Real feel-less refresh token

This commit is contained in:
LittleSheep 2024-02-18 15:51:27 +08:00
parent cc2aa8ef40
commit 00028cfce8
20 changed files with 250 additions and 210 deletions

View File

@ -7,20 +7,12 @@ import (
"time" "time"
) )
type AccountState = int8
const (
PendingAccountState = AccountState(iota)
ActiveAccountState
)
type Account struct { type Account struct {
BaseModel BaseModel
Name string `json:"name" gorm:"uniqueIndex"` Name string `json:"name" gorm:"uniqueIndex"`
Nick string `json:"nick"` Nick string `json:"nick"`
Avatar string `json:"avatar"` Avatar string `json:"avatar"`
State AccountState `json:"state"`
Profile AccountProfile `json:"profile"` Profile AccountProfile `json:"profile"`
Sessions []AuthSession `json:"sessions"` Sessions []AuthSession `json:"sessions"`
Challenges []AuthChallenge `json:"challenges"` Challenges []AuthChallenge `json:"challenges"`

View File

@ -2,6 +2,8 @@ package security
import ( import (
"fmt" "fmt"
"github.com/google/uuid"
"strings"
"time" "time"
"code.smartsheep.studio/hydrogen/identity/pkg/database" "code.smartsheep.studio/hydrogen/identity/pkg/database"
@ -83,5 +85,11 @@ func DoChallenge(challenge models.AuthChallenge, factor models.AuthFactor, code
return err return err
} }
// Revoke some factor passwords
if factor.Type == models.EmailPasswordFactor {
factor.Secret = strings.ReplaceAll(uuid.NewString(), "-", "")
database.C.Save(&factor)
}
return nil return nil
} }

View File

@ -2,12 +2,16 @@ package security
import ( import (
"fmt" "fmt"
"github.com/gofiber/fiber/v2"
"time" "time"
"github.com/golang-jwt/jwt/v5" "github.com/golang-jwt/jwt/v5"
"github.com/spf13/viper" "github.com/spf13/viper"
) )
var CookieAccessKey = "identity_auth_key"
var CookieRefreshKey = "identity_refresh_key"
type PayloadClaims struct { type PayloadClaims struct {
jwt.RegisteredClaims jwt.RegisteredClaims
@ -56,3 +60,22 @@ func DecodeJwt(str string) (PayloadClaims, error) {
return claims, fmt.Errorf("unexpected token payload: not payload claims type") return claims, fmt.Errorf("unexpected token payload: not payload claims type")
} }
} }
func SetJwtCookieSet(c *fiber.Ctx, access, refresh string) {
c.Cookie(&fiber.Cookie{
Name: CookieAccessKey,
Value: access,
Domain: viper.GetString("security.cookie_domain"),
SameSite: viper.GetString("security.cookie_samesite"),
Expires: time.Now().Add(60 * time.Minute),
Path: "/",
})
c.Cookie(&fiber.Cookie{
Name: CookieRefreshKey,
Value: refresh,
Domain: viper.GetString("security.cookie_domain"),
SameSite: viper.GetString("security.cookie_samesite"),
Expires: time.Now().Add(24 * 30 * time.Hour),
Path: "/",
})
}

View File

@ -2,6 +2,7 @@ package security
import ( import (
"fmt" "fmt"
"github.com/spf13/viper"
"strconv" "strconv"
"time" "time"
@ -84,15 +85,17 @@ func GetToken(session models.AuthSession) (string, string, error) {
return refresh, access, err return refresh, access, err
} }
var err error accessDuration := time.Duration(viper.GetInt64("security.access_token_duration")) * time.Second
refreshDuration := time.Duration(viper.GetInt64("security.refresh_token_duration")) * time.Second
var err error
sub := strconv.Itoa(int(session.AccountID)) sub := strconv.Itoa(int(session.AccountID))
sed := strconv.Itoa(int(session.ID)) sed := strconv.Itoa(int(session.ID))
access, err = EncodeJwt(session.AccessToken, JwtAccessType, sub, sed, session.Audiences, time.Now().Add(30*time.Minute)) access, err = EncodeJwt(session.AccessToken, JwtAccessType, sub, sed, session.Audiences, time.Now().Add(accessDuration))
if err != nil { if err != nil {
return refresh, access, err return refresh, access, err
} }
refresh, err = EncodeJwt(session.RefreshToken, JwtRefreshType, sub, sed, session.Audiences, time.Now().Add(30*24*time.Hour)) refresh, err = EncodeJwt(session.RefreshToken, JwtRefreshType, sub, sed, session.Audiences, time.Now().Add(refreshDuration))
if err != nil { if err != nil {
return refresh, access, err return refresh, access, err
} }
@ -153,5 +156,9 @@ func RefreshToken(token string) (string, string, error) {
return "404", "403", err return "404", "403", err
} }
return GetToken(session) if session, err := RegenSession(session); err != nil {
return "404", "403", err
} else {
return GetToken(session)
}
} }

