feat: allow to generate access token without expires time

2025-04-21 06:13:33 +00:00 · 2023-08-07 19:52:13 +08:00 · 2023-08-07 19:52:13 +08:00 · dadf42c09b
commit dadf42c09b
parent e855f8c5ad
5 changed files with 44 additions and 32 deletions
--- a/api/auth/auth.go
+++ b/api/auth/auth.go
@ -37,21 +37,21 @@ func GenerateAccessToken(username string, userID int32, expirationTime time.Time

 // generateToken generates a jwt token.
 func generateToken(username string, userID int32, audience string, expirationTime time.Time, secret []byte) (string, error) {
-	// Create the JWT claims, which includes the username and expiry time.
-	claims := &ClaimsMessage{
-		Name: username,
-		RegisteredClaims: jwt.RegisteredClaims{
+	registeredClaims := jwt.RegisteredClaims{
 		Issuer:   Issuer,
 		Audience: jwt.ClaimStrings{audience},
-			// In JWT, the expiry time is expressed as unix milliseconds.
-			ExpiresAt: jwt.NewNumericDate(expirationTime),
 		IssuedAt: jwt.NewNumericDate(time.Now()),
 		Subject:  fmt.Sprint(userID),
-		},
+	}
+	if expirationTime.After(time.Now()) {
+		registeredClaims.ExpiresAt = jwt.NewNumericDate(expirationTime)
 	}

 	// Declare the token with the HS256 algorithm used for signing, and the claims.
-	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, &ClaimsMessage{
+		Name:             username,
+		RegisteredClaims: registeredClaims,
+	})
 	token.Header["kid"] = KeyID

 	// Create the JWT string.
--- a/api/v2/acl.go
+++ b/api/v2/acl.go
@ -17,9 +17,7 @@ import (
 	"google.golang.org/grpc/status"
 )

-var authenticationAllowlistMethods = map[string]bool{
-	"/memos.api.v2.UserService/GetUser": true,
-}
+var authenticationAllowlistMethods = map[string]bool{}

 // IsAuthenticationAllowed returns whether the method is exempted from authentication.
 func IsAuthenticationAllowed(fullMethodName string) bool {
@ -60,7 +58,7 @@ func (in *GRPCAuthInterceptor) AuthenticationInterceptor(ctx context.Context, re
 	}
 	accessToken, err := getTokenFromMetadata(md)
 	if err != nil {
-		return nil, status.Errorf(codes.Unauthenticated, err.Error())
+		return nil, status.Errorf(codes.Unauthenticated, "failed to get access token from metadata: %v", err)
 	}

 	userID, err := in.authenticate(ctx, accessToken)
@ -71,11 +69,11 @@ func (in *GRPCAuthInterceptor) AuthenticationInterceptor(ctx context.Context, re
 		return nil, err
 	}

-	accessTokens, err := in.Store.GetUserAccessTokens(ctx, userID)
+	userAccessTokens, err := in.Store.GetUserAccessTokens(ctx, userID)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to get user access tokens")
 	}
-	if !validateAccessToken(accessToken, accessTokens) {
+	if !validateAccessToken(accessToken, userAccessTokens) {
 		return nil, status.Errorf(codes.Unauthenticated, "invalid access token")
 	}

@ -132,15 +130,16 @@ func (in *GRPCAuthInterceptor) authenticate(ctx context.Context, accessTokenStr
 }

