feat: fully featured token checks

2025-12-06 06:25:21 +03:00 · 2025-12-06 06:25:21 +03:00 · 713c0adc14
commit 713c0adc14
parent 7956a8a961
6 changed files with 226 additions and 77 deletions
--- a/modules/auth/handlers/handlers.go
+++ b/modules/auth/handlers/handlers.go
@ -47,28 +47,35 @@ func CheckPassword(password, hash string) (bool, error) {
 	return argon2id.ComparePasswordAndHash(password, hash)
 }

-func (s Server) generateImpersonationToken(userID string, impersonated_by string) (accessToken string, err error) {
-	accessClaims := jwt.MapClaims{
-		"user_id": userID,
-		"exp":     time.Now().Add(15 * time.Minute).Unix(),
-		"imp_id":  impersonated_by,
+func (s *Server) generateImpersonationToken(userID string, impersonatedBy string) (string, error) {
+	now := time.Now()
+	claims := auth.TokenClaims{
+		UserID: userID,
+		ImpID:  &impersonatedBy,
+		Type:   "access",
+		RegisteredClaims: jwt.RegisteredClaims{
+			IssuedAt:  jwt.NewNumericDate(now),
+			ExpiresAt: jwt.NewNumericDate(now.Add(15 * time.Minute)),
+			ID:        generateJTI(),
+		},
 	}

-	at := jwt.NewWithClaims(jwt.SigningMethodHS256, accessClaims)
-
-	accessToken, err = at.SignedString([]byte(s.JwtPrivateKey))
-	if err != nil {
-		return "", err
-	}
-
-	return accessToken, nil
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	return token.SignedString([]byte(s.JwtPrivateKey))
 }

-func (s Server) generateTokens(userID string) (accessToken string, refreshToken string, csrfToken string, err error) {
-	accessClaims := jwt.MapClaims{
-		"user_id": userID,
-		"exp":     time.Now().Add(15 * time.Minute).Unix(),
-		//TODO: add created_at
+func (s *Server) generateTokens(userID string) (accessToken string, refreshToken string, csrfToken string, err error) {
+	now := time.Now()
+
+	// Access token (15 мин)
+	accessClaims := auth.TokenClaims{
+		UserID: userID,
+		Type:   "access",
+		RegisteredClaims: jwt.RegisteredClaims{
+			IssuedAt:  jwt.NewNumericDate(now),
+			ExpiresAt: jwt.NewNumericDate(now.Add(15 * time.Minute)),
+			ID:        generateJTI(),
+		},
 	}
 	at := jwt.NewWithClaims(jwt.SigningMethodHS256, accessClaims)
 	accessToken, err = at.SignedString([]byte(s.JwtPrivateKey))
@ -76,9 +83,15 @@ func (s Server) generateTokens(userID string) (accessToken string, refreshToken
 		return "", "", "", err
 	}

-	refreshClaims := jwt.MapClaims{
-		"user_id": userID,
-		"exp":     time.Now().Add(7 * 24 * time.Hour).Unix(),
+	// Refresh token (7 дней)
+	refreshClaims := auth.TokenClaims{
+		UserID: userID,
+		Type:   "refresh",
+		RegisteredClaims: jwt.RegisteredClaims{
+			IssuedAt:  jwt.NewNumericDate(now),
+			ExpiresAt: jwt.NewNumericDate(now.Add(7 * 24 * time.Hour)),
+			ID:        generateJTI(),
+		},
 	}
 	rt := jwt.NewWithClaims(jwt.SigningMethodHS256, refreshClaims)
 	refreshToken, err = rt.SignedString([]byte(s.JwtPrivateKey))
@ -86,6 +99,7 @@ func (s Server) generateTokens(userID string) (accessToken string, refreshToken
 		return "", "", "", err
 	}

+	// CSRF token
 	csrfBytes := make([]byte, 32)
 	_, err = rand.Read(csrfBytes)
 	if err != nil {
@ -219,56 +233,56 @@ func (s Server) GetImpersonationToken(ctx context.Context, req auth.GetImpersona
 	return auth.GetImpersonationToken200JSONResponse{AccessToken: accessToken}, nil
 }

-// func (s Server) PostAuthRefreshToken(ctx context.Context, req auth.PostAuthRefreshTokenRequestObject) (auth.PostAuthRefreshTokenResponseObject, error) {
-// 	valid := false
-// 	var userID *string
-// 	var errStr *string
+func (s Server) RefreshTokens(ctx context.Context, req auth.RefreshTokensRequestObject) (auth.RefreshTokensResponseObject, error) {
+	ginCtx, ok := ctx.Value(gin.ContextKey).(*gin.Context)
+	if !ok {
+		log.Print("failed to get gin context")
+		return auth.RefreshTokens500Response{}, fmt.Errorf("failed to get gin.Context from context.Context")
+	}

