fix: authorize endpoint setting user session

lakhansamani · lakhansamani · commit 97f6c7d50ae6 · 2022-08-29T08:18:20.000+05:30
diff --git a/server/handlers/authorize.go b/server/handlers/authorize.go
@@ -248,7 +248,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 				return
 			}
 
-			memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeSessionToken+"_"+newSessionTokenData.Nonce, newSessionToken)
+			memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+newSessionTokenData.Nonce, newSessionToken)
 			cookie.SetSession(gc, newSessionToken)
 			code := uuid.New().String()
 			memorystore.Provider.SetState(codeChallenge, code+"@"+newSessionToken)
diff --git a/server/handlers/token.go b/server/handlers/token.go
@@ -76,7 +76,6 @@ func TokenHandler() gin.HandlerFunc {
 		sessionKey := ""
 
 		if isAuthorizationCodeGrant {
-
 			if codeVerifier == "" {
 				log.Debug("Code verifier is empty")
 				gc.JSON(http.StatusBadRequest, gin.H{
@@ -134,15 +133,18 @@ func TokenHandler() gin.HandlerFunc {
 				})
 				return
 			}
+
 			userID = claims.Subject
 			roles = claims.Roles
 			scope = claims.Scope
 			loginMethod = claims.LoginMethod
+
 			// rollover the session for security
 			sessionKey = userID
 			if loginMethod != "" {
 				sessionKey = loginMethod + ":" + userID
 			}
+
 			go memorystore.Provider.DeleteUserSession(sessionKey, claims.Nonce)
 		} else {
 			// validate refresh token
diff --git a/server/memorystore/providers/inmemory/store.go b/server/memorystore/providers/inmemory/store.go
@@ -7,7 +7,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/constants"
 )
 
-// SetUserSession sets the user session
+// SetUserSession sets the user session for given user identifier in form recipe:user_id
 func (c *provider) SetUserSession(userId, key, token string) error {
 	c.sessionStore.Set(userId, key, token)
 	return nil
diff --git a/server/memorystore/providers/providers.go b/server/memorystore/providers/providers.go
@@ -2,7 +2,7 @@ package providers
 
 // Provider defines current memory store provider
 type Provider interface {
-	// SetUserSession sets the user session
+	// SetUserSession sets the user session for given user identifier in form recipe:user_id
 	SetUserSession(userId, key, token string) error
 	// GetAllUserSessions returns all the user sessions from the session store
 	GetAllUserSessions(userId string) (map[string]string, error)
diff --git a/server/memorystore/providers/redis/store.go b/server/memorystore/providers/redis/store.go
@@ -14,7 +14,7 @@ var (
 	envStorePrefix = "authorizer_env"
 )
 
-// SetUserSession sets the user session in redis store.
+// SetUserSession sets the user session for given user identifier in form recipe:user_id
 func (c *provider) SetUserSession(userId, key, token string) error {
 	err := c.store.HSet(c.ctx, userId, key, token).Err()
 	if err != nil {
diff --git a/server/token/auth_token.go b/server/token/auth_token.go
@@ -298,7 +298,6 @@ func ValidateBrowserSession(gc *gin.Context, encryptedSession string) (*SessionD
 	if res.LoginMethod != "" {
 		sessionStoreKey = res.LoginMethod + ":" + res.Subject
 	}
-
 	token, err := memorystore.Provider.GetUserSession(sessionStoreKey, constants.TokenTypeSessionToken+"_"+res.Nonce)
 	if token == "" || err != nil {
 		log.Debug("invalid browser session:", err)

Original file line number	Diff line number	Diff line change
`@@ -248,7 +248,7 @@ func AuthorizeHandler() gin.HandlerFunc {`
`248`	`248`	`return`
`249`	`249`	`}`
`250`	`250`
`251`		`- memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeSessionToken+"_"+newSessionTokenData.Nonce, newSessionToken)`
	`251`	`+ memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+newSessionTokenData.Nonce, newSessionToken)`
`252`	`252`	`cookie.SetSession(gc, newSessionToken)`
`253`	`253`	`code := uuid.New().String()`
`254`	`254`	`memorystore.Provider.SetState(codeChallenge, code+"@"+newSessionToken)`
Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ import (`
`7`	`7`	`"github.com/authorizerdev/authorizer/server/constants"`
`8`	`8`	`)`
`9`	`9`
`10`		`-// SetUserSession sets the user session`
	`10`	`+// SetUserSession sets the user session for given user identifier in form recipe:user_id`
`11`	`11`	`func (c *provider) SetUserSession(userId, key, token string) error {`
`12`	`12`	`c.sessionStore.Set(userId, key, token)`
`13`	`13`	`return nil`
Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ var (`
`14`	`14`	`envStorePrefix = "authorizer_env"`
`15`	`15`	`)`
`16`	`16`
`17`		`-// SetUserSession sets the user session in redis store.`
	`17`	`+// SetUserSession sets the user session for given user identifier in form recipe:user_id`
`18`	`18`	`func (c *provider) SetUserSession(userId, key, token string) error {`
`19`	`19`	`err := c.store.HSet(c.ctx, userId, key, token).Err()`
`20`	`20`	`if err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -298,7 +298,6 @@ func ValidateBrowserSession(gc gin.Context, encryptedSession string) (SessionD`
`298`	`298`	`if res.LoginMethod != "" {`
`299`	`299`	`sessionStoreKey = res.LoginMethod + ":" + res.Subject`
`300`	`300`	`}`
`301`		`-`
`302`	`301`	`token, err := memorystore.Provider.GetUserSession(sessionStoreKey, constants.TokenTypeSessionToken+"_"+res.Nonce)`
`303`	`302`	`if token == "" \|\| err != nil {`
`304`	`303`	`log.Debug("invalid browser session:", err)`