feat: implement get access tokens api

api/v2/acl.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"net/http"
 	"strings"
-	"time"
 
 	"github.com/boojack/slash/api/auth"
 	"github.com/boojack/slash/internal/util"
@@ -170,7 +169,7 @@ func audienceContains(audience jwt.ClaimStrings, token string) bool {
 
 func validateAccessToken(accessTokenString string, userAccessTokens []*storepb.AccessTokensUserSetting_AccessToken) bool {
 	for _, userAccessToken := range userAccessTokens {
-		if accessTokenString == userAccessToken.AccessToken && userAccessToken.ExpiresTime.AsTime().After(time.Now()) {
+		if accessTokenString == userAccessToken.AccessToken {
 			return true
 		}
 	}

api/v2/user_service.go

@@ -5,20 +5,25 @@ import (
 
 	apiv2pb "github.com/boojack/slash/proto/gen/api/v2"
 	"github.com/boojack/slash/store"
+	"github.com/golang-jwt/jwt/v4"
+	"github.com/pkg/errors"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/timestamppb"
 )
 
 type UserService struct {
 	apiv2pb.UnimplementedUserServiceServer
 
-	Store *store.Store
+	Secret string
+	Store  *store.Store
 }
 
 // NewUserService creates a new UserService.
-func NewUserService(store *store.Store) *UserService {
+func NewUserService(secret string, store *store.Store) *UserService {
 	return &UserService{
-		Store: store,
+		Secret: secret,
+		Store:  store,
 	}
 }
 
@@ -40,6 +45,50 @@ func (s *UserService) GetUser(ctx context.Context, request *apiv2pb.GetUserReque
 	return response, nil
 }
 
+func (s *UserService) GetUserAccessTokens(ctx context.Context, request *apiv2pb.GetUserAccessTokensRequest) (*apiv2pb.GetUserAccessTokensResponse, error) {
+	userID := ctx.Value(UserIDContextKey).(int32)
+	if userID != request.Id {
+		return nil, status.Errorf(codes.PermissionDenied, "Permission denied")
+	}
+
+	userAccessTokens, err := s.Store.GetUserAccessTokens(ctx, userID)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list access tokens: %v", err)
+	}
+
+	accessTokens := []*apiv2pb.GetUserAccessTokensResponse_AccessToken{}
+	for _, userAccessToken := range userAccessTokens {
+		claims := &claimsMessage{}
+		_, err := jwt.ParseWithClaims(userAccessToken.AccessToken, claims, func(t *jwt.Token) (any, error) {
+			if t.Method.Alg() != jwt.SigningMethodHS256.Name {
+				return nil, errors.Errorf("unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256)
+			}
+			if kid, ok := t.Header["kid"].(string); ok {
+				if kid == "v1" {
+					return []byte(s.Secret), nil
+				}
+			}
+			return nil, errors.Errorf("unexpected access token kid=%v", t.Header["kid"])
+		})
+		if err != nil {
+			// If the access token is invalid or expired, just ignore it.
+			continue
+		}
+
+		accessTokens = append(accessTokens, &apiv2pb.GetUserAccessTokensResponse_AccessToken{
+			AccessToken: userAccessToken.AccessToken,
+			Description: userAccessToken.Description,
+			ExpiresTime: timestamppb.New(claims.ExpiresAt.Time),
+			CreatedTime: timestamppb.New(claims.IssuedAt.Time),
+		})
+	}
+
+	response := &apiv2pb.GetUserAccessTokensResponse{
+		AccessTokens: accessTokens,
+	}
+	return response, nil
+}
+
 func convertUserFromStore(user *store.User) *apiv2pb.User {
 	return &apiv2pb.User{
 		Id:        int32(user.ID),

api/v2/v2.go

@@ -29,7 +29,7 @@ func NewAPIV2Service(secret string, profile *profile.Profile, store *store.Store
 			authProvider.AuthenticationInterceptor,
 		),
 	)
-	apiv2pb.RegisterUserServiceServer(grpcServer, NewUserService(store))
+	apiv2pb.RegisterUserServiceServer(grpcServer, NewUserService(secret, store))
 
 	return &APIV2Service{
 		Secret:         secret,