authorizer/server/resolvers/validate_jwt_token.go

package resolvers

import (
	"context"
	"errors"
	"fmt"

	"github.com/golang-jwt/jwt"
	log "github.com/sirupsen/logrus"

	"github.com/authorizerdev/authorizer/server/constants"
	"github.com/authorizerdev/authorizer/server/graph/model"
	"github.com/authorizerdev/authorizer/server/memorystore"
	"github.com/authorizerdev/authorizer/server/parsers"
	"github.com/authorizerdev/authorizer/server/token"
	"github.com/authorizerdev/authorizer/server/utils"
)

// ValidateJwtTokenResolver is used to validate a jwt token without its rotation
// this can be used at API level (backend)
// it can validate:
// access_token
// id_token
// refresh_token
func ValidateJwtTokenResolver(ctx context.Context, params model.ValidateJWTTokenInput) (*model.ValidateJWTTokenResponse, error) {
	gc, err := utils.GinContextFromContext(ctx)
	if err != nil {
		log.Debug("Failed to get GinContext: ", err)
		return nil, err
	}

	tokenType := params.TokenType
	if tokenType != constants.TokenTypeAccessToken && tokenType != constants.TokenTypeRefreshToken && tokenType != constants.TokenTypeIdentityToken {
		log.Debug("Invalid token type: ", tokenType)
		return nil, errors.New("invalid token type")
	}

	var claimRoles []string
	var claims jwt.MapClaims
	userID := ""
	nonce := ""

	claims, err = token.ParseJWTToken(params.Token)
	if err != nil {
		log.Debug("Failed to parse JWT token: ", err)
		return nil, err
	}
	userID = claims["sub"].(string)

	// access_token and refresh_token should be validated from session store as well
	if tokenType == constants.TokenTypeAccessToken || tokenType == constants.TokenTypeRefreshToken {
		nonce = claims["nonce"].(string)
		loginMethod := claims["login_method"]
		sessionKey := userID
		if loginMethod != nil && loginMethod != "" {
			sessionKey = loginMethod.(string) + ":" + userID
		}
		token, err := memorystore.Provider.GetUserSession(sessionKey, tokenType+"_"+claims["nonce"].(string))
		if err != nil || token == "" {
			log.Debug("Failed to get user session: ", err)
			return nil, errors.New("invalid token")
		}
	}

	hostname := parsers.GetHost(gc)

	// we cannot validate nonce in case of id_token as that token is not persisted in session store
	if nonce != "" {
		if ok, err := token.ValidateJWTClaims(claims, hostname, nonce, userID); !ok || err != nil {
			log.Debug("Failed to parse jwt token: ", err)
			return nil, errors.New("invalid claims")
		}
	} else {
		if ok, err := token.ValidateJWTTokenWithoutNonce(claims, hostname, userID); !ok || err != nil {
			log.Debug("Failed to parse jwt token without nonce: ", err)
			return nil, errors.New("invalid claims")
		}
	}

	claimKey := "roles"

	if tokenType == constants.TokenTypeIdentityToken {
		claimKey, err = memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyJwtRoleClaim)
		if err != nil {
			claimKey = "roles"
		}
	}

	claimRolesInterface := claims[claimKey]
	roleSlice := utils.ConvertInterfaceToSlice(claimRolesInterface)
	for _, v := range roleSlice {
		claimRoles = append(claimRoles, v.(string))
	}

	if params.Roles != nil && len(params.Roles) > 0 {
		for _, v := range params.Roles {
			if !utils.StringSliceContains(claimRoles, v) {
				log.Debug("Token does not have required role: ", v)
				return nil, fmt.Errorf(`unauthorized`)
			}
		}
	}
	return &model.ValidateJWTTokenResponse{
		IsValid: true,
		Claims:  claims,
	}, nil
}
feat: add validate_jwt_token query Resolves #149 2022-03-24 08:01:56 +00:00			`package resolvers`

			`import (`
			`"context"`
			`"errors"`
			`"fmt"`

feat: add loggging to all resolvers 2022-05-24 07:12:29 +00:00			`"github.com/golang-jwt/jwt"`
			`log "github.com/sirupsen/logrus"`

fix: user session access 2022-06-11 18:57:21 +00:00			`"github.com/authorizerdev/authorizer/server/constants"`
feat: add validate_jwt_token query Resolves #149 2022-03-24 08:01:56 +00:00			`"github.com/authorizerdev/authorizer/server/graph/model"`
fix: move sessionstore -> memstore 2022-05-27 17:50:38 +00:00			`"github.com/authorizerdev/authorizer/server/memorystore"`
fix: import cycle issues 2022-05-30 06:24:16 +00:00			`"github.com/authorizerdev/authorizer/server/parsers"`
feat: add validate_jwt_token query Resolves #149 2022-03-24 08:01:56 +00:00			`"github.com/authorizerdev/authorizer/server/token"`
			`"github.com/authorizerdev/authorizer/server/utils"`
			`)`

			`// ValidateJwtTokenResolver is used to validate a jwt token without its rotation`
			`// this can be used at API level (backend)`
			`// it can validate:`
			`// access_token`
			`// id_token`
			`// refresh_token`
			`func ValidateJwtTokenResolver(ctx context.Context, params model.ValidateJWTTokenInput) (*model.ValidateJWTTokenResponse, error) {`
			`gc, err := utils.GinContextFromContext(ctx)`
			`if err != nil {`
fix: format logs 2022-05-25 07:00:22 +00:00			`log.Debug("Failed to get GinContext: ", err)`
feat: add validate_jwt_token query Resolves #149 2022-03-24 08:01:56 +00:00			`return nil, err`
			`}`

