authorizer/server/utils/auth_token.go

package utils

import (
	"encoding/json"
	"fmt"
	"log"
	"net/url"
	"os"
	"strings"
	"time"

	"github.com/authorizerdev/authorizer/server/constants"
	"github.com/authorizerdev/authorizer/server/db/models"
	"github.com/authorizerdev/authorizer/server/envstore"
	"github.com/gin-gonic/gin"
	"github.com/golang-jwt/jwt"
	"github.com/robertkrimen/otto"
	"golang.org/x/crypto/bcrypt"
)

// CreateAuthToken util to create JWT token, based on
// user information, roles config and CUSTOM_ACCESS_TOKEN_SCRIPT
func CreateAuthToken(user models.User, tokenType string, roles []string) (string, int64, error) {
	t := jwt.New(jwt.GetSigningMethod(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtType)))
	expiryBound := time.Hour
	if tokenType == constants.TokenTypeRefreshToken {
		// expires in 1 year
		expiryBound = time.Hour * 8760
	}

	expiresAt := time.Now().Add(expiryBound).Unix()

	resUser := GetResponseUserData(user)
	userBytes, _ := json.Marshal(&resUser)
	var userMap map[string]interface{}
	json.Unmarshal(userBytes, &userMap)

	claimKey := envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtRoleClaim)
	customClaims := jwt.MapClaims{
		"exp":           expiresAt,
		"iat":           time.Now().Unix(),
		"token_type":    tokenType,
		"allowed_roles": strings.Split(user.Roles, ","),
		claimKey:        roles,
	}

	for k, v := range userMap {
		if k != "roles" {
			customClaims[k] = v
		}
	}

	// check for the extra access token script
	accessTokenScript := os.Getenv(constants.EnvKeyCustomAccessTokenScript)
	if accessTokenScript != "" {
		vm := otto.New()

		claimBytes, _ := json.Marshal(customClaims)
		vm.Run(fmt.Sprintf(`
			var user = %s;
			var tokenPayload = %s;
			var customFunction = %s;
			var functionRes = JSON.stringify(customFunction(user, tokenPayload));
		`, string(userBytes), string(claimBytes), accessTokenScript))

		val, err := vm.Get("functionRes")

		if err != nil {
			log.Println("error getting custom access token script:", err)
		} else {
			extraPayload := make(map[string]interface{})
			err = json.Unmarshal([]byte(fmt.Sprintf("%s", val)), &extraPayload)
			if err != nil {
				log.Println("error converting accessTokenScript response to map:", err)
			} else {
				for k, v := range extraPayload {
					customClaims[k] = v
				}
			}
		}
	}

	t.Claims = customClaims

	token, err := t.SignedString([]byte(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtSecret)))
	if err != nil {
		return "", 0, err
	}

	return token, expiresAt, nil
}

// GetAuthToken helps in getting the JWT token from the
// request cookie or authorization header
func GetAuthToken(gc *gin.Context) (string, error) {
	token, err := GetCookie(gc)
	if err != nil || token == "" {
		// try to check in auth header for cookie
		auth := gc.Request.Header.Get("Authorization")
		if auth == "" {
			return "", fmt.Errorf(`unauthorized`)
		}

		token = strings.TrimPrefix(auth, "Bearer ")
	}
	return token, nil
}

// VerifyAuthToken helps in verifying the JWT token
func VerifyAuthToken(token string) (map[string]interface{}, error) {
	var res map[string]interface{}
	claims := jwt.MapClaims{}

	_, err := jwt.ParseWithClaims(token, claims, func(token *jwt.Token) (interface{}, error) {
		return []byte(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtSecret)), nil
	})
	if err != nil {
		return res, err
	}

	// claim parses exp & iat into float 64 with e^10,
	// but we expect it to be int64
	// hence we need to assert interface and convert to int64
	intExp := int64(claims["exp"].(float64))
	intIat := int64(claims["iat"].(float64))

	data, _ := json.Marshal(claims)
	json.Unmarshal(data, &res)
	res["exp"] = intExp
	res["iat"] = intIat

	return res, nil
}

// CreateAdminAuthToken creates the admin token based on secret key
func CreateAdminAuthToken(tokenType string, c *gin.Context) (string, error) {
	return EncryptPassword(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))
}

// GetAdminAuthToken helps in getting the admin token from the request cookie
func GetAdminAuthToken(gc *gin.Context) (string, error) {
	token, err := GetAdminCookie(gc)
	if err != nil || token == "" {
		return "", fmt.Errorf("unauthorized")
	}

