authorizer/server/utils/auth_token.go

package utils

import (
	"encoding/json"
	"fmt"
	"log"
	"os"
	"strings"
	"time"

	"github.com/authorizerdev/authorizer/server/constants"
	"github.com/authorizerdev/authorizer/server/db"
	"github.com/authorizerdev/authorizer/server/enum"
	"github.com/gin-gonic/gin"
	"github.com/golang-jwt/jwt"
	"github.com/robertkrimen/otto"
)

func CreateAuthToken(user db.User, tokenType enum.TokenType, roles []string) (string, int64, error) {
	t := jwt.New(jwt.GetSigningMethod(constants.JWT_TYPE))
	expiryBound := time.Hour
	if tokenType == enum.RefreshToken {
		// expires in 1 year
		expiryBound = time.Hour * 8760
	}

	expiresAt := time.Now().Add(expiryBound).Unix()

	resUser := GetResponseUserData(user)
	userBytes, _ := json.Marshal(&resUser)
	var userMap map[string]interface{}
	json.Unmarshal(userBytes, &userMap)

	customClaims := jwt.MapClaims{
		"exp":                    expiresAt,
		"iat":                    time.Now().Unix(),
		"token_type":             tokenType.String(),
		"allowed_roles":          strings.Split(user.Roles, ","),
		constants.JWT_ROLE_CLAIM: roles,
	}

	for k, v := range userMap {
		if k != "roles" {
			customClaims[k] = v
		}
	}

	// check for the extra access token script
	accessTokenScript := os.Getenv("CUSTOM_ACCESS_TOKEN_SCRIPT")
	if accessTokenScript != "" {
		vm := otto.New()

		claimBytes, _ := json.Marshal(customClaims)
		vm.Run(fmt.Sprintf(`
			var user = %s;
			var tokenPayload = %s;
			var customFunction = %s;
			var functionRes = JSON.stringify(customFunction(user, tokenPayload));
		`, string(userBytes), string(claimBytes), accessTokenScript))

		val, err := vm.Get("functionRes")

		if err != nil {
			log.Println("error getting custom access token script:", err)
		} else {
			extraPayload := make(map[string]interface{})
			err = json.Unmarshal([]byte(fmt.Sprintf("%s", val)), &extraPayload)
			if err != nil {
				log.Println("error converting accessTokenScript response to map:", err)
			} else {
				for k, v := range extraPayload {
					customClaims[k] = v
				}
			}
		}
	}

	t.Claims = customClaims

	token, err := t.SignedString([]byte(constants.JWT_SECRET))
	if err != nil {
		return "", 0, err
	}

	return token, expiresAt, nil
}

func GetAuthToken(gc *gin.Context) (string, error) {
	token, err := GetCookie(gc)
	if err != nil || token == "" {
		// try to check in auth header for cookie
		log.Println("cookie not found checking headers")
		auth := gc.Request.Header.Get("Authorization")
		if auth == "" {
			return "", fmt.Errorf(`unauthorized`)
		}

		token = strings.TrimPrefix(auth, "Bearer ")
	}
	return token, nil
}

func VerifyAuthToken(token string) (map[string]interface{}, error) {
	var res map[string]interface{}
	claims := jwt.MapClaims{}

	_, err := jwt.ParseWithClaims(token, claims, func(token *jwt.Token) (interface{}, error) {
		return []byte(constants.JWT_SECRET), nil
	})
	if err != nil {
		return res, err
	}

	// claim parses exp & iat into float 64 with e^10,
	// but we expect it to be int64
	// hence we need to assert interface and convert to int64
	intExp := int64(claims["exp"].(float64))
	intIat := int64(claims["iat"].(float64))

	data, _ := json.Marshal(claims)
	json.Unmarshal(data, &res)
	res["exp"] = intExp
	res["iat"] = intIat

	return res, nil
}
Implement login resolver (#15) * add sign_up_method to users table * add session store * implement login resolver 2021-07-14 18:43:19 +00:00			`package utils`

