auth
auth/token.go
Enable terminating sessions through the API. Add a terminateSession method to the sessionStore that sets the Active property of the Session to false. Create a Context.TerminateSession wrapper for the terminateSession method on the sessionStore. Add a Sessions property to our response type so we can return a []Session in API responses. Use the URL-safe encoding when base64 encoding our session ID and CSRFToken, so the ID can be passed in the URL and so our encodings are consistent. Add a TerminateSessionHandler function that will extract a Session ID from the request URL, authenticate the user, check that the authenticated user owns the session in question, and terminate the session. Add implementations for our new terminateSession method for the memstore and postgres types. Test both the memstore and postgres implementation of our terminateSession helper in session_test.go.
| paddy@28 | 1 package auth |
| paddy@28 | 2 |
| paddy@28 | 3 import ( |
| paddy@123 | 4 "encoding/json" |
| paddy@28 | 5 "errors" |
| paddy@123 | 6 "log" |
| paddy@123 | 7 "net/http" |
| paddy@28 | 8 "time" |
| paddy@28 | 9 |
| paddy@107 | 10 "code.secondbit.org/uuid.hg" |
| paddy@28 | 11 ) |
| paddy@28 | 12 |
| paddy@69 | 13 const ( |
| paddy@125 | 14 defaultTokenExpiration = 3600 // one hour |
| paddy@69 | 15 ) |
| paddy@69 | 16 |
| paddy@123 | 17 func init() { |
| paddy@123 | 18 RegisterGrantType("refresh_token", GrantType{ |
| paddy@123 | 19 Validate: refreshTokenValidate, |
| paddy@123 | 20 Invalidate: refreshTokenInvalidate, |
| paddy@123 | 21 IssuesRefresh: true, |
| paddy@123 | 22 ReturnToken: RenderJSONToken, |
| paddy@124 | 23 AuditString: refreshTokenAuditString, |
| paddy@123 | 24 }) |
| paddy@123 | 25 } |
| paddy@123 | 26 |
| paddy@28 | 27 var ( |
| paddy@57 | 28 // ErrNoTokenStore is returned when a Context tries to act on a tokenStore without setting one first. |
| paddy@57 | 29 ErrNoTokenStore = errors.New("no tokenStore was specified for the Context") |
| paddy@57 | 30 // ErrTokenNotFound is returned when a Token is requested but not found in a tokenStore. |
| paddy@57 | 31 ErrTokenNotFound = errors.New("token not found in tokenStore") |
| paddy@57 | 32 // ErrTokenAlreadyExists is returned when a Token is added to a tokenStore, but another Token with |
| paddy@57 | 33 // the same AccessToken property already exists in the tokenStore. |
| paddy@57 | 34 ErrTokenAlreadyExists = errors.New("token already exists in tokenStore") |
| paddy@28 | 35 ) |
| paddy@28 | 36 |
| paddy@57 | 37 // Token represents an access and/or refresh token that the Client can use to access user data |
| paddy@57 | 38 // or obtain a new access token. |
| paddy@28 | 39 type Token struct { |
| paddy@125 | 40 AccessToken string |
| paddy@125 | 41 RefreshToken string |
| paddy@125 | 42 Created time.Time |
| paddy@125 | 43 CreatedFrom string |
| paddy@125 | 44 ExpiresIn int32 |
| paddy@125 | 45 TokenType string |
| paddy@155 | 46 Scopes []string `sql_column:"-"` |
| paddy@125 | 47 ProfileID uuid.ID |
| paddy@125 | 48 ClientID uuid.ID |
| paddy@125 | 49 Revoked bool |