	// cookie escapes special characters like $
	// hence we need to unescape before comparing
	decodedValue, err := url.QueryUnescape(token)
	if err != nil {
		return "", err
	}

	err = bcrypt.CompareHashAndPassword([]byte(decodedValue), []byte(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret)))
	log.Println("error comparing hash:", err)
	if err != nil {
		return "", fmt.Errorf(`unauthorized`)
	}

	return token, nil
}
Implement login resolver (#15) * add sign_up_method to users table * add session store * implement login resolver 2021-07-14 18:43:19 +00:00			`package utils`

			`import (`
feat/role based access (#50) * feat: add roles based access * feat: update roles env + todo * feat: add roles to update profile * feat: add role based oauth * feat: validate role for a given token 2021-09-20 05:06:26 +00:00			`"encoding/json"`
Add resolver to update profile Resolves #12 #11 2021-07-18 03:55:20 +00:00			`"fmt"`
Add logout resolver Resolves #8 2021-07-15 09:43:00 +00:00			`"log"`
feat: add _update_config mutation 2021-12-31 11:33:37 +00:00			`"net/url"`
feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00			`"os"`
Add logout resolver Resolves #8 2021-07-15 09:43:00 +00:00			`"strings"`
Implement login resolver (#15) * add sign_up_method to users table * add session store * implement login resolver 2021-07-14 18:43:19 +00:00			`"time"`

chore: rename project 2021-07-23 16:27:44 +00:00			`"github.com/authorizerdev/authorizer/server/constants"`
fix: update to use db.Provider 2022-01-21 08:04:04 +00:00			`"github.com/authorizerdev/authorizer/server/db/models"`
Feat/dashboard (#105) 2022-01-17 06:02:13 +00:00			`"github.com/authorizerdev/authorizer/server/envstore"`
Add logout resolver Resolves #8 2021-07-15 09:43:00 +00:00			`"github.com/gin-gonic/gin"`
Implement login resolver (#15) * add sign_up_method to users table * add session store * implement login resolver 2021-07-14 18:43:19 +00:00			`"github.com/golang-jwt/jwt"`
fix: use otto instead of v8go 2021-10-29 16:11:47 +00:00			`"github.com/robertkrimen/otto"`
feat: add admin session api 2021-12-31 08:58:00 +00:00			`"golang.org/x/crypto/bcrypt"`
Implement login resolver (#15) * add sign_up_method to users table * add session store * implement login resolver 2021-07-14 18:43:19 +00:00			`)`

Feat/dashboard (#105) 2022-01-17 06:02:13 +00:00			`// CreateAuthToken util to create JWT token, based on`
			`// user information, roles config and CUSTOM_ACCESS_TOKEN_SCRIPT`
fix: update to use db.Provider 2022-01-21 08:04:04 +00:00			`func CreateAuthToken(user models.User, tokenType string, roles []string) (string, int64, error) {`
fix: rename config -> env and handle env interface better 2022-01-20 11:22:37 +00:00			`t := jwt.New(jwt.GetSigningMethod(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtType)))`
Implement login resolver (#15) * add sign_up_method to users table * add session store * implement login resolver 2021-07-14 18:43:19 +00:00			`expiryBound := time.Hour`
Feat/dashboard (#105) 2022-01-17 06:02:13 +00:00			`if tokenType == constants.TokenTypeRefreshToken {`
Add query to get token Resolves #16 2021-07-15 12:02:55 +00:00			`// expires in 1 year`
			`expiryBound = time.Hour * 8760`
Implement login resolver (#15) * add sign_up_method to users table * add session store * implement login resolver 2021-07-14 18:43:19 +00:00			`}`

Add query to get token Resolves #16 2021-07-15 12:02:55 +00:00			`expiresAt := time.Now().Add(expiryBound).Unix()`

fix: rename getresuser util 2021-12-24 01:05:02 +00:00			`resUser := GetResponseUserData(user)`
fix: refactor schema for open id claim standards 2021-12-22 05:21:12 +00:00			`userBytes, _ := json.Marshal(&resUser)`
			`var userMap map[string]interface{}`
			`json.Unmarshal(userBytes, &userMap)`