View File

@ -137,12 +137,12 @@ func doRegister(c *fiber.Ctx) error {
return err return err
} else if viper.GetBool("use_registration_magic_token") && len(data.MagicToken) <= 0 { } else if viper.GetBool("use_registration_magic_token") && len(data.MagicToken) <= 0 {
return fmt.Errorf("missing magic token in request") return fmt.Errorf("missing magic token in request")
} } else if viper.GetBool("use_registration_magic_token") {
if tk, err := services.ValidateMagicToken(data.MagicToken, models.RegistrationMagicToken); err != nil {
if tk, err := services.ValidateMagicToken(data.MagicToken, models.RegistrationMagicToken); err != nil { return err
return err } else {
} else { database.C.Delete(&tk)
database.C.Delete(&tk) }
} }
if user, err := services.CreateAccount( if user, err := services.CreateAccount(

View File

@ -1,36 +0,0 @@
package server
import (
"code.smartsheep.studio/hydrogen/identity/pkg/security"
"code.smartsheep.studio/hydrogen/identity/pkg/services"
"github.com/gofiber/fiber/v2"
"github.com/gofiber/fiber/v2/middleware/keyauth"
)
var auth = keyauth.New(keyauth.Config{
KeyLookup: "header:Authorization",
AuthScheme: "Bearer",
Validator: func(c *fiber.Ctx, token string) (bool, error) {
claims, err := security.DecodeJwt(token)
if err != nil {
return false, err
}
session, err := services.LookupSessionWithToken(claims.ID)
if err != nil {
return false, err
} else if err := session.IsAvailable(); err != nil {
return false, err
}
user, err := services.GetAccount(session.AccountID)
if err != nil {
return false, err
}
c.Locals("principal", user)
return true, nil
},
ContextKey: "token",
})

View File

@ -0,0 +1,72 @@
package server
import (
"code.smartsheep.studio/hydrogen/identity/pkg/security"
"code.smartsheep.studio/hydrogen/identity/pkg/services"
"fmt"
"github.com/gofiber/fiber/v2"
"strings"
)
func authMiddleware(c *fiber.Ctx) error {
var token string
if cookie := c.Cookies(security.CookieAccessKey); len(cookie) > 0 {
token = cookie
}
if header := c.Get(fiber.HeaderAuthorization); len(header) > 0 {
tk := strings.Replace(header, "Bearer", "", 1)
token = strings.TrimSpace(tk)
}
c.Locals("token", token)
if err := authFunc(c); err != nil {
fmt.Println(err)
return err
}
return c.Next()
}
func authFunc(c *fiber.Ctx, overrides ...string) error {
var token string
if len(overrides) > 0 {
token = overrides[0]
} else {
if tk, ok := c.Locals("token").(string); !ok {
return fiber.NewError(fiber.StatusUnauthorized)
} else {
token = tk
}
}
claims, err := security.DecodeJwt(token)
if err != nil {
rtk := c.Cookies(security.CookieRefreshKey)
if len(rtk) > 0 && len(overrides) < 1 {
// Auto refresh and retry
access, refresh, err := security.RefreshToken(rtk)
if err == nil {
security.SetJwtCookieSet(c, access, refresh)
return authFunc(c, access)
}
}
return fiber.NewError(fiber.StatusUnauthorized, fmt.Sprintf("invalid auth key: %v", err))
}
session, err := services.LookupSessionWithToken(claims.ID)
if err != nil {
return fiber.NewError(fiber.StatusUnauthorized, fmt.Sprintf("invalid auth session: %v", err))
} else if err := session.IsAvailable(); err != nil {
return fiber.NewError(fiber.StatusUnauthorized, fmt.Sprintf("unavailable auth session: %v", err))
}
user, err := services.GetAccount(session.AccountID)
if err != nil {
return fiber.NewError(fiber.StatusUnauthorized, fmt.Sprintf("invalid account: %v", err))
}
c.Locals("principal", user)
return nil
}

