chore: update auth checks

2025-06-15 04:17:50 +00:00 · 2024-05-21 20:34:06 +08:00
parent 0602b2475a
commit 26aa00e20b
4 changed files with 13 additions and 16 deletions
--- a/server/route/api/v1/acl.go
+++ b/server/route/api/v1/acl.go
@ -14,7 +14,6 @@ import (

 	"github.com/yourselfhosted/slash/internal/util"
 	storepb "github.com/yourselfhosted/slash/proto/gen/store"
-	"github.com/yourselfhosted/slash/server/route/auth"
 	"github.com/yourselfhosted/slash/store"
 )

@ -81,7 +80,7 @@ func (in *GRPCAuthInterceptor) authenticate(ctx context.Context, accessToken str
 	if accessToken == "" {
 		return 0, status.Errorf(codes.Unauthenticated, "access token not found")
 	}
-	claims := &auth.ClaimsMessage{}
+	claims := &ClaimsMessage{}
 	_, err := jwt.ParseWithClaims(accessToken, claims, func(t *jwt.Token) (any, error) {
 		if t.Method.Alg() != jwt.SigningMethodHS256.Name {
 			return nil, status.Errorf(codes.Unauthenticated, "unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256)
@ -96,11 +95,11 @@ func (in *GRPCAuthInterceptor) authenticate(ctx context.Context, accessToken str
 	if err != nil {
 		return 0, status.Errorf(codes.Unauthenticated, "Invalid or expired access token")
 	}
-	if !audienceContains(claims.Audience, auth.AccessTokenAudienceName) {
+	if !audienceContains(claims.Audience, AccessTokenAudienceName) {
 		return 0, status.Errorf(codes.Unauthenticated,
 			"invalid access token, audience mismatch, got %q, expected %q. you may send request to the wrong environment",
 			claims.Audience,
-			auth.AccessTokenAudienceName,
+			AccessTokenAudienceName,
 		)
 	}

@ -148,7 +147,7 @@ func getTokenFromMetadata(md metadata.MD) (string, error) {
 		header := http.Header{}
 		header.Add("Cookie", t)
 		request := http.Request{Header: header}
-		if v, _ := request.Cookie(auth.AccessTokenCookieName); v != nil {
+		if v, _ := request.Cookie(AccessTokenCookieName); v != nil {
 			accessToken = v.Value
 		}
 	}
--- a/server/route/api/v1/auth.go
+++ b/server/route/api/v1/auth.go
@ -0,0 +1,64 @@
+package v1
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+const (
+	// issuer is the issuer of the jwt token.
+	Issuer = "slash"
+	// Signing key section. For now, this is only used for signing, not for verifying since we only
+	// have 1 version. But it will be used to maintain backward compatibility if we change the signing mechanism.
+	KeyID = "v1"
+	// AccessTokenAudienceName is the audience name of the access token.
+	AccessTokenAudienceName = "user.access-token"
+	AccessTokenDuration     = 7 * 24 * time.Hour
+
+	// CookieExpDuration expires slightly earlier than the jwt expiration. Client would be logged out if the user
+	// cookie expires, thus the client would always logout first before attempting to make a request with the expired jwt.
+	CookieExpDuration = AccessTokenDuration - 1*time.Minute
+	// AccessTokenCookieName is the cookie name of access token.
+	AccessTokenCookieName = "slash.access-token"
+)
+
+type ClaimsMessage struct {
+	Name string `json:"name"`
+	jwt.RegisteredClaims
+}
+
+// GenerateAccessToken generates an access token.
+// username is the email of the user.
+func GenerateAccessToken(username string, userID int32, expirationTime time.Time, secret []byte) (string, error) {
+	return generateToken(username, userID, AccessTokenAudienceName, expirationTime, secret)
+}
+
+// generateToken generates a jwt token.
+func generateToken(username string, userID int32, audience string, expirationTime time.Time, secret []byte) (string, error) {
+	registeredClaims := jwt.RegisteredClaims{
+		Issuer:   Issuer,
+		Audience: jwt.ClaimStrings{audience},
+		IssuedAt: jwt.NewNumericDate(time.Now()),
+		Subject:  fmt.Sprint(userID),
+	}
+	if !expirationTime.IsZero() {
+		registeredClaims.ExpiresAt = jwt.NewNumericDate(expirationTime)
+	}
+
+	// Declare the token with the HS256 algorithm used for signing, and the claims.
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, &ClaimsMessage{
+		Name:             username,
+		RegisteredClaims: registeredClaims,
+	})
+	token.Header["kid"] = KeyID
+
+	// Create the JWT string.
+	tokenString, err := token.SignedString(secret)
+	if err != nil {
+		return "", err
+	}
+
+	return tokenString, nil
+}
--- a/server/route/api/v1/auth_service.go
+++ b/server/route/api/v1/auth_service.go
@ -14,7 +14,6 @@ import (
 	apiv1pb "github.com/yourselfhosted/slash/proto/gen/api/v1"
 	storepb "github.com/yourselfhosted/slash/proto/gen/store"
 	"github.com/yourselfhosted/slash/server/metric"
-	"github.com/yourselfhosted/slash/server/route/auth"
 	"github.com/yourselfhosted/slash/server/service/license"
 	"github.com/yourselfhosted/slash/store"
 )
@ -50,7 +49,7 @@ func (s *APIV1Service) SignIn(ctx context.Context, request *apiv1pb.SignInReques
 		return nil, status.Errorf(codes.InvalidArgument, "unmatched email and password")
 	}

