store oauth 2.0 user info in token context instead of being passed through frontend parameters
This commit is contained in:
MaysWind
+19
-11
@@ -1,6 +1,8 @@
|
||||
package api
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
|
||||
"github.com/pquerna/otp/totp"
|
||||
|
||||
"github.com/mayswind/ezbookkeeping/pkg/avatars"
|
||||
@@ -147,6 +149,7 @@ func (a *AuthorizationsApi) AuthorizeHandler(c *core.WebContext) (any, *errs.Err
|
||||
}
|
||||
|
||||
c.SetTokenClaims(claims)
|
||||
c.SetTokenContext("")
|
||||
|
||||
userApplicationCloudSettings, err := a.userAppCloudSettings.GetUserApplicationCloudSettingsByUid(c, user.Uid)
|
||||
var applicationCloudSettingSlice *models.ApplicationCloudSettingSlice = nil
|
||||
@@ -238,6 +241,7 @@ func (a *AuthorizationsApi) TwoFactorAuthorizeHandler(c *core.WebContext) (any,
|
||||
|
||||
c.SetTextualToken(token)
|
||||
c.SetTokenClaims(claims)
|
||||
c.SetTokenContext("")
|
||||
|
||||
userApplicationCloudSettings, err := a.userAppCloudSettings.GetUserApplicationCloudSettingsByUid(c, user.Uid)
|
||||
var applicationCloudSettingSlice *models.ApplicationCloudSettingSlice = nil
|
||||
@@ -336,6 +340,7 @@ func (a *AuthorizationsApi) TwoFactorAuthorizeByRecoveryCodeHandler(c *core.WebC
|
||||
|
||||
c.SetTextualToken(token)
|
||||
c.SetTokenClaims(claims)
|
||||
c.SetTokenContext("")
|
||||
|
||||
userApplicationCloudSettings, err := a.userAppCloudSettings.GetUserApplicationCloudSettingsByUid(c, user.Uid)
|
||||
var applicationCloudSettingSlice *models.ApplicationCloudSettingSlice = nil
|
||||
@@ -366,10 +371,16 @@ func (a *AuthorizationsApi) OAuth2CallbackAuthorizeHandler(c *core.WebContext) (
|
||||
return nil, errs.NewIncompleteOrIncorrectSubmissionError(err)
|
||||
}
|
||||
|
||||
userExternalAuthType := core.UserExternalAuthType(credential.Provider)
|
||||
var tokenContext models.OAuth2CallbackTokenContext
|
||||
err = json.Unmarshal([]byte(c.GetTokenContext()), &tokenContext)
|
||||
|
||||
if !userExternalAuthType.IsValid() {
|
||||
log.Warnf(c, "[authorizations.OAuth2CallbackAuthorizeHandler] provider \"%s\" is invalid", credential.Provider)
|
||||
if err != nil {
|
||||
log.Warnf(c, "[authorizations.OAuth2CallbackAuthorizeHandler] parse token context failed, because %s", err.Error())
|
||||
return nil, errs.ErrOperationFailed
|
||||
}
|
||||
|
||||
if !tokenContext.ExternalAuthType.IsValid() {
|
||||
log.Warnf(c, "[authorizations.OAuth2CallbackAuthorizeHandler] external auth type \"%s\" is invalid", tokenContext.ExternalAuthType)
|
||||
return nil, errs.ErrInvalidOAuth2Provider
|
||||
}
|
||||
|
||||
@@ -418,13 +429,9 @@ func (a *AuthorizationsApi) OAuth2CallbackAuthorizeHandler(c *core.WebContext) (
|
||||
|
||||
userExternalAuth := &models.UserExternalAuth{
|
||||
Uid: user.Uid,
|
||||
ExternalAuthType: userExternalAuthType,
|
||||
}
|
||||
|
||||
if a.CurrentConfig().OAuth2UserIdentifier == settings.OAuth2UserIdentifierEmail {
|
||||
userExternalAuth.ExternalEmail = user.Email
|
||||
} else if a.CurrentConfig().OAuth2UserIdentifier == settings.OAuth2UserIdentifierUsername {
|
||||
userExternalAuth.ExternalUsername = user.Username
|
||||
ExternalAuthType: tokenContext.ExternalAuthType,
|
||||
ExternalUsername: tokenContext.ExternalUsername,
|
||||
ExternalEmail: tokenContext.ExternalEmail,
|
||||
}
|
||||
|
||||
err = a.userExternalAuths.CreateUserExternalAuth(c, userExternalAuth)
|
||||
@@ -436,7 +443,7 @@ func (a *AuthorizationsApi) OAuth2CallbackAuthorizeHandler(c *core.WebContext) (
|
||||
|
||||
log.Infof(c, "[authorizations.OAuth2CallbackAuthorizeHandler] user external auth has been created for user \"uid:%d\"", user.Uid)
|
||||
} else if oldTokenClaims.Type == core.USER_TOKEN_TYPE_OAUTH2_CALLBACK {
|
||||
_, err = a.userExternalAuths.GetUserExternalAuthByUid(c, uid, userExternalAuthType)
|
||||
