1 files changed, 117 insertions, 0 deletions
diff --git a/user/refresh.go b/user/refresh.go
new file mode 100644
index 0000000..72a7655
--- /dev/null
+++ b/user/refresh.go
@@ -0,0 +1,117 @@
+/* OpenBills-server - Server for libre billing software OpenBills-web
+ * Copyright (C) 2022  Vidhu Kant Sharma <vidhukant@vidhukant.xyz>
+
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package user
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"github.com/MikunoNaka/OpenBills-server/util"
+	"github.com/gin-gonic/gin"
+	"github.com/golang-jwt/jwt/v4"
+	"go.mongodb.org/mongo-driver/bson"
+	"go.mongodb.org/mongo-driver/bson/primitive"
+	"net/http"
+	"time"
+)
+
+var (
+	errUserNotFound error = errors.New("user does not exist")
+	refreshSecret   []byte
+)
+
+func init() {
+	conf := util.GetConfig().Crypto
+	refreshSecret = []byte(conf.RefreshTokenSecret)
+}
+
+// middleware to check refresh token
+func verifyRefreshToken() gin.HandlerFunc {
+	return func(ctx *gin.Context) {
+		refreshToken, err := ctx.Cookie("refreshToken")
+		fmt.Println(refreshToken)
+		if err == nil {
+			token, err := jwt.ParseWithClaims(refreshToken, &jwt.StandardClaims{}, func(token *jwt.Token) (interface{}, error) {
+				return []byte(refreshSecret), nil
+			})
+			if err != nil { // invalid token
+				ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "invalid token"})
+			} else { // valid token
+				// convert id from string to ObjectID
+				id, _ := primitive.ObjectIDFromHex(token.Claims.(*jwt.StandardClaims).Issuer)
+
+				// check if user exists
+				var u User
+				if err := db.FindOne(context.TODO(), bson.M{"_id": id}).Decode(&u); err != nil {
+					ctx.AbortWithStatusJSON(http.StatusNotFound, gin.H{"message": "user not found"})
+				} else {
+					// check if this refreshToken is in DB
+					for _, i := range u.Sessions {
+						if i.Token == refreshToken {
+							ctx.Set("user", u)
+							ctx.Next()
+						}
+					}
+					ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "refresh token expired"})
+				}
+			}
+		} else {
+			// invalid Authorization header
+			ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "not logged in"})
+		}
+	}
+}
+
+/*
+ * the refresh token has a long lifespan and is stored in
+ * the database in case it needs to be revoked.
+ *
+ * this can be stored as an HTTP only cookie and will be used
+ * when creating a new access token
+ *
+ * I'm using a different secret key for refresh tokens
+ * for enhanced security
+ */
+func newRefreshToken(userId string) (string, int64, error) {
+	// convert id from string to ObjectID
+	id, _ := primitive.ObjectIDFromHex(userId)
+
+	// check if user exists
+	var u User
+	if err := db.FindOne(context.TODO(), bson.M{"_id": id}).Decode(&u); err != nil {
+		return "", 0, errUserNotFound
+	}
+
+	// generate refresh token
+	expiresAt := time.Now().Add(time.Hour * 12).Unix()
+	claims := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.StandardClaims{
+		Issuer:    userId,
+		ExpiresAt: expiresAt,
+	})
+	token, err := claims.SignedString(refreshSecret)
+	if err != nil {
+		return "", expiresAt, err
+	}
+
+	// store refresh token in db with unique session name for ease in identification
+	sessionName := time.Now().Format("01-02-2006.15:04:05") + "-" + u.UserName
+	u.Sessions = append(u.Sessions, Session{Name: sessionName, Token: token})
+	db.UpdateOne(context.TODO(), bson.M{"_id": id}, bson.D{{"$set", u}})
+
+	return token, expiresAt, nil
+}