fix: user session access

server/handlers/authorize.go

@@ -222,10 +222,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 		// based on the response type, generate the response
 		if isResponseTypeCode {
 			// rollover the session for security
-			err = memorystore.Provider.RemoveState(sessionToken)
-			if err != nil {
-				log.Debug("Failed to remove state: ", err)
-			}
+			go memorystore.Provider.DeleteUserSession(user.ID, claims.Nonce)
 			nonce := uuid.New().String()
 			newSessionTokenData, newSessionToken, err := token.CreateSessionToken(user, nonce, claims.Roles, scope)
 			if err != nil {
@@ -246,7 +243,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 				return
 			}
 
-			memorystore.Provider.SetUserSession(user.ID, newSessionToken, newSessionTokenData.Nonce)
+			memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeSessionToken+"_"+newSessionTokenData.Nonce, newSessionToken)
 			cookie.SetSession(gc, newSessionToken)
 			code := uuid.New().String()
 			memorystore.Provider.SetState(codeChallenge, code+"@"+newSessionToken)
@@ -283,9 +280,9 @@ func AuthorizeHandler() gin.HandlerFunc {
 				}
 				return
 			}
-			memorystore.Provider.RemoveState(sessionToken)
-			memorystore.Provider.SetUserSession(user.ID, authToken.FingerPrintHash, authToken.FingerPrint)
-			memorystore.Provider.SetUserSession(user.ID, authToken.AccessToken.Token, authToken.FingerPrint)
+			go memorystore.Provider.DeleteUserSession(user.ID, claims.Nonce)
+			memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
+			memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
 			cookie.SetSession(gc, authToken.FingerPrintHash)
 
 			expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()
@@ -308,7 +305,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 			if authToken.RefreshToken != nil {
 				res["refresh_token"] = authToken.RefreshToken.Token
 				params += "&refresh_token=" + authToken.RefreshToken.Token
-				memorystore.Provider.SetUserSession(user.ID, authToken.RefreshToken.Token, authToken.FingerPrint)
+				memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
 			}
 
 			if isQuery {

server/handlers/logout.go

@@ -1,6 +1,7 @@
 package handlers
 
 import (
+	"encoding/json"
 	"net/http"
 	"strings"
 
@@ -10,6 +11,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/memorystore"
+	"github.com/authorizerdev/authorizer/server/token"
 )
 
 // Handler to logout user
@@ -35,12 +37,17 @@ func LogoutHandler() gin.HandlerFunc {
 			return
 		}
 
-		fingerPrint := string(decryptedFingerPrint)
-
-		err = memorystore.Provider.RemoveState(fingerPrint)
+		var sessionData token.SessionData
+		err = json.Unmarshal([]byte(decryptedFingerPrint), &sessionData)
 		if err != nil {
-			log.Debug("Failed to remove state: ", err)
+			log.Debug("Failed to decrypt fingerprint: ", err)
+			gc.JSON(http.StatusUnauthorized, gin.H{
+				"error": err.Error(),
+			})
+			return
 		}
+
+		memorystore.Provider.DeleteUserSession(sessionData.Subject, sessionData.Nonce)
 		cookie.DeleteSession(gc)
 
 		if redirectURL != "" {

server/handlers/oauth_callback.go

@@ -36,7 +36,6 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 			log.Debug("Invalid oauth state: ", state)
 			c.JSON(400, gin.H{"error": "invalid oauth state"})
 		}
-		memorystore.Provider.GetState(state)
 		// contains random token, redirect url, role
 		sessionSplit := strings.Split(state, "___")
 
@@ -46,6 +45,9 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 			return
 		}
 
+		// remove state from store
+		go memorystore.Provider.RemoveState(state)
+
 		stateValue := sessionSplit[0]
 		redirectURL := sessionSplit[1]
 		inputRoles := strings.Split(sessionSplit[2], ",")
@@ -117,9 +119,11 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 			user.EmailVerifiedAt = &now
 			user, _ = db.Provider.AddUser(user)
 		} else {
+			user = existingUser
 			if user.RevokedTimestamp != nil {
 				log.Debug("User access revoked at: ", user.RevokedTimestamp)
 				c.JSON(400, gin.H{"error": "user access has been revoked"})
+				return
 			}
 