_, err = a.userExternalAuths.GetUserExternalAuthByUid(c, uid, tokenContext.ExternalAuthType)
|
||||
|
||||
if err != nil {
|
||||
log.Errorf(c, "[authorizations.OAuth2CallbackAuthorizeHandler] failed to get user external auth for user \"uid:%d\", because %s", uid, err.Error())
|
||||
@@ -461,6 +468,7 @@ func (a *AuthorizationsApi) OAuth2CallbackAuthorizeHandler(c *core.WebContext) (
|
||||
|
||||
c.SetTextualToken(token)
|
||||
c.SetTokenClaims(claims)
|
||||
c.SetTokenContext("")
|
||||
|
||||
userApplicationCloudSettings, err := a.userAppCloudSettings.GetUserApplicationCloudSettingsByUid(c, user.Uid)
|
||||
var applicationCloudSettingSlice *models.ApplicationCloudSettingSlice = nil
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
package api
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net/url"
|
||||
@@ -208,7 +209,7 @@ func (a *OAuth2AuthenticationApi) CallbackHandler(c *core.WebContext) (string, *
|
||||
log.Errorf(c, "[oauth2_authentications.CallbackHandler] failed to get user by id %d, because %s", userExternalAuth.Uid, err.Error())
|
||||
return a.redirectToFailedCallbackPage(c, errs.Or(err, errs.ErrOperationFailed))
|
||||
}
|
||||
} else if errors.Is(err, errs.ErrUserExternalAuthNotFound) { // user not bound to external auth, try to bind or register new user
|
||||
} else { // errors.Is(err, errs.ErrUserExternalAuthNotFound) // user not bound to external auth, try to bind or register new user
|
||||
if a.CurrentConfig().OAuth2UserIdentifier == settings.OAuth2UserIdentifierEmail {
|
||||
user, err = a.users.GetUserByEmail(c, oauth2UserInfo.Email)
|
||||
} else if a.CurrentConfig().OAuth2UserIdentifier == settings.OAuth2UserIdentifierUsername {
|
||||
@@ -280,19 +281,39 @@ func (a *OAuth2AuthenticationApi) CallbackHandler(c *core.WebContext) (string, *
|
||||
}
|
||||
|
||||
if userExternalAuth == nil {
|
||||
token, _, err := a.tokens.CreateOAuth2CallbackRequireVerifyToken(c, user)
|
||||
tokenContext, err := json.Marshal(&models.OAuth2CallbackTokenContext{
|
||||
ExternalAuthType: userExternalAuthType,
|
||||
ExternalUsername: oauth2UserInfo.UserName,
|
||||
ExternalEmail: oauth2UserInfo.Email,
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
log.Errorf(c, "[oauth2_authentications.CallbackHandler] failed to create oauth 2.0 callback verify token for user \"uid:%d\", because %s", user.Uid, err.Error())
|
||||
log.Errorf(c, "[oauth2_authentications.CallbackHandler] failed to marshal oauth 2.0 callback verify token context, because %s", err.Error())
|
||||
return a.redirectToFailedCallbackPage(c, errs.ErrOperationFailed)
|
||||
}
|
||||
|
||||
token, _, err := a.tokens.CreateOAuth2CallbackRequireVerifyToken(c, user, string(tokenContext))
|
||||
|
||||
if err != nil {
|
||||
log.Errorf(c, "[oauth2_authentications.CallbackHandler] failed to create oauth 2.0 callback verify token, because %s", err.Error())
|
||||
return a.redirectToFailedCallbackPage(c, errs.ErrTokenGenerating)
|
||||
}
|
||||
|
||||
return a.redirectToVerifyCallbackPage(c, platform, userExternalAuthType, user.Username, token)
|
||||
} else {
|
||||
token, _, err := a.tokens.CreateOAuth2CallbackToken(c, user)
|
||||
tokenContext, err := json.Marshal(&models.OAuth2CallbackTokenContext{
|
||||
ExternalAuthType: userExternalAuthType,
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
log.Errorf(c, "[oauth2_authentications.CallbackHandler] failed to create oauth 2.0 callback token for user \"uid:%d\", because %s", user.Uid, err.Error())
|
||||
log.Errorf(c, "[oauth2_authentications.CallbackHandler] failed to marshal oauth 2.0 callback token context, because %s", err.Error())
|
||||
return a.redirectToFailedCallbackPage(c, errs.ErrOperationFailed)
|
||||
}
|
||||
|
||||
token, _, err := a.tokens.CreateOAuth2CallbackToken(c, user, string(tokenContext))
|
||||
|
||||
if err != nil {
|
||||
