aykhans/slash-e
1
0
Fork 0
mirror of https://github.com/aykhans/slash-e.git synced 2025-04-19 05:25:43 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

chore: update auth checks

Browse Source
This commit is contained in:
Steven 2024-05-21 20:34:06 +08:00
parent 0602b2475a
commit 26aa00e20b
4 changed files with 13 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
server/route/api/v1/acl.go
View File

@ -14,7 +14,6 @@ import (
"github.com/yourselfhosted/slash/internal/util" "github.com/yourselfhosted/slash/internal/util"
storepb "github.com/yourselfhosted/slash/proto/gen/store" storepb "github.com/yourselfhosted/slash/proto/gen/store"
"github.com/yourselfhosted/slash/server/route/auth"
"github.com/yourselfhosted/slash/store" "github.com/yourselfhosted/slash/store"
) )
@ -81,7 +80,7 @@ func (in *GRPCAuthInterceptor) authenticate(ctx context.Context, accessToken str
if accessToken == "" { if accessToken == "" {
return 0, status.Errorf(codes.Unauthenticated, "access token not found") return 0, status.Errorf(codes.Unauthenticated, "access token not found")
} }
claims := &auth.ClaimsMessage{} claims := &ClaimsMessage{}
_, err := jwt.ParseWithClaims(accessToken, claims, func(t *jwt.Token) (any, error) { _, err := jwt.ParseWithClaims(accessToken, claims, func(t *jwt.Token) (any, error) {
if t.Method.Alg() != jwt.SigningMethodHS256.Name { if t.Method.Alg() != jwt.SigningMethodHS256.Name {
return nil, status.Errorf(codes.Unauthenticated, "unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256) return nil, status.Errorf(codes.Unauthenticated, "unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256)
@ -96,11 +95,11 @@ func (in *GRPCAuthInterceptor) authenticate(ctx context.Context, accessToken str
if err != nil { if err != nil {
return 0, status.Errorf(codes.Unauthenticated, "Invalid or expired access token") return 0, status.Errorf(codes.Unauthenticated, "Invalid or expired access token")
} }
if !audienceContains(claims.Audience, auth.AccessTokenAudienceName) { if !audienceContains(claims.Audience, AccessTokenAudienceName) {
return 0, status.Errorf(codes.Unauthenticated, return 0, status.Errorf(codes.Unauthenticated,
"invalid access token, audience mismatch, got %q, expected %q. you may send request to the wrong environment", "invalid access token, audience mismatch, got %q, expected %q. you may send request to the wrong environment",
claims.Audience, claims.Audience,
auth.AccessTokenAudienceName, AccessTokenAudienceName,
) )
} }
@ -148,7 +147,7 @@ func getTokenFromMetadata(md metadata.MD) (string, error) {
header := http.Header{} header := http.Header{}
header.Add("Cookie", t) header.Add("Cookie", t)
request := http.Request{Header: header} request := http.Request{Header: header}
if v, _ := request.Cookie(auth.AccessTokenCookieName); v != nil { if v, _ := request.Cookie(AccessTokenCookieName); v != nil {
accessToken = v.Value accessToken = v.Value
} }
} }

2
server/route/auth/auth.go → server/route/api/v1/auth.go
View File

@ -1,4 +1,4 @@
package auth package v1
import ( import (
"fmt" "fmt"