View File

@ -127,6 +127,8 @@ func exchangeToken(c *fiber.Ctx) error {
return fiber.NewError(fiber.StatusBadRequest, "unsupported exchange token type") return fiber.NewError(fiber.StatusBadRequest, "unsupported exchange token type")
} }
security.SetJwtCookieSet(c, access, refresh)
return c.JSON(fiber.Map{ return c.JSON(fiber.Map{
"id_token": access, "id_token": access,
"access_token": access, "access_token": access,

View File

@ -58,18 +58,18 @@ func NewServer() {
api := A.Group("/api").Name("API") api := A.Group("/api").Name("API")
{ {
api.Get("/avatar/:avatarId", getAvatar) api.Get("/avatar/:avatarId", getAvatar)
api.Put("/avatar", auth, setAvatar) api.Put("/avatar", authMiddleware, setAvatar)
api.Get("/notifications", auth, getNotifications) api.Get("/notifications", authMiddleware, getNotifications)
api.Put("/notifications/:notificationId/read", auth, markNotificationRead) api.Put("/notifications/:notificationId/read", authMiddleware, markNotificationRead)
api.Post("/notifications/subscribe", auth, addNotifySubscriber) api.Post("/notifications/subscribe", authMiddleware, addNotifySubscriber)
api.Get("/users/me", auth, getUserinfo) api.Get("/users/me", authMiddleware, getUserinfo)
api.Put("/users/me", auth, editUserinfo) api.Put("/users/me", authMiddleware, editUserinfo)
api.Get("/users/me/events", auth, getEvents) api.Get("/users/me/events", authMiddleware, getEvents)
api.Get("/users/me/challenges", auth, getChallenges) api.Get("/users/me/challenges", authMiddleware, getChallenges)
api.Get("/users/me/sessions", auth, getSessions) api.Get("/users/me/sessions", authMiddleware, getSessions)
api.Delete("/users/me/sessions/:sessionId", auth, killSession) api.Delete("/users/me/sessions/:sessionId", authMiddleware, killSession)
api.Post("/users", doRegister) api.Post("/users", doRegister)
api.Post("/users/me/confirm", doRegisterConfirm) api.Post("/users/me/confirm", doRegisterConfirm)
@ -79,8 +79,8 @@ func NewServer() {
api.Post("/auth/token", exchangeToken) api.Post("/auth/token", exchangeToken)
api.Post("/auth/factors/:factorId", requestFactorToken) api.Post("/auth/factors/:factorId", requestFactorToken)
api.Get("/auth/o/connect", auth, preConnect) api.Get("/auth/o/connect", authMiddleware, preConnect)
api.Post("/auth/o/connect", auth, doConnect) api.Post("/auth/o/connect", authMiddleware, doConnect)
developers := api.Group("/dev").Name("Developers API") developers := api.Group("/dev").Name("Developers API")
{ {

View File

@ -21,8 +21,8 @@ func getOidcConfiguration(c *fiber.Ctx) error {
return c.JSON(fiber.Map{ return c.JSON(fiber.Map{
"issuer": basepath, "issuer": basepath,
"authorization_endpoint": fmt.Sprintf("%s/auth/o/connect", basepath), "authorization_endpoint": fmt.Sprintf("%s/authMiddleware/o/connect", basepath),
"token_endpoint": fmt.Sprintf("%s/api/auth/token", basepath), "token_endpoint": fmt.Sprintf("%s/api/authMiddleware/token", basepath),
"userinfo_endpoint": fmt.Sprintf("%s/api/users/me", basepath), "userinfo_endpoint": fmt.Sprintf("%s/api/users/me", basepath),
"response_types_supported": []string{"code", "token"}, "response_types_supported": []string{"code", "token"},
"grant_types_supported": []string{"authorization_code", "implicit", "refresh_token"}, "grant_types_supported": []string{"authorization_code", "implicit", "refresh_token"},