-	accessToken, err := auth.GenerateAccessToken(user.Email, user.ID, time.Now().Add(auth.AccessTokenDuration), []byte(s.Secret))
+	accessToken, err := GenerateAccessToken(user.Email, user.ID, time.Now().Add(AccessTokenDuration), []byte(s.Secret))
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to generate tokens, err: %s", err))
 	}
@ -59,7 +58,7 @@ func (s *APIV1Service) SignIn(ctx context.Context, request *apiv1pb.SignInReques
 	}

 	if err := grpc.SetHeader(ctx, metadata.New(map[string]string{
-		"Set-Cookie": fmt.Sprintf("%s=%s; Path=/; Expires=%s; HttpOnly; SameSite=Strict", auth.AccessTokenCookieName, accessToken, time.Now().Add(auth.AccessTokenDuration).Format(time.RFC1123)),
+		"Set-Cookie": fmt.Sprintf("%s=%s; Path=/; Expires=%s; HttpOnly; SameSite=Strict", AccessTokenCookieName, accessToken, time.Now().Add(AccessTokenDuration).Format(time.RFC1123)),
 	})); err != nil {
 		return nil, status.Errorf(codes.Internal, "failed to set grpc header, error: %v", err)
 	}
@ -117,7 +116,7 @@ func (s *APIV1Service) SignUp(ctx context.Context, request *apiv1pb.SignUpReques
 		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to create user, err: %s", err))
 	}

-	accessToken, err := auth.GenerateAccessToken(user.Email, user.ID, time.Now().Add(auth.AccessTokenDuration), []byte(s.Secret))
+	accessToken, err := GenerateAccessToken(user.Email, user.ID, time.Now().Add(AccessTokenDuration), []byte(s.Secret))
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to generate tokens, err: %s", err))
 	}
@ -126,7 +125,7 @@ func (s *APIV1Service) SignUp(ctx context.Context, request *apiv1pb.SignUpReques
 	}

 	if err := grpc.SetHeader(ctx, metadata.New(map[string]string{
-		"Set-Cookie": fmt.Sprintf("%s=%s; Path=/; Expires=%s; HttpOnly; SameSite=Strict", auth.AccessTokenCookieName, accessToken, time.Now().Add(auth.AccessTokenDuration).Format(time.RFC1123)),
+		"Set-Cookie": fmt.Sprintf("%s=%s; Path=/; Expires=%s; HttpOnly; SameSite=Strict", AccessTokenCookieName, accessToken, time.Now().Add(AccessTokenDuration).Format(time.RFC1123)),
 	})); err != nil {
 		return nil, status.Errorf(codes.Internal, "failed to set grpc header, error: %v", err)
 	}
@ -140,7 +139,7 @@ func (s *APIV1Service) SignUp(ctx context.Context, request *apiv1pb.SignUpReques
 func (*APIV1Service) SignOut(ctx context.Context, _ *apiv1pb.SignOutRequest) (*apiv1pb.SignOutResponse, error) {
 	// Set the cookie header to expire access token.
 	if err := grpc.SetHeader(ctx, metadata.New(map[string]string{
-		"Set-Cookie": fmt.Sprintf("%s=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; SameSite=Strict", auth.AccessTokenCookieName),
+		"Set-Cookie": fmt.Sprintf("%s=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; SameSite=Strict", AccessTokenCookieName),
 	})); err != nil {
 		return nil, status.Errorf(codes.Internal, "failed to set grpc header, error: %v", err)
 	}
--- a/server/route/api/v1/user_service.go
+++ b/server/route/api/v1/user_service.go
@ -14,7 +14,6 @@ import (

 	apiv1pb "github.com/yourselfhosted/slash/proto/gen/api/v1"
 	storepb "github.com/yourselfhosted/slash/proto/gen/store"
-	"github.com/yourselfhosted/slash/server/route/auth"
 	"github.com/yourselfhosted/slash/server/service/license"
 	"github.com/yourselfhosted/slash/store"
 )
@ -152,7 +151,7 @@ func (s *APIV1Service) ListUserAccessTokens(ctx context.Context, request *apiv1p

 	accessTokens := []*apiv1pb.UserAccessToken{}
 	for _, userAccessToken := range userAccessTokens {
-		claims := &auth.ClaimsMessage{}
+		claims := &ClaimsMessage{}
 		_, err := jwt.ParseWithClaims(userAccessToken.AccessToken, claims, func(t *jwt.Token) (any, error) {
 			if t.Method.Alg() != jwt.SigningMethodHS256.Name {
 				return nil, errors.Errorf("unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256)
@ -203,12 +202,12 @@ func (s *APIV1Service) CreateUserAccessToken(ctx context.Context, request *apiv1
 	if request.ExpiresAt != nil {
 		expiresAt = request.ExpiresAt.AsTime()
 	}
-	accessToken, err := auth.GenerateAccessToken(user.Email, user.ID, expiresAt, []byte(s.Secret))
+	accessToken, err := GenerateAccessToken(user.Email, user.ID, expiresAt, []byte(s.Secret))
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "failed to generate access token: %v", err)
 	}

-	claims := &auth.ClaimsMessage{}
+	claims := &ClaimsMessage{}
 	_, err = jwt.ParseWithClaims(accessToken, claims, func(t *jwt.Token) (any, error) {
 		if t.Method.Alg() != jwt.SigningMethodHS256.Name {
 			return nil, errors.Errorf("unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256)