| paddy@125 | 50 RefreshRevoked bool |
| paddy@28 | 51 } |
| paddy@28 | 52 |
| paddy@57 | 53 type tokenStore interface { |
| paddy@57 | 54 getToken(token string, refresh bool) (Token, error) |
| paddy@57 | 55 saveToken(token Token) error |
| paddy@91 | 56 revokeToken(token string, refresh bool) error |
| paddy@57 | 57 getTokensByProfileID(profileID uuid.ID, num, offset int) ([]Token, error) |
| paddy@28 | 58 } |
| paddy@28 | 59 |
| paddy@57 | 60 func (m *memstore) getToken(token string, refresh bool) (Token, error) { |
| paddy@28 | 61 if refresh { |
| paddy@28 | 62 t, err := m.lookupTokenByRefresh(token) |
| paddy@28 | 63 if err != nil { |
| paddy@28 | 64 return Token{}, err |
| paddy@28 | 65 } |
| paddy@28 | 66 token = t |
| paddy@28 | 67 } |
| paddy@28 | 68 m.tokenLock.RLock() |
| paddy@28 | 69 defer m.tokenLock.RUnlock() |
| paddy@28 | 70 result, ok := m.tokens[token] |
| paddy@28 | 71 if !ok { |
| paddy@28 | 72 return Token{}, ErrTokenNotFound |
| paddy@28 | 73 } |
| paddy@28 | 74 return result, nil |
| paddy@28 | 75 } |
| paddy@28 | 76 |
| paddy@57 | 77 func (m *memstore) saveToken(token Token) error { |
| paddy@28 | 78 m.tokenLock.Lock() |
| paddy@28 | 79 defer m.tokenLock.Unlock() |
| paddy@28 | 80 _, ok := m.tokens[token.AccessToken] |
| paddy@28 | 81 if ok { |
| paddy@28 | 82 return ErrTokenAlreadyExists |
| paddy@28 | 83 } |
| paddy@28 | 84 m.tokens[token.AccessToken] = token |
| paddy@28 | 85 if token.RefreshToken != "" { |
| paddy@28 | 86 m.refreshTokenLookup[token.RefreshToken] = token.AccessToken |
| paddy@28 | 87 } |
| paddy@28 | 88 if _, ok = m.profileTokenLookup[token.ProfileID.String()]; ok { |
| paddy@28 | 89 m.profileTokenLookup[token.ProfileID.String()] = append(m.profileTokenLookup[token.ProfileID.String()], token.AccessToken) |
| paddy@28 | 90 } else { |
| paddy@28 | 91 m.profileTokenLookup[token.ProfileID.String()] = []string{token.AccessToken} |
| paddy@28 | 92 } |
| paddy@28 | 93 return nil |
| paddy@28 | 94 } |
| paddy@28 | 95 |
| paddy@91 | 96 func (m *memstore) revokeToken(token string, refresh bool) error { |
| paddy@91 | 97 if refresh { |
| paddy@91 | 98 t, err := m.lookupTokenByRefresh(token) |
| paddy@91 | 99 if err != nil { |
| paddy@91 | 100 return err |
| paddy@91 | 101 } |
| paddy@91 | 102 token = t |
| paddy@91 | 103 } |
| paddy@91 | 104 m.tokenLock.Lock() |
| paddy@91 | 105 defer m.tokenLock.Unlock() |
| paddy@91 | 106 t, ok := m.tokens[token] |
| paddy@91 | 107 if !ok { |
| paddy@91 | 108 return ErrTokenNotFound |
| paddy@91 | 109 } |
| paddy@123 | 110 if refresh { |
| paddy@123 | 111 t.RefreshRevoked = true |
| paddy@123 | 112 } else { |
| paddy@123 | 113 t.Revoked = true |
| paddy@123 | 114 } |
| paddy@91 | 115 m.tokens[token] = t |
| paddy@91 | 116 return nil |
| paddy@91 | 117 } |
| paddy@91 | 118 |
| paddy@57 | 119 func (m *memstore) getTokensByProfileID(profileID uuid.ID, num, offset int) ([]Token, error) { |
| paddy@28 | 120 ids, err := m.lookupTokensByProfileID(profileID.String()) |
| paddy@28 | 121 if err != nil { |
| paddy@28 | 122 return []Token{}, err |
| paddy@28 | 123 } |
