Merge branch 'main' into dependabot/go_modules/github.com/stretchr/te…

…stify-1.8.4
Ptt-official-app · Aug 3, 2023 · ad1c7e4 · ad1c7e4
2 parents 6a16e63 + c426d60
commit ad1c7e4
Show file tree

Hide file tree

Showing 112 changed files with 614 additions and 251 deletions.
diff --git a/.gitignore b/.gitignore
@@ -10,6 +10,8 @@
 /swagger
 /02-config.run.ini
 /03-config.run-in-docker.ini
+/ptttype/00-config-production.go
+/ptttype/02-config-run.go
 **/cover.out
 /docker_compose.env
 

diff --git a/api/00-config.go b/api/00-config.go
@@ -6,14 +6,19 @@ import (
 
 var (
 	// Creating JWT Token
-	JWT_SECRET = []byte("jwt_secret")
 	JWT_ISSUER = "go-pttbbs"
 	GUEST      = "guest"
 
-	EMAIL_JWT_SECRET = []byte("email_jwt_secret")
+	JWT_SECRET                = []byte("jwt_secret")
+	JWT_TOKEN_EXPIRE_TS       = 86400 * 1 // 1 days
+	JWT_TOKEN_EXPIRE_DURATION = time.Duration(JWT_TOKEN_EXPIRE_TS) * time.Second
 
-	JWT_TOKEN_EXPIRE_TS             = 86400 * 1 // 1 days
-	JWT_TOKEN_EXPIRE_DURATION       = time.Duration(JWT_TOKEN_EXPIRE_TS) * time.Second
+	EMAIL_JWT_SECRET                = []byte("email_jwt_secret")
 	EMAIL_JWT_TOKEN_EXPIRE_TS       = 60 * 15 // 15 mins
 	EMAIL_JWT_TOKEN_EXPIRE_DURATION = time.Duration(EMAIL_JWT_TOKEN_EXPIRE_TS) * time.Second
+
+	REFRESH_JWT_CLAIM_TYPE            = "refresh"
+	REFRESH_JWT_SECRET                = []byte("refresh_jwt_secret")
+	REFRESH_JWT_TOKEN_EXPIRE_TS       = 86400 * 7 // 7 days
+	REFRESH_JWT_TOKEN_EXPIRE_DURATION = time.Duration(REFRESH_JWT_TOKEN_EXPIRE_TS) * time.Second
 )
diff --git a/api/api.go b/api/api.go
@@ -40,6 +40,6 @@ func process(theFunc APIFunc, params interface{}, c *gin.Context) {
 		return
 	}
 
-	result, err := theFunc(remoteAddr, params)
+	result, err := theFunc(remoteAddr, params, c)
 	processResult(c, result, err)
 }
diff --git a/api/api_login_required.go b/api/api_login_required.go
@@ -43,11 +43,11 @@ func loginRequiredProcess(theFunc LoginRequiredAPIFunc, params interface{}, c *g
 
 	jwt := GetJwt(c)
 
-	userID, _, err := VerifyJwt(jwt)
+	userID, _, _, err := VerifyJwt(jwt, true)
 	if err != nil {
 		userID = bbs.UUserID(GUEST)
 	}
 
-	result, err := theFunc(remoteAddr, userID, params)
+	result, err := theFunc(remoteAddr, userID, params, c)
 	processResult(c, result, err)
 }
diff --git a/api/api_login_required_path.go b/api/api_login_required_path.go
@@ -49,11 +49,11 @@ func loginRequiredPathProcess(theFunc LoginRequiredPathAPIFunc, params interface
 
 	jwt := GetJwt(c)
 
-	userID, _, err := VerifyJwt(jwt)
+	userID, _, _, err := VerifyJwt(jwt, true)
 	if err != nil {
 		userID = bbs.UUserID(GUEST)
 	}
 
-	result, err := theFunc(remoteAddr, userID, params, path)
+	result, err := theFunc(remoteAddr, userID, params, path, c)
 	processResult(c, result, err)
 }
diff --git a/api/attempt_change_email.go b/api/attempt_change_email.go
@@ -28,7 +28,7 @@ func AttemptChangeEmailWrapper(c *gin.Context) {
 	LoginRequiredPathJSON(AttemptChangeEmail, params, path, c)
 }
 