log.Errorf(c, "[oauth2_authentications.CallbackHandler] failed to create oauth 2.0 callback token, because %s", err.Error())
|
||||
return a.redirectToFailedCallbackPage(c, errs.ErrTokenGenerating)
|
||||
}
|
||||
|
||||
|
||||
+2
-1
@@ -136,7 +136,7 @@ func (a *TokensApi) TokenRevokeCurrentHandler(c *core.WebContext) (any, *errs.Er
|
||||
return false, errs.ErrTokenIsEmpty
|
||||
}
|
||||
|
||||
_, claims, err := a.tokens.ParseToken(c, tokenString)
|
||||
_, claims, _, err := a.tokens.ParseToken(c, tokenString)
|
||||
|
||||
if err != nil {
|
||||
return nil, errs.Or(err, errs.NewIncompleteOrIncorrectSubmissionError(err))
|
||||
@@ -344,6 +344,7 @@ func (a *TokensApi) TokenRefreshHandler(c *core.WebContext) (any, *errs.Error) {
|
||||
|
||||
c.SetTextualToken(token)
|
||||
c.SetTokenClaims(claims)
|
||||
c.SetTokenContext("")
|
||||
|
||||
userApplicationCloudSettings, err := a.userAppCloudSettings.GetUserApplicationCloudSettingsByUid(c, user.Uid)
|
||||
var applicationCloudSettingSlice *models.ApplicationCloudSettingSlice = nil
|
||||
|
||||
@@ -205,6 +205,7 @@ func (a *TwoFactorAuthorizationsApi) TwoFactorEnableConfirmHandler(c *core.WebCo
|
||||
|
||||
c.SetTextualToken(token)
|
||||
c.SetTokenClaims(claims)
|
||||
c.SetTokenContext("")
|
||||
|
||||
log.Infof(c, "[twofactor_authorizations.TwoFactorEnableConfirmHandler] user \"uid:%d\" token refreshed, new token will be expired at %d", user.Uid, claims.ExpiresAt)
|
||||
|
||||
|
||||
@@ -142,6 +142,7 @@ func (a *UsersApi) UserRegisterHandler(c *core.WebContext) (any, *errs.Error) {
|
||||
authResp.Token = token
|
||||
c.SetTextualToken(token)
|
||||
c.SetTokenClaims(claims)
|
||||
c.SetTokenContext("")
|
||||
|
||||
log.Infof(c, "[users.UserRegisterHandler] user \"uid:%d\" has logined, token will be expired at %d", user.Uid, claims.ExpiresAt)
|
||||
|
||||
@@ -205,6 +206,7 @@ func (a *UsersApi) UserEmailVerifyHandler(c *core.WebContext) (any, *errs.Error)
|
||||
|
||||
c.SetTextualToken(token)
|
||||
c.SetTokenClaims(claims)
|
||||
c.SetTokenContext("")
|
||||
|
||||
log.Infof(c, "[users.UserEmailVerifyHandler] user \"uid:%d\" token created, new token will be expired at %d", user.Uid, claims.ExpiresAt)
|
||||
}
|
||||
@@ -588,6 +590,7 @@ func (a *UsersApi) UserUpdateProfileHandler(c *core.WebContext) (any, *errs.Erro
|
||||
resp.NewToken = token
|
||||
c.SetTextualToken(token)
|
||||
c.SetTokenClaims(claims)
|
||||
c.SetTokenContext("")
|
||||
|
||||
log.Infof(c, "[users.UserUpdateProfileHandler] user \"uid:%d\" token refreshed, new token will be expired at %d", user.Uid, claims.ExpiresAt)
|
||||
|
||||
|
||||
@@ -447,7 +447,7 @@ func (l *UserDataCli) CreateNewUserToken(c *core.CliContext, username string, to
|
||||
|
||||
// RevokeUserToken revokes the specified token of the user
|
||||
func (l *UserDataCli) RevokeUserToken(c *core.CliContext, token string) error {
|
||||
_, claims, err := l.tokens.ParseToken(c, token)
|
||||
_, claims, _, err := l.tokens.ParseToken(c, token)
|
||||
|
||||
if err != nil {
|
||||
log.CliErrorf(c, "[user_data.RevokeUserToken] failed to parse token, because %s", err.Error())
|
||||
|
||||
@@ -13,6 +13,7 @@ import (
|
||||
const webContextRequestIdFieldKey = "REQUEST_ID"
|
||||
const webContextTextualTokenFieldKey = "TOKEN_STRING"
|
||||
const webContextTokenClaimsFieldKey = "TOKEN_CLAIMS"
|
||||
const webContextTokenContextFieldKey = "TOKEN_CONTEXT"
|
||||
const webContextResponseErrorFieldKey = "RESPONSE_ERROR"
|
||||
|
||||
// AcceptLanguageHeaderName represents the header name of accept language
|
||||
@@ -113,6 +114,22 @@ func (c *WebContext) GetTokenClaims() *UserTokenClaims {
|
||||
return claims.(*UserTokenClaims)
|
||||
}
|
||||
|
||||
// SetTokenContext sets the given user token context to context
|
||||
func (c *WebContext) SetTokenContext(context string) {
|
||||
c.Set(webContextTokenContextFieldKey, context)