View File

@ -43,9 +43,8 @@ func LookupAccount(id string) (models.Account, error) {
func CreateAccount(name, nick, email, password string) (models.Account, error) { func CreateAccount(name, nick, email, password string) (models.Account, error) {
user := models.Account{ user := models.Account{
Name: name, Name: name,
Nick: nick, Nick: nick,
State: models.PendingAccountState,
Profile: models.AccountProfile{ Profile: models.AccountProfile{
Experience: 100, Experience: 100,
}, },

View File

@ -9,6 +9,7 @@
"preview": "vite preview" "preview": "vite preview"
}, },
"dependencies": { "dependencies": {
"@fortawesome/fontawesome-free": "^6.5.1",
"@solidjs/router": "^0.10.10", "@solidjs/router": "^0.10.10",
"solid-js": "^1.8.7", "solid-js": "^1.8.7",
"universal-cookie": "^7.0.2" "universal-cookie": "^7.0.2"

View File

@ -8,6 +8,8 @@ import "./assets/fonts/fonts.css";
import { lazy } from "solid-js"; import { lazy } from "solid-js";
import { Route, Router } from "@solidjs/router"; import { Route, Router } from "@solidjs/router";
import "@fortawesome/fontawesome-free/css/all.min.css";
import RootLayout from "./layouts/RootLayout.tsx"; import RootLayout from "./layouts/RootLayout.tsx";
import { UserinfoProvider } from "./stores/userinfo.tsx"; import { UserinfoProvider } from "./stores/userinfo.tsx";
import { WellKnownProvider } from "./stores/wellKnown.tsx"; import { WellKnownProvider } from "./stores/wellKnown.tsx";

View File

@ -1,4 +1,4 @@
import Navbar from "./shared/Navbar.tsx"; import Navigatior from "./shared/Navigatior.tsx";
import { readProfiles, useUserinfo } from "../stores/userinfo.tsx"; import { readProfiles, useUserinfo } from "../stores/userinfo.tsx";
import { createEffect, createMemo, createSignal, Show } from "solid-js"; import { createEffect, createMemo, createSignal, Show } from "solid-js";
import { readWellKnown } from "../stores/wellKnown.tsx"; import { readWellKnown } from "../stores/wellKnown.tsx";
@ -52,7 +52,7 @@ export default function RootLayout(props: any) {
</div> </div>
}> }>
<Show when={!searchParams["embedded"]}> <Show when={!searchParams["embedded"]}>
<Navbar /> <Navigatior />
</Show> </Show>
<main class={`${mainContentStyles()} px-5`}>{props.children}</main> <main class={`${mainContentStyles()} px-5`}>{props.children}</main>

View File

@ -8,7 +8,7 @@ interface MenuItem {
children?: MenuItem[]; children?: MenuItem[];
} }
export default function Navbar() { export default function Navigatior() {
const nav: MenuItem[] = [ const nav: MenuItem[] = [
{ {
label: "You", children: [ label: "You", children: [

View File

@ -1,7 +1,6 @@
import { readProfiles } from "../../stores/userinfo.tsx"; import { readProfiles } from "../../stores/userinfo.tsx";
import { useNavigate, useSearchParams } from "@solidjs/router"; import { useNavigate, useSearchParams } from "@solidjs/router";
import { createSignal, For, Match, Show, Switch } from "solid-js"; import { createSignal, For, Match, Show, Switch } from "solid-js";
import Cookie from "universal-cookie";
export default function LoginPage() { export default function LoginPage() {
const [title, setTitle] = createSignal("Sign in"); const [title, setTitle] = createSignal("Sign in");
@ -116,9 +115,6 @@ export default function LoginPage() {
setError(err); setError(err);
throw new Error(err); throw new Error(err);
} else { } else {
const data = await res.json();
new Cookie().set("access_token", data["access_token"], { path: "/", maxAge: undefined });
new Cookie().set("refresh_token", data["refresh_token"], { path: "/", maxAge: undefined });
setError(null); setError(null);
} }
} }

