Merge pull request #402 from authorizerdev/fix/profile-access

fix: use session / access_token for profile related queries or mutation

Author: lakhansamani

dashboard/yarn.lock

@@ -1222,10 +1222,10 @@ error-ex@^1.3.1:
   dependencies:
     is-arrayish "^0.2.1"
 
-esbuild-linux-64@0.14.9:
+esbuild-darwin-arm64@0.14.9:
   version "0.14.9"
-  resolved "https://registry.npmjs.org/esbuild-linux-64/-/esbuild-linux-64-0.14.9.tgz"
-  integrity sha512-WoEI+R6/PLZAxS7XagfQMFgRtLUi5cjqqU9VCfo3tnWmAXh/wt8QtUfCVVCcXVwZLS/RNvI19CtfjlrJU61nOg==
+  resolved "https://registry.npmjs.org/esbuild-darwin-arm64/-/esbuild-darwin-arm64-0.14.9.tgz"
+  integrity sha512-3ue+1T4FR5TaAu4/V1eFMG8Uwn0pgAwQZb/WwL1X78d5Cy8wOVQ67KNH1lsjU+y/9AcwMKZ9x0GGNxBB4a1Rbw==
 
 esbuild@^0.14.9:
   version "0.14.9"

server/handlers/userinfo.go

@@ -21,7 +21,6 @@ func UserInfoHandler() gin.HandlerFunc {
 			})
 			return
 		}
-
 		claims, err := token.ValidateAccessToken(gc, accessToken)
 		if err != nil {
 			log.Debug("Error validating access token: ", err)
@@ -30,7 +29,6 @@ func UserInfoHandler() gin.HandlerFunc {
 			})
 			return
 		}
-
 		userID := claims["sub"].(string)
 		user, err := db.Provider.GetUserByID(gc, userID)
 		if err != nil {

server/resolvers/deactivate_account.go

@@ -21,17 +21,11 @@ func DeactivateAccountResolver(ctx context.Context) (*model.Response, error) {
 		log.Debug("Failed to get GinContext: ", err)
 		return res, err
 	}
-	accessToken, err := token.GetAccessToken(gc)
+	userID, err := token.GetUserIDFromSessionOrAccessToken(gc)
 	if err != nil {
-		log.Debug("Failed to get access token: ", err)
+		log.Debug("Failed GetUserIDFromSessionOrAccessToken: ", err)
 		return res, err
 	}
-	claims, err := token.ValidateAccessToken(gc, accessToken)
-	if err != nil {
-		log.Debug("Failed to validate access token: ", err)
-		return res, err
-	}
-	userID := claims["sub"].(string)
 	log := log.WithFields(log.Fields{
 		"user_id": userID,
 	})

server/resolvers/profile.go

@@ -20,21 +20,11 @@ func ProfileResolver(ctx context.Context) (*model.User, error) {
 		log.Debug("Failed to get GinContext: ", err)
 		return res, err
 	}
-
-	accessToken, err := token.GetAccessToken(gc)
+	userID, err := token.GetUserIDFromSessionOrAccessToken(gc)
 	if err != nil {
-		log.Debug("Failed to get access token: ", err)
+		log.Debug("Failed GetUserIDFromSessionOrAccessToken: ", err)
 		return res, err
 	}
-
-	claims, err := token.ValidateAccessToken(gc, accessToken)
-	if err != nil {
-		log.Debug("Failed to validate access token: ", err)
-		return res, err
-	}
-
-	userID := claims["sub"].(string)
-
 	log := log.WithFields(log.Fields{
 		"user_id": userID,
 	})

server/resolvers/update_profile.go

@@ -35,15 +35,9 @@ func UpdateProfileResolver(ctx context.Context, params model.UpdateProfileInput)
 		log.Debug("Failed to get GinContext: ", err)
 		return res, err
 	}
-
-	accessToken, err := token.GetAccessToken(gc)
+	userID, err := token.GetUserIDFromSessionOrAccessToken(gc)
 	if err != nil {
-		log.Debug("Failed to get access token: ", err)
-		return res, err
-	}
-	claims, err := token.ValidateAccessToken(gc, accessToken)
-	if err != nil {
-		log.Debug("Failed to validate access token: ", err)
+		log.Debug("Failed GetUserIDFromSessionOrAccessToken: ", err)
 		return res, err
 	}
 
@@ -52,8 +46,6 @@ func UpdateProfileResolver(ctx context.Context, params model.UpdateProfileInput)
 		log.Debug("All params are empty")
 		return res, fmt.Errorf("please enter at least one param to update")
 	}
-
-	userID := claims["sub"].(string)
 	log := log.WithFields(log.Fields{
 		"user_id": userID,
 	})

server/token/auth_token.go

@@ -15,6 +15,7 @@ import (
 	"github.com/robertkrimen/otto"
 
 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/db/models"
 	"github.com/authorizerdev/authorizer/server/memorystore"
@@ -480,3 +481,34 @@ func GetIDToken(gc *gin.Context) (string, error) {
 	token := strings.TrimPrefix(auth, "Bearer ")
 	return token, nil
 }
+
+// GetUserIDFromSessionOrAccessToken returns the user id from the session or access token
+func GetUserIDFromSessionOrAccessToken(gc *gin.Context) (string, error) {
+	// First try to get the user id from the session
+	isSession := true
+	token, err := cookie.GetSession(gc)
+	if err != nil || token == "" {
+		log.Debug("Failed to get session token: ", err)
+		isSession = false
+		token, err = GetAccessToken(gc)
+		if err != nil || token == "" {
+			log.Debug("Failed to get access token: ", err)
+			return "", fmt.Errorf(`unauthorized`)
+		}
+	}
+	if isSession {
+		claims, err := ValidateBrowserSession(gc, token)
+		if err != nil {
+			log.Debug("Failed to validate session token: ", err)
+			return "", fmt.Errorf(`unauthorized`)
+		}
+		return claims.Subject, nil
+	}
+	// If not session, then validate the access token
+	claims, err := ValidateAccessToken(gc, token)
+	if err != nil {
+		log.Debug("Failed to validate access token: ", err)
+		return "", fmt.Errorf(`unauthorized`)
+	}
+	return claims["sub"].(string), nil
+}