-func AttemptChangeEmail(remoteAddr string, uuserID bbs.UUserID, params interface{}, path interface{}) (result interface{}, err error) {
+func AttemptChangeEmail(remoteAddr string, uuserID bbs.UUserID, params interface{}, path interface{}, c *gin.Context) (result interface{}, err error) {
 	theParams, ok := params.(*AttemptChangeEmailParams)
 	if !ok {
 		return nil, ErrInvalidParams

diff --git a/api/attempt_change_email_test.go b/api/attempt_change_email_test.go
@@ -51,7 +51,7 @@ func TestAttemptChangeEmail(t *testing.T) {
 		wg.Add(1)
 		t.Run(tt.name, func(t *testing.T) {
 			defer wg.Done()
-			gotResult, err := AttemptChangeEmail(tt.args.remoteAddr, tt.args.uuserID, tt.args.params, tt.args.path)
+			gotResult, err := AttemptChangeEmail(tt.args.remoteAddr, tt.args.uuserID, tt.args.params, tt.args.path, nil)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("AttemptChangeEmail() error = %v, wantErr %v", err, tt.wantErr)
 				return

diff --git a/api/attempt_set_id_email.go b/api/attempt_set_id_email.go
@@ -28,7 +28,7 @@ func AttemptSetIDEmailWrapper(c *gin.Context) {
 	LoginRequiredPathJSON(AttemptSetIDEmail, params, path, c)
 }
 
-func AttemptSetIDEmail(remoteAddr string, uuserID bbs.UUserID, params interface{}, path interface{}) (result interface{}, err error) {
+func AttemptSetIDEmail(remoteAddr string, uuserID bbs.UUserID, params interface{}, path interface{}, c *gin.Context) (result interface{}, err error) {
 	theParams, ok := params.(*AttemptSetIDEmailParams)
 	if !ok {
 		return nil, ErrInvalidParams

diff --git a/api/attempt_set_id_email_test.go b/api/attempt_set_id_email_test.go
@@ -50,7 +50,7 @@ func TestAttemptSetIDEmail(t *testing.T) {
 		wg.Add(1)
 		t.Run(tt.name, func(t *testing.T) {
 			defer wg.Done()
-			gotResult, err := AttemptSetIDEmail(tt.args.remoteAddr, tt.args.uuserID, tt.args.params, tt.args.path)
+			gotResult, err := AttemptSetIDEmail(tt.args.remoteAddr, tt.args.uuserID, tt.args.params, tt.args.path, nil)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("AttemptSetIDEmail() error = %v, wantErr %v", err, tt.wantErr)
 				return

diff --git a/api/auth_utils.go b/api/auth_utils.go
@@ -20,22 +20,24 @@ func GetJwt(c *gin.Context) (jwt string) {
 	return tokenList[1]
 }
 
-func VerifyJwt(raw string) (userID bbs.UUserID, clientInfo string, err error) {
+func VerifyJwt(raw string, isCheckExpire bool) (userID bbs.UUserID, expireTS int, clientInfo string, err error) {
 	if raw == "" {
-		return bbs.UUserID(GUEST), "", nil
+		return bbs.UUserID(GUEST), 0, "", nil
 	}
 
 	cl, err := parseJwtClaim(raw)
 	if err != nil {
-		return "", "", ErrInvalidToken
+		return "", 0, "", ErrInvalidToken
 	}
 
-	currentTS := int(types.NowTS())
-	if currentTS > cl.Expire {
-		return "", "", ErrInvalidToken
+	if isCheckExpire {
+		currentTS := int(types.NowTS())
+		if currentTS > cl.Expire {
+			return "", 0, "", ErrInvalidToken
+		}
 	}
 
-	return bbs.UUserID(cl.UUserID), cl.ClientInfo, nil
+	return bbs.UUserID(cl.UUserID), cl.Expire, cl.ClientInfo, nil
 }
 
 func parseJwtClaim(raw string) (cl *JwtClaim, err error) {
@@ -95,26 +97,26 @@ func CreateToken(userID bbs.UUserID, clientInfo string) (raw string, err error)
 	return raw, nil
 }
 
