✨ Real feel-less refresh token

2024-02-18 15:51:27 +08:00
parent cc2aa8ef40
commit 00028cfce8
20 changed files with 250 additions and 210 deletions
--- a/pkg/security/challanges.go
+++ b/pkg/security/challanges.go
@ -2,6 +2,8 @@ package security

 import (
 	"fmt"
+	"github.com/google/uuid"
+	"strings"
 	"time"

 	"code.smartsheep.studio/hydrogen/identity/pkg/database"
@ -83,5 +85,11 @@ func DoChallenge(challenge models.AuthChallenge, factor models.AuthFactor, code
 		return err
 	}

+	// Revoke some factor passwords
+	if factor.Type == models.EmailPasswordFactor {
+		factor.Secret = strings.ReplaceAll(uuid.NewString(), "-", "")
+		database.C.Save(&factor)
+	}
+
 	return nil
 }
--- a/pkg/security/jwt.go
+++ b/pkg/security/jwt.go
@ -2,12 +2,16 @@ package security

 import (
 	"fmt"
+	"github.com/gofiber/fiber/v2"
 	"time"

 	"github.com/golang-jwt/jwt/v5"
 	"github.com/spf13/viper"
 )

+var CookieAccessKey = "identity_auth_key"
+var CookieRefreshKey = "identity_refresh_key"
+
 type PayloadClaims struct {
 	jwt.RegisteredClaims

@ -56,3 +60,22 @@ func DecodeJwt(str string) (PayloadClaims, error) {
 		return claims, fmt.Errorf("unexpected token payload: not payload claims type")
 	}
 }
+
+func SetJwtCookieSet(c *fiber.Ctx, access, refresh string) {
+	c.Cookie(&fiber.Cookie{
+		Name:     CookieAccessKey,
+		Value:    access,
+		Domain:   viper.GetString("security.cookie_domain"),
+		SameSite: viper.GetString("security.cookie_samesite"),
+		Expires:  time.Now().Add(60 * time.Minute),
+		Path:     "/",
+	})
+	c.Cookie(&fiber.Cookie{
+		Name:     CookieRefreshKey,
+		Value:    refresh,
+		Domain:   viper.GetString("security.cookie_domain"),
+		SameSite: viper.GetString("security.cookie_samesite"),
+		Expires:  time.Now().Add(24 * 30 * time.Hour),
+		Path:     "/",
+	})
+}
--- a/pkg/security/sessions.go
+++ b/pkg/security/sessions.go
@ -2,6 +2,7 @@ package security

 import (
 	"fmt"
+	"github.com/spf13/viper"
 	"strconv"
 	"time"

@ -84,15 +85,17 @@ func GetToken(session models.AuthSession) (string, string, error) {
 		return refresh, access, err
 	}

-	var err error
+	accessDuration := time.Duration(viper.GetInt64("security.access_token_duration")) * time.Second
+	refreshDuration := time.Duration(viper.GetInt64("security.refresh_token_duration")) * time.Second

+	var err error
 	sub := strconv.Itoa(int(session.AccountID))
 	sed := strconv.Itoa(int(session.ID))
-	access, err = EncodeJwt(session.AccessToken, JwtAccessType, sub, sed, session.Audiences, time.Now().Add(30*time.Minute))
+	access, err = EncodeJwt(session.AccessToken, JwtAccessType, sub, sed, session.Audiences, time.Now().Add(accessDuration))
 	if err != nil {
 		return refresh, access, err
 	}
-	refresh, err = EncodeJwt(session.RefreshToken, JwtRefreshType, sub, sed, session.Audiences, time.Now().Add(30*24*time.Hour))
+	refresh, err = EncodeJwt(session.RefreshToken, JwtRefreshType, sub, sed, session.Audiences, time.Now().Add(refreshDuration))
 	if err != nil {
 		return refresh, access, err
 	}
@ -153,5 +156,9 @@ func RefreshToken(token string) (string, string, error) {
 		return "404", "403", err
 	}

-	return GetToken(session)
+	if session, err := RegenSession(session); err != nil {
+		return "404", "403", err
+	} else {
+		return GetToken(session)
+	}
 }