Merge pull request #71 from COS301-SE-2024/fix/backend/logout-session…

…-management chore: Add some more edge cases to session management for users login and logout sessions
COS301-SE-2024 · Jun 19, 2024 · cf246e5 · cf246e5
2 parents ae2eea8 + 0984420
commit cf246e5
Show file tree

Hide file tree

Showing 9 changed files with 291 additions and 17 deletions.
diff --git a/occupi-backend/.dev.env.gpg b/occupi-backend/.dev.env.gpg
diff --git a/occupi-backend/.env.gpg b/occupi-backend/.env.gpg
diff --git a/occupi-backend/.prod.env.gpg b/occupi-backend/.prod.env.gpg
diff --git a/occupi-backend/configs/config.go b/occupi-backend/configs/config.go
@@ -165,3 +165,12 @@ func GetSessionSecret() string {
 	}
 	return secret
 }
+
+func GetOccupiDomains() []string {
+	domains := os.Getenv("OCCUPI_DOMAINS")
+	if domains != "" {
+		domainList := strings.Split(domains, ",")
+		return domainList
+	}
+	return []string{""}
+}
diff --git a/occupi-backend/pkg/authenticator/auth.go b/occupi-backend/pkg/authenticator/auth.go
@@ -17,8 +17,15 @@ type Claims struct {
 }
 
 // GenerateToken generates a JWT token for the user
-func GenerateToken(email string, role string) (string, time.Time, error) {
-	expirationTime := time.Now().Add(5 * time.Minute)
+func GenerateToken(email string, role string, optionalExpiryTime ...time.Duration) (string, time.Time, error) {
+	var expirationTime time.Time
+
+	if len(optionalExpiryTime) == 0 {
+		expirationTime = time.Now().Add(24 * 7 * time.Hour)
+	} else {
+		expirationTime = time.Now().Add(optionalExpiryTime[0])
+	}
+
 	claims := &Claims{
 		Email: email,
 		Role:  role,

diff --git a/occupi-backend/pkg/handlers/auth_handlers.go b/occupi-backend/pkg/handlers/auth_handlers.go
@@ -4,6 +4,7 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/COS301-SE-2024/occupi/occupi-backend/configs"
 	"github.com/COS301-SE-2024/occupi/occupi-backend/pkg/authenticator"
 	"github.com/COS301-SE-2024/occupi/occupi-backend/pkg/constants"
 	"github.com/COS301-SE-2024/occupi/occupi-backend/pkg/database"
@@ -149,7 +150,7 @@ func Login(ctx *gin.Context, appsession *models.AppSession, role string) {
 	if role == constants.Admin {
 		token, expirationTime, err = authenticator.GenerateToken(requestUser.Email, constants.Admin)
 	} else {
-		token, expirationTime, err = authenticator.GenerateToken(requestUser.Email, "user")
+		token, expirationTime, err = authenticator.GenerateToken(requestUser.Email, constants.Basic)
 	}
 
 	if err != nil {
@@ -389,7 +390,7 @@ func ResetPassword(ctx *gin.Context, appsession *models.AppSession) {
 	// this will contain reset password logic
 }
 
-// handler for logging out a user on occupi /auth/logout TODO: complete implementation
+// handler for logging out a user
 func Logout(ctx *gin.Context) {
 	session := sessions.Default(ctx)
 	session.Clear()
@@ -399,7 +400,15 @@ func Logout(ctx *gin.Context) {
 		return
 	}
 
-	ctx.SetCookie("token", "", -1, "/", "localhost", false, true)
+	// List of domains to clear cookies from
+	domains := configs.GetOccupiDomains()
+
+	// Iterate over each domain and clear the "token" and "occupi-sessions-store" cookies
+	for _, domain := range domains {
+		ctx.SetCookie("token", "", -1, "/", domain, false, true)
+		ctx.SetCookie("occupi-sessions-store", "", -1, "/", domain, false, true)
+	}
+
 	ctx.JSON(http.StatusOK, utils.SuccessResponse(
 		http.StatusOK,
 		"Logged out successfully!",

diff --git a/occupi-backend/pkg/middleware/middleware.go b/occupi-backend/pkg/middleware/middleware.go
@@ -39,21 +39,38 @@ func ProtectedRoute(ctx *gin.Context) {
 				http.StatusUnauthorized,
 				"Bad Request",
 				constants.InvalidAuthCode,
-				"User not authorized",
+				"Invalid token",
 				nil))
 		ctx.Abort()
 		return
 	}
 