-func VerifyEmailJwt(raw string, context EmailTokenContext) (userID bbs.UUserID, clientInfo string, email string, err error) {
+func VerifyEmailJwt(raw string, context EmailTokenContext) (userID bbs.UUserID, expireTS int, clientInfo string, email string, err error) {
 	if raw == "" {
-		return "", "", "", ErrInvalidToken
+		return "", 0, "", "", ErrInvalidToken
 	}
 
 	cl, err := parseEmailJwtClaim(raw)
 	if err != nil {
-		return "", "", "", ErrInvalidToken
+		return "", 0, "", "", ErrInvalidToken
 	}
 
 	currentTS := int(types.NowTS())
 	if currentTS > cl.Expire {
-		return "", "", "", ErrInvalidToken
+		return "", 0, "", "", ErrInvalidToken
 	}
 
 	if cl.Context != string(context) {
-		return "", "", "", ErrInvalidToken
+		return "", 0, "", "", ErrInvalidToken
 	}
 
-	return bbs.UUserID(cl.UUserID), cl.ClientInfo, cl.Email, nil
+	return bbs.UUserID(cl.UUserID), cl.Expire, cl.ClientInfo, cl.Email, nil
 }
 
 func parseEmailJwtClaim(raw string) (cl *EmailJwtClaim, err error) {
@@ -186,6 +188,91 @@ func CreateEmailToken(userID bbs.UUserID, clientInfo string, email string, conte
 	return raw, nil
 }
 
+func VerifyRefreshJwt(raw string) (userID bbs.UUserID, expireTS int, clientInfo string, err error) {
+	if raw == "" {
+		return bbs.UUserID(GUEST), 0, "", nil
+	}
+
+	cl, err := parseRefreshJwtClaim(raw)
+	if err != nil {
+		return "", 0, "", ErrInvalidToken
+	}
+
+	currentTS := int(types.NowTS())
+	if currentTS > cl.Expire {
+		return "", 0, "", ErrInvalidToken
+	}
+
+	if cl.TheType != REFRESH_JWT_CLAIM_TYPE {
+		return "", 0, "", ErrInvalidToken
+	}
+
+	return bbs.UUserID(cl.UUserID), cl.Expire, cl.ClientInfo, nil
+}
+
+func parseRefreshJwtClaim(raw string) (cl *RefreshJwtClaim, err error) {
+	tok, err := ParseJwt(raw, REFRESH_JWT_SECRET)
+	if err != nil {
+		return nil, err
+	}
+
+	claim, ok := tok.Claims.(jwt.MapClaims)
+	if !ok {
+		return nil, ErrInvalidToken
+	}
+
+	cli, err := ParseClaimString(claim, "cli")
+	if err != nil {
+		return nil, err
+	}
+	sub, err := ParseClaimString(claim, "sub")
+	if err != nil {
+		return nil, err
+	}
+	exp, err := ParseClaimInt(claim, "exp")
+	if err != nil {
+		return nil, err
+	}
+	typ, err := ParseClaimString(claim, "typ")
+	if err != nil {
+		return nil, err
+	}
+
+	cl = &RefreshJwtClaim{
+		ClientInfo: cli,
+		UUserID:    sub,
+		Expire:     exp,
+		TheType:    typ,
+	}
+
+	return cl, nil
+}
+
+func CreateRefreshToken(userID bbs.UUserID, clientInfo string) (raw string, err error) {
+	defer func() {
+		err2 := recover()
+		if err2 == nil {
+			return
+		}
+
+		err = types.ErrRecover(err2)
+	}()
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+		"cli": clientInfo,
+		"sub": userID,
+		"exp": int(types.NowTS()) + REFRESH_JWT_TOKEN_EXPIRE_TS,
+		"typ": REFRESH_JWT_CLAIM_TYPE,
+	})
+
+	raw, err = token.SignedString(REFRESH_JWT_SECRET)
+	if err != nil {
+		return "", err
+	}
+
+	return raw, nil
+}
+
 func ParseJwt(raw string, secret []byte) (tok *jwt.Token, err error) {
 	tok, err = jwt.Parse(raw, func(token *jwt.Token) (interface{}, error) {
 		return secret, nil

diff --git a/api/auth_utils_test.go b/api/auth_utils_test.go
@@ -45,7 +45,7 @@ func TestVerifyJwt(t *testing.T) {
 		wg.Add(1)
 		t.Run(tt.name, func(t *testing.T) {
 			defer wg.Done()
-			gotUserID, _, err := VerifyJwt(tt.args.raw)
+			gotUserID, _, _, err := VerifyJwt(tt.args.raw, true)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("VerifyJwt() error = %v, wantErr %v", err, tt.wantErr)
 				return
@@ -88,7 +88,7 @@ func TestVerifyEmailJwt(t *testing.T) {
 		wg.Add(1)
 		t.Run(tt.name, func(t *testing.T) {
 			defer wg.Done()
-			gotUserID, gotClientInfo, gotEmail, err := VerifyEmailJwt(tt.args.raw, CONTEXT_CHANGE_EMAIL)
+			gotUserID, _, gotClientInfo, gotEmail, err := VerifyEmailJwt(tt.args.raw, CONTEXT_CHANGE_EMAIL)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("VerifyEmailJwt() error = %v, wantErr %v", err, tt.wantErr)
 				return