			`import (`
feat/role based access (#50) * feat: add roles based access * feat: update roles env + todo * feat: add roles to update profile * feat: add role based oauth * feat: validate role for a given token 2021-09-20 05:06:26 +00:00			`"encoding/json"`
Add resolver to update profile Resolves #12 #11 2021-07-18 03:55:20 +00:00			`"fmt"`
Add logout resolver Resolves #8 2021-07-15 09:43:00 +00:00			`"log"`
feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00			`"os"`
Add logout resolver Resolves #8 2021-07-15 09:43:00 +00:00			`"strings"`
Implement login resolver (#15) * add sign_up_method to users table * add session store * implement login resolver 2021-07-14 18:43:19 +00:00			`"time"`

chore: rename project 2021-07-23 16:27:44 +00:00			`"github.com/authorizerdev/authorizer/server/constants"`
feat/role based access (#50) * feat: add roles based access * feat: update roles env + todo * feat: add roles to update profile * feat: add role based oauth * feat: validate role for a given token 2021-09-20 05:06:26 +00:00			`"github.com/authorizerdev/authorizer/server/db"`
chore: rename project 2021-07-23 16:27:44 +00:00			`"github.com/authorizerdev/authorizer/server/enum"`
Add logout resolver Resolves #8 2021-07-15 09:43:00 +00:00			`"github.com/gin-gonic/gin"`
Implement login resolver (#15) * add sign_up_method to users table * add session store * implement login resolver 2021-07-14 18:43:19 +00:00			`"github.com/golang-jwt/jwt"`
fix: use otto instead of v8go 2021-10-29 16:11:47 +00:00			`"github.com/robertkrimen/otto"`
Implement login resolver (#15) * add sign_up_method to users table * add session store * implement login resolver 2021-07-14 18:43:19 +00:00			`)`

feat: use multi roles login (#60) * feat: use multi roles login - add support for protected roles - refactor oauth code * fix: adminUpdate role validation * fix: update app 2021-10-13 16:41:41 +00:00			`func CreateAuthToken(user db.User, tokenType enum.TokenType, roles []string) (string, int64, error) {`
Implement login resolver (#15) * add sign_up_method to users table * add session store * implement login resolver 2021-07-14 18:43:19 +00:00			`t := jwt.New(jwt.GetSigningMethod(constants.JWT_TYPE))`
			`expiryBound := time.Hour`
			`if tokenType == enum.RefreshToken {`
Add query to get token Resolves #16 2021-07-15 12:02:55 +00:00			`// expires in 1 year`
			`expiryBound = time.Hour * 8760`
Implement login resolver (#15) * add sign_up_method to users table * add session store * implement login resolver 2021-07-14 18:43:19 +00:00			`}`

Add query to get token Resolves #16 2021-07-15 12:02:55 +00:00			`expiresAt := time.Now().Add(expiryBound).Unix()`

fix: rename getresuser util 2021-12-24 01:05:02 +00:00			`resUser := GetResponseUserData(user)`
fix: refactor schema for open id claim standards 2021-12-22 05:21:12 +00:00			`userBytes, _ := json.Marshal(&resUser)`
			`var userMap map[string]interface{}`
			`json.Unmarshal(userBytes, &userMap)`

feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00			`customClaims := jwt.MapClaims{`
			`"exp": expiresAt,`
			`"iat": time.Now().Unix(),`
feat/role based access (#50) * feat: add roles based access * feat: update roles env + todo * feat: add roles to update profile * feat: add role based oauth * feat: validate role for a given token 2021-09-20 05:06:26 +00:00			`"token_type": tokenType.String(),`
			`"allowed_roles": strings.Split(user.Roles, ","),`
feat: use multi roles login (#60) * feat: use multi roles login - add support for protected roles - refactor oauth code * fix: adminUpdate role validation * fix: update app 2021-10-13 16:41:41 +00:00			`constants.JWT_ROLE_CLAIM: roles,`
feat/role based access (#50) * feat: add roles based access * feat: update roles env + todo * feat: add roles to update profile * feat: add role based oauth * feat: validate role for a given token 2021-09-20 05:06:26 +00:00			`}`

fix: refactor schema for open id claim standards 2021-12-22 05:21:12 +00:00			`for k, v := range userMap {`
			`if k != "roles" {`
			`customClaims[k] = v`
			`}`
			`}`
feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00
fix: refactor schema for open id claim standards 2021-12-22 05:21:12 +00:00			`// check for the extra access token script`
feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00			`accessTokenScript := os.Getenv("CUSTOM_ACCESS_TOKEN_SCRIPT")`
			`if accessTokenScript != "" {`
fix: use otto instead of v8go 2021-10-29 16:11:47 +00:00			`vm := otto.New()`
feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00
fix: refactor schema for open id claim standards 2021-12-22 05:21:12 +00:00			`claimBytes, _ := json.Marshal(customClaims)`
fix: use otto instead of v8go 2021-10-29 16:11:47 +00:00			vm.Run(fmt.Sprintf(`
			`var user = %s;`
			`var tokenPayload = %s;`
			`var customFunction = %s;`
			`var functionRes = JSON.stringify(customFunction(user, tokenPayload));`
			`, string(userBytes), string(claimBytes), accessTokenScript))
feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00
fix: use otto instead of v8go 2021-10-29 16:11:47 +00:00			`val, err := vm.Get("functionRes")`
feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00
			`if err != nil {`
feat/add arangodb support (#80) feat: add arangodb init fix: dao for sql + arangodb * fix: update error logs * fix: use db name dynamically 2021-12-17 15:55:07 +00:00			`log.Println("error getting custom access token script:", err)`
feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00			`} else {`
			`extraPayload := make(map[string]interface{})`
			`err = json.Unmarshal([]byte(fmt.Sprintf("%s", val)), &extraPayload)`
			`if err != nil {`
feat/add arangodb support (#80) feat: add arangodb init fix: dao for sql + arangodb * fix: update error logs * fix: use db name dynamically 2021-12-17 15:55:07 +00:00			`log.Println("error converting accessTokenScript response to map:", err)`
feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00			`} else {`
			`for k, v := range extraPayload {`
			`customClaims[k] = v`
			`}`
			`}`
			`}`
Implement login resolver (#15) * add sign_up_method to users table * add session store * implement login resolver 2021-07-14 18:43:19 +00:00			`}`

feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00			`t.Claims = customClaims`

Add query to get token Resolves #16 2021-07-15 12:02:55 +00:00			`token, err := t.SignedString([]byte(constants.JWT_SECRET))`
			`if err != nil {`
			`return "", 0, err`
			`}`
feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00
Add query to get token Resolves #16 2021-07-15 12:02:55 +00:00			`return token, expiresAt, nil`
Implement login resolver (#15) * add sign_up_method to users table * add session store * implement login resolver 2021-07-14 18:43:19 +00:00			`}`
Add logout resolver Resolves #8 2021-07-15 09:43:00 +00:00
			`func GetAuthToken(gc *gin.Context) (string, error) {`
fix: update docker file 2021-07-27 12:16:02 +00:00			`token, err := GetCookie(gc)`
			`if err != nil \|\| token == "" {`
Add logout resolver Resolves #8 2021-07-15 09:43:00 +00:00			`// try to check in auth header for cookie`
			`log.Println("cookie not found checking headers")`
			`auth := gc.Request.Header.Get("Authorization")`
			`if auth == "" {`
feat/add meta query (#38) * feat: add meta query * fix: readme 2021-07-28 07:55:52 +00:00			return "", fmt.Errorf(`unauthorized`)
Add logout resolver Resolves #8 2021-07-15 09:43:00 +00:00			`}`

			`token = strings.TrimPrefix(auth, "Bearer ")`
			`}`
			`return token, nil`
			`}`

feat/role based access (#50) * feat: add roles based access * feat: update roles env + todo * feat: add roles to update profile * feat: add role based oauth * feat: validate role for a given token 2021-09-20 05:06:26 +00:00			`func VerifyAuthToken(token string) (map[string]interface{}, error) {`
			`var res map[string]interface{}`
feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00			`claims := jwt.MapClaims{}`
feat/role based access (#50) * feat: add roles based access * feat: update roles env + todo * feat: add roles to update profile * feat: add role based oauth * feat: validate role for a given token 2021-09-20 05:06:26 +00:00
Add logout resolver Resolves #8 2021-07-15 09:43:00 +00:00			`_, err := jwt.ParseWithClaims(token, claims, func(token *jwt.Token) (interface{}, error) {`
			`return []byte(constants.JWT_SECRET), nil`
			`})`
			`if err != nil {`
feat/role based access (#50) * feat: add roles based access * feat: update roles env + todo * feat: add roles to update profile * feat: add role based oauth * feat: validate role for a given token 2021-09-20 05:06:26 +00:00			`return res, err`
Add logout resolver Resolves #8 2021-07-15 09:43:00 +00:00			`}`

feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00			`// claim parses exp & iat into float 64 with e^10,`
			`// but we expect it to be int64`
			`// hence we need to assert interface and convert to int64`
			`intExp := int64(claims["exp"].(float64))`
			`intIat := int64(claims["iat"].(float64))`

			`data, _ := json.Marshal(claims)`
feat/role based access (#50) * feat: add roles based access * feat: update roles env + todo * feat: add roles to update profile * feat: add role based oauth * feat: validate role for a given token 2021-09-20 05:06:26 +00:00			`json.Unmarshal(data, &res)`
feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00			`res["exp"] = intExp`
			`res["iat"] = intIat`
feat/role based access (#50) * feat: add roles based access * feat: update roles env + todo * feat: add roles to update profile * feat: add role based oauth * feat: validate role for a given token 2021-09-20 05:06:26 +00:00
			`return res, nil`
Add logout resolver Resolves #8 2021-07-15 09:43:00 +00:00			`}`