|
||||
}
|
||||
|
||||
// GetTokenContext returns the current user token context
|
||||
func (c *WebContext) GetTokenContext() string {
|
||||
context, exists := c.Get(webContextTokenContextFieldKey)
|
||||
|
||||
if !exists {
|
||||
return ""
|
||||
}
|
||||
|
||||
return context.(string)
|
||||
}
|
||||
|
||||
// GetCurrentUid returns the current user uid by the current user token
|
||||
func (c *WebContext) GetCurrentUid() int64 {
|
||||
claims := c.GetTokenClaims()
|
||||
|
||||
@@ -6,5 +6,6 @@ import (
|
||||
|
||||
// Error codes related to user external authentication
|
||||
var (
|
||||
ErrUserExternalAuthNotFound = NewNormalError(NormalSubcategoryUserExternalAuth, 0, http.StatusBadRequest, "user external auth is not found")
|
||||
ErrUserExternalAuthNotFound = NewNormalError(NormalSubcategoryUserExternalAuth, 0, http.StatusBadRequest, "user external auth is not found")
|
||||
ErrUserExternalAuthAlreadyExists = NewNormalError(NormalSubcategoryUserExternalAuth, 1, http.StatusBadRequest, "user external auth already exists")
|
||||
)
|
||||
|
||||
@@ -37,7 +37,7 @@ func JWTAuthorizationByCookie(c *core.WebContext) {
|
||||
|
||||
// JWTTwoFactorAuthorization verifies whether current request is valid by 2fa passcode
|
||||
func JWTTwoFactorAuthorization(c *core.WebContext) {
|
||||
claims, err := getTokenClaims(c, TOKEN_SOURCE_TYPE_HEADER)
|
||||
claims, tokenContext, err := getTokenClaims(c, TOKEN_SOURCE_TYPE_HEADER)
|
||||
|
||||
if err != nil {
|
||||
utils.PrintJsonErrorResult(c, err)
|
||||
@@ -51,12 +51,13 @@ func JWTTwoFactorAuthorization(c *core.WebContext) {
|
||||
}
|
||||
|
||||
c.SetTokenClaims(claims)
|
||||
c.SetTokenContext(tokenContext)
|
||||
c.Next()
|
||||
}
|
||||
|
||||
// JWTEmailVerifyAuthorization verifies whether current request is email verification
|
||||
func JWTEmailVerifyAuthorization(c *core.WebContext) {
|
||||
claims, err := getTokenClaims(c, TOKEN_SOURCE_TYPE_ARGUMENT)
|
||||
claims, tokenContext, err := getTokenClaims(c, TOKEN_SOURCE_TYPE_ARGUMENT)
|
||||
|
||||
if err != nil {
|
||||
utils.PrintJsonErrorResult(c, errs.ErrEmailVerifyTokenIsInvalidOrExpired)
|
||||
@@ -70,12 +71,13 @@ func JWTEmailVerifyAuthorization(c *core.WebContext) {
|
||||
}
|
||||
|
||||
c.SetTokenClaims(claims)
|
||||
c.SetTokenContext(tokenContext)
|
||||
c.Next()
|
||||
}
|
||||
|
||||
// JWTResetPasswordAuthorization verifies whether current request is password reset
|
||||
func JWTResetPasswordAuthorization(c *core.WebContext) {
|
||||
claims, err := getTokenClaims(c, TOKEN_SOURCE_TYPE_ARGUMENT)
|
||||
claims, tokenContext, err := getTokenClaims(c, TOKEN_SOURCE_TYPE_ARGUMENT)
|
||||
|
||||
if err != nil {
|
||||
utils.PrintJsonErrorResult(c, errs.ErrPasswordResetTokenIsInvalidOrExpired)
|
||||
@@ -89,12 +91,13 @@ func JWTResetPasswordAuthorization(c *core.WebContext) {
|
||||
}
|
||||
|
||||
c.SetTokenClaims(claims)
|
||||
c.SetTokenContext(tokenContext)
|
||||
c.Next()
|
||||
}
|
||||
|
||||
// JWTMCPAuthorization verifies whether current request is valid by jwt mcp token in header
|
||||
func JWTMCPAuthorization(c *core.WebContext) {
|
||||
claims, err := getTokenClaims(c, TOKEN_SOURCE_TYPE_HEADER)
|
||||
claims, tokenContext, err := getTokenClaims(c, TOKEN_SOURCE_TYPE_HEADER)
|
||||
|
||||
if err != nil {
|
||||
utils.PrintJsonErrorResult(c, err)
|
||||
@@ -108,12 +111,13 @@ func JWTMCPAuthorization(c *core.WebContext) {
|
||||
}
|
||||
|
||||
c.SetTokenClaims(claims)
|
||||
c.SetTokenContext(tokenContext)
|
||||
c.Next()
|
||||
}
|
||||
|
||||
// JWTOAuth2CallbackAuthorization verifies whether current request is OAuth 2.0 callback
|
||||
func JWTOAuth2CallbackAuthorization(c *core.WebContext) {
|
||||
claims, err := getTokenClaims(c, TOKEN_SOURCE_TYPE_HEADER)
|
||||
claims, tokenContext, err := getTokenClaims(c, TOKEN_SOURCE_TYPE_HEADER)
