fix: session storage

Author: lakhansamani

server/handlers/authorize.go

@@ -194,7 +194,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 		// rollover the session for security
 		go memorystore.Provider.DeleteUserSession(sessionKey, claims.Nonce)
 		if responseType == constants.ResponseTypeCode {
-			newSessionTokenData, newSessionToken, err := token.CreateSessionToken(user, nonce, claims.Roles, scope, claims.LoginMethod)
+			newSessionTokenData, newSessionToken, newSessionExpiresAt, err := token.CreateSessionToken(user, nonce, claims.Roles, scope, claims.LoginMethod)
 			if err != nil {
 				log.Debug("CreateSessionToken failed: ", err)
 				handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
@@ -215,7 +215,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 				return
 			}
 
-			if err := memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+newSessionTokenData.Nonce, newSessionToken); err != nil {
+			if err := memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+newSessionTokenData.Nonce, newSessionToken, newSessionExpiresAt); err != nil {
 				log.Debug("SetUserSession failed: ", err)
 				handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
 				return
@@ -271,13 +271,13 @@ func AuthorizeHandler() gin.HandlerFunc {
 				return
 			}
 
-			if err := memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+nonce, authToken.FingerPrintHash); err != nil {
+			if err := memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+nonce, authToken.FingerPrintHash, authToken.SessionTokenExpiresAt); err != nil {
 				log.Debug("SetUserSession failed: ", err)
 				handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
 				return
 			}
 
-			if err := memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+nonce, authToken.AccessToken.Token); err != nil {
+			if err := memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+nonce, authToken.AccessToken.Token, authToken.AccessToken.ExpiresAt); err != nil {
 				log.Debug("SetUserSession failed: ", err)
 				handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
 				return
@@ -305,7 +305,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 			if authToken.RefreshToken != nil {
 				res["refresh_token"] = authToken.RefreshToken.Token
 				params += "&refresh_token=" + authToken.RefreshToken.Token
-				memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
+				memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token, authToken.RefreshToken.ExpiresAt)
 			}
 
 			if responseMode == constants.ResponseModeQuery {

server/handlers/logout.go

@@ -47,7 +47,14 @@ func LogoutHandler() gin.HandlerFunc {
 			return
 		}
 
-		memorystore.Provider.DeleteUserSession(sessionData.Subject, sessionData.Nonce)
+		userID := sessionData.Subject
+		loginMethod := sessionData.LoginMethod
+		sessionToken := userID
+		if loginMethod != "" {
+			sessionToken = loginMethod + ":" + userID
+		}
+
+		memorystore.Provider.DeleteUserSession(sessionToken, sessionData.Nonce)
 		cookie.DeleteSession(gc)
 
 		if redirectURL != "" {

server/handlers/oauth_callback.go

@@ -249,12 +249,12 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 
 		sessionKey := provider + ":" + user.ID
 		cookie.SetSession(ctx, authToken.FingerPrintHash)
-		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
-		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
+		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash, authToken.SessionTokenExpiresAt)
+		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token, authToken.AccessToken.ExpiresAt)
 
 		if authToken.RefreshToken != nil {
 			params += `&refresh_token=` + authToken.RefreshToken.Token
-			memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
+			memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token, authToken.RefreshToken.ExpiresAt)
 		}
 
 		go func() {

server/handlers/token.go

@@ -247,8 +247,8 @@ func TokenHandler() gin.HandlerFunc {
 			return
 		}
 
-		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
-		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
+		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash, authToken.SessionTokenExpiresAt)
+		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token, authToken.AccessToken.ExpiresAt)
 		cookie.SetSession(gc, authToken.FingerPrintHash)
 
 		expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()
@@ -266,7 +266,7 @@ func TokenHandler() gin.HandlerFunc {
 
 		if authToken.RefreshToken != nil {
 			res["refresh_token"] = authToken.RefreshToken.Token
-			memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
+			memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token, authToken.RefreshToken.ExpiresAt)
 		}
 
 		gc.JSON(http.StatusOK, res)

server/handlers/verify_email.go

@@ -154,12 +154,12 @@ func VerifyEmailHandler() gin.HandlerFunc {
 
 		sessionKey := loginMethod + ":" + user.ID
 		cookie.SetSession(c, authToken.FingerPrintHash)
-		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
-		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
+		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash, authToken.SessionTokenExpiresAt)
+		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token, authToken.AccessToken.ExpiresAt)
 
 		if authToken.RefreshToken != nil {
 			params = params + `&refresh_token=` + authToken.RefreshToken.Token
-			memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
+			memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token, authToken.RefreshToken.ExpiresAt)
 		}
 
 		if redirectURL == "" {

server/memorystore/providers/inmemory/provider_test.go

@@ -0,0 +1,14 @@
+package inmemory
+
+import (
+	"testing"
+
+	"github.com/authorizerdev/authorizer/server/memorystore/providers"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestInMemoryProvider(t *testing.T) {
+	p, err := NewInMemoryProvider()
+	assert.NoError(t, err)
+	providers.ProviderTests(t, p)
+}

server/memorystore/providers/inmemory/store.go

@@ -8,39 +8,31 @@ import (
 )
 
