From 68629768cbb7c86fd4b118e7d555450297f3fb8a Mon Sep 17 00:00:00 2001 From: Vidhu Kant Sharma Date: Sun, 29 Jan 2023 20:45:43 +0530 Subject: moved refresh mechanism to package auth --- auth/refresh.go | 118 ++++++++++++++++++++++++++++++++++++++++++++++++++ auth/router.go | 11 ++--- main.go | 6 +++ transporter/router.go | 2 +- user/password.go | 2 +- user/refresh.go | 117 ------------------------------------------------- user/router.go | 4 +- user/user.go | 23 +++++----- util/authorize.go | 2 +- 9 files changed, 148 insertions(+), 137 deletions(-) create mode 100644 auth/refresh.go delete mode 100644 user/refresh.go diff --git a/auth/refresh.go b/auth/refresh.go new file mode 100644 index 0000000..6a77a78 --- /dev/null +++ b/auth/refresh.go @@ -0,0 +1,118 @@ +/* OpenBills-server - Server for libre billing software OpenBills-web + * Copyright (C) 2022 Vidhu Kant Sharma + + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +package auth + +import ( + "context" + "github.com/MikunoNaka/OpenBills-server/database" + "github.com/MikunoNaka/OpenBills-server/user" + "github.com/MikunoNaka/OpenBills-server/util" + "github.com/gin-gonic/gin" + "github.com/golang-jwt/jwt/v4" + "go.mongodb.org/mongo-driver/bson" + "go.mongodb.org/mongo-driver/bson/primitive" + "go.mongodb.org/mongo-driver/mongo" + "net/http" + "time" +) + +var db *mongo.Collection = database.DB.Collection("Users") + +var ( + refreshSecret []byte +) + +func init() { + conf := util.GetConfig().Crypto + refreshSecret = []byte(conf.RefreshTokenSecret) +} + +// middleware to check refresh token +func verifyRefreshToken() gin.HandlerFunc { + return func(ctx *gin.Context) { + refreshToken, err := ctx.Cookie("refreshToken") + if err == nil { + token, err := jwt.ParseWithClaims(refreshToken, &jwt.StandardClaims{}, func(token *jwt.Token) (interface{}, error) { + return []byte(refreshSecret), nil + }) + if err != nil { // invalid token + ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "invalid token"}) + } else { // valid token + // convert id from string to ObjectID + id, _ := primitive.ObjectIDFromHex(token.Claims.(*jwt.StandardClaims).Issuer) + + // check if user exists + var u user.User + if err := db.FindOne(context.TODO(), bson.M{"_id": id}).Decode(&u); err != nil { + ctx.AbortWithStatusJSON(http.StatusNotFound, gin.H{"message": "user not found"}) + } else { + // check if this refreshToken is in DB + for _, i := range u.Sessions { + if i.Token == refreshToken { + ctx.Set("user", u) + ctx.Next() + } + } + ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "refresh token expired"}) + } + } + } else { + // invalid Authorization header + ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "not logged in"}) + } + } +} + +/* + * the refresh token has a long lifespan and is stored in + * the database in case it needs to be revoked. + * + * this can be stored as an HTTP only cookie and will be used + * when creating a new access token + * + * I'm using a different secret key for refresh tokens + * for enhanced security + */ +func newRefreshToken(userId string) (string, int64, error) { + // convert id from string to ObjectID + id, _ := primitive.ObjectIDFromHex(userId) + + // check if user exists + var u user.User + if err := db.FindOne(context.TODO(), bson.M{"_id": id}).Decode(&u); err != nil { + return "", 0, user.ErrUserNotFound + } + + // generate refresh token + expiresAt := time.Now().Add(time.Hour * 12).Unix() + claims := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.StandardClaims{ + Issuer: userId, + ExpiresAt: expiresAt, + }) + token, err := claims.SignedString(refreshSecret) + if err != nil { + return "", expiresAt, err + } + + // store refresh token in db with unique session name for ease in identification + sessionName := time.Now().Format("01-02-2006.15:04:05") + "-" + u.UserName + u.Sessions = append(u.Sessions, user.Session{Name: sessionName, Token: token}) + db.UpdateOne(context.TODO(), bson.M{"_id": id}, bson.D{{"$set", u}}) + + return token, expiresAt, nil +} diff --git a/auth/router.go b/auth/router.go index 9fa03b7..9782915 100644 --- a/auth/router.go +++ b/auth/router.go @@ -19,6 +19,7 @@ package auth import ( "github.com/MikunoNaka/OpenBills-server/user" + "github.com/MikunoNaka/OpenBills-server/util" "github.com/gin-gonic/gin" "log" "net/http" @@ -27,16 +28,16 @@ import ( func Routes(route *gin.Engine) { r := route.Group("/auth") { - r.POST("/login", user.checkPassword(), func(ctx *gin.Context) { + r.POST("/login", user.CheckPassword(), func(ctx *gin.Context) { user := ctx.MustGet("user").