|
||||
|
||||
if err != nil {
|
||||
utils.PrintJsonErrorResult(c, errs.ErrTokenExpired)
|
||||
@@ -127,11 +131,12 @@ func JWTOAuth2CallbackAuthorization(c *core.WebContext) {
|
||||
}
|
||||
|
||||
c.SetTokenClaims(claims)
|
||||
c.SetTokenContext(tokenContext)
|
||||
c.Next()
|
||||
}
|
||||
|
||||
func jwtAuthorization(c *core.WebContext, source TokenSourceType) {
|
||||
claims, err := getTokenClaims(c, source)
|
||||
claims, tokenContext, err := getTokenClaims(c, source)
|
||||
|
||||
if err != nil {
|
||||
utils.PrintJsonErrorResult(c, err)
|
||||
@@ -151,31 +156,32 @@ func jwtAuthorization(c *core.WebContext, source TokenSourceType) {
|
||||
}
|
||||
|
||||
c.SetTokenClaims(claims)
|
||||
c.SetTokenContext(tokenContext)
|
||||
c.Next()
|
||||
}
|
||||
|
||||
func getTokenClaims(c *core.WebContext, source TokenSourceType) (*core.UserTokenClaims, *errs.Error) {
|
||||
token, claims, err := parseToken(c, source)
|
||||
func getTokenClaims(c *core.WebContext, source TokenSourceType) (*core.UserTokenClaims, string, *errs.Error) {
|
||||
token, claims, tokenContext, err := parseToken(c, source)
|
||||
|
||||
if err != nil {
|
||||
log.Warnf(c, "[authorization.getTokenClaims] failed to parse token, because %s", err.Error())
|
||||
return nil, errs.Or(err, errs.ErrUnauthorizedAccess)
|
||||
return nil, "", errs.Or(err, errs.ErrUnauthorizedAccess)
|
||||
}
|
||||
|
||||
if !token.Valid {
|
||||
log.Warnf(c, "[authorization.getTokenClaims] token is invalid")
|
||||
return nil, errs.ErrCurrentInvalidToken
|
||||
return nil, "", errs.ErrCurrentInvalidToken
|
||||
}
|
||||
|
||||
if claims.Uid <= 0 {
|
||||
log.Warnf(c, "[authorization.getTokenClaims] user id in token is invalid")
|
||||
return nil, errs.ErrCurrentInvalidToken
|
||||
return nil, "", errs.ErrCurrentInvalidToken
|
||||
}
|
||||
|
||||
return claims, nil
|
||||
return claims, tokenContext, nil
|
||||
}
|
||||
|
||||
func parseToken(c *core.WebContext, source TokenSourceType) (*jwt.Token, *core.UserTokenClaims, error) {
|
||||
func parseToken(c *core.WebContext, source TokenSourceType) (*jwt.Token, *core.UserTokenClaims, string, error) {
|
||||
tokenString := ""
|
||||
|
||||
if source == TOKEN_SOURCE_TYPE_ARGUMENT {
|
||||
@@ -187,7 +193,7 @@ func parseToken(c *core.WebContext, source TokenSourceType) (*jwt.Token, *core.U
|
||||
}
|
||||
|
||||
if tokenString == "" {
|
||||
return nil, nil, errs.ErrTokenIsEmpty
|
||||
return nil, nil, "", errs.ErrTokenIsEmpty
|
||||
}
|
||||
|
||||
return services.Tokens.ParseToken(c, tokenString)
|
||||
|
||||
@@ -14,6 +14,5 @@ type OAuth2CallbackRequest struct {
|
||||
|
||||
// OAuth2CallbackLoginRequest represents all parameters of OAuth 2.0 callback login request
|
||||
type OAuth2CallbackLoginRequest struct {
|
||||
Provider string `json:"provider" binding:"required,notBlank"`
|
||||
Password string `json:"password" binding:"omitempty,min=6,max=128"`
|
||||
}
|
||||
|
||||
@@ -12,11 +12,19 @@ type TokenRecord struct {
|
||||
TokenType core.TokenType `xorm:"INDEX(IDX_token_record_uid_type_expired_time) TINYINT NOT NULL"`
|
||||
Secret string `xorm:"VARCHAR(10) NOT NULL"`
|
||||
UserAgent string `xorm:"VARCHAR(255)"`
|
||||
Context string `xorm:"BLOB"`
|
||||
CreatedUnixTime int64 `xorm:"PK"`
|
||||
ExpiredUnixTime int64 `xorm:"INDEX(IDX_token_record_uid_type_expired_time) INDEX(IDX_token_record_expired_time)"`
|
||||
LastSeenUnixTime int64
|
||||
}
|
||||
|
||||
// OAuth2CallbackTokenContext represents the context data of oauth 2.0 callback token
|
||||
type OAuth2CallbackTokenContext struct {
|
||||
ExternalAuthType core.UserExternalAuthType `json:"externalAuthType"`
|
||||
ExternalUsername string `json:"externalUsername"`
|
||||
ExternalEmail string `json:"externalEmail"`
|
||||
}
|
||||
|
||||
// TokenGenerateMCPRequest represents all parameters of mcp token generation request
