diff --git a/server/handlers/authorize.go b/server/handlers/authorize.go
index d2a9293..fd2372c 100644
--- a/server/handlers/authorize.go
+++ b/server/handlers/authorize.go
@@ -248,7 +248,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 return
 }
- memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeSessionToken+"_"+newSessionTokenData.Nonce, newSessionToken)
+ memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+newSessionTokenData.Nonce, newSessionToken)
 cookie.SetSession(gc, newSessionToken)
 code := uuid.New().String()
 memorystore.Provider.SetState(codeChallenge, code+"@"+newSessionToken)
diff --git a/server/handlers/token.go b/server/handlers/token.go
index 090eb6a..da72969 100644
--- a/server/handlers/token.go
+++ b/server/handlers/token.go
@@ -76,7 +76,6 @@ func TokenHandler() gin.HandlerFunc {
 sessionKey := ""
 if isAuthorizationCodeGrant {
-
 if codeVerifier == "" {
 log.Debug("Code verifier is empty")
 gc.JSON(http.StatusBadRequest, gin.H{
@@ -134,15 +133,18 @@ func TokenHandler() gin.HandlerFunc {
 })
 return
 }
+
 userID = claims.Subject
 roles = claims.Roles
 scope = claims.Scope
 loginMethod = claims.LoginMethod
+ // rollover the session for security
 sessionKey = userID
 if loginMethod != "" {
 sessionKey = loginMethod + ":" + userID
 }
+ go memorystore.Provider.DeleteUserSession(sessionKey, claims.Nonce)
 } else {
 // validate refresh token
diff --git a/server/memorystore/providers/inmemory/store.go b/server/memorystore/providers/inmemory/store.go
index ebd0c06..13080c7 100644
--- a/server/memorystore/providers/inmemory/store.go
+++ b/server/memorystore/providers/inmemory/store.go
@@ -7,7 +7,7 @@ import (
 "github.com/authorizerdev/authorizer/server/constants"
 )
-// SetUserSession sets the user session
+// SetUserSession sets the user session for given user identifier in form recipe:user_id
 func (c *provider) SetUserSession(userId, key, token string) error {
 c.sessionStore.Set(userId, key, token)
 return nil
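Review bot: The error returned by SetUserSession on the `+` line is still discarded, so when the store write fails the handler goes on to set the session cookie on the next line and to issue an authorization code bound to a session that ValidateBrowserSession will never find. The Provider interface touched in this same commit declares `SetUserSession(userId, key, token string) error`, so the call should be checked before the cookie is written, e.g. `if err := memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+newSessionTokenData.Nonce, newSessionToken); err != nil {` followed by a debug log, an error response and `return`. `sessionKey` is built outside the hunk; presumably it uses the same `loginMethod + ":" + userID` form with a bare-user-ID fallback that TokenHandler and ValidateBrowserSession use, which is worth confirming, since a mismatch stores the session under a key nobody reads. AuthorizeHandler continues on both sides of the hunk.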
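Review bot: The old session is removed on the new `go memorystore.Provider.DeleteUserSession(sessionKey, claims.Nonce)` line in a fire-and-forget goroutine, so a failed delete is never observed and the previous session stays valid even though the comment two lines up promises a rollover; the goroutine also outlives the request with no context and nothing waiting on it. Since this is a single store call on the request path, run it synchronously and handle the result, `if err := memorystore.Provider.DeleteUserSession(sessionKey, claims.Nonce); err != nil {` then `log.Debug("Failed to delete old session: ", err)` and `}` (assuming DeleteUserSession returns an error like its SetUserSession sibling), or fail the request if single use of the old session must be strict. Note also that the session is stored under the field `constants.TokenTypeSessionToken+"_"+nonce` in the authorize.go hunk but the delete receives the bare `claims.Nonce`; unless DeleteUserSession adds that prefix itself the entry is not removed, so confirm against its implementation. The `// rollover the session for security` comment sits above the `sessionKey = userID` assignment rather than the delete; moving it to the delete line and stating what is rolled over, e.g. `// invalidate the session that issued this code so it cannot be reused`, makes the intent clear. TokenHandler's body continues on both sides of the hunk.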
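Review bot: The new doc comment on SetUserSession says the identifier has the form `recipe:user_id`, but the callers in this same commit (TokenHandler and ValidateBrowserSession) build the key as `loginMethod + ":" + userID` and fall back to the bare user ID when the login method is empty, so the comment matches neither the name used in the code nor the fallback. Suggest `// SetUserSession stores token under key for the given session identifier, which is login_method:user_id, or the bare user_id when no login method is set.` on all three copies: this hunk, the Provider interface in providers.go and redis/store.go. The inmemory body itself is unchanged by the hunk.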
diff --git a/server/memorystore/providers/providers.go b/server/memorystore/providers/providers.go
index 4953edb..a4816c5 100644
--- a/server/memorystore/providers/providers.go
+++ b/server/memorystore/providers/providers.go
@@ -2,7 +2,7 @@ package providers
 // Provider defines current memory store provider
 type Provider interface {
- // SetUserSession sets the user session
+ // SetUserSession sets the user session for given user identifier in form recipe:user_id
 SetUserSession(userId, key, token string) error
 // GetAllUserSessions returns all the user sessions from the session store
 GetAllUserSessions(userId string) (map[string]string, error)
diff --git a/server/memorystore/providers/redis/store.go b/server/memorystore/providers/redis/store.go
index f57e1ca..7cd575c 100644
--- a/server/memorystore/providers/redis/store.go
+++ b/server/memorystore/providers/redis/store.go
@@ -14,7 +14,7 @@ var (
 envStorePrefix = "authorizer_env"
 )
-// SetUserSession sets the user session in redis store.
+// SetUserSession sets the user session for given user identifier in form recipe:user_id
 func (c *provider) SetUserSession(userId, key, token string) error {
 err := c.store.HSet(c.ctx, userId, key, token).Err()
 if err != nil {
diff --git a/server/token/auth_token.go b/server/token/auth_token.go
index f108647..4572b6b 100644
--- a/server/token/auth_token.go
+++ b/server/token/auth_token.go
@@ -298,7 +298,6 @@ func ValidateBrowserSession(gc *gin.Context, encryptedSession string) (*SessionD
 if res.LoginMethod != "" {
 sessionStoreKey = res.LoginMethod + ":" + res.Subject
 }
-
 token, err := memorystore.Provider.GetUserSession(sessionStoreKey, constants.TokenTypeSessionToken+"_"+res.Nonce)
 if token == "" || err != nil {
 log.Debug("invalid browser session:", err)