+	// check if email and role session variables are set
 	session := sessions.Default(ctx)
-	session.Set("email", claims.Email)
-	session.Set("role", claims.Role)
-	if err := session.Save(); err != nil {
-		ctx.JSON(http.StatusInternalServerError, utils.InternalServerError())
-		logrus.Error(err)
+	if session.Get("email") == nil || session.Get("role") == nil {
+		session.Set("email", claims.Email)
+		session.Set("role", claims.Role)
+		if err := session.Save(); err != nil {
+			ctx.JSON(http.StatusInternalServerError, utils.InternalServerError())
+			logrus.Error(err)
+			ctx.Abort()
+			return
+		}
+	}
+
+	// check that session variables and token claims match
+	if session.Get("email") != claims.Email || session.Get("role") != claims.Role {
+		ctx.JSON(http.StatusUnauthorized,
+			utils.ErrorResponse(
+				http.StatusUnauthorized,
+				"Bad Request",
+				constants.InvalidAuthCode,
+				"Inalid auth session",
+				nil))
 		ctx.Abort()
 		return
 	}
+
 	ctx.Next()
 }
 
@@ -77,6 +94,19 @@ func UnProtectedRoute(ctx *gin.Context) {
 		}
 	}
 
+	// check if email and role session variables are set
+	session := sessions.Default(ctx)
+	if session.Get("email") != nil || session.Get("role") != nil {
+		session.Delete("email")
+		session.Delete("role")
+		if err := session.Save(); err != nil {
+			ctx.JSON(http.StatusInternalServerError, utils.InternalServerError())
+			logrus.Error(err)
+			ctx.Abort()
+			return
+		}
+	}
+
 	ctx.Next()
 }
 

diff --git a/occupi-backend/tests/authenticator_test.go b/occupi-backend/tests/authenticator_test.go
@@ -18,13 +18,13 @@ func TestGenerateToken(t *testing.T) {
 		t.Fatal("Error loading .env file: ", err)
 	}
 
-	email := "test@example.com"
+	email := "test1@example.com"
 	role := constants.Admin
 	tokenString, expirationTime, err := authenticator.GenerateToken(email, role)
 
 	require.NoError(t, err)
 	require.NotEmpty(t, tokenString)
-	require.WithinDuration(t, time.Now().Add(5*time.Minute), expirationTime, time.Second)
+	require.WithinDuration(t, time.Now().Add(24*7*time.Hour), expirationTime, time.Second)
 
 	// Validate the token
 	claims, err := authenticator.ValidateToken(tokenString)
@@ -40,7 +40,7 @@ func TestValidateToken(t *testing.T) {
 		t.Fatal("Error loading .env file: ", err)
 	}
 
-	email := "test@example.com"
+	email := "test2@example.com"
 	role := constants.Admin
 	tokenString, _, err := authenticator.GenerateToken(email, role)
 
@@ -60,3 +60,26 @@ func TestValidateToken(t *testing.T) {
 	require.Error(t, err)
 	assert.Nil(t, claims)
 }
+
+func TestValidateTokenExpired(t *testing.T) {
+	// Load environment variables from .env file
+	if err := godotenv.Load("../.env"); err != nil {
+		t.Fatal("Error loading .env file: ", err)
+	}
+
+	email := "[email protected]"
+	role := constants.Admin
+
+	// Generate a token that expires in 1 second
+	tokenString, _, err := authenticator.GenerateToken(email, role, 1*time.Second)
+	require.NoError(t, err)
+	require.NotEmpty(t, tokenString)
+
+	// Wait for the token to expire
+	time.Sleep(2 * time.Second)
+
+	// Validate the token
+	claims, err := authenticator.ValidateToken(tokenString)
+	require.Error(t, err)
+	assert.Nil(t, claims)
+}