|
||||
type TokenGenerateMCPRequest struct {
|
||||
Password string `json:"password" binding:"omitempty,min=6,max=128"`
|
||||
|
||||
+25
-22
@@ -73,75 +73,75 @@ func (s *TokenService) GetAllUnexpiredNormalAndMCPTokensByUid(c core.Context, ui
|
||||
}
|
||||
|
||||
// ParseToken returns the token model according to token content
|
||||
func (s *TokenService) ParseToken(c core.Context, token string) (*jwt.Token, *core.UserTokenClaims, error) {
|
||||
func (s *TokenService) ParseToken(c core.Context, token string) (*jwt.Token, *core.UserTokenClaims, string, error) {
|
||||
return s.parseToken(c, token)
|
||||
}
|
||||
|
||||
// CreateTokenViaCli generates a new normal token and saves to database
|
||||
func (s *TokenService) CreateTokenViaCli(c *core.CliContext, user *models.User) (string, *models.TokenRecord, error) {
|
||||
token, _, tokenRecord, err := s.createToken(c, user, core.USER_TOKEN_TYPE_NORMAL, TokenUserAgentCreatedViaCli, s.CurrentConfig().TokenExpiredTimeDuration)
|
||||
token, _, tokenRecord, err := s.createToken(c, user, core.USER_TOKEN_TYPE_NORMAL, TokenUserAgentCreatedViaCli, "", s.CurrentConfig().TokenExpiredTimeDuration)
|
||||
return token, tokenRecord, err
|
||||
}
|
||||
|
||||
// CreateToken generates a new normal token and saves to database
|
||||
func (s *TokenService) CreateToken(c *core.WebContext, user *models.User) (string, *core.UserTokenClaims, error) {
|
||||
token, claims, _, err := s.createToken(c, user, core.USER_TOKEN_TYPE_NORMAL, s.getUserAgent(c), s.CurrentConfig().TokenExpiredTimeDuration)
|
||||
token, claims, _, err := s.createToken(c, user, core.USER_TOKEN_TYPE_NORMAL, s.getUserAgent(c), "", s.CurrentConfig().TokenExpiredTimeDuration)
|
||||
return token, claims, err
|
||||
}
|
||||
|
||||
// CreateRequire2FAToken generates a new token requiring user to verify 2fa passcode and saves to database
|
||||
func (s *TokenService) CreateRequire2FAToken(c *core.WebContext, user *models.User) (string, *core.UserTokenClaims, error) {
|
||||
token, claims, _, err := s.createToken(c, user, core.USER_TOKEN_TYPE_REQUIRE_2FA, s.getUserAgent(c), s.CurrentConfig().TemporaryTokenExpiredTimeDuration)
|
||||
token, claims, _, err := s.createToken(c, user, core.USER_TOKEN_TYPE_REQUIRE_2FA, s.getUserAgent(c), "", s.CurrentConfig().TemporaryTokenExpiredTimeDuration)
|
||||
return token, claims, err
|
||||
}
|
||||
|
||||
// CreateEmailVerifyToken generates a new email verify token and saves to database
|
||||
func (s *TokenService) CreateEmailVerifyToken(c *core.WebContext, user *models.User) (string, *core.UserTokenClaims, error) {
|
||||
token, claims, _, err := s.createToken(c, user, core.USER_TOKEN_TYPE_EMAIL_VERIFY, s.getUserAgent(c), s.CurrentConfig().EmailVerifyTokenExpiredTimeDuration)
|
||||
token, claims, _, err := s.createToken(c, user, core.USER_TOKEN_TYPE_EMAIL_VERIFY, s.getUserAgent(c), "", s.CurrentConfig().EmailVerifyTokenExpiredTimeDuration)
|
||||
return token, claims, err
|
||||
}
|
||||
|
||||
// CreateEmailVerifyTokenWithoutUserAgent generates a new email verify token and saves to database
|
||||
func (s *TokenService) CreateEmailVerifyTokenWithoutUserAgent(c core.Context, user *models.User) (string, *core.UserTokenClaims, error) {
|
||||
token, claims, _, err := s.createToken(c, user, core.USER_TOKEN_TYPE_EMAIL_VERIFY, "", s.CurrentConfig().EmailVerifyTokenExpiredTimeDuration)
|
||||
token, claims, _, err := s.createToken(c, user, core.USER_TOKEN_TYPE_EMAIL_VERIFY, "", "", s.CurrentConfig().EmailVerifyTokenExpiredTimeDuration)
|
||||
return token, claims, err
|
||||
}
|
||||
|
||||
// CreatePasswordResetToken generates a new password reset token and saves to database
|
||||
func (s *TokenService) CreatePasswordResetToken(c *core.WebContext, user *models.User) (string, *core.UserTokenClaims, error) {
|
||||
