clientID := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyClientID)
+	nonce := uuid.New().String()
+	hostname := "localhost"
+	subject := "test"
 	claims := jwt.MapClaims{
 		"exp":   time.Now().Add(time.Minute * 30).Unix(),
 		"iat":   time.Now().Unix(),
 		"email": "test@yopmail.com",
+		"sub":   subject,
+		"aud":   clientID,
+		"nonce": nonce,
+		"iss":   hostname,
 	}
 
-	// persist older data till test is done and then reset it
-	jwtType := envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtType)
-	jwtSecret := envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtSecret)
-
 	t.Run("invalid jwt type", func(t *testing.T) {
-		envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtType, "invalid")
+		envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtType, "invalid")
 		token, err := token.SignJWTToken(claims)
 		assert.Error(t, err, "unsupported signing method")
 		assert.Empty(t, token)
 	})
 	t.Run("expired jwt token", func(t *testing.T) {
-		envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtType, "HS256")
+		envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtType, "HS256")
+		envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtSecret, "test")
 		expiredClaims := jwt.MapClaims{
 			"exp":   time.Now().Add(-time.Minute * 30).Unix(),
 			"iat":   time.Now().Unix(),
@@ -37,66 +48,77 @@ func TestJwt(t *testing.T) {
 		}
 		jwtToken, err := token.SignJWTToken(expiredClaims)
 		assert.NoError(t, err)
-		_, err = token.ParseJWTToken(jwtToken)
+		_, err = token.ParseJWTToken(jwtToken, hostname, nonce, subject)
 		assert.Error(t, err, err.Error(), "Token is expired")
 	})
 	t.Run("HMAC algorithms", func(t *testing.T) {
+		envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtSecret, "test")
 		t.Run("HS256", func(t *testing.T) {
-			envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtType, "HS256")
+			envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtType, "HS256")
 			jwtToken, err := token.SignJWTToken(claims)
 			assert.NoError(t, err)
 			assert.NotEmpty(t, jwtToken)
-			c, err := token.ParseJWTToken(jwtToken)
+			c, err := token.ParseJWTToken(jwtToken, hostname, nonce, subject)
 			assert.NoError(t, err)
 			assert.Equal(t, c["email"].(string), claims["email"])
 		})
 		t.Run("HS384", func(t *testing.T) {
-			envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtType, "HS384")
+			envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtType, "HS384")
 			jwtToken, err := token.SignJWTToken(claims)
 			assert.NoError(t, err)
 			assert.NotEmpty(t, jwtToken)
-			c, err := token.ParseJWTToken(jwtToken)
+			c, err := token.ParseJWTToken(jwtToken, hostname, nonce, subject)
 			assert.NoError(t, err)
 			assert.Equal(t, c["email"].(string), claims["email"])
 		})
 		t.Run("HS512", func(t *testing.T) {
-			envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtType, "HS512")
+			envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtType, "HS512")
 			jwtToken, err := token.SignJWTToken(claims)
 			assert.NoError(t, err)
 			assert.NotEmpty(t, jwtToken)
-			c, err := token.ParseJWTToken(jwtToken)
+			c, err := token.ParseJWTToken(jwtToken, hostname, nonce, subject)
 			assert.NoError(t, err)
 			assert.Equal(t, c["email"].(string), claims["email"])
 		})
 	})
 