(user.User) - accessToken, err := user.newAccessToken(user.Id.Hex()) + accessToken, err := util.NewAccessToken(user.Id.Hex()) if err != nil { log.Printf("Error while generating new access token: %v", err) ctx.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": "Internal Server Error (cannot login)"}) } - refreshToken, expiresAt, err := user.newRefreshToken(user.Id.Hex()) + refreshToken, expiresAt, err := newRefreshToken(user.Id.Hex()) if err != nil { log.Printf("Error while generating new refresh token: %v", err) ctx.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": "Internal Server Error (cannot login)"}) @@ -46,9 +47,9 @@ func Routes(route *gin.Engine) { ctx.JSON(http.StatusOK, gin.H{"accessToken": accessToken}) }) - r.POST("/refresh", user.verifyRefreshToken(), func(ctx *gin.Context) { + r.POST("/refresh", verifyRefreshToken(), func(ctx *gin.Context) { u := ctx.MustGet("user").(user.User) - accessToken, err := util.newAccessToken(u.Id.Hex()) + accessToken, err := util.NewAccessToken(u.Id.Hex()) if err != nil { log.Printf("Error while generating new access token: %v", err) ctx.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": "Internal Server Error (cannot refresh session)"}) diff --git a/main.go b/main.go index d309be4..7942af7 100644 --- a/main.go +++ b/main.go @@ -25,6 +25,9 @@ import ( "github.com/MikunoNaka/OpenBills-server/item" "github.com/MikunoNaka/OpenBills-server/user" "github.com/MikunoNaka/OpenBills-server/util" + "github.com/MikunoNaka/OpenBills-server/auth" + "github.com/MikunoNaka/OpenBills-server/transport" + "github.com/MikunoNaka/OpenBills-server/transporter" "github.com/gin-gonic/gin" ) @@ -38,6 +41,9 @@ func main() { client.Routes(r) invoice.Routes(r) user.Routes(r) + auth.Routes(r) + transport.Routes(r) + transporter.Routes(r) // ping server and check if logged in r.POST("/ping", util.Authorize(), func(ctx *gin.Context) { diff --git a/transporter/router.go b/transporter/router.go index 769d7fa..8bf7728 100644 --- a/transporter/router.go +++ b/transporter/router.go @@ -23,7 +23,7 @@ import ( ) func Routes(route *gin.Engine) { - t := route.Group("/transport", util.Authorize()) + t := route.Group("/transporter", util.Authorize()) { t.GET("/all", getAll) t.DELETE("/:transportId", remove) diff --git a/user/password.go b/user/password.go index d667ebc..df3811b 100644 --- a/user/password.go +++ b/user/password.go @@ -26,7 +26,7 @@ import ( "net/http" ) -func checkPassword() gin.HandlerFunc { +func CheckPassword() gin.HandlerFunc { return func(ctx *gin.Context) { var u User ctx.BindJSON(&u) diff --git a/user/refresh.go b/user/refresh.go deleted file mode 100644 index 72a7655..0000000 --- a/user/refresh.go +++ /dev/null @@ -1,117 +0,0 @@ -/* OpenBills-server - Server for libre billing software OpenBills-web - * Copyright (C) 2022 Vidhu Kant Sharma - - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -package user - -import ( - "context" - "errors" - "fmt" - "github.com/MikunoNaka/OpenBills-server/util" - "github.com/gin-gonic/gin" - "github.com/golang-jwt/jwt/v4" - "go.mongodb.org/mongo-driver/bson" - "go.mongodb.org/mongo-driver/bson/primitive" - "net/http" - "time" -) - -var ( - errUserNotFound error = errors.New("user does not exist") - refreshSecret []byte -) - -func init() { - conf := util.GetConfig().Crypto - refreshSecret = []byte(conf.RefreshTokenSecret) -} - -// middleware to check refresh token -func verifyRefreshToken() gin.HandlerFunc { - return func(ctx *gin.Context) { - refreshToken, err := ctx.Cookie("refreshToken") - fmt.Println(refreshToken) - if err == nil { - token, err := jwt.ParseWithClaims(refreshToken, &jwt.StandardClaims{}, func(token *jwt.Token) (interface{}, error) { - return []byte(refreshSecret), nil - }) - if err != nil { // invalid token - ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "invalid token"}) - } else { // valid token - // convert id from string to ObjectID - id, _ := primitive.ObjectIDFromHex(token.Claims.