feat: xsrf_token set

2025-12-04 06:29:20 +03:00 · 2025-12-04 06:29:20 +03:00 · b79a6b9117
commit b79a6b9117
parent 31e55c0539
5 changed files with 117 additions and 20 deletions
--- a/modules/auth/handlers/handlers.go
+++ b/modules/auth/handlers/handlers.go
@ -2,6 +2,8 @@ package handlers

 import (
 	"context"
+	"crypto/rand"
+	"encoding/base64"
 	"fmt"
 	"net/http"
 	auth "nyanimedb/auth"
@ -15,15 +17,13 @@ import (
 	log "github.com/sirupsen/logrus"
 )

-var accessSecret = []byte("my_access_secret_key")
-var refreshSecret = []byte("my_refresh_secret_key")
-
 type Server struct {
-	db *sqlc.Queries
+	db            *sqlc.Queries
+	JwtPrivateKey string
 }

-func NewServer(db *sqlc.Queries) Server {
-	return Server{db: db}
+func NewServer(db *sqlc.Queries, JwtPrivatekey string) Server {
+	return Server{db: db, JwtPrivateKey: JwtPrivatekey}
 }

 func parseInt64(s string) (int32, error) {
@ -47,15 +47,15 @@ func CheckPassword(password, hash string) (bool, error) {
 	return argon2id.ComparePasswordAndHash(password, hash)
 }

-func generateTokens(userID string) (accessToken string, refreshToken string, err error) {
+func (s Server) generateTokens(userID string) (accessToken string, refreshToken string, csrfToken string, err error) {
 	accessClaims := jwt.MapClaims{
 		"user_id": userID,
 		"exp":     time.Now().Add(15 * time.Minute).Unix(),
 	}
 	at := jwt.NewWithClaims(jwt.SigningMethodHS256, accessClaims)
-	accessToken, err = at.SignedString(accessSecret)
+	accessToken, err = at.SignedString(s.JwtPrivateKey)
 	if err != nil {
-		return "", "", err
+		return "", "", "", err
 	}

 	refreshClaims := jwt.MapClaims{
@ -63,12 +63,19 @@ func generateTokens(userID string) (accessToken string, refreshToken string, err
 		"exp":     time.Now().Add(7 * 24 * time.Hour).Unix(),
 	}
 	rt := jwt.NewWithClaims(jwt.SigningMethodHS256, refreshClaims)
-	refreshToken, err = rt.SignedString(refreshSecret)
+	refreshToken, err = rt.SignedString(s.JwtPrivateKey)
 	if err != nil {
-		return "", "", err
+		return "", "", "", err
 	}

-	return accessToken, refreshToken, nil
+	csrfBytes := make([]byte, 32)
+	_, err = rand.Read(csrfBytes)
+	if err != nil {
+		return "", "", "", err
+	}
+	csrfToken = base64.RawURLEncoding.EncodeToString(csrfBytes)
+
+	return accessToken, refreshToken, csrfToken, nil
 }

 func (s Server) PostAuthSignUp(ctx context.Context, req auth.PostAuthSignUpRequestObject) (auth.PostAuthSignUpResponseObject, error) {
@ -118,7 +125,7 @@ func (s Server) PostAuthSignIn(ctx context.Context, req auth.PostAuthSignInReque
 		}, nil
 	}

-	accessToken, refreshToken, err := generateTokens(req.Body.Nickname)
+	accessToken, refreshToken, csrfToken, err := s.generateTokens(req.Body.Nickname)
 	if err != nil {
 		log.Errorf("failed to generate tokens for user %s: %v", req.Body.Nickname, err)
 		// TODO: return 500
@ -126,8 +133,9 @@ func (s Server) PostAuthSignIn(ctx context.Context, req auth.PostAuthSignInReque

 	// TODO: check cookie settings carefully
 	ginCtx.SetSameSite(http.SameSiteStrictMode)
-	ginCtx.SetCookie("access_token", accessToken, 604800, "/auth", "", false, true)
-	ginCtx.SetCookie("refresh_token", refreshToken, 604800, "/api", "", false, true)
+	ginCtx.SetCookie("access_token", accessToken, 900, "/api", "", false, true)
+	ginCtx.SetCookie("refresh_token", refreshToken, 1209600, "/auth", "", false, true)
+	ginCtx.SetCookie("xsrf_token", csrfToken, 1209600, "/api", "", false, false)