View File

@ -1,5 +1,5 @@
import { getAtk } from "../stores/userinfo.tsx"; import { getAtk } from "../stores/userinfo.tsx";
import { createSignal, For, Show } from "solid-js"; import { createSignal, For, Match, Show, Switch } from "solid-js";
export default function DashboardPage() { export default function DashboardPage() {
const [challenges, setChallenges] = createSignal<any[]>([]); const [challenges, setChallenges] = createSignal<any[]>([]);
@ -12,6 +12,8 @@ export default function DashboardPage() {
const [error, setError] = createSignal<string | null>(null); const [error, setError] = createSignal<string | null>(null);
const [submitting, setSubmitting] = createSignal(false); const [submitting, setSubmitting] = createSignal(false);
const [contentTab, setContentTab] = createSignal(0);
async function readChallenges() { async function readChallenges() {
const res = await fetch("/api/users/me/challenges?take=10", { const res = await fetch("/api/users/me/challenges?take=10", {
headers: { Authorization: `Bearer ${getAtk()}` } headers: { Authorization: `Bearer ${getAtk()}` }
@ -94,11 +96,7 @@ export default function DashboardPage() {
<div class="stats shadow w-full"> <div class="stats shadow w-full">
<div class="stat"> <div class="stat">
<div class="stat-figure text-secondary"> <div class="stat-figure text-secondary">
<svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" <i class="fa-solid fa-door-open inline-block text-[28px] w-8 h-8 stroke-current"></i>
class="inline-block w-8 h-8 stroke-current">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
d="M13 16h-1v-4h-1m1-4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z"></path>
</svg>
</div> </div>
<div class="stat-title">Challenges</div> <div class="stat-title">Challenges</div>
<div class="stat-value">{challengeCount()}</div> <div class="stat-value">{challengeCount()}</div>
@ -106,11 +104,7 @@ export default function DashboardPage() {
<div class="stat"> <div class="stat">
<div class="stat-figure text-secondary"> <div class="stat-figure text-secondary">
<svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" <i class="fa-solid fa-key inline-block text-[28px] w-8 h-8 stroke-current"></i>
class="inline-block w-8 h-8 stroke-current">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
d="M12 6V4m0 2a2 2 0 100 4m0-4a2 2 0 110 4m-6 8a2 2 0 100-4m0 4a2 2 0 110-4m0 4v2m0-6V4m6 6v10m6-2a2 2 0 100-4m0 4a2 2 0 110-4m0 4v2m0-6V4"></path>
</svg>
</div> </div>
<div class="stat-title">Sessions</div> <div class="stat-title">Sessions</div>
<div class="stat-value">{sessionCount()}</div> <div class="stat-value">{sessionCount()}</div>
@ -118,11 +112,7 @@ export default function DashboardPage() {
<div class="stat"> <div class="stat">
<div class="stat-figure text-secondary"> <div class="stat-figure text-secondary">
<svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" <i class="fa-solid fa-person-walking inline-block text-[28px] w-8 h-8 stroke-current"></i>
class="inline-block w-8 h-8 stroke-current">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
d="M5 8h14M5 8a2 2 0 110-4h14a2 2 0 110 4M5 8v10a2 2 0 002 2h10a2 2 0 002-2V8m-9 4h4"></path>
</svg>
</div> </div>
<div class="stat-title">Events</div> <div class="stat-title">Events</div>
<div class="stat-value">{eventCount()}</div> <div class="stat-value">{eventCount()}</div>
@ -130,50 +120,52 @@ export default function DashboardPage() {
</div> </div>
</div> </div>
<div id="data-area" class="mt-5 shadow"> <div id="switch-area" class="mt-5">
<div class="join join-vertical w-full"> <div role="tablist" class="tabs tabs-boxed">
<input type="radio" name="content-switch" role="tab" class="tab" aria-label="Challenges"
checked={contentTab() === 0} onChange={() => setContentTab(0)} />
<input type="radio" name="content-switch" role="tab" class="tab" aria-label="Sessions"
checked={contentTab() === 1} onChange={() => setContentTab(1)} />
<input type="radio" name="content-switch" role="tab" class="tab" aria-label="Events"
