2021-07-17 16:29:50 +00:00
|
|
|
package resolvers
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"fmt"
|
2021-07-21 08:06:26 +00:00
|
|
|
"time"
|
2021-07-17 16:29:50 +00:00
|
|
|
|
2021-09-20 05:06:26 +00:00
|
|
|
"github.com/authorizerdev/authorizer/server/constants"
|
2021-07-23 16:27:44 +00:00
|
|
|
"github.com/authorizerdev/authorizer/server/db"
|
2022-01-17 06:02:13 +00:00
|
|
|
"github.com/authorizerdev/authorizer/server/envstore"
|
2021-07-23 16:27:44 +00:00
|
|
|
"github.com/authorizerdev/authorizer/server/graph/model"
|
|
|
|
|
"github.com/authorizerdev/authorizer/server/session"
|
|
|
|
|
"github.com/authorizerdev/authorizer/server/utils"
|
2021-07-17 16:29:50 +00:00
|
|
|
)
|
|
|
|
|
|
2022-01-17 06:02:13 +00:00
|
|
|
// SessionResolver is a resolver for session query
|
|
|
|
|
func SessionResolver(ctx context.Context, roles []string) (*model.AuthResponse, error) {
|
2021-07-28 10:13:08 +00:00
|
|
|
var res *model.AuthResponse
|
2021-07-28 07:55:52 +00:00
|
|
|
|
|
|
|
|
gc, err := utils.GinContextFromContext(ctx)
|
2021-07-17 16:29:50 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return res, err
|
|
|
|
|
}
|
|
|
|
|
token, err := utils.GetAuthToken(gc)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return res, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
claim, accessTokenErr := utils.VerifyAuthToken(token)
|
2021-09-20 05:06:26 +00:00
|
|
|
expiresAt := claim["exp"].(int64)
|
|
|
|
|
email := fmt.Sprintf("%v", claim["email"])
|
2021-07-17 16:29:50 +00:00
|
|
|
|
2022-01-21 08:04:04 +00:00
|
|
|
user, err := db.Provider.GetUserByEmail(email)
|
2021-07-17 16:29:50 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return res, err
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-07 08:41:26 +00:00
|
|
|
userIdStr := fmt.Sprintf("%v", user.ID)
|
2021-07-17 16:29:50 +00:00
|
|
|
|
2022-01-17 06:02:13 +00:00
|
|
|
sessionToken := session.GetUserSession(userIdStr, token)
|
2021-07-17 16:29:50 +00:00
|
|
|
|
|
|
|
|
if sessionToken == "" {
|
2021-07-18 03:55:20 +00:00
|
|
|
return res, fmt.Errorf(`unauthorized`)
|
2021-07-17 16:29:50 +00:00
|
|
|
}
|
|
|
|
|
|
2021-07-21 08:06:26 +00:00
|
|
|
expiresTimeObj := time.Unix(expiresAt, 0)
|
|
|
|
|
currentTimeObj := time.Now()
|
2021-10-13 16:41:41 +00:00
|
|
|
|
2022-01-20 11:22:37 +00:00
|
|
|
claimRoleInterface := claim[envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtRoleClaim)].([]interface{})
|
2021-10-13 16:41:41 +00:00
|
|
|
claimRoles := make([]string, len(claimRoleInterface))
|
|
|
|
|
for i, v := range claimRoleInterface {
|
|
|
|
|
claimRoles[i] = v.(string)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(roles) > 0 {
|
|
|
|
|
for _, v := range roles {
|
2021-10-19 07:27:59 +00:00
|
|
|
if !utils.StringSliceContains(claimRoles, v) {
|
2021-10-13 16:41:41 +00:00
|
|
|
return res, fmt.Errorf(`unauthorized`)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-01-17 06:02:13 +00:00
|
|
|
// TODO change this logic to make it more secure
|
2021-07-21 08:06:26 +00:00
|
|
|
if accessTokenErr != nil || expiresTimeObj.Sub(currentTimeObj).Minutes() <= 5 {
|
2021-07-17 16:29:50 +00:00
|
|
|
// if access token has expired and refresh/session token is valid
|
|
|
|
|
// generate new accessToken
|
2022-01-17 06:02:13 +00:00
|
|
|
currentRefreshToken := session.GetUserSession(userIdStr, token)
|
|
|
|
|
session.DeleteUserSession(userIdStr, token)
|
|
|
|
|
token, expiresAt, _ = utils.CreateAuthToken(user, constants.TokenTypeAccessToken, claimRoles)
|
|
|
|
|
session.SetUserSession(userIdStr, token, currentRefreshToken)
|
|
|
|
|
utils.SaveSessionInDB(user.ID, gc)
|
2021-07-17 16:29:50 +00:00
|
|
|
}
|
2021-10-13 16:41:41 +00:00
|
|
|
|
2021-07-17 16:29:50 +00:00
|
|
|
utils.SetCookie(gc, token)
|
2021-07-28 10:13:08 +00:00
|
|
|
res = &model.AuthResponse{
|
2021-12-22 05:21:12 +00:00
|
|
|
Message: `Token verified`,
|
|
|
|
|
AccessToken: &token,
|
|
|
|
|
ExpiresAt: &expiresAt,
|
2021-12-24 01:05:02 +00:00
|
|
|
User: utils.GetResponseUserData(user),
|
2021-07-17 16:29:50 +00:00
|
|
|
}
|
|
|
|
|
return res, nil
|
|
|
|
|
}
|