 	t.Run("RSA algorithms", func(t *testing.T) {
-		envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtPrivateKey, "-----BEGIN RSA PRIVATE KEY-----\nMIICWgIBAAKBgHUQac/v0f3c8m4L9BMWfxBiEzkdV5CoaqfxhO5IwAX/1cs0WceN\njM7g/qzC7YmEOSiYqupiRtsyn6riz0xT/VUg4uv1uZ/muC6EVfOjR5Ack3Brquql\nD+oMxN4CeA0Wzp2dEV4N3Gv7wWHdhg9ZSc4g6+ZUdlkhIPfeO9RNK9pPAgMBAAEC\ngYBqLrIbp0dNQn0vbm48ZhppDNys4L2NfAYKQZs23Aw5JN6Si/CnffBrsk+u+ryl\nEKcb+KaHJQ9qQdfsFAC+FizhMQy0Dq9yw6shnqHX+paB6E6z2/vX8ToPzJRwxBY3\nyuaetCEpSXR7pQEd5YWDTUH7qYnb9FObD+umhVvmlsTHCQJBALagPmexu0DvMXKZ\nWdplik6eXg9lptiuj5MYqitEUyzU9E9HNeHKlZM7szGeWG3jNduoKcyo4M0Flvt9\ncP+soVUCQQCkGOQ5Y3/GoZmclKWMVwqGdmL6wEjhNfg4PRfgUalHBif9Q1KnM8FP\nAvIqIH8bttRfyT185WmaM2gml0ApwF0TAkBVil9QoK4t7xvBKtUsd809n+481gc9\njR4Q70edtoYjBKhejeNOHF7NNPRtNFcFOZybg3v4sc2CGrEqoQoRp+F1AkBeLmMe\nhPrbF/jAI5h4WaSS0/OvExlBGOaj8Hx5pKTRPLlK5I7VpCC4pmoyv3/0ehSd/TQr\nMMhRVlvaeki7Lcq9AkBravJUadVCAIsB6oh03mo8gUFFFqXDyEl6BiJYqrjCQ5wd\nAQYJGbqQvgjPxN9+PTPldDNi6KVXntSg5gF/dA+Z\n-----END RSA PRIVATE KEY-----")
-		envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtPublicKey, "-----BEGIN PUBLIC KEY-----\nMIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgHUQac/v0f3c8m4L9BMWfxBiEzkd\nV5CoaqfxhO5IwAX/1cs0WceNjM7g/qzC7YmEOSiYqupiRtsyn6riz0xT/VUg4uv1\nuZ/muC6EVfOjR5Ack3BrquqlD+oMxN4CeA0Wzp2dEV4N3Gv7wWHdhg9ZSc4g6+ZU\ndlkhIPfeO9RNK9pPAgMBAAE=\n-----END PUBLIC KEY-----")
 		t.Run("RS256", func(t *testing.T) {
-			envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtType, "RS256")
+			_, privateKey, publickKey, _, err := crypto.NewRSAKey("RS256", clientID)
+			assert.NoError(t, err)
+			envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtType, "RS256")
+			envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtPrivateKey, privateKey)
+			envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtPublicKey, publickKey)
 			jwtToken, err := token.SignJWTToken(claims)
 			assert.NoError(t, err)
 			assert.NotEmpty(t, jwtToken)
-			c, err := token.ParseJWTToken(jwtToken)
+			c, err := token.ParseJWTToken(jwtToken, hostname, nonce, subject)
 			assert.NoError(t, err)
 			assert.Equal(t, c["email"].(string), claims["email"])
 		})
 		t.Run("RS384", func(t *testing.T) {
-			envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtType, "RS384")
+			_, privateKey, publickKey, _, err := crypto.NewRSAKey("RS384", clientID)
+			assert.NoError(t, err)
+			envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtType, "RS384")
+			envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtPrivateKey, privateKey)
+			envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtPublicKey, publickKey)
 			jwtToken, err := token.SignJWTToken(claims)
 			assert.NoError(t, err)
 			assert.NotEmpty(t, jwtToken)
-			c, err := token.ParseJWTToken(jwtToken)
+			c, err := token.ParseJWTToken(jwtToken, hostname, nonce, subject)
 			assert.NoError(t, err)
 			assert.Equal(t, c["email"].(string), claims["email"])
 		})
 		t.Run("RS512", func(t *testing.T) {
-			envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtType, "RS512")
+			_, privateKey, publickKey, _, err := crypto.NewRSAKey("RS512", clientID)
+			assert.NoError(t, err)
+			envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtType, "RS512")
+			envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtPrivateKey, privateKey)
+			envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtPublicKey, publickKey)
 			jwtToken, err := token.SignJWTToken(claims)
 			assert.NoError(t, err)
 			assert.NotEmpty(t, jwtToken)
-			c, err := token.ParseJWTToken(jwtToken)
+			c, err := token.ParseJWTToken(jwtToken, hostname, nonce, subject)
 			assert.NoError(t, err)
 			assert.Equal(t, c["email"].(string), claims["email"])
 		})
@@ -104,40 +126,47 @@ func TestJwt(t *testing.T) {
 