checked={contentTab() === 2} onChange={() => setContentTab(2)} />
</div>
</div>
<details class="collapse collapse-plus join-item border-b border-base-200"> <div id="data-area" class="mt-5 shadow">
<summary class="collapse-title text-lg font-medium"> <Switch>
Challenges <Match when={contentTab() === 0}>
</summary> <div class="overflow-x-auto">
<div class="collapse-content mx-[-16px]"> <table class="table">
<div class="overflow-x-auto"> <thead>
<table class="table"> <tr>
<thead> <th></th>
<tr> <th>State</th>
<th></th> <th>IP Address</th>
<th>State</th> <th>User Agent</th>
<th>IP Address</th> <th>Date</th>
<th>User Agent</th> </tr>
<th>Date</th> </thead>
</tr> <tbody>
</thead> <For each={challenges()}>
<tbody> {item => <tr>
<For each={challenges()}> <th>{item.id}</th>
{item => <tr> <td>{item.state}</td>
<th>{item.id}</th> <td>{item.ip_address}</td>
<td>{item.state}</td> <td>
<td>{item.ip_address}</td>
<td>
<span class="tooltip" data-tip={item.user_agent}> <span class="tooltip" data-tip={item.user_agent}>
{item.user_agent.substring(0, 10) + "..."} {item.user_agent.substring(0, 10) + "..."}
</span> </span>
</td> </td>
<td>{new Date(item.created_at).toLocaleString()}</td> <td>{new Date(item.created_at).toLocaleString()}</td>
</tr>} </tr>}
</For> </For>
</tbody> </tbody>
</table> </table>
</div>
</div> </div>
</details> </Match>
<details class="collapse collapse-plus join-item border-b border-base-200"> <Match when={contentTab() === 1}>
<summary class="collapse-title text-lg font-medium"> <div class="overflow-x-auto">
Sessions
</summary>
<div class="collapse-content mx-[-16px]">
<table class="table"> <table class="table">
<thead> <thead>
<tr> <tr>
@ -192,13 +184,8 @@ export default function DashboardPage() {
<td>{item.audiences?.join(", ")}</td> <td>{item.audiences?.join(", ")}</td>
<td>{new Date(item.created_at).toLocaleString()}</td> <td>{new Date(item.created_at).toLocaleString()}</td>
<td class="py-0"> <td class="py-0">
<button class="btn btn-sm btn-square btn-error" disabled={submitting()} <button disabled={submitting()} onClick={() => killSession(item)}>
onClick={() => killSession(item)}> <i class="fa-solid fa-right-from-bracket"></i>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512" class="h-5 w-5">
<path
d="M256 48C141.31 48 48 141.31 48 256s93.31 208 208 208s208-93.31 208-208S370.69 48 256 48zm80 224H176a16 16 0 0 1 0-32h160a16 16 0 0 1 0 32z"
fill="currentColor"></path>
</svg>
</button> </button>
</td> </td>
</tr>} </tr>}
@ -206,47 +193,41 @@ export default function DashboardPage() {
</tbody> </tbody>
</table> </table>
</div> </div>
</details> </Match>
<details class="collapse collapse-plus join-item"> <Match when={contentTab() === 2}>
<summary class="collapse-title text-lg font-medium"> <div class="overflow-x-auto">
Events <table class="table">
</summary> <thead>
<div class="collapse-content mx-[-16px]"> <tr>
<div class="overflow-x-auto"> <th></th>
<table class="table"> <th>Type</th>
<thead> <th>Target</th>
<tr> <th>IP Address</th>
<th></th> <th>User Agent</th>
<th>Type</th> <th>Date</th>
<th>Target</th> </tr>
<th>IP Address</th> </thead>
<th>User Agent</th> <tbody>
<th>Date</th> <For each={events()}>
</tr> {item => <tr>
</thead> <th>{item.id}</th>
<tbody> <td>{item.type}</td>
<For each={events()}> <td>{item.target}</td>
{item => <tr> <td>{item.ip_address}</td>
<th>{item.id}</th> <td>
<td>{item.type}</td>
<td>{item.target}</td>
<td>{item.ip_address}</td>
<td>
<span class="tooltip" data-tip={item.user_agent}> <span class="tooltip" data-tip={item.user_agent}>
{item.user_agent.substring(0, 10) + "..."} {item.user_agent.substring(0, 10) + "..."}
</span> </span>
</td> </td>
<td>{new Date(item.created_at).toLocaleString()}</td> <td>{new Date(item.created_at).toLocaleString()}</td>
</tr>} </tr>}
</For> </For>
</tbody> </tbody>
</table> </table>
</div>
</div> </div>
</details> </Match>
</Switch>
</div>
</div> </div>
</div> </div>
); );

