From 68629768cbb7c86fd4b118e7d555450297f3fb8a Mon Sep 17 00:00:00 2001 From: Vidhu Kant Sharma Date: Sun, 29 Jan 2023 20:45:43 +0530 Subject: moved refresh mechanism to package auth --- user/refresh.go | 117 -------------------------------------------------------- 1 file changed, 117 deletions(-) delete mode 100644 user/refresh.go (limited to 'user/refresh.go') diff --git a/user/refresh.go b/user/refresh.go deleted file mode 100644 index 72a7655..0000000 --- a/user/refresh.go +++ /dev/null @@ -1,117 +0,0 @@ -/* OpenBills-server - Server for libre billing software OpenBills-web - * Copyright (C) 2022 Vidhu Kant Sharma - - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -package user - -import ( - "context" - "errors" - "fmt" - "github.com/MikunoNaka/OpenBills-server/util" - "github.com/gin-gonic/gin" - "github.com/golang-jwt/jwt/v4" - "go.mongodb.org/mongo-driver/bson" - "go.mongodb.org/mongo-driver/bson/primitive" - "net/http" - "time" -) - -var ( - errUserNotFound error = errors.New("user does not exist") - refreshSecret []byte -) - -func init() { - conf := util.GetConfig().Crypto - refreshSecret = []byte(conf.RefreshTokenSecret) -} - -// middleware to check refresh token -func verifyRefreshToken() gin.HandlerFunc { - return func(ctx *gin.Context) { - refreshToken, err := ctx.Cookie("refreshToken") - fmt.Println(refreshToken) - if err == nil { - token, err := jwt.ParseWithClaims(refreshToken, &jwt.StandardClaims{}, func(token *jwt.Token) (interface{}, error) { - return []byte(refreshSecret), nil - }) - if err != nil { // invalid token - ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "invalid token"}) - } else { // valid token - // convert id from string to ObjectID - id, _ := primitive.ObjectIDFromHex(token.Claims.(*jwt.StandardClaims).Issuer) - - // check if user exists - var u User - if err := db.FindOne(context.TODO(), bson.M{"_id": id}).Decode(&u); err != nil { - ctx.AbortWithStatusJSON(http.StatusNotFound, gin.H{"message": "user not found"}) - } else { - // check if this refreshToken is in DB - for _, i := range u.Sessions { - if i.Token == refreshToken { - ctx.Set("user", u) - ctx.Next() - } - } - ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "refresh token expired"}) - } - } - } else { - // invalid Authorization header - ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "not logged in"}) - } - } -} - -/* - * the refresh token has a long lifespan and is stored in - * the database in case it needs to be revoked. - * - * this can be stored as an HTTP only cookie and will be used - * when creating a new access token - * - * I'm using a different secret key for refresh tokens - * for enhanced security - */ -func newRefreshToken(userId string) (string, int64, error) { - // convert id from string to ObjectID - id, _ := primitive.ObjectIDFromHex(userId) - - // check if user exists - var u User - if err := db.FindOne(context.TODO(), bson.M{"_id": id}).Decode(&u); err != nil { - return "", 0, errUserNotFound - } - - // generate refresh token - expiresAt := time.Now().Add(time.Hour * 12).Unix() - claims := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.StandardClaims{ - Issuer: userId, - ExpiresAt: expiresAt, - }) - token, err := claims.SignedString(refreshSecret) - if err != nil { - return "", expiresAt, err - } - - // store refresh token in db with unique session name for ease in identification - sessionName := time.Now().Format("01-02-2006.15:04:05") + "-" + u.UserName - u.Sessions = append(u.Sessions, Session{Name: sessionName, Token: token}) - db.UpdateOne(context.TODO(), bson.M{"_id": id}, bson.D{{"$set", u}}) - - return token, expiresAt, nil -} -- cgit v1.2.3