 	t.Run("ECDSA algorithms", func(t *testing.T) {
 		t.Run("ES256", func(t *testing.T) {
-			envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtPrivateKey, "-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgevZzL1gdAFr88hb2\nOF/2NxApJCzGCEDdfSp6VQO30hyhRANCAAQRWz+jn65BtOMvdyHKcvjBeBSDZH2r\n1RTwjmYSi9R/zpBnuQ4EiMnCqfMPWiZqB4QdbAd0E7oH50VpuZ1P087G\n-----END PRIVATE KEY-----")
+			_, privateKey, publickKey, _, err := crypto.NewECDSAKey("ES256", clientID)
-			envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtPublicKey, "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEVs/o5+uQbTjL3chynL4wXgUg2R9\nq9UU8I5mEovUf86QZ7kOBIjJwqnzD1omageEHWwHdBO6B+dFabmdT9POxg==\n-----END PUBLIC KEY-----")
+			assert.NoError(t, err)
-			envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtType, "ES256")
+			envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtType, "ES256")
+			envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtPrivateKey, privateKey)
+			envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtPublicKey, publickKey)
 			jwtToken, err := token.SignJWTToken(claims)
 			assert.NoError(t, err)
 			assert.NotEmpty(t, jwtToken)
-			c, err := token.ParseJWTToken(jwtToken)
+			c, err := token.ParseJWTToken(jwtToken, hostname, nonce, subject)
 			assert.NoError(t, err)
 			assert.Equal(t, c["email"].(string), claims["email"])
 		})
 		t.Run("ES384", func(t *testing.T) {
-			envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtPrivateKey, "-----BEGIN PRIVATE KEY-----\nMIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCAHpFQ62QnGCEvYh/p\nE9QmR1C9aLcDItRbslbmhen/h1tt8AyMhskeenT+rAyyPhGhZANiAAQLW5ZJePZz\nMIPAxMtZXkEWbDF0zo9f2n4+T1h/2sh/fviblc/VTyrv10GEtIi5qiOy85Pf1RRw\n8lE5IPUWpgu553SteKigiKLUPeNpbqmYZUkWGh3MLfVzLmx85ii2vMU=\n-----END PRIVATE KEY-----")
+			_, privateKey, publickKey, _, err := crypto.NewECDSAKey("ES384", clientID)
-			envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtPublicKey, "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEC1uWSXj2czCDwMTLWV5BFmwxdM6PX9p+\nPk9Yf9rIf374m5XP1U8q79dBhLSIuaojsvOT39UUcPJROSD1FqYLued0rXiooIii\n1D3jaW6pmGVJFhodzC31cy5sfOYotrzF\n-----END PUBLIC KEY-----")
+			assert.NoError(t, err)
-			envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtType, "ES384")
+			envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtType, "ES384")
+			envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtPrivateKey, privateKey)
+			envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtPublicKey, publickKey)
 			jwtToken, err := token.SignJWTToken(claims)
 			assert.NoError(t, err)
 			assert.NotEmpty(t, jwtToken)
-			c, err := token.ParseJWTToken(jwtToken)
+			c, err := token.ParseJWTToken(jwtToken, hostname, nonce, subject)
 			assert.NoError(t, err)
 			assert.Equal(t, c["email"].(string), claims["email"])
 		})
 		t.Run("ES512", func(t *testing.T) {
-			envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtPrivateKey, "-----BEGIN PRIVATE KEY-----\nMIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIBiyAa7aRHFDCh2qga\n9sTUGINE5jHAFnmM8xWeT/uni5I4tNqhV5Xx0pDrmCV9mbroFtfEa0XVfKuMAxxf\nZ6LM/yKhgYkDgYYABAGBzgdnP798FsLuWYTDDQA7c0r3BVk8NnRUSexpQUsRilPN\nv3SchO0lRw9Ru86x1khnVDx+duq4BiDFcvlSAcyjLACJvjvoyTLJiA+TQFdmrear\njMiZNE25pT2yWP1NUndJxPcvVtfBW48kPOmvkY4WlqP5bAwCXwbsKrCgk6xbsp12\new==\n-----END PRIVATE KEY-----")
+			_, privateKey, publickKey, _, err := crypto.NewECDSAKey("ES512", clientID)
-			envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtPublicKey, "-----BEGIN PUBLIC KEY-----\nMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBgc4HZz+/fBbC7lmEww0AO3NK9wVZ\nPDZ0VEnsaUFLEYpTzb90nITtJUcPUbvOsdZIZ1Q8fnbquAYgxXL5UgHMoywAib47\n6MkyyYgPk0BXZq3mq4zImTRNuaU9slj9TVJ3ScT3L1bXwVuPJDzpr5GOFpaj+WwM\nAl8G7CqwoJOsW7Kddns=\n-----END PUBLIC KEY-----")
+			assert.NoError(t, err)
-			envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtType, "ES512")
+			envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtType, "ES512")
+			envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtPrivateKey, privateKey)
+			envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtPublicKey, publickKey)
 			jwtToken, err := token.SignJWTToken(claims)
 			assert.NoError(t, err)
 			assert.NotEmpty(t, jwtToken)
-			c, err := token.ParseJWTToken(jwtToken)
+			c, err := token.ParseJWTToken(jwtToken, hostname, nonce, subject)
 			assert.NoError(t, err)
 			assert.Equal(t, c["email"].(string), claims["email"])
 		})
 	})
 
