package security import ( "fmt" "strconv" "time" "github.com/spf13/viper" "git.solsynth.dev/hydrogen/passport/pkg/database" "git.solsynth.dev/hydrogen/passport/pkg/models" "github.com/google/uuid" "github.com/samber/lo" ) func GrantSession(challenge models.AuthChallenge, claims, audiences []string, expired, available *time.Time) (models.AuthSession, error) { var session models.AuthSession if err := challenge.IsAvailable(); err != nil { return session, err } if challenge.Progress < challenge.Requirements { return session, fmt.Errorf("challenge haven't passed") } challenge.State = models.FinishChallengeState session = models.AuthSession{ Claims: claims, Audiences: audiences, Challenge: challenge, GrantToken: uuid.NewString(), AccessToken: uuid.NewString(), RefreshToken: uuid.NewString(), ExpiredAt: expired, AvailableAt: available, AccountID: challenge.AccountID, } if err := database.C.Save(&challenge).Error; err != nil { return session, err } else if err := database.C.Save(&session).Error; err != nil { return session, err } return session, nil } func GrantOauthSession(user models.Account, client models.ThirdClient, claims, audiences []string, expired, available *time.Time, ip, ua string) (models.AuthSession, error) { session := models.AuthSession{ Claims: claims, Audiences: audiences, Challenge: models.AuthChallenge{ IpAddress: ip, UserAgent: ua, RiskLevel: CalcRisk(user, ip, ua), State: models.FinishChallengeState, AccountID: user.ID, }, GrantToken: uuid.NewString(), AccessToken: uuid.NewString(), RefreshToken: uuid.NewString(), ExpiredAt: expired, AvailableAt: available, ClientID: &client.ID, AccountID: user.ID, } if err := database.C.Save(&session).Error; err != nil { return session, err } return session, nil } func RegenSession(session models.AuthSession) (models.AuthSession, error) { session.GrantToken = uuid.NewString() session.AccessToken = uuid.NewString() session.RefreshToken = uuid.NewString() err := database.C.Save(&session).Error return session, err } func GetToken(session models.AuthSession) (string, string, error) { var refresh, access string if err := session.IsAvailable(); err != nil { return refresh, access, err } accessDuration := time.Duration(viper.GetInt64("security.access_token_duration")) * time.Second refreshDuration := time.Duration(viper.GetInt64("security.refresh_token_duration")) * time.Second var err error sub := strconv.Itoa(int(session.AccountID)) sed := strconv.Itoa(int(session.ID)) access, err = EncodeJwt(session.AccessToken, JwtAccessType, sub, sed, session.Audiences, time.Now().Add(accessDuration)) if err != nil { return refresh, access, err } refresh, err = EncodeJwt(session.RefreshToken, JwtRefreshType, sub, sed, session.Audiences, time.Now().Add(refreshDuration)) if err != nil { return refresh, access, err } session.LastGrantAt = lo.ToPtr(time.Now()) database.C.Save(&session) return access, refresh, nil } func ExchangeToken(token string) (string, string, error) { var session models.AuthSession if err := database.C.Where(models.AuthSession{GrantToken: token}).First(&session).Error; err != nil { return "404", "403", err } else if session.LastGrantAt != nil { return "404", "403", fmt.Errorf("session was granted the first token, use refresh token instead") } else if len(session.Audiences) > 1 { return "404", "403", fmt.Errorf("should use authorization code grant type") } return GetToken(session) } func ExchangeOauthToken(clientId, clientSecret, redirectUri, token string) (string, string, error) { var client models.ThirdClient if err := database.C.Where(models.ThirdClient{Alias: clientId}).First(&client).Error; err != nil { return "404", "403", err } else if client.Secret != clientSecret { return "404", "403", fmt.Errorf("invalid client secret") } else if !client.IsDraft && !lo.Contains(client.Callbacks, redirectUri) { return "404", "403", fmt.Errorf("invalid redirect uri") } var session models.AuthSession if err := database.C.Where(models.AuthSession{GrantToken: token}).First(&session).Error; err != nil { return "404", "403", err } else if session.LastGrantAt != nil { return "404", "403", fmt.Errorf("session was granted the first token, use refresh token instead") } return GetToken(session) } func RefreshToken(token string) (string, string, error) { parseInt := func(str string) int { val, _ := strconv.Atoi(str) return val } var session models.AuthSession if claims, err := DecodeJwt(token); err != nil { return "404", "403", err } else if claims.Type != JwtRefreshType { return "404", "403", fmt.Errorf("invalid token type, expected refresh token") } else if err := database.C.Where(models.AuthSession{ BaseModel: models.BaseModel{ID: uint(parseInt(claims.SessionID))}, }).First(&session).Error; err != nil { return "404", "403", err } if session, err := RegenSession(session); err != nil { return "404", "403", err } else { return GetToken(session) } }