token, claims, _, err := s.createToken(c, user, core.USER_TOKEN_TYPE_PASSWORD_RESET, s.getUserAgent(c), s.CurrentConfig().PasswordResetTokenExpiredTimeDuration)
|
||||
token, claims, _, err := s.createToken(c, user, core.USER_TOKEN_TYPE_PASSWORD_RESET, s.getUserAgent(c), "", s.CurrentConfig().PasswordResetTokenExpiredTimeDuration)
|
||||
return token, claims, err
|
||||
}
|
||||
|
||||
// CreatePasswordResetTokenWithoutUserAgent generates a new password reset token and saves to database
|
||||
func (s *TokenService) CreatePasswordResetTokenWithoutUserAgent(c core.Context, user *models.User) (string, *core.UserTokenClaims, error) {
|
||||
token, claims, _, err := s.createToken(c, user, core.USER_TOKEN_TYPE_PASSWORD_RESET, "", s.CurrentConfig().PasswordResetTokenExpiredTimeDuration)
|
||||
token, claims, _, err := s.createToken(c, user, core.USER_TOKEN_TYPE_PASSWORD_RESET, "", "", s.CurrentConfig().PasswordResetTokenExpiredTimeDuration)
|
||||
return token, claims, err
|
||||
}
|
||||
|
||||
// CreateMCPToken generates a new MCP token and saves to database
|
||||
func (s *TokenService) CreateMCPToken(c *core.WebContext, user *models.User) (string, *core.UserTokenClaims, error) {
|
||||
tokenExpiredTimeDuration := time.Unix(tokenMaxExpiredAtUnixTime, 0).Sub(time.Now())
|
||||
token, claims, _, err := s.createToken(c, user, core.USER_TOKEN_TYPE_MCP, s.getUserAgent(c), tokenExpiredTimeDuration)
|
||||
token, claims, _, err := s.createToken(c, user, core.USER_TOKEN_TYPE_MCP, s.getUserAgent(c), "", tokenExpiredTimeDuration)
|
||||
return token, claims, err
|
||||
}
|
||||
|
||||
// CreateMCPTokenViaCli generates a new MCP token and saves to database
|
||||
func (s *TokenService) CreateMCPTokenViaCli(c *core.CliContext, user *models.User) (string, *models.TokenRecord, error) {
|
||||
tokenExpiredTimeDuration := time.Unix(tokenMaxExpiredAtUnixTime, 0).Sub(time.Now())
|
||||
token, _, tokenRecord, err := s.createToken(c, user, core.USER_TOKEN_TYPE_MCP, TokenUserAgentCreatedViaCli, tokenExpiredTimeDuration)
|
||||
token, _, tokenRecord, err := s.createToken(c, user, core.USER_TOKEN_TYPE_MCP, TokenUserAgentCreatedViaCli, "", tokenExpiredTimeDuration)
|
||||
return token, tokenRecord, err
|
||||
}
|
||||
|
||||
// CreateOAuth2CallbackRequireVerifyToken generates a new OAuth 2.0 callback token requiring user to verify and saves to database
|
||||
func (s *TokenService) CreateOAuth2CallbackRequireVerifyToken(c *core.WebContext, user *models.User) (string, *core.UserTokenClaims, error) {
|
||||
token, claims, _, err := s.createToken(c, user, core.USER_TOKEN_TYPE_OAUTH2_CALLBACK_REQUIRE_VERIFY, s.getUserAgent(c), s.CurrentConfig().TemporaryTokenExpiredTimeDuration)
|
||||
func (s *TokenService) CreateOAuth2CallbackRequireVerifyToken(c *core.WebContext, user *models.User, context string) (string, *core.UserTokenClaims, error) {
|
||||
token, claims, _, err := s.createToken(c, user, core.USER_TOKEN_TYPE_OAUTH2_CALLBACK_REQUIRE_VERIFY, s.getUserAgent(c), context, s.CurrentConfig().TemporaryTokenExpiredTimeDuration)
|
||||
return token, claims, err
|
||||
}
|
||||
|
||||
// CreateOAuth2CallbackToken generates a new OAuth 2.0 callback token and saves to database
|
||||
func (s *TokenService) CreateOAuth2CallbackToken(c *core.WebContext, user *models.User) (string, *core.UserTokenClaims, error) {
|
||||
token, claims, _, err := s.createToken(c, user, core.USER_TOKEN_TYPE_OAUTH2_CALLBACK, s.getUserAgent(c), s.CurrentConfig().TemporaryTokenExpiredTimeDuration)
|
||||
func (s *TokenService) CreateOAuth2CallbackToken(c *core.WebContext, user *models.User, context string) (string, *core.UserTokenClaims, error) {
|
||||
token, claims, _, err := s.createToken(c, user, core.USER_TOKEN_TYPE_OAUTH2_CALLBACK, s.getUserAgent(c), context, s.CurrentConfig().TemporaryTokenExpiredTimeDuration)
|
||||
return token, claims, err
