From 26aa00e20bda849eb20c2bb224837b6ad5d117bb Mon Sep 17 00:00:00 2001 From: Steven Date: Tue, 21 May 2024 20:34:06 +0800 Subject: [PATCH] chore: update auth checks --- server/route/api/v1/acl.go | 9 ++++----- server/route/{auth => api/v1}/auth.go | 2 +- server/route/api/v1/auth_service.go | 11 +++++------ server/route/api/v1/user_service.go | 7 +++---- 4 files changed, 13 insertions(+), 16 deletions(-) rename server/route/{auth => api/v1}/auth.go (99%) diff --git a/server/route/api/v1/acl.go b/server/route/api/v1/acl.go index bd5fddc..3b9dcc6 100644 --- a/server/route/api/v1/acl.go +++ b/server/route/api/v1/acl.go @@ -14,7 +14,6 @@ import ( "github.com/yourselfhosted/slash/internal/util" storepb "github.com/yourselfhosted/slash/proto/gen/store" - "github.com/yourselfhosted/slash/server/route/auth" "github.com/yourselfhosted/slash/store" ) @@ -81,7 +80,7 @@ func (in *GRPCAuthInterceptor) authenticate(ctx context.Context, accessToken str if accessToken == "" { return 0, status.Errorf(codes.Unauthenticated, "access token not found") } - claims := &auth.ClaimsMessage{} + claims := &ClaimsMessage{} _, err := jwt.ParseWithClaims(accessToken, claims, func(t *jwt.Token) (any, error) { if t.Method.Alg() != jwt.SigningMethodHS256.Name { return nil, status.Errorf(codes.Unauthenticated, "unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256) @@ -96,11 +95,11 @@ func (in *GRPCAuthInterceptor) authenticate(ctx context.Context, accessToken str if err != nil { return 0, status.Errorf(codes.Unauthenticated, "Invalid or expired access token") } - if !audienceContains(claims.Audience, auth.AccessTokenAudienceName) { + if !audienceContains(claims.Audience, AccessTokenAudienceName) { return 0, status.Errorf(codes.Unauthenticated, "invalid access token, audience mismatch, got %q, expected %q. you may send request to the wrong environment", claims.Audience, - auth.AccessTokenAudienceName, + AccessTokenAudienceName, ) } @@ -148,7 +147,7 @@ func getTokenFromMetadata(md metadata.MD) (string, error) { header := http.Header{} header.Add("Cookie", t) request := http.Request{Header: header} - if v, _ := request.Cookie(auth.AccessTokenCookieName); v != nil { + if v, _ := request.Cookie(AccessTokenCookieName); v != nil { accessToken = v.Value } } diff --git a/server/route/auth/auth.go b/server/route/api/v1/auth.go similarity index 99% rename from server/route/auth/auth.go rename to server/route/api/v1/auth.go index 458fa55..57eb0a3 100644 --- a/server/route/auth/auth.go +++ b/server/route/api/v1/auth.go @@ -1,4 +1,4 @@ -package auth +package v1 import ( "fmt" diff --git a/server/route/api/v1/auth_service.go b/server/route/api/v1/auth_service.go index 3469bc4..2332f51 100644 --- a/server/route/api/v1/auth_service.go +++ b/server/route/api/v1/auth_service.go @@ -14,7 +14,6 @@ import ( apiv1pb "github.com/yourselfhosted/slash/proto/gen/api/v1" storepb "github.com/yourselfhosted/slash/proto/gen/store" "github.com/yourselfhosted/slash/server/metric" - "github.com/yourselfhosted/slash/server/route/auth" "github.com/yourselfhosted/slash/server/service/license" "github.com/yourselfhosted/slash/store" ) @@ -50,7 +49,7 @@ func (s *APIV1Service) SignIn(ctx context.Context, request *apiv1pb.SignInReques return nil, status.Errorf(codes.InvalidArgument, "unmatched email and password") } - accessToken, err := auth.GenerateAccessToken(user.Email, user.ID, time.Now().Add(auth.AccessTokenDuration), []byte(s.Secret)) + accessToken, err := GenerateAccessToken(user.Email, user.ID, time.Now().Add(AccessTokenDuration), []byte(s.Secret)) if err != nil { return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to generate tokens, err: %s", err)) } @@ -59,7 +58,7 @@ func (s *APIV1Service) SignIn(ctx context.Context, request *apiv1pb.SignInReques } if err := grpc.SetHeader(ctx, metadata.New(map[string]string{ - "Set-Cookie": fmt.Sprintf("%s=%s; Path=/; Expires=%s; HttpOnly; SameSite=Strict", auth.AccessTokenCookieName, accessToken, time.Now().Add(auth.AccessTokenDuration).Format(time.RFC1123)), + "Set-Cookie": fmt.Sprintf("%s=%s; Path=/; Expires=%s; HttpOnly; SameSite=Strict", AccessTokenCookieName, accessToken, time.Now().Add(AccessTokenDuration).Format(time.RFC1123)), })); err != nil { return nil, status.Errorf(codes.Internal, "failed to set grpc header, error: %v", err) } @@ -117,7 +116,7 @@ func (s *APIV1Service) SignUp(ctx context.Context, request *apiv1pb.SignUpReques return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to create user, err: %s", err)) } - accessToken, err := auth.GenerateAccessToken(user.Email, user.ID, time.Now().Add(auth.AccessTokenDuration), []byte(s.Secret)) + accessToken, err := GenerateAccessToken(user.Email, user.ID, time.Now().Add(AccessTokenDuration), []byte(s.Secret)) if err != nil { return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to generate tokens, err: %s", err)) } @@ -126,7 +125,7 @@ func (s *APIV1Service) SignUp(ctx context.Context, request *apiv1pb.SignUpReques } if err := grpc.SetHeader(ctx, metadata.New(map[string]string{ - "Set-Cookie": fmt.Sprintf("%s=%s; Path=/; Expires=%s; HttpOnly; SameSite=Strict", auth.AccessTokenCookieName, accessToken, time.Now().Add(auth.AccessTokenDuration).Format(time.RFC1123)), + "Set-Cookie": fmt.Sprintf("%s=%s; Path=/; Expires=%s; HttpOnly; SameSite=Strict", AccessTokenCookieName, accessToken, time.Now().Add(AccessTokenDuration).Format(time.RFC1123)), })); err != nil { return nil, status.Errorf(codes.Internal, "failed to set grpc header, error: %v", err) } @@ -140,7 +139,7 @@ func (s *APIV1Service) SignUp(ctx context.Context, request *apiv1pb.SignUpReques func (*APIV1Service) SignOut(ctx context.Context, _ *apiv1pb.SignOutRequest) (*apiv1pb.SignOutResponse, error) { // Set the cookie header to expire access token. if err := grpc.SetHeader(ctx, metadata.New(map[string]string{ - "Set-Cookie": fmt.Sprintf("%s=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; SameSite=Strict", auth.AccessTokenCookieName), + "Set-Cookie": fmt.Sprintf("%s=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; SameSite=Strict", AccessTokenCookieName), })); err != nil { return nil, status.Errorf(codes.Internal, "failed to set grpc header, error: %v", err) } diff --git a/server/route/api/v1/user_service.go b/server/route/api/v1/user_service.go index f9970c3..48dbc54 100644 --- a/server/route/api/v1/user_service.go +++ b/server/route/api/v1/user_service.go @@ -14,7 +14,6 @@ import ( apiv1pb "github.com/yourselfhosted/slash/proto/gen/api/v1" storepb "github.com/yourselfhosted/slash/proto/gen/store" - "github.com/yourselfhosted/slash/server/route/auth" "github.com/yourselfhosted/slash/server/service/license" "github.com/yourselfhosted/slash/store" ) @@ -152,7 +151,7 @@ func (s *APIV1Service) ListUserAccessTokens(ctx context.Context, request *apiv1p accessTokens := []*apiv1pb.UserAccessToken{} for _, userAccessToken := range userAccessTokens { - claims := &auth.ClaimsMessage{} + claims := &ClaimsMessage{} _, err := jwt.ParseWithClaims(userAccessToken.AccessToken, claims, func(t *jwt.Token) (any, error) { if t.Method.Alg() != jwt.SigningMethodHS256.Name { return nil, errors.Errorf("unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256) @@ -203,12 +202,12 @@ func (s *APIV1Service) CreateUserAccessToken(ctx context.Context, request *apiv1 if request.ExpiresAt != nil { expiresAt = request.ExpiresAt.AsTime() } - accessToken, err := auth.GenerateAccessToken(user.Email, user.ID, expiresAt, []byte(s.Secret)) + accessToken, err := GenerateAccessToken(user.Email, user.ID, expiresAt, []byte(s.Secret)) if err != nil { return nil, status.Errorf(codes.Internal, "failed to generate access token: %v", err) } - claims := &auth.ClaimsMessage{} + claims := &ClaimsMessage{} _, err = jwt.ParseWithClaims(accessToken, claims, func(t *jwt.Token) (any, error) { if t.Method.Alg() != jwt.SigningMethodHS256.Name { return nil, errors.Errorf("unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256)