fix: rename config -> env and handle env interface better 2022-01-20 11:22:37 +00:00			`claimKey := envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtRoleClaim)`
feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00			`customClaims := jwt.MapClaims{`
Feat/dashboard (#105) 2022-01-17 06:02:13 +00:00			`"exp": expiresAt,`
			`"iat": time.Now().Unix(),`
			`"token_type": tokenType,`
			`"allowed_roles": strings.Split(user.Roles, ","),`
			`claimKey: roles,`
feat/role based access (#50) * feat: add roles based access * feat: update roles env + todo * feat: add roles to update profile * feat: add role based oauth * feat: validate role for a given token 2021-09-20 05:06:26 +00:00			`}`

fix: refactor schema for open id claim standards 2021-12-22 05:21:12 +00:00			`for k, v := range userMap {`
			`if k != "roles" {`
			`customClaims[k] = v`
			`}`
			`}`
feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00
fix: refactor schema for open id claim standards 2021-12-22 05:21:12 +00:00			`// check for the extra access token script`
Feat/dashboard (#105) 2022-01-17 06:02:13 +00:00			`accessTokenScript := os.Getenv(constants.EnvKeyCustomAccessTokenScript)`
feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00			`if accessTokenScript != "" {`
fix: use otto instead of v8go 2021-10-29 16:11:47 +00:00			`vm := otto.New()`
feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00
fix: refactor schema for open id claim standards 2021-12-22 05:21:12 +00:00			`claimBytes, _ := json.Marshal(customClaims)`
fix: use otto instead of v8go 2021-10-29 16:11:47 +00:00			vm.Run(fmt.Sprintf(`
			`var user = %s;`
			`var tokenPayload = %s;`
			`var customFunction = %s;`
			`var functionRes = JSON.stringify(customFunction(user, tokenPayload));`
			`, string(userBytes), string(claimBytes), accessTokenScript))
feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00
fix: use otto instead of v8go 2021-10-29 16:11:47 +00:00			`val, err := vm.Get("functionRes")`
feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00
			`if err != nil {`
feat/add arangodb support (#80) feat: add arangodb init fix: dao for sql + arangodb * fix: update error logs * fix: use db name dynamically 2021-12-17 15:55:07 +00:00			`log.Println("error getting custom access token script:", err)`
feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00			`} else {`
			`extraPayload := make(map[string]interface{})`
			`err = json.Unmarshal([]byte(fmt.Sprintf("%s", val)), &extraPayload)`
			`if err != nil {`
feat/add arangodb support (#80) feat: add arangodb init fix: dao for sql + arangodb * fix: update error logs * fix: use db name dynamically 2021-12-17 15:55:07 +00:00			`log.Println("error converting accessTokenScript response to map:", err)`
feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00			`} else {`
			`for k, v := range extraPayload {`
			`customClaims[k] = v`
			`}`
			`}`
			`}`
Implement login resolver (#15) * add sign_up_method to users table * add session store * implement login resolver 2021-07-14 18:43:19 +00:00			`}`

feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00			`t.Claims = customClaims`

fix: rename config -> env and handle env interface better 2022-01-20 11:22:37 +00:00			`token, err := t.SignedString([]byte(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtSecret)))`
Add query to get token Resolves #16 2021-07-15 12:02:55 +00:00			`if err != nil {`
			`return "", 0, err`
			`}`
feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00
Add query to get token Resolves #16 2021-07-15 12:02:55 +00:00			`return token, expiresAt, nil`
Implement login resolver (#15) * add sign_up_method to users table * add session store * implement login resolver 2021-07-14 18:43:19 +00:00			`}`
Add logout resolver Resolves #8 2021-07-15 09:43:00 +00:00
Feat/dashboard (#105) 2022-01-17 06:02:13 +00:00			`// GetAuthToken helps in getting the JWT token from the`
			`// request cookie or authorization header`
Add logout resolver Resolves #8 2021-07-15 09:43:00 +00:00			`func GetAuthToken(gc *gin.Context) (string, error) {`
fix: update docker file 2021-07-27 12:16:02 +00:00			`token, err := GetCookie(gc)`
			`if err != nil \|\| token == "" {`
Add logout resolver Resolves #8 2021-07-15 09:43:00 +00:00			`// try to check in auth header for cookie`
			`auth := gc.Request.Header.Get("Authorization")`
			`if auth == "" {`
feat/add meta query (#38) * feat: add meta query * fix: readme 2021-07-28 07:55:52 +00:00			return "", fmt.Errorf(`unauthorized`)
Add logout resolver Resolves #8 2021-07-15 09:43:00 +00:00			`}`