 	result := auth.PostAuthSignIn200JSONResponse{
 		UserId:   user.ID,
--- a/modules/auth/helpers.go
+++ b/modules/auth/helpers.go
@ -0,0 +1,33 @@
+package main
+
+import (
+	"fmt"
+	"reflect"
+)
+
+func setField(obj interface{}, name string, value interface{}) error {
+	v := reflect.ValueOf(obj)
+
+	if v.Kind() != reflect.Ptr || v.Elem().Kind() != reflect.Struct {
+		return fmt.Errorf("expected pointer to a struct")
+	}
+
+	v = v.Elem()
+	field := v.FieldByName(name)
+
+	if !field.IsValid() {
+		return fmt.Errorf("no such field: %s", name)
+	}
+	if !field.CanSet() {
+		return fmt.Errorf("cannot set field: %s", name)
+	}
+
+	val := reflect.ValueOf(value)
+
+	if field.Type() != val.Type() {
+		return fmt.Errorf("provided value type (%s) doesn't match field type (%s)", val.Type(), field.Type())
+	}
+
+	field.Set(val)
+	return nil
+}
--- a/modules/auth/main.go
+++ b/modules/auth/main.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"reflect"
 	"time"

 	auth "nyanimedb/auth"
@ -13,12 +14,24 @@ import (
 	"github.com/gin-contrib/cors"
 	"github.com/gin-gonic/gin"
 	"github.com/jackc/pgx/v5/pgxpool"
+	"github.com/pelletier/go-toml/v2"
+	log "github.com/sirupsen/logrus"
 )

 var AppConfig Config

 func main() {
-	// TODO: env args
+	if len(os.Args) != 2 {
+		AppConfig.Mode = "env"
+	} else {
+		AppConfig.Mode = "argv"
+	}
+
+	err := InitConfig()
+	if err != nil {
+		log.Fatalf("Failed to init config: %v\n", err)
+	}
+
 	r := gin.Default()

 	pool, err := pgxpool.New(context.Background(), os.Getenv("DATABASE_URL"))
@ -29,10 +42,10 @@ func main() {

 	var queries *sqlc.Queries = sqlc.New(pool)

-	server := handlers.NewServer(queries)
+	server := handlers.NewServer(queries, AppConfig.JwtPrivateKey)

 	r.Use(cors.New(cors.Config{
-		AllowOrigins:     []string{"*"}, // allow all origins, change to specific domains in production
+		AllowOrigins:     []string{AppConfig.ServiceAddress},
 		AllowMethods:     []string{"GET", "POST", "PUT", "DELETE"},
 		AllowHeaders:     []string{"Origin", "Content-Type", "Accept"},
 		ExposeHeaders:    []string{"Content-Length"},
@ -47,3 +60,41 @@ func main() {

 	r.Run(":8082")
 }
+
+func InitConfig() error {
+	if AppConfig.Mode == "argv" {
+		content, err := os.ReadFile(os.Args[1])
+		if err != nil {
+			return err
+		}
+
+		toml.Unmarshal(content, &AppConfig)
+
+		fmt.Printf("%+v\n", AppConfig)
+
+		return nil
+	} else if AppConfig.Mode == "env" {
+		f := reflect.ValueOf(AppConfig)
+
+		for i := 0; i < f.NumField(); i++ {
+			field := f.Type().Field(i)
+			tag := field.Tag
+			env_var := tag.Get("env")
+			fmt.Printf("Field: %v.\nEnvironment variable: %v.\n", field.Name, env_var)
+			if env_var != "" {
+				env_value, exists := os.LookupEnv(env_var)
+				if !exists {
+					return fmt.Errorf("there is no env variable %s", env_var)
+				}
+				err := setField(&AppConfig, field.Name, env_value)
+				if err != nil {
+					return fmt.Errorf("failed to set config field %s: %v", field.Name, err)
+				}
+			}
+		}
+
+		return nil
+	} else {
+		return fmt.Errorf("incorrect config mode")
+	}
+}
--- a/modules/auth/types.go
+++ b/modules/auth/types.go
@ -1,6 +1,9 @@
 package main

 type Config struct {
-	JwtPrivateKey string
-	LogLevel      string `toml:"LogLevel" env:"LOG_LEVEL"`
+	Mode           string
+	ServiceAddress string `toml:"ServiceAddress" env:"SERVICE_ADDRESS"`
+	DdUrl          string `toml:"DbUrl" env:"DATABASE_URL"`
+	JwtPrivateKey  string `toml:"JwtPrivateKey" env:"JWT_PRIVATE_KEY"`
+	LogLevel       string `toml:"LogLevel" env:"LOG_LEVEL"`
 }