From 08b2c12a45c2e829253dee29c1303b04cb0ac0ee Mon Sep 17 00:00:00 2001
From: Lakhan Samani
Date: Mon, 20 Sep 2021 10:34:09 +0530
Subject: [PATCH] feat: validate role for a given token

---
 TODO.md | 2 +-
 server/graph/schema.resolvers.go | 8 +++++---
 server/handlers/oauthCallback.go | 2 --
 server/resolvers/token.go | 11 ++++++++---
 4 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/TODO.md b/TODO.md
index 889f10b..461d024 100644
--- a/TODO.md
+++ b/TODO.md
@@ -13,4 +13,4 @@ For the first version we will only support setting roles master list via env
 - [x] Return roles to user
 - [x] Return roles in users list for super admin
 - [x] Add roles to the JWT token generation
-- [ ] Validate token should also validate the role, if roles to validate again is present in request
+- [x] Validate token should also validate the role, if roles to validate again is present in request
diff --git a/server/graph/schema.resolvers.go b/server/graph/schema.resolvers.go
index f1d0519..448346c 100644
--- a/server/graph/schema.resolvers.go
+++ b/server/graph/schema.resolvers.go
@@ -56,7 +56,7 @@ func (r *queryResolver) Users(ctx context.Context) ([]*model.User, error) {
 }
 
 func (r *queryResolver) Token(ctx context.Context, role *string) (*model.AuthResponse, error) {
- return resolvers.Token(ctx)
+ return resolvers.Token(ctx, role)
 }
 
 func (r *queryResolver) Profile(ctx context.Context) (*model.User, error) {
@@ -73,5 +73,7 @@ func (r *Resolver) Mutation() generated.MutationResolver { return &mutationResol
 // Query returns generated.QueryResolver implementation.
 func (r *Resolver) Query() generated.QueryResolver { return &queryResolver{r} }
 
-type mutationResolver struct{ *Resolver }
-type queryResolver struct{ *Resolver }
+type (
+ mutationResolver struct{ *Resolver }
+ queryResolver struct{ *Resolver }
+)
diff --git a/server/handlers/oauthCallback.go b/server/handlers/oauthCallback.go
index 2c15104..76201c2 100644
--- a/server/handlers/oauthCallback.go
+++ b/server/handlers/oauthCallback.go
@@ -61,9 +61,7 @@ func processGoogleUserInfo(code string, role string, c *gin.Context) error {
 }
 user.SignupMethod = signupMethod
 user.Password = existingUser.Password
- log.Println("=> checking roles...", utils.IsValidRole(strings.Split(existingUser.Roles, ","), role))
 if !utils.IsValidRole(strings.Split(existingUser.Roles, ","), role) {
- log.Println("=> invalid role from google oauth")
 return fmt.Errorf("invalid role")
 }
 
diff --git a/server/resolvers/token.go b/server/resolvers/token.go
index a8ea886..892b268 100644
--- a/server/resolvers/token.go
+++ b/server/resolvers/token.go
@@ -14,7 +14,7 @@ import (
 "github.com/authorizerdev/authorizer/server/utils"
 )
 
-func Token(ctx context.Context) (*model.AuthResponse, error) {
+func Token(ctx context.Context, role *string) (*model.AuthResponse, error) {
 var res *model.AuthResponse
 
 gc, err := utils.GinContextFromContext(ctx)
@@ -29,12 +29,17 @@ func Token(ctx context.Context) (*model.AuthResponse, error) {
 
 claim, accessTokenErr := utils.VerifyAuthToken(token)
 expiresAt := claim["exp"].(int64)
 email := fmt.Sprintf("%v", claim["email"])
- role := fmt.Sprintf("%v", claim[constants.JWT_ROLE_CLAIM])
+
+ claimRole := fmt.Sprintf("%v", claim[constants.JWT_ROLE_CLAIM])
 user, err := db.Mgr.GetUserByEmail(email)
 if err != nil {
 return res, err
 }
 
+ if role != nil && role != &claimRole {
+ return res, fmt.Errorf(`unauthorized. invalid role for a given token`)
+ }
+
 userIdStr := fmt.Sprintf("%v", user.ID)
 sessionToken := session.GetToken(userIdStr)
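Review bot: `role != &claimRole` compares the caller's pointer with the address of the local claimRole, which can never be equal, so any request that supplies a role is rejected with the unauthorized error even when it matches the token's role claim; dereference instead, `if role != nil && *role != claimRole {`. Because the comparison always fails the check is fail-closed rather than a bypass, but the validation the commit sets out to add never passes. The message has no format verbs, so `errors.New` or a package sentinel such as `ErrInvalidRole` checked with `errors.Is` would suit better than `fmt.Errorf`. On the surrounding context lines claim is indexed before accessTokenErr is examined, so claimRole appears to be taken from a token that may not have verified — presumably the later `accessTokenErr != nil` branch covers that, but the role comparison runs before it; confirm VerifyAuthToken yields a safe claim map on error. Token's body begins and continues outside this hunk.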
@@ -49,7 +54,7 @@ func Token(ctx context.Context) (*model.AuthResponse, error) {
 if accessTokenErr != nil || expiresTimeObj.Sub(currentTimeObj).Minutes() <= 5 {
 // if access token has expired and refresh/session token is valid
 // generate new accessToken
- token, expiresAt, _ = utils.CreateAuthToken(user, enum.AccessToken, role)
+ token, expiresAt, _ = utils.CreateAuthToken(user, enum.AccessToken, claimRole)
 }
 utils.SetCookie(gc, token)
 res = &model.AuthResponse{