-// 	token, err := jwt.Parse(req.Body.Token, func(t *jwt.Token) (interface{}, error) {
-// 		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
-// 			return nil, fmt.Errorf("unexpected signing method")
-// 		}
-// 		return refreshSecret, nil
-// 	})
+	rtCookie, err := ginCtx.Request.Cookie("refresh_token")
+	if err != nil {
+		log.Print("failed to get refresh_token cookie")
+		return auth.RefreshTokens400Response{}, fmt.Errorf("failed to get refresh_token cookie")
+	}

-// 	if err != nil {
-// 		e := err.Error()
-// 		errStr = &e
-// 		return auth.PostAuthVerifyToken200JSONResponse{
-// 			Valid:  &valid,
-// 			UserId: userID,
-// 			Error:  errStr,
-// 		}, nil
-// 	}
+	refreshToken := rtCookie.Value

-// 	if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
-// 		if uid, ok := claims["user_id"].(string); ok {
-// 			// Refresh token is valid, generate new tokens
-// 			newAccessToken, newRefreshToken, _ := generateTokens(uid)
-// 			valid = true
-// 			userID = &uid
-// 			return auth.PostAuthVerifyToken200JSONResponse{
-// 				Valid:  &valid,
-// 				UserId: userID,
-// 				Error:  nil,
-// 				Token:  &newAccessToken, // return new access token
-// 				// optionally return newRefreshToken as well
-// 			}, nil
-// 		} else {
-// 			e := "user_id not found in refresh token"
-// 			errStr = &e
-// 		}
-// 	} else {
-// 		e := "invalid refresh token claims"
-// 		errStr = &e
-// 	}
+	token, err := jwt.ParseWithClaims(refreshToken, &auth.TokenClaims{}, func(t *jwt.Token) (interface{}, error) {
+		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected signing method")
+		}
+		return []byte(s.JwtPrivateKey), nil
+	})
+	if err != nil || !token.Valid {
+		log.Print("invalid refresh token")
+		return auth.RefreshTokens401Response{}, nil
+	}

-// 	return auth.PostAuthVerifyToken200JSONResponse{
-// 		Valid:  &valid,
-// 		UserId: userID,
-// 		Error:  errStr,
-// 	}, nil
-// }
+	claims, ok := token.Claims.(*auth.TokenClaims)
+	if !ok || claims.UserID == "" {
+		log.Print("invalid refresh token claims")
+		return auth.RefreshTokens401Response{}, nil
+	}
+	if claims.Type != "refresh" {
+		log.Errorf("token is not a refresh token")
+		return auth.RefreshTokens401Response{}, nil
+	}
+
+	accessToken, refreshToken, csrfToken, err := s.generateTokens(claims.UserID)
+	if err != nil {
+		log.Errorf("failed to generate tokens for user %s: %v", claims.UserID, err)
+		return auth.RefreshTokens500Response{}, nil
+	}
+
+	// TODO: check cookie settings carefully
+	ginCtx.SetSameSite(http.SameSiteStrictMode)
+	ginCtx.SetCookie("access_token", accessToken, 900, "/api", "", false, true)
+	ginCtx.SetCookie("refresh_token", refreshToken, 1209600, "/auth", "", false, true)
+	ginCtx.SetCookie("xsrf_token", csrfToken, 1209600, "/", "", false, false)
+
+	return auth.RefreshTokens200Response{}, nil
+}

 func ExtractBearerToken(header string) (string, error) {
 	const prefix = "Bearer "
@ -277,3 +291,9 @@ func ExtractBearerToken(header string) (string, error) {
 	}
 	return header[len(prefix):], nil
 }
+
+func generateJTI() string {
+	b := make([]byte, 16)
+	_, _ = rand.Read(b)
+	return base64.RawURLEncoding.EncodeToString(b)
+}
--- a/modules/auth/main.go
+++ b/modules/auth/main.go
@ -46,7 +46,7 @@ func main() {

 	log.Info("allow origins:", AppConfig.ServiceAddress)
 	r.Use(cors.New(cors.Config{
-		AllowOrigins:     []string{"*"},
+		AllowOrigins:     []string{AppConfig.ServiceAddress},
 		AllowMethods:     []string{"GET", "POST", "PUT", "DELETE"},
 		AllowHeaders:     []string{"Origin", "Content-Type", "Accept"},
 		ExposeHeaders:    []string{"Content-Length"},