diff --git a/api/change_email.go b/api/change_email.go
@@ -30,7 +30,7 @@ func ChangeEmailWrapper(c *gin.Context) {
 //
 // Sysop initiates only attempt-change-mail.
 // Sysop does not change email directly.
-func ChangeEmail(remoteAddr string, uuserID bbs.UUserID, params interface{}, path interface{}) (result interface{}, err error) {
+func ChangeEmail(remoteAddr string, uuserID bbs.UUserID, params interface{}, path interface{}, c *gin.Context) (result interface{}, err error) {
 	theParams, ok := params.(*ChangeEmailParams)
 	if !ok {
 		return nil, ErrInvalidParams

diff --git a/api/change_email_test.go b/api/change_email_test.go
@@ -49,7 +49,7 @@ func TestChangeEmail(t *testing.T) {
 		wg.Add(1)
 		t.Run(tt.name, func(t *testing.T) {
 			defer wg.Done()
-			gotResult, err := ChangeEmail(tt.args.remoteAddr, tt.args.uuserID, tt.args.params, tt.args.path)
+			gotResult, err := ChangeEmail(tt.args.remoteAddr, tt.args.uuserID, tt.args.params, tt.args.path, nil)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("ChangeEmail() error = %v, wantErr %v", err, tt.wantErr)
 				return

diff --git a/api/change_passwd.go b/api/change_passwd.go
@@ -29,7 +29,7 @@ func ChangePasswdWrapper(c *gin.Context) {
 	LoginRequiredPathJSON(ChangePasswd, params, path, c)
 }
 
-func ChangePasswd(remoteAddr string, uuserID bbs.UUserID, params interface{}, path interface{}) (result interface{}, err error) {
+func ChangePasswd(remoteAddr string, uuserID bbs.UUserID, params interface{}, path interface{}, c *gin.Context) (result interface{}, err error) {
 	theParams, ok := params.(*ChangePasswdParams)
 	if !ok {
 		return nil, ErrInvalidParams

diff --git a/api/change_passwd_test.go b/api/change_passwd_test.go
@@ -69,7 +69,7 @@ func TestChangePasswd(t *testing.T) {
 		wg.Add(1)
 		t.Run(tt.name, func(t *testing.T) {
 			defer wg.Done()
-			gotResult, err := ChangePasswd(tt.args.remoteAddr, tt.args.uuserID, tt.args.params, tt.args.path)
+			gotResult, err := ChangePasswd(tt.args.remoteAddr, tt.args.uuserID, tt.args.params, tt.args.path, nil)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("ChangePasswd() error = %v, wantErr %v", err, tt.wantErr)
 				return

diff --git a/api/check_exists_user.go b/api/check_exists_user.go
@@ -21,7 +21,7 @@ func CheckExistsUserWrapper(c *gin.Context) {
 	JSON(CheckExistsUser, params, c)
 }
 
-func CheckExistsUser(remoteAddr string, params interface{}) (result interface{}, err error) {
+func CheckExistsUser(remoteAddr string, params interface{}, c *gin.Context) (result interface{}, err error) {
 	theParams, ok := params.(*CheckExistsUserParams)
 	if !ok {
 		return nil, ErrInvalidParams

diff --git a/api/check_exists_user_test.go b/api/check_exists_user_test.go
@@ -47,7 +47,7 @@ func TestCheckExistsUser(t *testing.T) {
 		wg.Add(1)
 		t.Run(tt.name, func(t *testing.T) {
 			defer wg.Done()
-			gotResult, err := CheckExistsUser(tt.args.remoteAddr, tt.args.params)
+			gotResult, err := CheckExistsUser(tt.args.remoteAddr, tt.args.params, nil)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("CheckExistsUser() error = %v, wantErr %v", err, tt.wantErr)
 				return

diff --git a/api/config.go b/api/config.go
@@ -1,13 +1,16 @@
 package api
 
 func config() {
-	JWT_SECRET = setBytesConfig("JWT_SECRET", JWT_SECRET)
 	JWT_ISSUER = setStringConfig("JWT_ISSUER", JWT_ISSUER)
 	GUEST = setStringConfig("GUEST", GUEST)
 
