Compare commits
5 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
4afd544c41 | ||
|
|
307c6f7d15 | ||
|
|
bbc6394cf3 | ||
|
|
63c8e2e55f | ||
|
|
b224892a39 |
@@ -26,7 +26,6 @@ func NewProvider() (*provider, error) {
|
||||
config := aws.Config{
|
||||
MaxRetries: aws.Int(3),
|
||||
CredentialsChainVerboseErrors: aws.Bool(true), // for full error logs
|
||||
|
||||
}
|
||||
|
||||
if awsRegion != "" {
|
||||
|
||||
@@ -154,6 +154,7 @@ func TokenHandler() gin.HandlerFunc {
|
||||
"error": "invalid_refresh_token",
|
||||
"error_description": "The refresh token is invalid",
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
claims, err := token.ValidateRefreshToken(gc, refreshToken)
|
||||
@@ -163,9 +164,10 @@ func TokenHandler() gin.HandlerFunc {
|
||||
"error": "unauthorized",
|
||||
"error_description": err.Error(),
|
||||
})
|
||||
return
|
||||
}
|
||||
userID = claims["sub"].(string)
|
||||
loginMethod := claims["login_method"]
|
||||
claimLoginMethod := claims["login_method"]
|
||||
rolesInterface := claims["roles"].([]interface{})
|
||||
scopeInterface := claims["scope"].([]interface{})
|
||||
for _, v := range rolesInterface {
|
||||
@@ -176,9 +178,11 @@ func TokenHandler() gin.HandlerFunc {
|
||||
}
|
||||
|
||||
sessionKey = userID
|
||||
if loginMethod != nil && loginMethod != "" {
|
||||
sessionKey = loginMethod.(string) + ":" + sessionKey
|
||||
if claimLoginMethod != nil && claimLoginMethod != "" {
|
||||
sessionKey = claimLoginMethod.(string) + ":" + sessionKey
|
||||
loginMethod = claimLoginMethod.(string)
|
||||
}
|
||||
|
||||
// remove older refresh token and rotate it for security
|
||||
go memorystore.Provider.DeleteUserSession(sessionKey, claims["nonce"].(string))
|
||||
}
|
||||
@@ -211,6 +215,7 @@ func TokenHandler() gin.HandlerFunc {
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
|
||||
memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
|
||||
cookie.SetSession(gc, authToken.FingerPrintHash)
|
||||
|
||||
@@ -114,16 +114,17 @@ func CreateRefreshToken(user models.User, roles, scopes []string, hostname, nonc
|
||||
return "", 0, err
|
||||
}
|
||||
customClaims := jwt.MapClaims{
|
||||
"iss": hostname,
|
||||
"aud": clientID,
|
||||
"sub": user.ID,
|
||||
"exp": expiresAt,
|
||||
"iat": time.Now().Unix(),
|
||||
"token_type": constants.TokenTypeRefreshToken,
|
||||
"roles": roles,
|
||||
"scope": scopes,
|
||||
"nonce": nonce,
|
||||
"login_method": loginMethod,
|
||||
"iss": hostname,
|
||||
"aud": clientID,
|
||||
"sub": user.ID,
|
||||
"exp": expiresAt,
|
||||
"iat": time.Now().Unix(),
|
||||
"token_type": constants.TokenTypeRefreshToken,
|
||||
"roles": roles,
|
||||
"scope": scopes,
|
||||
"nonce": nonce,
|
||||
"login_method": loginMethod,
|
||||
"allowed_roles": strings.Split(user.Roles, ","),
|
||||
}
|
||||
|
||||
token, err := SignJWTToken(customClaims)
|
||||
@@ -153,16 +154,17 @@ func CreateAccessToken(user models.User, roles, scopes []string, hostName, nonce
|
||||
return "", 0, err
|
||||
}
|
||||
customClaims := jwt.MapClaims{
|
||||
"iss": hostName,
|
||||
"aud": clientID,
|
||||
"nonce": nonce,
|
||||
"sub": user.ID,
|
||||
"exp": expiresAt,
|
||||
"iat": time.Now().Unix(),
|
||||
"token_type": constants.TokenTypeAccessToken,
|
||||
"scope": scopes,
|
||||
"roles": roles,
|
||||
"login_method": loginMethod,
|
||||
"iss": hostName,
|
||||
"aud": clientID,
|
||||
"nonce": nonce,
|
||||
"sub": user.ID,
|
||||
"exp": expiresAt,
|
||||
"iat": time.Now().Unix(),
|
||||
"token_type": constants.TokenTypeAccessToken,
|
||||
"scope": scopes,
|
||||
"roles": roles,
|
||||
"login_method": loginMethod,
|
||||
"allowed_roles": strings.Split(user.Roles, ","),
|
||||
}
|
||||
|
||||
token, err := SignJWTToken(customClaims)
|
||||
@@ -256,7 +258,6 @@ func ValidateRefreshToken(gc *gin.Context, refreshToken string) (map[string]inte
|
||||
if loginMethod != nil && loginMethod != "" {
|
||||
sessionKey = loginMethod.(string) + ":" + userID
|
||||
}
|
||||
|
||||
token, err := memorystore.Provider.GetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+nonce)
|
||||
if nonce == "" || err != nil {
|
||||
return res, fmt.Errorf(`unauthorized`)
|
||||
|
||||
Reference in New Issue
Block a user