View File

@ -21,49 +21,23 @@ const defaultUserinfo: Userinfo = {
const [userinfo, setUserinfo] = createStore<Userinfo>(structuredClone(defaultUserinfo)); const [userinfo, setUserinfo] = createStore<Userinfo>(structuredClone(defaultUserinfo));
export function getAtk(): string { export function getAtk(): string {
return new Cookie().get("access_token"); return new Cookie().get("identity_auth_key");
}
export async function refreshAtk() {
const rtk = new Cookie().get("refresh_token");
const res = await fetch("/api/auth/token", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
refresh_token: rtk,
grant_type: "refresh_token"
})
});
if (res.status !== 200) {
console.error(await res.text())
} else {
const data = await res.json();
new Cookie().set("access_token", data["access_token"], { path: "/", maxAge: undefined });
new Cookie().set("refresh_token", data["refresh_token"], { path: "/", maxAge: undefined });
}
} }
function checkLoggedIn(): boolean { function checkLoggedIn(): boolean {
return new Cookie().get("access_token"); return new Cookie().get("identity_auth_key");
} }
export async function readProfiles(recovering = true) { export async function readProfiles() {
if (!checkLoggedIn()) return; if (!checkLoggedIn()) return;
const res = await fetch("/api/users/me", { const res = await fetch("/api/users/me", {
headers: { "Authorization": `Bearer ${getAtk()}` } credentials: "include"
}); });
if (res.status !== 200) { if (res.status !== 200) {
if (recovering) { clearUserinfo();
// Auto retry after refresh access token window.location.reload();
await refreshAtk();
return await readProfiles(false);
} else {
clearUserinfo();
window.location.reload();
}
} }
const data = await res.json(); const data = await res.json();
@ -77,8 +51,14 @@ export async function readProfiles(recovering = true) {
} }
export function clearUserinfo() { export function clearUserinfo() {
new Cookie().remove("access_token", { path: "/", maxAge: undefined }); const cookies = document.cookie.split(";");
new Cookie().remove("refresh_token", { path: "/", maxAge: undefined }); for (let i = 0; i < cookies.length; i++) {
const cookie = cookies[i];
const eqPos = cookie.indexOf("=");
const name = eqPos > -1 ? cookie.substring(0, eqPos) : cookie;
document.cookie = name + "=;expires=Thu, 01 Jan 1970 00:00:00 GMT";
}
setUserinfo(defaultUserinfo); setUserinfo(defaultUserinfo);
} }

