From 6a4568dcf3258cbf04baaaf0d8774d70b29e3fb0 Mon Sep 17 00:00:00 2001 From: Lakhan Samani Date: Fri, 13 Oct 2023 08:11:55 +0530 Subject: [PATCH] fix: use session / access_token for profile related queries or mutation --- dashboard/yarn.lock | 6 ++--- server/handlers/userinfo.go | 2 -- server/resolvers/deactivate_account.go | 10 ++------ server/resolvers/profile.go | 14 ++--------- server/resolvers/update_profile.go | 12 ++-------- server/token/auth_token.go | 32 ++++++++++++++++++++++++++ 6 files changed, 41 insertions(+), 35 deletions(-) diff --git a/dashboard/yarn.lock b/dashboard/yarn.lock index f3225976f..bfaa9629b 100644 --- a/dashboard/yarn.lock +++ b/dashboard/yarn.lock @@ -1222,10 +1222,10 @@ error-ex@^1.3.1: dependencies: is-arrayish "^0.2.1" -esbuild-linux-64@0.14.9: +esbuild-darwin-arm64@0.14.9: version "0.14.9" - resolved "https://registry.npmjs.org/esbuild-linux-64/-/esbuild-linux-64-0.14.9.tgz" - integrity sha512-WoEI+R6/PLZAxS7XagfQMFgRtLUi5cjqqU9VCfo3tnWmAXh/wt8QtUfCVVCcXVwZLS/RNvI19CtfjlrJU61nOg== + resolved "https://registry.npmjs.org/esbuild-darwin-arm64/-/esbuild-darwin-arm64-0.14.9.tgz" + integrity sha512-3ue+1T4FR5TaAu4/V1eFMG8Uwn0pgAwQZb/WwL1X78d5Cy8wOVQ67KNH1lsjU+y/9AcwMKZ9x0GGNxBB4a1Rbw== esbuild@^0.14.9: version "0.14.9" diff --git a/server/handlers/userinfo.go b/server/handlers/userinfo.go index 0af837c3a..1512e41bb 100644 --- a/server/handlers/userinfo.go +++ b/server/handlers/userinfo.go @@ -21,7 +21,6 @@ func UserInfoHandler() gin.HandlerFunc { }) return } - claims, err := token.ValidateAccessToken(gc, accessToken) if err != nil { log.Debug("Error validating access token: ", err) @@ -30,7 +29,6 @@ func UserInfoHandler() gin.HandlerFunc { }) return } - userID := claims["sub"].(string) user, err := db.Provider.GetUserByID(gc, userID) if err != nil { diff --git a/server/resolvers/deactivate_account.go b/server/resolvers/deactivate_account.go index e6f7be9f5..0773e5d87 100644 --- a/server/resolvers/deactivate_account.go 
+++ b/server/resolvers/deactivate_account.go @@ -21,17 +21,11 @@ func DeactivateAccountResolver(ctx context.Context) (*model.Response, error) { log.Debug("Failed to get GinContext: ", err) return res, err } - accessToken, err := token.GetAccessToken(gc) + userID, err := token.GetUserIDFromSessionOrAccessToken(gc) if err != nil { - log.Debug("Failed to get access token: ", err) + log.Debug("Failed GetUserIDFromSessionOrAccessToken: ", err) return res, err } - claims, err := token.ValidateAccessToken(gc, accessToken) - if err != nil { - log.Debug("Failed to validate access token: ", err) - return res, err - } - userID := claims["sub"].(string) log := log.WithFields(log.Fields{ "user_id": userID, }) diff --git a/server/resolvers/profile.go b/server/resolvers/profile.go index 78af46a0c..521ce4443 100644 --- a/server/resolvers/profile.go +++ b/server/resolvers/profile.go @@ -20,21 +20,11 @@ func ProfileResolver(ctx context.Context) (*model.User, error) { log.Debug("Failed to get GinContext: ", err) return res, err } - - accessToken, err := token.GetAccessToken(gc) + userID, err := token.GetUserIDFromSessionOrAccessToken(gc) if err != nil { - log.Debug("Failed to get access token: ", err) + log.Debug("Failed GetUserIDFromSessionOrAccessToken: ", err) return res, err } - - claims, err := token.ValidateAccessToken(gc, accessToken) - if err != nil { - log.Debug("Failed to validate access token: ", err) - return res, err - } - - userID := claims["sub"].(string) - log := log.WithFields(log.Fields{ "user_id": userID, }) diff --git a/server/resolvers/update_profile.go b/server/resolvers/update_profile.go index c47818268..34275df03 100644 --- a/server/resolvers/update_profile.go +++ b/server/resolvers/update_profile.go 
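Review bot: DeactivateAccountResolver is a state-changing mutation that, after this hunk, is authorized by the browser session cookie whenever one is present, whereas before it required a Bearer access token. A cookie-authenticated mutation is reachable from a cross-site page unless the session cookie's SameSite attribute or an Origin/CSRF check on the GraphQL endpoint prevents it, and neither is visible in this change — please confirm one of them is in place, or keep destructive mutations on the access-token path only. The resolver's body starts before and continues after this hunk. Separately, the new debug message `Failed GetUserIDFromSessionOrAccessToken: ` reads oddly next to the file's other messages; `Failed to resolve user id from session or access token: ` matches their form.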
@@ -35,15 +35,9 @@ func UpdateProfileResolver(ctx context.Context, params model.UpdateProfileInput) log.Debug("Failed to get GinContext: ", err) return res, err } - - accessToken, err := token.GetAccessToken(gc) + userID, err := token.GetUserIDFromSessionOrAccessToken(gc) if err != nil { - log.Debug("Failed to get access token: ", err) - return res, err - } - claims, err := token.ValidateAccessToken(gc, accessToken) - if err != nil { - log.Debug("Failed to validate access token: ", err) + log.Debug("Failed GetUserIDFromSessionOrAccessToken: ", err) return res, err } @@ -52,8 +46,6 @@ func UpdateProfileResolver(ctx context.Context, params model.UpdateProfileInput) log.Debug("All params are empty") return res, fmt.Errorf("please enter at least one param to update") } - - userID := claims["sub"].(string) log := log.WithFields(log.Fields{ "user_id": userID, }) diff --git a/server/token/auth_token.go b/server/token/auth_token.go index f482db845..707865f59 100644 --- a/server/token/auth_token.go +++ b/server/token/auth_token.go @@ -15,6 +15,7 @@ import ( "github.com/robertkrimen/otto" "github.com/authorizerdev/authorizer/server/constants" + "github.com/authorizerdev/authorizer/server/cookie" "github.com/authorizerdev/authorizer/server/crypto" "github.com/authorizerdev/authorizer/server/db/models" "github.com/authorizerdev/authorizer/server/memorystore" 
@@ -480,3 +481,34 @@ func GetIDToken(gc *gin.Context) (string, error) {
 token := strings.TrimPrefix(auth, "Bearer ")
 return token, nil
 }
+
+// GetUserIDFromSessionOrAccessToken returns the user id from the session or access token
+func GetUserIDFromSessionOrAccessToken(gc *gin.Context) (string, error) {
+ // First try to get the user id from the session
+ isSession := true
+ token, err := cookie.GetSession(gc)
+ if err != nil || token == "" {
+ log.Debug("Failed to get session token: ", err)
+ isSession = false
+ token, err = GetAccessToken(gc)
+ if err != nil || token == "" {
+ log.Debug("Failed to get access token: ", err)
+ return "", fmt.Errorf(`unauthorized`)
+ }
+ }
+ if isSession {
+ claims, err := ValidateBrowserSession(gc, token)
+ if err != nil {
+ log.Debug("Failed to validate session token: ", err)
+ return "", fmt.Errorf(`unauthorized`)
+ }
+ return claims.Subject, nil
+ }
+ // If not session, then validate the access token
+ claims, err := ValidateAccessToken(gc, token)
+ if err != nil {
+ log.Debug("Failed to validate access token: ", err)
+ return "", fmt.Errorf(`unauthorized`)
+ }
+ return claims["sub"].(string), nil
+}
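Review bot: The final `return claims["sub"].(string), nil` is an unchecked type assertion: if ValidateAccessToken hands back a claim set whose `sub` is absent or not a string, the calling resolver panics instead of getting the same generic `unauthorized` error the rest of the function returns; prefer `sub, ok := claims["sub"].(string); if !ok || sub == "" { return "", fmt.Errorf("unauthorized") }; return sub, nil`. Note also that the cookie branch is terminal: a session cookie that is present but fails ValidateBrowserSession yields unauthorized without the Bearer token ever being consulted, so a client holding a stale cookie and a valid access token is rejected. If that precedence is intended, the doc comment should state it, e.g. `// A present but invalid session cookie is not retried against the access token.`; if not, fall through to GetAccessToken on validation failure rather than only when the cookie is missing.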