-	envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtType, jwtType)
+	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtType, jwtType)
-	envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtSecret, jwtSecret)
+	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtPublicKey, publicKey)
+	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJwtPrivateKey, privateKey)
 }

server/test/login_test.go

@@ -5,14 +5,17 @@ import (
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/db"
+	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/resolvers"
+	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/stretchr/testify/assert"
 )
 
 func loginTests(t *testing.T, s TestSetup) {
 	t.Helper()
 	t.Run(`should login`, func(t *testing.T) {
+		t.Logf("=> is enabled: %v", envstore.EnvStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification))
 		_, ctx := createContext(s)
 		email := "login." + s.TestInfo.Email
 		_, err := resolvers.SignupResolver(ctx, model.SignUpInput{
@@ -21,18 +24,23 @@ func loginTests(t *testing.T, s TestSetup) {
 			ConfirmPassword: s.TestInfo.Password,
 		})
 
-		_, err = resolvers.LoginResolver(ctx, model.LoginInput{
+		res, err := resolvers.LoginResolver(ctx, model.LoginInput{
 			Email:    email,
 			Password: s.TestInfo.Password,
 		})
 
 		assert.NotNil(t, err, "should fail because email is not verified")
-
+		assert.Nil(t, res)
 		verificationRequest, err := db.Provider.GetVerificationRequestByEmail(email, constants.VerificationTypeBasicAuthSignup)
-		resolvers.VerifyEmailResolver(ctx, model.VerifyEmailInput{
+		n, err := utils.EncryptNonce(verificationRequest.Nonce)
+		assert.NoError(t, err)
+		assert.NotEmpty(t, n)
+		assert.NotNil(t, verificationRequest)
+		res, err = resolvers.VerifyEmailResolver(ctx, model.VerifyEmailInput{
 			Token: verificationRequest.Token,
 		})
-
+		assert.NoError(t, err)
+		assert.NotNil(t, res)
 		_, err = resolvers.LoginResolver(ctx, model.LoginInput{
 			Email:    email,
 			Password: s.TestInfo.Password,

server/test/logout_test.go

@@ -2,7 +2,6 @@ package test
 
 import (
 	"fmt"
-	"net/url"
 	"testing"
 
 	"github.com/authorizerdev/authorizer/server/constants"
@@ -11,7 +10,6 @@ import (
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/resolvers"
 	"github.com/authorizerdev/authorizer/server/sessionstore"
-	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -30,18 +28,15 @@ func logoutTests(t *testing.T, s TestSetup) {
 			Token: verificationRequest.Token,
 		})
 
