Refactor verifyClient, implement refresh tokens.
Refactor verifyClient into verifyClient and getClientAuth. We moved verifyClient
out of each of the GrantType's validation functions and into the access token
endpoint, where it will be called before the GrantType's validation function.
Yay, less code repetition. And seeing as we always want to verify the client,
that seems like a good way to prevent things like 118a69954621 from happening.
This did, however, force us to add an AllowsPublic property to the GrantType, so
the token endpoint knows whether or not a public Client is valid for any given
GrantType.
We also implemented the refresh token grant type, which required adding ClientID
and RefreshRevoked as properties on the Token type. We need ClientID because we
need to constrain refresh tokens to the client that issued them. We also should
probably keep track of which tokens belong to which clients, just as a general
rule of thumb. RefreshRevoked had to be created, next to Revoked, because the
AccessToken could be revoked and the RefreshToken still valid, or vice versa.
Notably, when you issue a new refresh token, the old one is revoked, but the
access token is still valid. It remains to be seen whether this is a good way to
track things or not. The number of duplicated properties lead me to believe our
type is not a great representation of the underlying concepts.
6 "code.secondbit.org/uuid.hg"
10 tokens map[string]Token
11 refreshTokenLookup map[string]string
12 profileTokenLookup map[string][]string
13 tokenLock sync.RWMutex
15 authCodes map[string]AuthorizationCode
16 authCodeLock sync.RWMutex
18 clients map[string]Client
19 profileClientLookup map[string][]uuid.ID
20 clientLock sync.RWMutex
22 endpoints map[string][]Endpoint
23 endpointLock sync.RWMutex
25 profiles map[string]Profile
26 profileLock sync.RWMutex
28 logins map[string]Login
29 profileLoginLookup map[string][]string
30 loginLock sync.RWMutex
32 sessions map[string]Session
33 sessionLock sync.RWMutex
36 // NewMemstore returns an in-memory version of our datastores,
37 // which is handy for tests. Though the implementation is concurrency-safe,
38 // if makes no attempt to persist the data, and therefore it is inadvisable
39 // to use it in a production setting.
40 func NewMemstore() *memstore {
42 tokens: map[string]Token{},
43 refreshTokenLookup: map[string]string{},
44 profileTokenLookup: map[string][]string{},
45 authCodes: map[string]AuthorizationCode{},
46 clients: map[string]Client{},
47 profileClientLookup: map[string][]uuid.ID{},
48 endpoints: map[string][]Endpoint{},
49 profiles: map[string]Profile{},
50 logins: map[string]Login{},
51 profileLoginLookup: map[string][]string{},
52 sessions: map[string]Session{},
56 func (m *memstore) lookupTokenByRefresh(token string) (string, error) {
58 defer m.tokenLock.RUnlock()
59 t, ok := m.refreshTokenLookup[token]
61 return "", ErrTokenNotFound
66 func (m *memstore) lookupTokensByProfileID(id string) ([]string, error) {
68 defer m.tokenLock.RUnlock()
69 return m.profileTokenLookup[id], nil
72 func (m *memstore) lookupClientsByProfileID(id string) []uuid.ID {
74 defer m.clientLock.RUnlock()
75 c, ok := m.profileClientLookup[id]