|
||||
}
|
||||
|
||||
@@ -331,8 +331,9 @@ func (s *TokenService) GenerateTokenId(tokenRecord *models.TokenRecord) string {
|
||||
return fmt.Sprintf("%d:%d:%d", tokenRecord.Uid, tokenRecord.CreatedUnixTime, tokenRecord.UserTokenId)
|
||||
}
|
||||
|
||||
func (s *TokenService) parseToken(c core.Context, tokenString string) (*jwt.Token, *core.UserTokenClaims, error) {
|
||||
func (s *TokenService) parseToken(c core.Context, tokenString string) (*jwt.Token, *core.UserTokenClaims, string, error) {
|
||||
claims := &core.UserTokenClaims{}
|
||||
tokenContext := ""
|
||||
|
||||
token, err := jwt.ParseWithClaims(tokenString, claims,
|
||||
func(token *jwt.Token) (any, error) {
|
||||
@@ -356,6 +357,7 @@ func (s *TokenService) parseToken(c core.Context, tokenString string) (*jwt.Toke
|
||||
return nil, errs.ErrTokenExpired
|
||||
}
|
||||
|
||||
tokenContext = tokenRecord.Context
|
||||
return []byte(tokenRecord.Secret), nil
|
||||
},
|
||||
jwt.WithIssuedAt(),
|
||||
@@ -363,30 +365,30 @@ func (s *TokenService) parseToken(c core.Context, tokenString string) (*jwt.Toke
|
||||
|
||||
if err != nil {
|
||||
if errors.Is(err, request.ErrNoTokenInRequest) {
|
||||
return nil, nil, errs.ErrTokenIsEmpty
|
||||
return nil, nil, "", errs.ErrTokenIsEmpty
|
||||
}
|
||||
|
||||
if errors.Is(err, jwt.ErrTokenMalformed) || errors.Is(err, jwt.ErrTokenUnverifiable) || errors.Is(err, jwt.ErrTokenSignatureInvalid) {
|
||||
log.Warnf(c, "[tokens.parseToken] token is invalid, because %s", err.Error())
|
||||
return nil, nil, errs.ErrCurrentInvalidToken
|
||||
return nil, nil, "", errs.ErrCurrentInvalidToken
|
||||
}
|
||||
|
||||
if errors.Is(err, jwt.ErrTokenExpired) {
|
||||
return nil, nil, errs.ErrCurrentTokenExpired
|
||||
return nil, nil, "", errs.ErrCurrentTokenExpired
|
||||
}
|
||||
|
||||
if errors.Is(err, jwt.ErrTokenUsedBeforeIssued) {
|
||||
log.Warnf(c, "[tokens.parseToken] token is invalid, because issue time is later than now")
|
||||
return nil, nil, errs.ErrCurrentInvalidToken
|
||||
return nil, nil, "", errs.ErrCurrentInvalidToken
|
||||
}
|
||||
|
||||
return nil, nil, err
|
||||
return nil, nil, "", err
|
||||
}
|
||||
|
||||
return token, claims, err
|
||||
return token, claims, tokenContext, err
|
||||
}
|
||||
|
||||
func (s *TokenService) createToken(c core.Context, user *models.User, tokenType core.TokenType, userAgent string, expiryDate time.Duration) (string, *core.UserTokenClaims, *models.TokenRecord, error) {
|
||||
func (s *TokenService) createToken(c core.Context, user *models.User, tokenType core.TokenType, userAgent string, context string, expiryDate time.Duration) (string, *core.UserTokenClaims, *models.TokenRecord, error) {
|
||||
var err error
|
||||
now := time.Now()
|
||||
|
||||
@@ -395,6 +397,7 @@ func (s *TokenService) createToken(c core.Context, user *models.User, tokenType
|
||||
UserTokenId: s.getUserTokenId(),
|
||||
TokenType: tokenType,
|
||||
UserAgent: userAgent,
|
||||
Context: context,
|
||||
CreatedUnixTime: now.Unix(),
|
||||
ExpiredUnixTime: now.Add(expiryDate).Unix(),
|
||||
LastSeenUnixTime: now.Unix(),
|
||||
|
||||
@@ -92,7 +92,15 @@ func (s *UserExternalAuthService) CreateUserExternalAuth(c core.Context, userExt
|
||||
userExternalAuth.CreatedUnixTime = time.Now().Unix()
|
||||
|
||||
return s.UserDB().DoTransaction(c, func(sess *xorm.Session) error {
|
||||
_, err := sess.Insert(userExternalAuth)
|
||||
exists, err := sess.Where("uid=? AND external_auth_type=?", userExternalAuth.Uid, userExternalAuth.ExternalAuthType).Limit(1).Exist(&models.UserExternalAuth{})
|
||||
|
||||
if err != nil {
|
||||
return err
|
||||
} else if exists {
|
||||
return errs.ErrUserExternalAuthAlreadyExists
|
||||
}
|
||||
|
||||
_, err = sess.Insert(userExternalAuth)
|
||||
return err
|
||||
})
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user