11
server/route/api/v1/auth_service.go
View File

@ -14,7 +14,6 @@ import (
apiv1pb "github.com/yourselfhosted/slash/proto/gen/api/v1" apiv1pb "github.com/yourselfhosted/slash/proto/gen/api/v1"
storepb "github.com/yourselfhosted/slash/proto/gen/store" storepb "github.com/yourselfhosted/slash/proto/gen/store"
"github.com/yourselfhosted/slash/server/metric" "github.com/yourselfhosted/slash/server/metric"
"github.com/yourselfhosted/slash/server/route/auth"
"github.com/yourselfhosted/slash/server/service/license" "github.com/yourselfhosted/slash/server/service/license"
"github.com/yourselfhosted/slash/store" "github.com/yourselfhosted/slash/store"
) )
@ -50,7 +49,7 @@ func (s *APIV1Service) SignIn(ctx context.Context, request *apiv1pb.SignInReques
return nil, status.Errorf(codes.InvalidArgument, "unmatched email and password") return nil, status.Errorf(codes.InvalidArgument, "unmatched email and password")
} }
accessToken, err := auth.GenerateAccessToken(user.Email, user.ID, time.Now().Add(auth.AccessTokenDuration), []byte(s.Secret)) accessToken, err := GenerateAccessToken(user.Email, user.ID, time.Now().Add(AccessTokenDuration), []byte(s.Secret))
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to generate tokens, err: %s", err)) return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to generate tokens, err: %s", err))
} }
@ -59,7 +58,7 @@ func (s *APIV1Service) SignIn(ctx context.Context, request *apiv1pb.SignInReques
} }
if err := grpc.SetHeader(ctx, metadata.New(map[string]string{ if err := grpc.SetHeader(ctx, metadata.New(map[string]string{
"Set-Cookie": fmt.Sprintf("%s=%s; Path=/; Expires=%s; HttpOnly; SameSite=Strict", auth.AccessTokenCookieName, accessToken, time.Now().Add(auth.AccessTokenDuration).Format(time.RFC1123)), "Set-Cookie": fmt.Sprintf("%s=%s; Path=/; Expires=%s; HttpOnly; SameSite=Strict", AccessTokenCookieName, accessToken, time.Now().Add(AccessTokenDuration).Format(time.RFC1123)),
})); err != nil { })); err != nil {
return nil, status.Errorf(codes.Internal, "failed to set grpc header, error: %v", err) return nil, status.Errorf(codes.Internal, "failed to set grpc header, error: %v", err)
} }
@ -117,7 +116,7 @@ func (s *APIV1Service) SignUp(ctx context.Context, request *apiv1pb.SignUpReques
return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to create user, err: %s", err)) return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to create user, err: %s", err))
} }
accessToken, err := auth.GenerateAccessToken(user.Email, user.ID, time.Now().Add(auth.AccessTokenDuration), []byte(s.Secret)) accessToken, err := GenerateAccessToken(user.Email, user.ID, time.Now().Add(AccessTokenDuration), []byte(s.Secret))
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to generate tokens, err: %s", err)) return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to generate tokens, err: %s", err))
} }
@ -126,7 +125,7 @@ func (s *APIV1Service) SignUp(ctx context.Context, request *apiv1pb.SignUpReques
} }
if err := grpc.SetHeader(ctx, metadata.New(map[string]string{ if err := grpc.SetHeader(ctx, metadata.New(map[string]string{
"Set-Cookie": fmt.Sprintf("%s=%s; Path=/; Expires=%s; HttpOnly; SameSite=Strict", auth.AccessTokenCookieName, accessToken, time.Now().Add(auth.AccessTokenDuration).Format(time.RFC1123)), "Set-Cookie": fmt.Sprintf("%s=%s; Path=/; Expires=%s; HttpOnly; SameSite=Strict", AccessTokenCookieName, accessToken, time.Now().Add(AccessTokenDuration).Format(time.RFC1123)),
})); err != nil { })); err != nil {
return nil, status.Errorf(codes.Internal, "failed to set grpc header, error: %v", err) return nil, status.Errorf(codes.Internal, "failed to set grpc header, error: %v", err)
} }
@ -140,7 +139,7 @@ func (s *APIV1Service) SignUp(ctx context.Context, request *apiv1pb.SignUpReques
func (*APIV1Service) SignOut(ctx context.Context, _ *apiv1pb.SignOutRequest) (*apiv1pb.SignOutResponse, error) { func (*APIV1Service) SignOut(ctx context.Context, _ *apiv1pb.SignOutRequest) (*apiv1pb.SignOutResponse, error) {
// Set the cookie header to expire access token. // Set the cookie header to expire access token.
if err := grpc.SetHeader(ctx, metadata.New(map[string]string{ if err := grpc.SetHeader(ctx, metadata.New(map[string]string{
"Set-Cookie": fmt.Sprintf("%s=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; SameSite=Strict", auth.AccessTokenCookieName), "Set-Cookie": fmt.Sprintf("%s=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; SameSite=Strict", AccessTokenCookieName),
})); err != nil { })); err != nil {
return nil, status.Errorf(codes.Internal, "failed to set grpc header, error: %v", err) return nil, status.Errorf(codes.Internal, "failed to set grpc header, error: %v", err)
} }

7
server/route/api/v1/user_service.go
View File

@ -14,7 +14,6 @@ import (
apiv1pb "github.com/yourselfhosted/slash/proto/gen/api/v1" apiv1pb "github.com/yourselfhosted/slash/proto/gen/api/v1"
storepb "github.com/yourselfhosted/slash/proto/gen/store" storepb "github.com/yourselfhosted/slash/proto/gen/store"
"github.com/yourselfhosted/slash/server/route/auth"
"github.com/yourselfhosted/slash/server/service/license" "github.com/yourselfhosted/slash/server/service/license"
"github.com/yourselfhosted/slash/store" "github.com/yourselfhosted/slash/store"
) )
@ -152,7 +151,7 @@ func (s *APIV1Service) ListUserAccessTokens(ctx context.Context, request *apiv1p
accessTokens := []*apiv1pb.UserAccessToken{} accessTokens := []*apiv1pb.UserAccessToken{}
for _, userAccessToken := range userAccessTokens { for _, userAccessToken := range userAccessTokens {
claims := &auth.ClaimsMessage{} claims := &ClaimsMessage{}
_, err := jwt.ParseWithClaims(userAccessToken.AccessToken, claims, func(t *jwt.Token) (any, error) { _, err := jwt.ParseWithClaims(userAccessToken.AccessToken, claims, func(t *jwt.Token) (any, error) {
if t.Method.Alg() != jwt.SigningMethodHS256.Name { if t.Method.Alg() != jwt.SigningMethodHS256.Name {
return nil, errors.Errorf("unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256) return nil, errors.Errorf("unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256)
@ -203,12 +202,12 @@ func (s *APIV1Service) CreateUserAccessToken(ctx context.Context, request *apiv1
if request.ExpiresAt != nil { if request.ExpiresAt != nil {
expiresAt = request.ExpiresAt.AsTime() expiresAt = request.ExpiresAt.AsTime()
} }
accessToken, err := auth.GenerateAccessToken(user.Email, user.ID, expiresAt, []byte(s.Secret)) accessToken, err := GenerateAccessToken(user.Email, user.ID, expiresAt, []byte(s.Secret))
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "failed to generate access token: %v", err) return nil, status.Errorf(codes.Internal, "failed to generate access token: %v", err)
} }
claims := &auth.ClaimsMessage{} claims := &ClaimsMessage{}
_, err = jwt.ParseWithClaims(accessToken, claims, func(t *jwt.Token) (any, error) { _, err = jwt.ParseWithClaims(accessToken, claims, func(t *jwt.Token) (any, error) {
if t.Method.Alg() != jwt.SigningMethodHS256.Name { if t.Method.Alg() != jwt.SigningMethodHS256.Name {
return nil, errors.Errorf("unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256) return nil, errors.Errorf("unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256)