 func getTokenFromMetadata(md metadata.MD) (string, error) {
+	// Try to get the token from the authorization header first.
 	authorizationHeaders := md.Get("Authorization")
-	if len(md.Get("Authorization")) > 0 {
+	if len(authorizationHeaders) > 0 {
 		authHeaderParts := strings.Fields(authorizationHeaders[0])
 		if len(authHeaderParts) != 2 || strings.ToLower(authHeaderParts[0]) != "bearer" {
 			return "", errors.Errorf("authorization header format must be Bearer {token}")
 		}
 		return authHeaderParts[1], nil
 	}
-	// check the HTTP cookie
+	// Try to get the token from the cookie header.
 	var accessToken string
 	for _, t := range append(md.Get("grpcgateway-cookie"), md.Get("cookie")...) {
 		header := http.Header{}
--- a/api/v2/user_service.go
+++ b/api/v2/user_service.go
@ -9,6 +9,7 @@ import (
 	"github.com/boojack/slash/store"
 	"github.com/golang-jwt/jwt/v4"
 	"github.com/pkg/errors"
+	"golang.org/x/exp/slices"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/timestamppb"
@ -77,14 +78,21 @@ func (s *UserService) ListUserAccessTokens(ctx context.Context, request *apiv2pb
 			continue
 		}

-		accessTokens = append(accessTokens, &apiv2pb.UserAccessToken{
+		userAccessToken := &apiv2pb.UserAccessToken{
 			AccessToken: userAccessToken.AccessToken,
 			Description: userAccessToken.Description,
 			IssuedAt:    timestamppb.New(claims.IssuedAt.Time),
-			ExpiresAt:   timestamppb.New(claims.ExpiresAt.Time),
-		})
+		}
+		if claims.ExpiresAt != nil {
+			userAccessToken.ExpiresAt = timestamppb.New(claims.ExpiresAt.Time)
+		}
+		accessTokens = append(accessTokens, userAccessToken)
 	}

+	// Sort by issued time in descending order.
+	slices.SortFunc(accessTokens, func(i, j *apiv2pb.UserAccessToken) bool {
+		return i.IssuedAt.Seconds > j.IssuedAt.Seconds
+	})
 	response := &apiv2pb.ListUserAccessTokensResponse{
 		AccessTokens: accessTokens,
 	}
@ -133,13 +141,16 @@ func (s *UserService) CreateUserAccessToken(ctx context.Context, request *apiv2p
 		return nil, status.Errorf(codes.Internal, "failed to upsert access token to store: %v", err)
 	}

-	response := &apiv2pb.CreateUserAccessTokenResponse{
-		AccessToken: &apiv2pb.UserAccessToken{
+	userAccessToken := &apiv2pb.UserAccessToken{
 		AccessToken: accessToken,
 		Description: request.UserAccessToken.Description,
 		IssuedAt:    timestamppb.New(claims.IssuedAt.Time),
-			ExpiresAt:   timestamppb.New(claims.ExpiresAt.Time),
-		},
+	}
+	if claims.ExpiresAt != nil {
+		userAccessToken.ExpiresAt = timestamppb.New(claims.ExpiresAt.Time)
+	}
+	response := &apiv2pb.CreateUserAccessTokenResponse{
+		AccessToken: userAccessToken,
 	}
 	return response, nil
 }
--- a/web/src/components/CreateAccessTokenDialog.tsx
+++ b/web/src/components/CreateAccessTokenDialog.tsx
@ -25,8 +25,8 @@ const expirationOptions = [
    value: 3600 * 24 * 7,
  },
  {
-    label: "Life time",
-    value: 3600 * 24 * 365 * 100,
+    label: "Never",
+    value: 0,
  },
 ];

--- a/web/src/components/setting/AccessTokenSection.tsx
+++ b/web/src/components/setting/AccessTokenSection.tsx
@ -95,7 +95,9 @@ const AccessTokenSection = () => {
                          {getFormatedAccessToken(userAccessToken.accessToken)}
                        </td>
                        <td className="whitespace-nowrap px-3 py-4 text-sm text-gray-500">{String(userAccessToken.issuedAt)}</td>
-                        <td className="whitespace-nowrap px-3 py-4 text-sm text-gray-500">{String(userAccessToken.expiresAt)}</td>
+                        <td className="whitespace-nowrap px-3 py-4 text-sm text-gray-500">
+                          {String(userAccessToken.expiresAt ?? "Never")}
+                        </td>
                        <td className="relative whitespace-nowrap py-4 pl-3 pr-4 text-right text-sm font-medium">
                          <button
                            className="text-indigo-600 hover:text-indigo-900"