(*jwt.StandardClaims).Issuer) - - // check if user exists - var u User - if err := db.FindOne(context.TODO(), bson.M{"_id": id}).Decode(&u); err != nil { - ctx.AbortWithStatusJSON(http.StatusNotFound, gin.H{"message": "user not found"}) - } else { - // check if this refreshToken is in DB - for _, i := range u.Sessions { - if i.Token == refreshToken { - ctx.Set("user", u) - ctx.Next() - } - } - ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "refresh token expired"}) - } - } - } else { - // invalid Authorization header - ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "not logged in"}) - } - } -} - -/* - * the refresh token has a long lifespan and is stored in - * the database in case it needs to be revoked. - * - * this can be stored as an HTTP only cookie and will be used - * when creating a new access token - * - * I'm using a different secret key for refresh tokens - * for enhanced security - */ -func newRefreshToken(userId string) (string, int64, error) { - // convert id from string to ObjectID - id, _ := primitive.ObjectIDFromHex(userId) - - // check if user exists - var u User - if err := db.FindOne(context.TODO(), bson.M{"_id": id}).Decode(&u); err != nil { - return "", 0, errUserNotFound - } - - // generate refresh token - expiresAt := time.Now().Add(time.Hour * 12).Unix() - claims := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.StandardClaims{ - Issuer: userId, - ExpiresAt: expiresAt, - }) - token, err := claims.SignedString(refreshSecret) - if err != nil { - return "", expiresAt, err - } - - // store refresh token in db with unique session name for ease in identification - sessionName := time.Now().Format("01-02-2006.15:04:05") + "-" + u.UserName - u.Sessions = append(u.Sessions, Session{Name: sessionName, Token: token}) - db.UpdateOne(context.TODO(), bson.M{"_id": id}, bson.D{{"$set", u}}) - - return token, expiresAt, nil -} diff --git a/user/router.go b/user/router.go index ad9b4df..2614bf4 100644 --- a/user/router.go +++ b/user/router.go @@ -27,7 +27,7 @@ func Routes(route *gin.Engine) { { u.GET("/", util.Authorize(), getSelf) u.POST("/new", validateMiddleware(), save) - u.PUT("/:userId", checkPassword(), modify) - u.DELETE("/:userId", checkPassword(), remove) + u.PUT("/:userId", CheckPassword(), modify) + u.DELETE("/:userId", CheckPassword(), remove) } } diff --git a/user/user.go b/user/user.go index 30ae333..6fc6163 100644 --- a/user/user.go +++ b/user/user.go @@ -18,12 +18,15 @@ package user import ( + "errors" + "github.com/MikunoNaka/OpenBills-server/database" "go.mongodb.org/mongo-driver/bson/primitive" "go.mongodb.org/mongo-driver/mongo" - "github.com/MikunoNaka/OpenBills-server/database" - "golang.org/x/crypto/bcrypt" + "golang.org/x/crypto/bcrypt" ) +var ErrUserNotFound error = errors.New("user does not exist") + var db *mongo.Collection = database.DB.Collection("Users") // per-user config can be shared to DB @@ -33,19 +36,19 @@ type Config struct { } type Session struct { - Name string `bson:"Name" json:"Name"` + Name string `bson:"Name" json:"Name"` Token string `bson:"Token" json:"Token"` } type User struct { - Id primitive.ObjectID `bson:"_id,omitempty" json:"Id"` - UserName string `bson:"UserName" json:"UserName"` - Email string `bson:"Email" json:"Email"` - Password string `bson:"Password" json:"Password"` - Config Config `bson:"Config" json:"Config"` - Sessions []Session `bson:"Sessions" json:"Sessions"` + Id primitive.ObjectID `bson:"_id,omitempty" json:"Id"` + UserName string `bson:"UserName" json:"UserName"` + Email string `bson:"Email" json:"Email"` + Password string `bson:"Password" json:"Password"` + Config Config `bson:"Config" json:"Config"` + Sessions []Session `bson:"Sessions" json:"Sessions"` // some actions are only available when email is verified - Verified bool `bson:"Verified" json:"Verified"` + Verified bool `bson:"Verified" json:"Verified"` } func (u *User) hashPassword() error { diff --git a/util/authorize.go b/util/authorize.go index ca6660e..6fb7a0c 100644 --- a/util/authorize.go +++ b/util/authorize.go @@ -53,7 +53,7 @@ func Authorize() gin.HandlerFunc { } // generate new access token -func newAccessToken(userId string) (string, error) { +func NewAccessToken(userId string) (string, error) { claims := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.StandardClaims{ Issuer: userId, ExpiresAt: time.Now().Add(time.Second * 15).Unix(), -- cgit v1.2.3