From 8d85b0f87590b0941dfb2d8815aa2c7b7462a89f Mon Sep 17 00:00:00 2001 From: Vidhu Kant Sharma Date: Sun, 4 Dec 2022 19:14:41 +0530 Subject: saving and checking refreshToken in DB --- auth/auth.go | 16 ++++++---------- auth/jwt.go | 30 ++++++++++++++++++++++++++---- auth/jwt_middleware.go | 30 +++++++++++++++++++++++++----- brand/router.go | 2 ++ client/router.go | 2 ++ invoice/router.go | 2 ++ user/user.go | 6 ++++++ 7 files changed, 69 insertions(+), 19 deletions(-) diff --git a/auth/auth.go b/auth/auth.go index 7bf251f..1048f82 100644 --- a/auth/auth.go +++ b/auth/auth.go @@ -51,17 +51,13 @@ func Routes(route *gin.Engine) { }) r.POST("/refresh", verifyRefreshToken(), func (ctx *gin.Context) { - userId := ctx.MustGet("userId") - if userId != "" { - accessToken, err := newAccessToken(userId.(string)) - if err != nil { - log.Printf("Error while generating new access token: %v", err) - ctx.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": "Internal Server Error (cannot refresh session)"}) - } else { - ctx.JSON(http.StatusOK, gin.H{"accessToken": accessToken}) - } + u := ctx.MustGet("user").(user.User) + accessToken, err := newAccessToken(u.Id.Hex()) + if err != nil { + log.Printf("Error while generating new access token: %v", err) + ctx.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": "Internal Server Error (cannot refresh session)"}) } else { - ctx.JSON(http.StatusBadRequest, gin.H{"message": "invalid user info"}) + ctx.JSON(http.StatusOK, gin.H{"accessToken": accessToken}) } }) } diff --git a/auth/jwt.go b/auth/jwt.go index 2d2ea8e..66a4f12 100644 --- a/auth/jwt.go +++ b/auth/jwt.go @@ -18,11 +18,21 @@ package auth import ( - "github.com/golang-jwt/jwt/v4" + "github.com/MikunoNaka/OpenBills-server/user" "github.com/MikunoNaka/OpenBills-server/util" + "github.com/golang-jwt/jwt/v4" + "go.mongodb.org/mongo-driver/bson" + "go.mongodb.org/mongo-driver/bson/primitive" + + "context" + "errors" "time" ) +var ( + errUserNotFound error = errors.New("user does not exist") +) + var accessSecret []byte var refreshSecret []byte func init() { @@ -56,18 +66,30 @@ func newAccessToken(userId string) (string, error) { * for enhanced security */ func newRefreshToken(userId string) (string, int64, error) { - // TODO: store in DB - expiresAt := time.Now().Add(time.Hour * 12).Unix() + // convert id from string to ObjectID + id, _ := primitive.ObjectIDFromHex(userId) + // check if user exists + var u user.User + if err := db.FindOne(context.TODO(), bson.M{"_id": id}).Decode(&u); err != nil { + return "", 0, errUserNotFound + } + + // generate refresh token + expiresAt := time.Now().Add(time.Hour * 12).Unix() claims := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.StandardClaims { Issuer: userId, ExpiresAt: expiresAt, }) - token, err := claims.SignedString(refreshSecret) if err != nil { return "", expiresAt, err } + // store refresh token in db with unique session name for ease in identification + sessionName := time.Now().Format("01-02-2006.15:04:05") + "-" + u.UserName + u.Sessions = append(u.Sessions, user.Session{Name: sessionName, Token: token}) + db.UpdateOne(context.TODO(), bson.M{"_id": id}, bson.D{{"$set", u}}) + return token, expiresAt, nil } diff --git a/auth/jwt_middleware.go b/auth/jwt_middleware.go index 22d1fd7..8dd77b8 100644 --- a/auth/jwt_middleware.go +++ b/auth/jwt_middleware.go @@ -18,9 +18,13 @@ package auth import ( - "net/http" + "github.com/MikunoNaka/OpenBills-server/user" + "go.mongodb.org/mongo-driver/bson/primitive" + "go.mongodb.org/mongo-driver/bson" "github.com/golang-jwt/jwt/v4" "github.com/gin-gonic/gin" + "net/http" + "context" ) func Authorize() gin.HandlerFunc { @@ -51,11 +55,27 @@ func verifyRefreshToken() gin.HandlerFunc { token, err := jwt.ParseWithClaims(refreshToken, &jwt.StandardClaims{}, func(token *jwt.Token) (interface{}, error) { return []byte(refreshSecret), nil }) - if err != nil { + if err != nil { // invalid token ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "refresh token expired"}) - } else { - ctx.Set("userId", token.Claims.(*jwt.StandardClaims).Issuer) - ctx.Next() + } else { // valid token + // convert id from string to ObjectID + id, _ := primitive.ObjectIDFromHex(token.Claims.(*jwt.StandardClaims).Issuer) + + // check if user exists + var u user.User + if err := db.FindOne(context.TODO(), bson.M{"_id": id}).Decode(&u); err != nil { + ctx.AbortWithStatusJSON(http.StatusNotFound, gin.H{"message": "user not found"}) + } else { + // check if this refreshToken is in DB + for _, i := range u.Sessions { + if i.Token == refreshToken { + ctx.Set("user", u) + ctx.Next() + } else { + ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "refresh token expired"}) + } + } + } } } else { // invalid Authorization header diff --git a/brand/router.go b/brand/router.go index 75c4eb4..b5522dc 100644 --- a/brand/router.go +++ b/brand/router.go @@ -18,6 +18,7 @@ package brand import ( + "github.com/MikunoNaka/OpenBills-server/auth" "github.com/gin-gonic/gin" "go.mongodb.org/mongo-driver/bson/primitive" "log" @@ -27,6 +28,7 @@ import ( func Routes(route *gin.Engine) { b := route.Group("/brand") + b.Use(auth.Authorize()) { b.GET("/all", func(ctx *gin.Context) { // TODO: add functionality to filter results diff --git a/client/router.go b/client/router.go index 46e339a..0e5663b 100644 --- a/client/router.go +++ b/client/router.go @@ -18,6 +18,7 @@ package client import ( + "github.com/MikunoNaka/OpenBills-server/auth" "github.com/gin-gonic/gin" "log" "net/http" @@ -26,6 +27,7 @@ import ( func Routes(route *gin.Engine) { c := route.Group("/client") + c.Use(auth.Authorize()) { c.GET("/all", func(ctx *gin.Context) { // TODO: add functionality to filter results diff --git a/invoice/router.go b/invoice/router.go index ba6665f..37c3cd5 100644 --- a/invoice/router.go +++ b/invoice/router.go @@ -18,6 +18,7 @@ package invoice import ( + "github.com/MikunoNaka/OpenBills-server/auth" "github.com/gin-gonic/gin" "log" "errors" @@ -30,6 +31,7 @@ import ( func Routes(route *gin.Engine) { i := route.Group("/invoice") + i.Use(auth.Authorize()) { i.GET("/all", func(ctx *gin.Context) { // TODO: add functionality to filter results diff --git a/user/user.go b/user/user.go index c6c3d53..4c41f24 100644 --- a/user/user.go +++ b/user/user.go @@ -30,12 +30,18 @@ var db *mongo.Collection = database.DB.Collection("Users") type Config struct { } +type Session struct { + Name string `bson:"Name" json:"Name"` + Token string `bson:"Token" json:"Token"` +} + type User struct { Id primitive.ObjectID `bson:"_id,omitempty" json:"Id"` UserName string `bson:"UserName" json:"UserName"` Email string `bson:"Email" json:"Email"` Password string `bson:"Password" json:"Password"` Config Config `bson:"Config" json:"Config"` + Sessions []Session `bson:"Sessions" json:"Sessions"` // some actions are only available when email is verified Verified bool `bson:"Verified" json:"Verified"` } -- cgit v1.2.3