From 307c6f7d15d9e324a3b1c41f84fe1b3d95ac1a15 Mon Sep 17 00:00:00 2001
From: Lakhan Samani
Date: Fri, 4 Nov 2022 01:40:18 +0530
Subject: [PATCH] fix: refresh token login method claim
---
 server/handlers/token.go | 9 ++++++---
 server/token/auth_token.go | 1 -
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/server/handlers/token.go b/server/handlers/token.go
index 20be2ac..4d0064d 100644
--- a/server/handlers/token.go
+++ b/server/handlers/token.go
@@ -167,7 +167,7 @@ func TokenHandler() gin.HandlerFunc {
 return
 }
 userID = claims["sub"].(string)
-loginMethod := claims["login_method"]
+claimLoginMethod := claims["login_method"]
 rolesInterface := claims["roles"].([]interface{})
 scopeInterface := claims["scope"].([]interface{})
 for _, v := range rolesInterface {
@@ -178,9 +178,11 @@ func TokenHandler() gin.HandlerFunc {
 }
 sessionKey = userID
-if loginMethod != nil && loginMethod != "" {
-sessionKey = loginMethod.(string) + ":" + sessionKey
+if claimLoginMethod != nil && claimLoginMethod != "" {
+sessionKey = claimLoginMethod.(string) + ":" + sessionKey
+loginMethod = claimLoginMethod.(string)
 }
+// remove older refresh token and rotate it for security
 go memorystore.Provider.DeleteUserSession(sessionKey, claims["nonce"].(string))
 }
@@ -213,6 +215,7 @@ func TokenHandler() gin.HandlerFunc {
 })
 return
 }
+memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
 memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
 cookie.SetSession(gc, authToken.FingerPrintHash)
diff --git a/server/token/auth_token.go b/server/token/auth_token.go
index 4572b6b..4e947e2 100644
--- a/server/token/auth_token.go
+++ b/server/token/auth_token.go
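Review bot: The two new `claimLoginMethod.(string)` assertions inside the `if` in the second hunk are unchecked, so a `login_method` claim that is present but not a string passes the `!= nil && != ""` guard and panics the handler instead of being rejected. Assert once with the comma-ok form and reuse the result: `if lm, ok := claimLoginMethod.(string); ok && lm != "" {`, `sessionKey = lm + ":" + sessionKey`, `loginMethod = lm`. The added comment states the old refresh token is rotated "for security", but the `go memorystore.Provider.DeleteUserSession(...)` line it annotates runs detached and its outcome is never observed, so a failed delete leaves the previous token usable with nothing recorded; consider performing the delete synchronously, or at least logging its result, before the new tokens are issued. The `loginMethod` variable assigned on the new line and the rest of TokenHandler are declared outside this hunk.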
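Review bot: The added `memorystore.Provider.SetUserSession(...)` call for the session token in the third hunk discards whatever the store reports, mirroring the access-token line beneath it, yet `cookie.SetSession(gc, authToken.FingerPrintHash)` then issues the cookie regardless, so a failed store write hands the client a session cookie the server cannot match. If SetUserSession returns an error, check it before the cookie is set and fail the request the way the error-response block just above does, e.g. `if err := memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash); err != nil {` followed by that response and `return`. The same applies to the pre-existing access-token line if it is touched again. The surrounding TokenHandler body, including the response block whose closing lines open this hunk, continues outside it.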
@@ -256,7 +256,6 @@ func ValidateRefreshToken(gc *gin.Context, refreshToken string) (map[string]inte
 if loginMethod != nil && loginMethod != "" {
 sessionKey = loginMethod.(string) + ":" + userID
 }
-token, err := memorystore.Provider.GetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+nonce)
 if nonce == "" || err != nil {
 return res, fmt.Errorf(`unauthorized`)