View File

@ -335,6 +335,11 @@
resolved "https://registry.yarnpkg.com/@esbuild/win32-x64/-/win32-x64-0.19.12.tgz#c57c8afbb4054a3ab8317591a0b7320360b444ae" resolved "https://registry.yarnpkg.com/@esbuild/win32-x64/-/win32-x64-0.19.12.tgz#c57c8afbb4054a3ab8317591a0b7320360b444ae"
integrity sha512-T1QyPSDCyMXaO3pzBkF96E8xMkiRYbUEZADd29SyPGabqxMViNoii+NcK7eWJAEoU6RZyEm5lVSIjTmcdoB9HA== integrity sha512-T1QyPSDCyMXaO3pzBkF96E8xMkiRYbUEZADd29SyPGabqxMViNoii+NcK7eWJAEoU6RZyEm5lVSIjTmcdoB9HA==
"@fortawesome/fontawesome-free@^6.5.1":
version "6.5.1"
resolved "https://registry.yarnpkg.com/@fortawesome/fontawesome-free/-/fontawesome-free-6.5.1.tgz#55cc8410abf1003b726324661ce5b0d1c10de258"
integrity sha512-CNy5vSwN3fsUStPRLX7fUYojyuzoEMSXPl7zSLJ8TgtRfjv24LOnOWKT2zYwaHZCJGkdyRnTmstR0P+Ah503Gw==
"@isaacs/cliui@^8.0.2": "@isaacs/cliui@^8.0.2":
version "8.0.2" version "8.0.2"
resolved "https://registry.yarnpkg.com/@isaacs/cliui/-/cliui-8.0.2.tgz#b37667b7bc181c168782259bab42474fbf52b550" resolved "https://registry.yarnpkg.com/@isaacs/cliui/-/cliui-8.0.2.tgz#b37667b7bc181c168782259bab42474fbf52b550"
@ -1472,6 +1477,7 @@ source-map-js@^1.0.2:
integrity sha512-R0XvVJ9WusLiqTCEiGCmICCMplcCkIwwR11mOSD9CR5u+IXYdiseeEuXCVAjS54zqwkLcPNnmU4OeJ6tUrWhDw== integrity sha512-R0XvVJ9WusLiqTCEiGCmICCMplcCkIwwR11mOSD9CR5u+IXYdiseeEuXCVAjS54zqwkLcPNnmU4OeJ6tUrWhDw==
"string-width-cjs@npm:string-width@^4.2.0", string-width@^4.1.0: "string-width-cjs@npm:string-width@^4.2.0", string-width@^4.1.0:
name string-width-cjs
version "4.2.3" version "4.2.3"
resolved "https://registry.yarnpkg.com/string-width/-/string-width-4.2.3.tgz#269c7117d27b05ad2e536830a8ec895ef9c6d010" resolved "https://registry.yarnpkg.com/string-width/-/string-width-4.2.3.tgz#269c7117d27b05ad2e536830a8ec895ef9c6d010"
integrity sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g== integrity sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==
@ -1490,6 +1496,7 @@ string-width@^5.0.1, string-width@^5.1.2:
strip-ansi "^7.0.1" strip-ansi "^7.0.1"
"strip-ansi-cjs@npm:strip-ansi@^6.0.1", strip-ansi@^6.0.0, strip-ansi@^6.0.1: "strip-ansi-cjs@npm:strip-ansi@^6.0.1", strip-ansi@^6.0.0, strip-ansi@^6.0.1:
name strip-ansi-cjs
version "6.0.1" version "6.0.1"
resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-6.0.1.tgz#9e26c63d30f53443e9489495b2105d37b67a85d9" resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-6.0.1.tgz#9e26c63d30f53443e9489495b2105d37b67a85d9"
integrity sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A== integrity sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==

View File

@ -9,7 +9,7 @@ secret = "LtTjzAGFLshwXhN4ZD4nG5KlMv1MWcsvfv03TSZYnT1VhiAnLIZFTnHUwR0XhGgi"
content = "uploads" content = "uploads"
use_registration_magic_token = true use_registration_magic_token = false
[external.firebase] [external.firebase]
credentials = "dist/firebase-certs.json" credentials = "dist/firebase-certs.json"
@ -21,6 +21,12 @@ smtp_port = 465
username = "alphabot@smartsheep.studio" username = "alphabot@smartsheep.studio"
password = "gz937Zxxzfcd9SeH" password = "gz937Zxxzfcd9SeH"
[security]
cookie_domain = "localhost"
cookie_samesite = "Lax"
access_token_duration = 300
refresh_token_duration = 2592000
[database] [database]
dsn = "host=localhost dbname=hy_identity port=5432 sslmode=disable" dsn = "host=localhost dbname=hy_identity port=5432 sslmode=disable"
prefix = "identity_" prefix = "identity_"