-		sessions := sessionstore.GetUserSessions(verifyRes.User.ID)
-		fingerPrint := ""
-		refreshToken := ""
-		for key, val := range sessions {
-			fingerPrint = key
-			refreshToken = val
-		}
-
-		fingerPrintHash, _ := utils.EncryptAES([]byte(fingerPrint))
-
 		token := *verifyRes.AccessToken
-		cookie := fmt.Sprintf("%s=%s;%s=%s;%s=%s", envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".fingerprint", url.QueryEscape(string(fingerPrintHash)), envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".refresh_token", refreshToken, envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".access_token", token)
+		sessions := sessionstore.GetUserSessions(verifyRes.User.ID)
+		cookie := ""
+		// set all they keys in cookie one of them should be session cookie
+		for key := range sessions {
+			if key != token {
+				cookie += fmt.Sprintf("%s=%s;", envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+"_session", key)
+			}
+		}
 
 		req.Header.Set("Cookie", cookie)
 		_, err = resolvers.LogoutResolver(ctx)

server/test/magic_link_login_test.go

@@ -1,12 +1,11 @@
 package test
 
 import (
-	"fmt"
+	"context"
 	"testing"
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/db"
-	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/resolvers"
 	"github.com/stretchr/testify/assert"
@@ -27,12 +26,13 @@ func magicLinkLoginTests(t *testing.T, s TestSetup) {
 		verifyRes, err := resolvers.VerifyEmailResolver(ctx, model.VerifyEmailInput{
 			Token: verificationRequest.Token,
 		})
-
+		assert.NoError(t, err)
-		token := *verifyRes.AccessToken
+		assert.NotNil(t, verifyRes.AccessToken)
-		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".access_token", token))
+		s.GinContext.Request.Header.Set("Authorization", "Bearer "+*verifyRes.AccessToken)
+		ctx = context.WithValue(req.Context(), "GinContextKey", s.GinContext)
 		_, err = resolvers.ProfileResolver(ctx)
 		assert.Nil(t, err)
-
+		s.GinContext.Request.Header.Set("Authorization", "")
 		cleanData(email)
 	})
 }

server/test/profile_test.go

@@ -1,12 +1,11 @@
 package test
 
 import (
-	"fmt"
+	"context"
 	"testing"
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/db"
-	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/resolvers"
 	"github.com/stretchr/testify/assert"
@@ -14,7 +13,7 @@ import (
 
 func profileTests(t *testing.T, s TestSetup) {
 	t.Helper()
-	t.Run(`should get profile only with token`, func(t *testing.T) {
+	t.Run(`should get profile only access_token token`, func(t *testing.T) {
 		req, ctx := createContext(s)
 		email := "profile." + s.TestInfo.Email
 
@@ -31,11 +30,14 @@ func profileTests(t *testing.T, s TestSetup) {
 		verifyRes, err := resolvers.VerifyEmailResolver(ctx, model.VerifyEmailInput{
 			Token: verificationRequest.Token,
 		})
+		assert.NoError(t, err)
+		assert.NotNil(t, verifyRes.AccessToken)
 
-		token := *verifyRes.AccessToken
+		s.GinContext.Request.Header.Set("Authorization", "Bearer "+*verifyRes.AccessToken)
-		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".access_token", token))
+		ctx = context.WithValue(req.Context(), "GinContextKey", s.GinContext)
 		profileRes, err := resolvers.ProfileResolver(ctx)
 		assert.Nil(t, err)
+		s.GinContext.Request.Header.Set("Authorization", "")
 
 		newEmail := *&profileRes.Email
 		assert.Equal(t, email, newEmail, "emails should be equal")

server/test/resolvers_test.go

@@ -1,7 +1,6 @@
 package test
 
 import (
-	"log"
 	"testing"
 
