Verify token claims prior to expiration (#124)

dkhalife · web-flow · commit c0b19ad9ed5f · 2025-06-10T13:56:41.000-07:00
diff --git a/internal/middleware/auth/auth.go b/internal/middleware/auth/auth.go
@@ -64,16 +64,25 @@ func NewAuthMiddleware(cfg *config.Config, userRepo uRepo.IUserRepo) (*jwt.GinJW
 		IdentityHandler: func(c *gin.Context) interface{} {
 			claims := jwt.ExtractClaims(c)
 
-			id, ok := claims[auth.IdentityKey].(string)
+			userIDRaw, ok := claims[auth.IdentityKey].(string)
 			if !ok {
 				logging.FromContext(c).Errorw("failed to extract ID from claims")
 				return nil
 			}
-			userID, err := strconv.Atoi(id)
+			userID, err := strconv.Atoi(userIDRaw)
 			if err != nil {
 				return nil
 			}
 
+			var tokenID = 0
+			appTokenIDRaw, ok := claims[auth.AppTokenKey].(string)
+			if ok {
+				tokenID, err = strconv.Atoi(appTokenIDRaw)
+				if err != nil {
+					tokenID = 0
+				}
+			}
+
 			scopesRaw, ok := claims["scopes"].([]interface{})
 			if !ok {
 				return nil
@@ -87,13 +96,39 @@ func NewAuthMiddleware(cfg *config.Config, userRepo uRepo.IUserRepo) (*jwt.GinJW
 			}
 
 			return &models.SignedInIdentity{
-				UserID: userID,
-				Type:   models.IdentityTypeUser,
-				Scopes: scopes,
+				UserID:  userID,
+				TokenID: tokenID,
+				Type:    models.IdentityType(claims["type"].(string)),
+				Scopes:  scopes,
 			}
 		},
 		Authorizator: func(data interface{}, c *gin.Context) bool {
-			if _, ok := data.(*models.SignedInIdentity); ok {
+			if identity, ok := data.(*models.SignedInIdentity); ok {
+				if identity.Type == models.IdentityTypeUser {
+					// Check that the user still exists
+					_, err := userRepo.GetUser(c.Request.Context(), identity.UserID)
+					if err != nil {
+						logging.FromContext(c).Errorw("failed to find user", "err", err)
+						return false
+					}
+				} else if identity.Type == models.IdentityTypeApp {
+					// An app token id must be present
+					if identity.TokenID == 0 {
+						logging.FromContext(c).Errorw("app token ID is nil")
+						return false
+					}
+
+					// Check that the app token still exists
+					_, err := userRepo.GetAppTokenByID(c.Request.Context(), identity.TokenID)
+					if err != nil {
+						logging.FromContext(c).Errorw("failed to find app token", "err", err)
+						return false
+					}
+				} else {
+					logging.FromContext(c).Errorw("unknown identity type", "type", identity.Type)
+					return false
+				}
+
 				return true
 			}
 			return false
diff --git a/internal/models/user.go b/internal/models/user.go
@@ -30,9 +30,10 @@ const (
 )
 
 type SignedInIdentity struct {
-	UserID int
-	Type   IdentityType
-	Scopes []ApiTokenScope
+	UserID  int
+	TokenID int
+	Type    IdentityType
+	Scopes  []ApiTokenScope
 }
 
 type UserPasswordReset struct {
diff --git a/internal/repos/user/user.go b/internal/repos/user/user.go
@@ -21,6 +21,7 @@ type IUserRepo interface {
 	ActivateAccount(c context.Context, email string, code string) (bool, error)
 	UpdatePasswordByToken(ctx context.Context, email string, token string, password string) error
 	CreateAppToken(c context.Context, userID int, name string, scopes []models.ApiTokenScope, days int) (*models.AppToken, error)
+	GetAppTokenByID(c context.Context, tokenId int) (*models.AppToken, error)
 	GetAllUserTokens(c context.Context, userID int) ([]*models.AppToken, error)
 	DeleteAppToken(c context.Context, userID int, tokenID string) error
 	UpdateNotificationSettings(c context.Context, userID int, provider models.NotificationProvider, triggers models.NotificationTriggerOptions) error
@@ -160,43 +161,62 @@ func convertScopesToStringArray(scopes []models.ApiTokenScope) []string {
 }
 
 func (r *UserRepository) CreateAppToken(c context.Context, userID int, name string, scopes []models.ApiTokenScope, days int) (*models.AppToken, error) {
-	duration := time.Duration(days) * 24 * time.Hour
-	expiresAt := time.Now().UTC().Add(duration)
-	jwtToken := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
-		auth.IdentityKey: fmt.Sprintf("%d", userID),
-		"exp":            expiresAt.Unix(),
-		"type":           "app",
-		"scopes":         scopes,
-	})
+	var token *models.AppToken
+	err := r.db.WithContext(c).Transaction(func(tx *gorm.DB) error {
+		var nextID int
+		if err := tx.Raw("SELECT COALESCE(MAX(id), 0)+1 AS next_id FROM app_tokens").Scan(&nextID).Error; err != nil {
+			return fmt.Errorf("failed to get next token id: %w", err)
+		}
 
