Switch to a JWT approach.
We're going to use a JWT as our access tokens (as discussed in &yet's excellent
post https://blog.andyet.com/2015/05/12/micro-services-user-info-and-auth and my
ensuing conversation with Fritzy).
The benefit of this approach is that we can do authentication and even some
authorization without touching the database at all.
The drawback is that we can no longer revoke access tokens, only the refresh
tokens that grant the access tokens.
We need a new config variable to set our private key, used to sign the JWT.
We get to remove our token handlers, as we no longer can revoke tokens, so
there's no purpose in getting information about it or listing them.
Our tokenStore revokeToken gets to be simplified, as it will only ever be used
for refresh tokens now. We also updated our postgres and memstore
implementations.
We added a helper method for generating the signed "access token" (our JWT) and
started using it in the places where we're creating a Token.
We get to remove the `revoked` SQL column for the tokens table, and rename the
`refresh_revoked` column to just be `revoked`.
We shortened our access token expiration to 15 minutes instead of an hour, to
deal with the token not being revokable.
6 "code.secondbit.org/uuid.hg"
10 tokens map[string]Token
11 refreshTokenLookup map[string]string
12 profileTokenLookup map[string][]string
13 tokenLock sync.RWMutex
15 authCodes map[string]AuthorizationCode
16 authCodeLock sync.RWMutex
18 clients map[string]Client
19 profileClientLookup map[string][]uuid.ID
20 clientLock sync.RWMutex
22 endpoints map[string][]Endpoint
23 endpointLock sync.RWMutex
25 profiles map[string]Profile
26 profileLock sync.RWMutex
28 logins map[string]Login
29 profileLoginLookup map[string][]string
30 loginLock sync.RWMutex
32 sessions map[string]Session
33 sessionLock sync.RWMutex
35 scopes map[string]Scope
36 scopeLock sync.RWMutex
39 // NewMemstore returns an in-memory version of our datastores,
40 // which is handy for tests. Though the implementation is concurrency-safe,
41 // if makes no attempt to persist the data, and therefore it is inadvisable
42 // to use it in a production setting.
43 func NewMemstore() *memstore {
45 tokens: map[string]Token{},
46 refreshTokenLookup: map[string]string{},
47 profileTokenLookup: map[string][]string{},
48 authCodes: map[string]AuthorizationCode{},
49 clients: map[string]Client{},
50 profileClientLookup: map[string][]uuid.ID{},
51 endpoints: map[string][]Endpoint{},
52 profiles: map[string]Profile{},
53 logins: map[string]Login{},
54 profileLoginLookup: map[string][]string{},
55 sessions: map[string]Session{},
56 scopes: map[string]Scope{},
60 func (m *memstore) lookupTokenByRefresh(token string) (string, error) {
62 defer m.tokenLock.RUnlock()
63 t, ok := m.refreshTokenLookup[token]
65 return "", ErrTokenNotFound
70 func (m *memstore) lookupTokensByProfileID(id string) ([]string, error) {
72 defer m.tokenLock.RUnlock()
73 return m.profileTokenLookup[id], nil
76 func (m *memstore) lookupClientsByProfileID(id string) []uuid.ID {
78 defer m.clientLock.RUnlock()
79 c, ok := m.profileClientLookup[id]