authorizer/server/resolvers/validate_session.go

package resolvers

import (
	"context"
	"errors"
	"fmt"

	"github.com/authorizerdev/authorizer/server/cookie"
	"github.com/authorizerdev/authorizer/server/db"
	"github.com/authorizerdev/authorizer/server/graph/model"
	"github.com/authorizerdev/authorizer/server/token"
	"github.com/authorizerdev/authorizer/server/utils"
	log "github.com/sirupsen/logrus"
)

// ValidateSessionResolver is used to validate a cookie session without its rotation
func ValidateSessionResolver(ctx context.Context, params *model.ValidateSessionInput) (*model.ValidateSessionResponse, error) {
	gc, err := utils.GinContextFromContext(ctx)
	if err != nil {
		log.Debug("Failed to get GinContext: ", err)
		return nil, err
	}
	sessionToken := params.Cookie
	if sessionToken == "" {
		sessionToken, err = cookie.GetSession(gc)
		if err != nil {
			log.Debug("Failed to get session token: ", err)
			return nil, errors.New("unauthorized")
		}
	}
	claims, err := token.ValidateBrowserSession(gc, sessionToken)
	if err != nil {
		log.Debug("Failed to validate session token", err)
		return nil, errors.New("unauthorized")
	}
	userID := claims.Subject
	log := log.WithFields(log.Fields{
		"user_id": userID,
	})
	_, err = db.Provider.GetUserByID(ctx, userID)
	if err != nil {
		return nil, err
	}
	// refresh token has "roles" as claim
	claimRoleInterface := claims.Roles
	claimRoles := []string{}
	claimRoles = append(claimRoles, claimRoleInterface...)
	if params != nil && params.Roles != nil && len(params.Roles) > 0 {
		for _, v := range params.Roles {
			if !utils.StringSliceContains(claimRoles, v) {
				log.Debug("User does not have required role: ", claimRoles, v)
				return nil, fmt.Errorf(`unauthorized`)
			}
		}
	}
	return &model.ValidateSessionResponse{
		IsValid: true,
	}, nil
}
feat: add resolver to validate browser session 2023-07-12 16:42:17 +00:00			`package resolvers`

			`import (`
			`"context"`
			`"errors"`
			`"fmt"`

			`"github.com/authorizerdev/authorizer/server/cookie"`
			`"github.com/authorizerdev/authorizer/server/db"`
			`"github.com/authorizerdev/authorizer/server/graph/model"`
			`"github.com/authorizerdev/authorizer/server/token"`
			`"github.com/authorizerdev/authorizer/server/utils"`
			`log "github.com/sirupsen/logrus"`
			`)`

			`// ValidateSessionResolver is used to validate a cookie session without its rotation`
			`func ValidateSessionResolver(ctx context.Context, params model.ValidateSessionInput) (model.ValidateSessionResponse, error) {`
			`gc, err := utils.GinContextFromContext(ctx)`
			`if err != nil {`
			`log.Debug("Failed to get GinContext: ", err)`
			`return nil, err`
			`}`
			`sessionToken := params.Cookie`
			`if sessionToken == "" {`
			`sessionToken, err = cookie.GetSession(gc)`
			`if err != nil {`
			`log.Debug("Failed to get session token: ", err)`
			`return nil, errors.New("unauthorized")`
			`}`
			`}`
			`claims, err := token.ValidateBrowserSession(gc, sessionToken)`
			`if err != nil {`
			`log.Debug("Failed to validate session token", err)`
			`return nil, errors.New("unauthorized")`
			`}`
			`userID := claims.Subject`
			`log := log.WithFields(log.Fields{`
			`"user_id": userID,`
			`})`
			`_, err = db.Provider.GetUserByID(ctx, userID)`
			`if err != nil {`
			`return nil, err`
			`}`
			`// refresh token has "roles" as claim`
			`claimRoleInterface := claims.Roles`
			`claimRoles := []string{}`
			`claimRoles = append(claimRoles, claimRoleInterface...)`
			`if params != nil && params.Roles != nil && len(params.Roles) > 0 {`
			`for _, v := range params.Roles {`
			`if !utils.StringSliceContains(claimRoles, v) {`
			`log.Debug("User does not have required role: ", claimRoles, v)`
			return nil, fmt.Errorf(`unauthorized`)
			`}`
			`}`
			`}`
			`return &model.ValidateSessionResponse{`
			`IsValid: true,`
			`}, nil`
			`}`