summaryrefslogtreecommitdiff
path: root/auth
diff options
context:
space:
mode:
authorVidhu Kant Sharma <vidhukant@vidhukant.xyz>2023-01-29 20:45:43 +0530
committerVidhu Kant Sharma <vidhukant@vidhukant.xyz>2023-01-29 20:45:43 +0530
commit68629768cbb7c86fd4b118e7d555450297f3fb8a (patch)
treee5bb06635ddf50bc58e25bae931ac453a28f844a /auth
parent7ee07197f4fc5806e72a1aefd49c7a448c600cf4 (diff)
moved refresh mechanism to package auth
Diffstat (limited to 'auth')
-rw-r--r--auth/refresh.go118
-rw-r--r--auth/router.go11
2 files changed, 124 insertions, 5 deletions
diff --git a/auth/refresh.go b/auth/refresh.go
new file mode 100644
index 0000000..6a77a78
--- /dev/null
+++ b/auth/refresh.go
@@ -0,0 +1,118 @@
+/* OpenBills-server - Server for libre billing software OpenBills-web
+ * Copyright (C) 2022 Vidhu Kant Sharma <vidhukant@vidhukant.xyz>
+
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package auth
+
+import (
+ "context"
+ "github.com/MikunoNaka/OpenBills-server/database"
+ "github.com/MikunoNaka/OpenBills-server/user"
+ "github.com/MikunoNaka/OpenBills-server/util"
+ "github.com/gin-gonic/gin"
+ "github.com/golang-jwt/jwt/v4"
+ "go.mongodb.org/mongo-driver/bson"
+ "go.mongodb.org/mongo-driver/bson/primitive"
+ "go.mongodb.org/mongo-driver/mongo"
+ "net/http"
+ "time"
+)
+
+var db *mongo.Collection = database.DB.Collection("Users")
+
+var (
+ refreshSecret []byte
+)
+
+func init() {
+ conf := util.GetConfig().Crypto
+ refreshSecret = []byte(conf.RefreshTokenSecret)
+}
+
+// middleware to check refresh token
+func verifyRefreshToken() gin.HandlerFunc {
+ return func(ctx *gin.Context) {
+ refreshToken, err := ctx.Cookie("refreshToken")
+ if err == nil {
+ token, err := jwt.ParseWithClaims(refreshToken, &jwt.StandardClaims{}, func(token *jwt.Token) (interface{}, error) {
+ return []byte(refreshSecret), nil
+ })
+ if err != nil { // invalid token
+ ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "invalid token"})
+ } else { // valid token
+ // convert id from string to ObjectID
+ id, _ := primitive.ObjectIDFromHex(token.Claims.(*jwt.StandardClaims).Issuer)
+
+ // check if user exists
+ var u user.User
+ if err := db.FindOne(context.TODO(), bson.M{"_id": id}).Decode(&u); err != nil {
+ ctx.AbortWithStatusJSON(http.StatusNotFound, gin.H{"message": "user not found"})
+ } else {
+ // check if this refreshToken is in DB
+ for _, i := range u.Sessions {
+ if i.Token == refreshToken {
+ ctx.Set("user", u)
+ ctx.Next()
+ }
+ }
+ ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "refresh token expired"})
+ }
+ }
+ } else {
+ // invalid Authorization header
+ ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "not logged in"})
+ }
+ }
+}
+
+/*
+ * the refresh token has a long lifespan and is stored in
+ * the database in case it needs to be revoked.
+ *
+ * this can be stored as an HTTP only cookie and will be used
+ * when creating a new access token
+ *
+ * I'm using a different secret key for refresh tokens
+ * for enhanced security
+ */
+func newRefreshToken(userId string) (string, int64, error) {
+ // convert id from string to ObjectID
+ id, _ := primitive.ObjectIDFromHex(userId)
+
+ // check if user exists
+ var u user.User
+ if err := db.FindOne(context.TODO(), bson.M{"_id": id}).Decode(&u); err != nil {
+ return "", 0, user.ErrUserNotFound
+ }
+
+ // generate refresh token
+ expiresAt := time.Now().Add(time.Hour * 12).Unix()
+ claims := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.StandardClaims{
+ Issuer: userId,
+ ExpiresAt: expiresAt,
+ })
+ token, err := claims.SignedString(refreshSecret)
+ if err != nil {
+ return "", expiresAt, err
+ }
+
+ // store refresh token in db with unique session name for ease in identification
+ sessionName := time.Now().Format("01-02-2006.15:04:05") + "-" + u.UserName
+ u.Sessions = append(u.Sessions, user.Session{Name: sessionName, Token: token})
+ db.UpdateOne(context.TODO(), bson.M{"_id": id}, bson.D{{"$set", u}})
+
+ return token, expiresAt, nil
+}
diff --git a/auth/router.go b/auth/router.go
index 9fa03b7..9782915 100644
--- a/auth/router.go
+++ b/auth/router.go
@@ -19,6 +19,7 @@ package auth
import (
"github.com/MikunoNaka/OpenBills-server/user"
+ "github.com/MikunoNaka/OpenBills-server/util"
"github.com/gin-gonic/gin"
"log"
"net/http"
@@ -27,16 +28,16 @@ import (
func Routes(route *gin.Engine) {
r := route.Group("/auth")
{
- r.POST("/login", user.checkPassword(), func(ctx *gin.Context) {
+ r.POST("/login", user.CheckPassword(), func(ctx *gin.Context) {
user := ctx.MustGet("user").(user.User)
- accessToken, err := user.newAccessToken(user.Id.Hex())
+ accessToken, err := util.NewAccessToken(user.Id.Hex())
if err != nil {
log.Printf("Error while generating new access token: %v", err)
ctx.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": "Internal Server Error (cannot login)"})
}
- refreshToken, expiresAt, err := user.newRefreshToken(user.Id.Hex())
+ refreshToken, expiresAt, err := newRefreshToken(user.Id.Hex())
if err != nil {
log.Printf("Error while generating new refresh token: %v", err)
ctx.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": "Internal Server Error (cannot login)"})
@@ -46,9 +47,9 @@ func Routes(route *gin.Engine) {
ctx.JSON(http.StatusOK, gin.H{"accessToken": accessToken})
})
- r.POST("/refresh", user.verifyRefreshToken(), func(ctx *gin.Context) {
+ r.POST("/refresh", verifyRefreshToken(), func(ctx *gin.Context) {
u := ctx.MustGet("user").(user.User)
- accessToken, err := util.newAccessToken(u.Id.Hex())
+ accessToken, err := util.NewAccessToken(u.Id.Hex())
if err != nil {
log.Printf("Error while generating new access token: %v", err)
ctx.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": "Internal Server Error (cannot refresh session)"})