			`token = strings.TrimPrefix(auth, "Bearer ")`
			`}`
			`return token, nil`
			`}`

Feat/dashboard (#105) 2022-01-17 06:02:13 +00:00			`// VerifyAuthToken helps in verifying the JWT token`
feat/role based access (#50) * feat: add roles based access * feat: update roles env + todo * feat: add roles to update profile * feat: add role based oauth * feat: validate role for a given token 2021-09-20 05:06:26 +00:00			`func VerifyAuthToken(token string) (map[string]interface{}, error) {`
			`var res map[string]interface{}`
feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00			`claims := jwt.MapClaims{}`
feat/role based access (#50) * feat: add roles based access * feat: update roles env + todo * feat: add roles to update profile * feat: add role based oauth * feat: validate role for a given token 2021-09-20 05:06:26 +00:00
Add logout resolver Resolves #8 2021-07-15 09:43:00 +00:00			`_, err := jwt.ParseWithClaims(token, claims, func(token *jwt.Token) (interface{}, error) {`
fix: rename config -> env and handle env interface better 2022-01-20 11:22:37 +00:00			`return []byte(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtSecret)), nil`
Add logout resolver Resolves #8 2021-07-15 09:43:00 +00:00			`})`
			`if err != nil {`
feat/role based access (#50) * feat: add roles based access * feat: update roles env + todo * feat: add roles to update profile * feat: add role based oauth * feat: validate role for a given token 2021-09-20 05:06:26 +00:00			`return res, err`
Add logout resolver Resolves #8 2021-07-15 09:43:00 +00:00			`}`

feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00			`// claim parses exp & iat into float 64 with e^10,`
			`// but we expect it to be int64`
			`// hence we need to assert interface and convert to int64`
			`intExp := int64(claims["exp"].(float64))`
			`intIat := int64(claims["iat"].(float64))`

			`data, _ := json.Marshal(claims)`
feat/role based access (#50) * feat: add roles based access * feat: update roles env + todo * feat: add roles to update profile * feat: add role based oauth * feat: validate role for a given token 2021-09-20 05:06:26 +00:00			`json.Unmarshal(data, &res)`
feat: add ability to write custom script for access token (#63) Resolves #54 2021-10-24 00:54:12 +00:00			`res["exp"] = intExp`
			`res["iat"] = intIat`
feat/role based access (#50) * feat: add roles based access * feat: update roles env + todo * feat: add roles to update profile * feat: add role based oauth * feat: validate role for a given token 2021-09-20 05:06:26 +00:00
			`return res, nil`
Add logout resolver Resolves #8 2021-07-15 09:43:00 +00:00			`}`
feat: add api for admin login 2021-12-30 04:31:51 +00:00
Feat/dashboard (#105) 2022-01-17 06:02:13 +00:00			`// CreateAdminAuthToken creates the admin token based on secret key`
			`func CreateAdminAuthToken(tokenType string, c *gin.Context) (string, error) {`
fix: rename config -> env and handle env interface better 2022-01-20 11:22:37 +00:00			`return EncryptPassword(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))`
feat: add api for admin login 2021-12-30 04:31:51 +00:00			`}`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00
Feat/dashboard (#105) 2022-01-17 06:02:13 +00:00			`// GetAdminAuthToken helps in getting the admin token from the request cookie`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00			`func GetAdminAuthToken(gc *gin.Context) (string, error) {`
			`token, err := GetAdminCookie(gc)`
			`if err != nil \|\| token == "" {`
Add _admin_signup mutation 2022-01-09 12:05:37 +00:00			`return "", fmt.Errorf("unauthorized")`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00			`}`
feat: add _update_config mutation 2021-12-31 11:33:37 +00:00
			`// cookie escapes special characters like $`
			`// hence we need to unescape before comparing`
			`decodedValue, err := url.QueryUnescape(token)`
			`if err != nil {`
			`return "", err`
			`}`

fix: rename config -> env and handle env interface better 2022-01-20 11:22:37 +00:00			`err = bcrypt.CompareHashAndPassword([]byte(decodedValue), []byte(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret)))`
feat: add _update_config mutation 2021-12-31 11:33:37 +00:00			`log.Println("error comparing hash:", err)`
			`if err != nil {`
			return "", fmt.Errorf(`unauthorized`)
			`}`

feat: persist encrypted env 2021-12-31 08:22:10 +00:00			`return token, nil`
			`}`