			`tokenType := params.TokenType`
fix: user session access 2022-06-11 18:57:21 +00:00			`if tokenType != constants.TokenTypeAccessToken && tokenType != constants.TokenTypeRefreshToken && tokenType != constants.TokenTypeIdentityToken {`
fix: format logs 2022-05-25 07:00:22 +00:00			`log.Debug("Invalid token type: ", tokenType)`
feat: add validate_jwt_token query Resolves #149 2022-03-24 08:01:56 +00:00			`return nil, errors.New("invalid token type")`
			`}`

fix: session invalidation 2022-06-11 13:40:39 +00:00			`var claimRoles []string`
			`var claims jwt.MapClaims`
feat: add validate_jwt_token query Resolves #149 2022-03-24 08:01:56 +00:00			`userID := ""`
			`nonce := ""`
fix: user session access 2022-06-11 18:57:21 +00:00
			`claims, err = token.ParseJWTToken(params.Token)`
			`if err != nil {`
			`log.Debug("Failed to parse JWT token: ", err)`
			`return nil, err`
			`}`
			`userID = claims["sub"].(string)`

feat: add validate_jwt_token query Resolves #149 2022-03-24 08:01:56 +00:00			`// access_token and refresh_token should be validated from session store as well`
fix: user session access 2022-06-11 18:57:21 +00:00			`if tokenType == constants.TokenTypeAccessToken \|\| tokenType == constants.TokenTypeRefreshToken {`
			`nonce = claims["nonce"].(string)`
fix: add namespace to session token keys 2022-06-29 16:54:00 +00:00			`loginMethod := claims["login_method"]`
			`sessionKey := userID`
			`if loginMethod != nil && loginMethod != "" {`
			`sessionKey = loginMethod.(string) + ":" + userID`
			`}`
			`token, err := memorystore.Provider.GetUserSession(sessionKey, tokenType+"_"+claims["nonce"].(string))`
fix: user session access 2022-06-11 18:57:21 +00:00			`if err != nil \|\| token == "" {`
fix: session invalidation 2022-06-11 13:40:39 +00:00			`log.Debug("Failed to get user session: ", err)`
			`return nil, errors.New("invalid token")`
			`}`
feat: add validate_jwt_token query Resolves #149 2022-03-24 08:01:56 +00:00			`}`

fix: import cycle issues 2022-05-30 06:24:16 +00:00			`hostname := parsers.GetHost(gc)`
feat: add validate_jwt_token query Resolves #149 2022-03-24 08:01:56 +00:00
fix: user session access 2022-06-11 18:57:21 +00:00			`// we cannot validate nonce in case of id_token as that token is not persisted in session store`
			`if nonce != "" {`
fix: session invalidation 2022-06-11 13:40:39 +00:00			`if ok, err := token.ValidateJWTClaims(claims, hostname, nonce, userID); !ok \|\| err != nil {`
fix: format logs 2022-05-25 07:00:22 +00:00			`log.Debug("Failed to parse jwt token: ", err)`
fix: session invalidation 2022-06-11 13:40:39 +00:00			`return nil, errors.New("invalid claims")`
feat: add validate_jwt_token query Resolves #149 2022-03-24 08:01:56 +00:00			`}`
			`} else {`
fix: user session access 2022-06-11 18:57:21 +00:00			`if ok, err := token.ValidateJWTTokenWithoutNonce(claims, hostname, userID); !ok \|\| err != nil {`
fix: format logs 2022-05-25 07:00:22 +00:00			`log.Debug("Failed to parse jwt token without nonce: ", err)`
fix: session invalidation 2022-06-11 13:40:39 +00:00			`return nil, errors.New("invalid claims")`
feat: add validate_jwt_token query Resolves #149 2022-03-24 08:01:56 +00:00			`}`
			`}`

fix: validating id_token 2022-11-23 16:33:08 +00:00			`claimKey := "roles"`

			`if tokenType == constants.TokenTypeIdentityToken {`
			`claimKey, err = memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyJwtRoleClaim)`
			`if err != nil {`
			`claimKey = "roles"`
			`}`
			`}`

			`claimRolesInterface := claims[claimKey]`
feat: add validate_jwt_token query Resolves #149 2022-03-24 08:01:56 +00:00			`roleSlice := utils.ConvertInterfaceToSlice(claimRolesInterface)`
			`for _, v := range roleSlice {`
			`claimRoles = append(claimRoles, v.(string))`
			`}`

			`if params.Roles != nil && len(params.Roles) > 0 {`
			`for _, v := range params.Roles {`
			`if !utils.StringSliceContains(claimRoles, v) {`
fix: format logs 2022-05-25 07:00:22 +00:00			`log.Debug("Token does not have required role: ", v)`
feat: add validate_jwt_token query Resolves #149 2022-03-24 08:01:56 +00:00			return nil, fmt.Errorf(`unauthorized`)
			`}`
			`}`
			`}`
			`return &model.ValidateJWTTokenResponse{`
			`IsValid: true,`
add jwt claims as part of validation endpoint 2022-11-01 04:42:01 +00:00			`Claims: claims,`
feat: add validate_jwt_token query Resolves #149 2022-03-24 08:01:56 +00:00			`}, nil`
			`}`