| paddy@28 | 124 if len(ids) > num+offset { |
| paddy@28 | 125 ids = ids[offset : num+offset] |
| paddy@28 | 126 } else if len(ids) > offset { |
| paddy@28 | 127 ids = ids[offset:] |
| paddy@28 | 128 } else { |
| paddy@28 | 129 return []Token{}, nil |
| paddy@28 | 130 } |
| paddy@28 | 131 tokens := []Token{} |
| paddy@28 | 132 for _, id := range ids { |
| paddy@57 | 133 token, err := m.getToken(id, false) |
| paddy@28 | 134 if err != nil { |
| paddy@28 | 135 return []Token{}, err |
| paddy@28 | 136 } |
| paddy@28 | 137 tokens = append(tokens, token) |
| paddy@28 | 138 } |
| paddy@28 | 139 return tokens, nil |
| paddy@28 | 140 } |
| paddy@123 | 141 |
| paddy@135 | 142 func refreshTokenValidate(w http.ResponseWriter, r *http.Request, context Context) (scopes []string, profileID uuid.ID, valid bool) { |
| paddy@123 | 143 enc := json.NewEncoder(w) |
| paddy@123 | 144 refresh := r.PostFormValue("refresh_token") |
| paddy@123 | 145 if refresh == "" { |
| paddy@123 | 146 w.WriteHeader(http.StatusBadRequest) |
| paddy@123 | 147 renderJSONError(enc, "invalid_request") |
| paddy@123 | 148 return |
| paddy@123 | 149 } |
| paddy@123 | 150 token, err := context.GetToken(refresh, true) |
| paddy@123 | 151 if err != nil { |
| paddy@123 | 152 if err == ErrTokenNotFound { |
| paddy@123 | 153 w.WriteHeader(http.StatusBadRequest) |
| paddy@123 | 154 renderJSONError(enc, "invalid_grant") |
| paddy@123 | 155 return |
| paddy@123 | 156 } |
| paddy@123 | 157 log.Println("Error exchanging refresh token:", err) |
| paddy@123 | 158 w.WriteHeader(http.StatusInternalServerError) |
| paddy@123 | 159 renderJSONError(enc, "server_error") |
| paddy@123 | 160 return |
| paddy@123 | 161 } |
| paddy@123 | 162 clientID, _, ok := getClientAuth(w, r, true) |
| paddy@123 | 163 if !ok { |
| paddy@123 | 164 return |
| paddy@123 | 165 } |
| paddy@123 | 166 if !token.ClientID.Equal(clientID) { |
| paddy@123 | 167 w.WriteHeader(http.StatusBadRequest) |
| paddy@123 | 168 renderJSONError(enc, "invalid_grant") |
| paddy@123 | 169 return |
| paddy@123 | 170 } |
| paddy@123 | 171 if token.RefreshRevoked { |
| paddy@123 | 172 w.WriteHeader(http.StatusBadRequest) |
| paddy@123 | 173 renderJSONError(enc, "invalid_grant") |
| paddy@123 | 174 return |
| paddy@123 | 175 } |
| paddy@135 | 176 return token.Scopes, token.ProfileID, true |
| paddy@123 | 177 } |
| paddy@123 | 178 |
| paddy@123 | 179 func refreshTokenInvalidate(r *http.Request, context Context) error { |
| paddy@123 | 180 refresh := r.PostFormValue("refresh_token") |
| paddy@123 | 181 if refresh == "" { |
| paddy@123 | 182 return ErrTokenNotFound |
| paddy@123 | 183 } |
| paddy@123 | 184 return context.RevokeToken(refresh, true) |
| paddy@123 | 185 } |
| paddy@124 | 186 |
| paddy@124 | 187 func refreshTokenAuditString(r *http.Request) string { |
| paddy@124 | 188 return "refresh_token:" + r.PostFormValue("refresh_token") |
| paddy@124 | 189 } |
| paddy@128 | 190 |
| paddy@128 | 191 // BUG(paddy): We need to implement a handler for revoking a token. |
| paddy@128 | 192 // BUG(paddy): We need to implement a handler for listing active tokens. |