 			// user exists in db, check if method was google
@@ -128,7 +132,6 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 			if !strings.Contains(signupMethod, provider) {
 				signupMethod = signupMethod + "," + provider
 			}
-			user = existingUser
 			user.SignupMethods = signupMethod
 
 			if user.EmailVerifiedAt == nil {
@@ -200,12 +203,12 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 		params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + stateValue + "&id_token=" + authToken.IDToken.Token
 
 		cookie.SetSession(c, authToken.FingerPrintHash)
-		memorystore.Provider.SetUserSession(user.ID, authToken.FingerPrintHash, authToken.FingerPrint)
-		memorystore.Provider.SetUserSession(user.ID, authToken.AccessToken.Token, authToken.FingerPrint)
+		memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
+		memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
 
 		if authToken.RefreshToken != nil {
 			params = params + `&refresh_token=` + authToken.RefreshToken.Token
-			memorystore.Provider.SetUserSession(user.ID, authToken.RefreshToken.Token, authToken.FingerPrint)
+			memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
 		}
 
 		go db.Provider.AddSession(models.Session{

server/handlers/revoke.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/memorystore"
+	"github.com/authorizerdev/authorizer/server/token"
 )
 
 // Revoke handler to revoke refresh token
@@ -45,7 +46,17 @@ func RevokeHandler() gin.HandlerFunc {
 			return
 		}
 
-		memorystore.Provider.RemoveState(refreshToken)
+		claims, err := token.ParseJWTToken(refreshToken)
+		if err != nil {
+			log.Debug("Client ID is invalid: ", clientID)
+			gc.JSON(http.StatusBadRequest, gin.H{
+				"error":             err.Error(),
+				"error_description": "Failed to parse jwt",
+			})
+			return
+		}
+
+		memorystore.Provider.DeleteUserSession(claims["sub"].(string), claims["nonce"].(string))
 
 		gc.JSON(http.StatusOK, gin.H{
 			"message": "Token revoked successfully",

server/handlers/token.go

@@ -107,6 +107,7 @@ func TokenHandler() gin.HandlerFunc {
 				return
 			}
 
+			go memorystore.Provider.RemoveState(encryptedCode)
 			// split session data
 			// it contains code@sessiontoken
 			sessionDataSplit := strings.Split(sessionData, "@")
@@ -130,11 +131,11 @@ func TokenHandler() gin.HandlerFunc {
 				})
 				return
 			}
-			// rollover the session for security
-			memorystore.Provider.RemoveState(sessionDataSplit[1])
 			userID = claims.Subject
 			roles = claims.Roles
 			scope = claims.Scope
+			// rollover the session for security
+			go memorystore.Provider.DeleteUserSession(userID, claims.Nonce)
 		} else {
 			// validate refresh token
 			if refreshToken == "" {
@@ -163,7 +164,7 @@ func TokenHandler() gin.HandlerFunc {
 				scope = append(scope, v.(string))
 			}
 			// remove older refresh token and rotate it for security
-			memorystore.Provider.RemoveState(refreshToken)
+			go memorystore.Provider.DeleteUserSession(userID, claims["nonce"].(string))
 		}
 
 		user, err := db.Provider.GetUserByID(userID)
@@ -185,8 +186,8 @@ func TokenHandler() gin.HandlerFunc {
 			})
 			return
 		}
-		memorystore.Provider.SetUserSession(user.ID, authToken.FingerPrintHash, authToken.FingerPrint)
-		memorystore.Provider.SetUserSession(user.ID, authToken.AccessToken.Token, authToken.FingerPrint)
+		memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
+		memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
 		cookie.SetSession(gc, authToken.FingerPrintHash)
 
 		expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()
@@ -204,7 +205,7 @@ func TokenHandler() gin.HandlerFunc {
 
 		if authToken.RefreshToken != nil {
 			res["refresh_token"] = authToken.RefreshToken.Token
-			memorystore.Provider.SetUserSession(user.ID, authToken.RefreshToken.Token, authToken.FingerPrint)
+			memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
 		}
 
 		gc.JSON(http.StatusOK, res)

server/handlers/verify_email.go

@@ -9,6 +9,7 @@ import (
 	"github.com/gin-gonic/gin"
 	log "github.com/sirupsen/logrus"
 
+	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/db/models"
@@ -107,12 +108,12 @@ func VerifyEmailHandler() gin.HandlerFunc {
 		params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + state + "&id_token=" + authToken.IDToken.Token
 
 		cookie.SetSession(c, authToken.FingerPrintHash)
-		memorystore.Provider.SetUserSession(user.ID, authToken.FingerPrintHash, authToken.FingerPrint)
-		memorystore.Provider.SetUserSession(user.ID, authToken.AccessToken.Token, authToken.FingerPrint)
+		memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
+		memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
 
 		if authToken.RefreshToken != nil {
-			params = params + `&refresh_token=${refresh_token}`
-			memorystore.Provider.SetUserSession(user.ID, authToken.RefreshToken.Token, authToken.FingerPrint)
+			params = params + `&refresh_token=` + authToken.RefreshToken.Token
+			memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
 		}
 
 		if redirectURL == "" {