 	"github.com/authorizerdev/authorizer/server/constants"
@@ -12,29 +11,31 @@ import (
 
 func TestResolvers(t *testing.T) {
 	databases := map[string]string{
-		constants.DbTypeSqlite:   "../../data.db",
+		constants.DbTypeSqlite: "../../data.db",
-		constants.DbTypeArangodb: "http://localhost:8529",
+		// constants.DbTypeArangodb: "http://localhost:8529",
-		constants.DbTypeMongodb:  "mongodb://localhost:27017",
+		// constants.DbTypeMongodb:  "mongodb://localhost:27017",
 	}
-	envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyVersion, "test")
+	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyVersion, "test")
 	for dbType, dbURL := range databases {
-		envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyDatabaseURL, dbURL)
-		envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyDatabaseType, dbType)
-
 		s := testSetup()
+		envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyDatabaseURL, dbURL)
+		envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyDatabaseType, dbType)
 		defer s.Server.Close()
-
+		err := db.InitDB()
-		db.InitDB()
+		if err != nil {
+			t.Errorf("Error initializing database: %s", err)
+		}
 
 		// clean the persisted config for test to use fresh config
 		envData, err := db.Provider.GetEnv()
-		log.Println("=> envData:", envstore.EnvInMemoryStoreObj.GetEnvStoreClone())
 		if err == nil {
 			envData.EnvData = ""
 			db.Provider.UpdateEnv(envData)
 		}
 		env.PersistEnv()
 
+		envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyEnv, "test")
+		envstore.EnvStoreObj.UpdateEnvVariable(constants.BoolStoreIdentifier, constants.EnvKeyIsProd, false)
 		t.Run("should pass tests for "+dbType, func(t *testing.T) {
 			// admin tests
 			adminSignupTests(t, s)
@@ -61,7 +62,6 @@ func TestResolvers(t *testing.T) {
 			magicLinkLoginTests(t, s)
 			logoutTests(t, s)
 			metaTests(t, s)
-			isValidJWTTests(t, s)
 		})
 	}
 }

server/test/session_test.go

@@ -2,7 +2,7 @@ package test
 
 import (
 	"fmt"
-	"net/url"
+	"strings"
 	"testing"
 
 	"github.com/authorizerdev/authorizer/server/constants"
@@ -11,7 +11,6 @@ import (
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/resolvers"
 	"github.com/authorizerdev/authorizer/server/sessionstore"
-	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -36,17 +35,15 @@ func sessionTests(t *testing.T, s TestSetup) {
 		})
 
 		sessions := sessionstore.GetUserSessions(verifyRes.User.ID)
-		fingerPrint := ""
+		cookie := ""
-		refreshToken := ""
-		for key, val := range sessions {
-			fingerPrint = key
-			refreshToken = val
-		}
-
-		fingerPrintHash, _ := utils.EncryptAES([]byte(fingerPrint))
-
 		token := *verifyRes.AccessToken
-		cookie := fmt.Sprintf("%s=%s;%s=%s;%s=%s", envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".fingerprint", url.QueryEscape(string(fingerPrintHash)), envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".refresh_token", refreshToken, envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".access_token", token)
+		// set all they keys in cookie one of them should be session cookie
+		for key := range sessions {
+			if key != token {
+				cookie += fmt.Sprintf("%s=%s;", envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+"_session", key)
+			}
+		}
+		cookie = strings.TrimSuffix(cookie, ";")
 
 		req.Header.Set("Cookie", cookie)
 

server/test/test.go

@@ -71,14 +71,16 @@ func testSetup() TestSetup {
 		Password: "test",
 	}
 
-	envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyEnvPath, "../../.env.sample")
+	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyEnvPath, "../../.env.sample")
-	envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeySmtpHost, "smtp.yopmail.com")
+	env.InitRequiredEnv()
-	envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeySmtpPort, "2525")
+	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeySmtpHost, "smtp.yopmail.com")
-	envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeySmtpUsername, "lakhan@yopmail.com")
+	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeySmtpPort, "2525")
-	envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeySmtpPassword, "test")
+	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeySmtpUsername, "lakhan@yopmail.com")
-	envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeySenderEmail, "info@yopmail.com")
+	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeySmtpPassword, "test")
-	envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.SliceStoreIdentifier, constants.EnvKeyProtectedRoles, []string{"admin"})
+	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeySenderEmail, "info@yopmail.com")
-	env.InitEnv()
+	envstore.EnvStoreObj.UpdateEnvVariable(constants.SliceStoreIdentifier, constants.EnvKeyProtectedRoles, []string{"admin"})
+	db.InitDB()
+	env.InitAllEnv()
 	sessionstore.InitSession()
 
 	w := httptest.NewRecorder()

server/test/update_env_test.go

@@ -5,10 +5,10 @@ import (
 	"testing"
 