 // SetUserSession sets the user session for given user identifier in form recipe:user_id
-func (c *provider) SetUserSession(userId, key, token string) error {
-	c.sessionStore.Set(userId, key, token)
+func (c *provider) SetUserSession(userId, key, token string, expiration int64) error {
+	c.sessionStore.Set(userId, key, token, expiration)
 	return nil
 }
 
 // GetUserSession returns value for given session token
 func (c *provider) GetUserSession(userId, sessionToken string) (string, error) {
-	return c.sessionStore.Get(userId, sessionToken), nil
+	val := c.sessionStore.Get(userId, sessionToken)
+	if val == "" {
+		return "", fmt.Errorf("Not found")
+	}
+	return val, nil
 }
 
 // DeleteAllUserSessions deletes all the user sessions from in-memory store.
 func (c *provider) DeleteAllUserSessions(userId string) error {
-	namespaces := []string{
-		constants.AuthRecipeMethodBasicAuth,
-		constants.AuthRecipeMethodMagicLinkLogin,
-		constants.AuthRecipeMethodApple,
-		constants.AuthRecipeMethodFacebook,
-		constants.AuthRecipeMethodGithub,
-		constants.AuthRecipeMethodGoogle,
-		constants.AuthRecipeMethodLinkedIn,
-		constants.AuthRecipeMethodTwitter,
-		constants.AuthRecipeMethodMicrosoft,
-	}
-
-	for _, namespace := range namespaces {
-		c.sessionStore.RemoveAll(namespace + ":" + userId)
-	}
+	c.sessionStore.RemoveAll(userId)
 	return nil
 }
 
 // DeleteUserSession deletes the user session from the in-memory store.
 func (c *provider) DeleteUserSession(userId, sessionToken string) error {
-	c.sessionStore.Remove(userId, sessionToken)
+	c.sessionStore.Remove(userId, constants.TokenTypeSessionToken+"_"+sessionToken)
+	c.sessionStore.Remove(userId, constants.TokenTypeAccessToken+"_"+sessionToken)
+	c.sessionStore.Remove(userId, constants.TokenTypeRefreshToken+"_"+sessionToken)
 	return nil
 }
 

server/memorystore/providers/inmemory/stores/session_store.go

@@ -1,8 +1,15 @@
 package stores
 
 import (
+	"fmt"
 	"strings"
 	"sync"
+	"time"
+)
+
+const (
+	// Maximum entries to keep in session storage
+	maxCacheSize = 1000
 )
 
 // SessionEntry is the struct for entry stored in store
@@ -13,69 +20,76 @@ type SessionEntry struct {
 
 // SessionStore struct to store the env variables
 type SessionStore struct {
-	mutex sync.Mutex
-	store map[string]map[string]*SessionEntry
+	mutex        sync.Mutex
+	store        map[string]*SessionEntry
+	itemsToEvict []string
 }
 
 // NewSessionStore create a new session store
 func NewSessionStore() *SessionStore {
 	return &SessionStore{
 		mutex: sync.Mutex{},
-		store: make(map[string]map[string]*SessionEntry),
+		store: make(map[string]*SessionEntry),
 	}
 }
 
 // Get returns the value of the key in state store
 func (s *SessionStore) Get(key, subKey string) string {
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
-	return s.store[key][subKey].Value
+	currentTime := time.Now().Unix()
+	k := fmt.Sprintf("%s:%s", key, subKey)
+	if v, ok := s.store[k]; ok {
+		if v.ExpiresAt > currentTime {
+			return v.Value
+		}
+		s.itemsToEvict = append(s.itemsToEvict, k)
+	}
+	return ""
 }
 
 // Set sets the value of the key in state store
-func (s *SessionStore) Set(key string, subKey, value string) {
+func (s *SessionStore) Set(key string, subKey, value string, expiration int64) {
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
-
-	if _, ok := s.store[key]; !ok {
-		s.store[key] = make(map[string]string)
+	k := fmt.Sprintf("%s:%s", key, subKey)
+	if _, ok := s.store[k]; !ok {
+		s.store[k] = &SessionEntry{
+			Value:     value,
+			ExpiresAt: expiration,
+			// TODO add expire time
+		}
+	}
+	s.store[k] = &SessionEntry{
+		Value:     value,
+		ExpiresAt: expiration,
+		// TODO add expire time
 	}
-	s.store[key][subKey] = value
 }
 
 // RemoveAll all values for given key
 func (s *SessionStore) RemoveAll(key string) {
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
-
-	delete(s.store, key)
+	for k := range s.store {
+		if strings.Contains(k, key) {
+			delete(s.store, k)
+		}
+	}
 }
 
 // Remove value for given key and subkey
 func (s *SessionStore) Remove(key, subKey string) {
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
-	if _, ok := s.store[key]; ok {
-		delete(s.store[key], subKey)
-	}
-}
-
-// Get all the values for given key
-func (s *SessionStore) GetAll(key string) map[string]string {
-	s.mutex.Lock()
-	defer s.mutex.Unlock()
-
-	if _, ok := s.store[key]; !ok {
-		s.store[key] = make(map[string]string)
-	}
-	return s.store[key]
+	k := fmt.Sprintf("%s:%s", key, subKey)
+	delete(s.store, k)
 }
 
 // RemoveByNamespace to delete session for a given namespace example google,github
 func (s *SessionStore) RemoveByNamespace(namespace string) error {
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
-
 	for key := range s.store {
 		if strings.Contains(key, namespace+":") {
 			delete(s.store, key)