improvement: to reissue long-lived refresh tokens, verify authID agai…

…nst db record
pilinux · Oct 7, 2024 · 30980f6 · 30980f6
1 parent 521e617
commit 30980f6
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 2 deletions.
diff --git a/controller/login.go b/controller/login.go
@@ -117,15 +117,39 @@ func Refresh(c *gin.Context) {
 
 	resp, statusCode := handler.Refresh(claims)
 
+	configSecurity := config.GetConfig().Security
+
 	// JWT verification failed
 	if statusCode != http.StatusOK {
+		// if cookie is enabled, delete the cookie from client browser
+		if configSecurity.AuthCookieActivate {
+			c.SetSameSite(configSecurity.AuthCookieSameSite)
+			c.SetCookie(
+				"accessJWT",
+				"",
+				-1,
+				configSecurity.AuthCookiePath,
+				configSecurity.AuthCookieDomain,
+				configSecurity.AuthCookieSecure,
+				configSecurity.AuthCookieHTTPOnly,
+			)
+			c.SetCookie(
+				"refreshJWT",
+				"",
+				-1,
+				configSecurity.AuthCookiePath,
+				configSecurity.AuthCookieDomain,
+				configSecurity.AuthCookieSecure,
+				configSecurity.AuthCookieHTTPOnly,
+			)
+		}
+
 		renderer.Render(c, resp, statusCode)
 		return
 	}
 
 	// JWT verification OK
 	// set cookie if the feature is enabled in app settings
-	configSecurity := config.GetConfig().Security
 	if configSecurity.AuthCookieActivate {
 		tokens, ok := resp.Message.(middleware.JWTPayload)
 		if ok {

diff --git a/service/auth.go b/service/auth.go
@@ -4,6 +4,7 @@ package service
 
 import (
 	"encoding/hex"
+	"strings"
 
 	"github.com/pilinux/crypt"
 	"golang.org/x/crypto/blake2b"
@@ -52,6 +53,34 @@ func GetUserByEmail(email string, decryptEmail bool) (*model.Auth, error) {
 	return nil, err
 }
 
+// GetEmailByAuthID fetches user email by authID
+func GetEmailByAuthID(authID uint64) (string, error) {
+	db := database.GetDB()
+	var auth model.Auth
+
+	err := db.Where("auth_id = ?", authID).First(&auth).Error
+	if err != nil {
+		return "", err
+	}
+
+	auth.Email = strings.TrimSpace(auth.Email)
+	if auth.Email != "" {
+		return auth.Email, nil
+	}
+
+	// decrypt email
+	return DecryptEmail(auth.EmailNonce, auth.EmailCipher)
+}
+
+// IsAuthIDValid checks if the given authID is available in the database
+func IsAuthIDValid(authID uint64) bool {
+	db := database.GetDB()
+	var auth model.Auth
+
+	err := db.Where("auth_id = ?", authID).First(&auth).Error
+	return err == nil
+}
+
 // CalcHash generates a fixed-sized BLAKE2b-256 hash of the given text
 func CalcHash(plaintext, keyOptional []byte) ([]byte, error) {
 	blake2b256Hash, err := blake2b.New256(keyOptional)

diff --git a/service/common.go b/service/common.go
@@ -41,7 +41,12 @@ func GetClaims(c *gin.Context) middleware.MyCustomClaims {
 
 // ValidateAuthID - check whether authID is missing
 func ValidateAuthID(authID uint64) bool {
-	return authID != 0
+	if authID == 0 {
+		return false
+	}
+
+	// does it exist in the database
+	return IsAuthIDValid(authID)
 }
 
 // ValidateUserID - check whether authID or email is missing