 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/resolvers"
-	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -16,16 +16,16 @@ func updateEnvTests(t *testing.T, s TestSetup) {
 	t.Helper()
 	t.Run(`should update envs`, func(t *testing.T) {
 		req, ctx := createContext(s)
-		originalAppURL := envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAppURL)
+		originalAppURL := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAppURL)
 
 		data := model.UpdateEnvInput{}
 		_, err := resolvers.UpdateEnvResolver(ctx, data)
 
 		assert.NotNil(t, err)
 
-		h, err := utils.EncryptPassword(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))
+		h, err := crypto.EncryptPassword(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))
 		assert.Nil(t, err)
-		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), h))
+		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), h))
 		newURL := "https://test.com"
 		disableLoginPage := true
 		allowedOrigins := []string{"http://localhost:8080"}
@@ -37,9 +37,9 @@ func updateEnvTests(t *testing.T, s TestSetup) {
 		_, err = resolvers.UpdateEnvResolver(ctx, data)
 
 		assert.Nil(t, err)
-		assert.Equal(t, envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAppURL), newURL)
+		assert.Equal(t, envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAppURL), newURL)
-		assert.True(t, envstore.EnvInMemoryStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableLoginPage))
+		assert.True(t, envstore.EnvStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableLoginPage))
-		assert.Equal(t, envstore.EnvInMemoryStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyAllowedOrigins), allowedOrigins)
+		assert.Equal(t, envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyAllowedOrigins), allowedOrigins)
 
 		disableLoginPage = false
 		data = model.UpdateEnvInput{

server/test/update_profile_test.go

@@ -1,12 +1,11 @@
 package test
 
 import (
-	"fmt"
+	"context"
 	"testing"
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/db"
-	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/resolvers"
 	"github.com/stretchr/testify/assert"
@@ -34,18 +33,16 @@ func updateProfileTests(t *testing.T, s TestSetup) {
 		verifyRes, err := resolvers.VerifyEmailResolver(ctx, model.VerifyEmailInput{
 			Token: verificationRequest.Token,
 		})
+		assert.NoError(t, err)
 
-		token := *verifyRes.AccessToken
+		s.GinContext.Request.Header.Set("Authorization", "Bearer "+*verifyRes.AccessToken)
-		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".access_token", token))
+		ctx = context.WithValue(req.Context(), "GinContextKey", s.GinContext)
-		_, err = resolvers.UpdateProfileResolver(ctx, model.UpdateProfileInput{
-			FamilyName: &fName,
-		})
-		assert.Nil(t, err)
 
 		newEmail := "new_" + email
 		_, err = resolvers.UpdateProfileResolver(ctx, model.UpdateProfileInput{
 			Email: &newEmail,
 		})
+		s.GinContext.Request.Header.Set("Authorization", "")
 		assert.Nil(t, err)
 		_, err = resolvers.ProfileResolver(ctx)
 		assert.NotNil(t, err, "unauthorized")

server/test/update_user_test.go

@@ -5,10 +5,10 @@ import (
 	"testing"
 
 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/resolvers"
-	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -33,9 +33,9 @@ func updateUserTest(t *testing.T, s TestSetup) {
 		})
 		assert.NotNil(t, err, "unauthorized")
 
-		h, err := utils.EncryptPassword(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))
+		h, err := crypto.EncryptPassword(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))
 		assert.Nil(t, err)
-		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), h))
+		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), h))
 		_, err = resolvers.UpdateUserResolver(ctx, model.UpdateUserInput{
 			ID:    user.ID,
 			Roles: newRoles,