-	EMAIL_JWT_SECRET = setBytesConfig("EMAIL_JWT_SECRET", EMAIL_JWT_SECRET)
-
+	JWT_SECRET = setBytesConfig("JWT_SECRET", JWT_SECRET)
 	JWT_TOKEN_EXPIRE_TS = setIntConfig("JWT_TOKEN_EXPIRE_TS", JWT_TOKEN_EXPIRE_TS)
 
+	EMAIL_JWT_SECRET = setBytesConfig("EMAIL_JWT_SECRET", EMAIL_JWT_SECRET)
 	EMAIL_JWT_TOKEN_EXPIRE_TS = setIntConfig("EMAIL_JWT_TOKEN_EXPIRE_TS", EMAIL_JWT_TOKEN_EXPIRE_TS)
+
+	REFRESH_JWT_CLAIM_TYPE = setStringConfig("REFRESH_JWT_CLAIM_TYPE", REFRESH_JWT_CLAIM_TYPE)
+	REFRESH_JWT_SECRET = setBytesConfig("REFRESH_JWT_SECRET", REFRESH_JWT_SECRET)
+	REFRESH_JWT_TOKEN_EXPIRE_TS = setIntConfig("REFRESH_JWT_TOKEN_EXPIRE_TS", REFRESH_JWT_TOKEN_EXPIRE_TS)
 }
diff --git a/api/config_util.go b/api/config_util.go
@@ -29,22 +29,32 @@ func setIntConfig(idx string, orig int) int {
 func postInitConfig() {
 	_ = setJwtTokenExpireTS(JWT_TOKEN_EXPIRE_TS)
 	_ = setEmailJwtTokenExpireTS(EMAIL_JWT_TOKEN_EXPIRE_TS)
+	_ = setRefreshJwtTokenExpireTS(REFRESH_JWT_TOKEN_EXPIRE_TS)
 }
 
-func setJwtTokenExpireTS(JwtTokenExpireTS int) (origJwtTokenExpireTS int) {
+func setJwtTokenExpireTS(jwtTokenExpireTS int) (origJwtTokenExpireTS int) {
 	origJwtTokenExpireTS = JWT_TOKEN_EXPIRE_TS
 
-	JWT_TOKEN_EXPIRE_TS = JwtTokenExpireTS
+	JWT_TOKEN_EXPIRE_TS = jwtTokenExpireTS
 	JWT_TOKEN_EXPIRE_DURATION = time.Duration(JWT_TOKEN_EXPIRE_TS) * time.Second
 
 	return origJwtTokenExpireTS
 }
 
-func setEmailJwtTokenExpireTS(EmailJwtTokenExpireTS int) (origEmailJwtTokenExpireTS int) {
+func setEmailJwtTokenExpireTS(emailJwtTokenExpireTS int) (origEmailJwtTokenExpireTS int) {
 	origEmailJwtTokenExpireTS = EMAIL_JWT_TOKEN_EXPIRE_TS
 
-	EMAIL_JWT_TOKEN_EXPIRE_TS = EmailJwtTokenExpireTS
+	EMAIL_JWT_TOKEN_EXPIRE_TS = emailJwtTokenExpireTS
 	EMAIL_JWT_TOKEN_EXPIRE_DURATION = time.Duration(EMAIL_JWT_TOKEN_EXPIRE_TS) * time.Second
 
 	return origEmailJwtTokenExpireTS
 }
+
+func setRefreshJwtTokenExpireTS(refreshJwtTokenExpireTS int) (origRefreshJwtTokenExpireTS int) {
+	origRefreshJwtTokenExpireTS = REFRESH_JWT_TOKEN_EXPIRE_TS
+
+	REFRESH_JWT_TOKEN_EXPIRE_TS = refreshJwtTokenExpireTS
+	REFRESH_JWT_TOKEN_EXPIRE_DURATION = time.Duration(REFRESH_JWT_TOKEN_EXPIRE_TS) * time.Second
+
+	return origRefreshJwtTokenExpireTS
+}
diff --git a/api/const.go b/api/const.go
@@ -1 +1,5 @@
 package api
+
+const (
+	EPSILON_EXPIRE_TS = 2
+)