-	signedToken, err := jwtToken.SignedString([]byte(r.cfg.Jwt.Secret))
-	if err != nil {
-		return nil, fmt.Errorf("failed to sign token: %s", err.Error())
-	}
+		for _, scope := range scopes {
+			if scope == models.ApiTokenScopeUserRead || scope == models.ApiTokenScopeUserWrite {
+				return fmt.Errorf("user scopes are not allowed")
+			}
 
-	for _, scope := range scopes {
-		if scope == models.ApiTokenScopeUserRead || scope == models.ApiTokenScopeUserWrite {
-			return nil, fmt.Errorf("user scopes are not allowed")
+			if scope == models.ApiTokenScopeTokenWrite {
+				return fmt.Errorf("token scopes are not allowed")
+			}
 		}
 
-		if scope == models.ApiTokenScopeTokenWrite {
-			return nil, fmt.Errorf("token scopes are not allowed")
+		duration := time.Duration(days) * 24 * time.Hour
+		expiresAt := time.Now().UTC().Add(duration)
+		jwtToken := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+			auth.AppTokenKey: fmt.Sprintf("%d", nextID),
+			auth.IdentityKey: fmt.Sprintf("%d", userID),
+			"exp":            expiresAt.Unix(),
+			"type":           "app",
+			"scopes":         scopes,
+		})
+
+		signedToken, err := jwtToken.SignedString([]byte(r.cfg.Jwt.Secret))
+		if err != nil {
+			return fmt.Errorf("failed to sign token: %s", err.Error())
 		}
-	}
 
-	token := &models.AppToken{
-		UserID:    userID,
-		Name:      name,
-		Token:     signedToken,
-		ExpiresAt: expiresAt,
-		Scopes:    convertScopesToStringArray(scopes),
-	}
+		token = &models.AppToken{
+			ID:        nextID,
+			UserID:    userID,
+			Name:      name,
+			Token:     signedToken,
+			ExpiresAt: expiresAt,
+			Scopes:    convertScopesToStringArray(scopes),
+		}
 
-	if err := r.db.WithContext(c).Create(token).Error; err != nil {
-		return nil, fmt.Errorf("failed to save token: %s", err.Error())
-	}
+		if err := tx.Create(token).Error; err != nil {
+			return fmt.Errorf("failed to save token: %s", err.Error())
+		}
+		return nil
+	})
 
-	return token, nil
+	return token, err
+}
+
+func (r *UserRepository) GetAppTokenByID(c context.Context, tokenId int) (*models.AppToken, error) {
+	var token models.AppToken
+	if err := r.db.WithContext(c).Where("id = ?", tokenId).First(&token).Error; err != nil {
+		return nil, err
+	}
+	return &token, nil
 }
 
 func (r *UserRepository) GetAllUserTokens(c context.Context, userID int) ([]*models.AppToken, error) {
diff --git a/internal/utils/auth/auth.go b/internal/utils/auth/auth.go
@@ -11,7 +11,8 @@ import (
 	"golang.org/x/crypto/bcrypt"
 )
 
-var IdentityKey = "id"
+var IdentityKey = "user_id"
+var AppTokenKey = "token_id"
 
 func EncodePassword(password string) (string, error) {
 	bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)

Original file line number	Diff line number	Diff line change
`@@ -30,9 +30,10 @@ const (`
`30`	`30`	`)`
`31`	`31`
`32`	`32`	`type SignedInIdentity struct {`
`33`		`- UserID int`
`34`		`- Type IdentityType`
`35`		`- Scopes []ApiTokenScope`
	`33`	`+ UserID int`
	`34`	`+ TokenID int`
	`35`	`+ Type IdentityType`
	`36`	`+ Scopes []ApiTokenScope`
`36`	`37`	`}`
`37`	`38`
`38`	`39`	`type UserPasswordReset struct {`
Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,8 @@ import (`
`11`	`11`	`"golang.org/x/crypto/bcrypt"`
`12`	`12`	`)`
`13`	`13`
`14`		`-var IdentityKey = "id"`
	`14`	`+var IdentityKey = "user_id"`
	`15`	`+var AppTokenKey = "token_id"`
`15`	`16`
`16`	`17`	`func EncodePassword(password string) (string, error) {`
`17`	`18`	`bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)`