wip

Author: hf

internal/models/refresh_token.go

@@ -14,6 +14,15 @@ import (
 	"github.com/supabase/auth/internal/utilities"
 )
 
+type TODO struct {
+	SessionID string `json:"s"`
+	ID        int64  `json:"t"`
+}
+
+func (TODO) TableName() string {
+	panic("not a DB model")
+}
+
 // RefreshToken is the database model for refresh tokens.
 type RefreshToken struct {
 	ID int64 `db:"id"`

internal/models/sessions.go

@@ -91,6 +91,9 @@ type Session struct {
 
 	Tag           *string    `json:"tag" db:"tag"`
 	OAuthClientID *uuid.UUID `json:"oauth_client_id" db:"oauth_client_id"`
+
+	RefreshTokenHmacKey *string `json:"-" db:"refresh_token_hmac_key"`
+	RefreshTokenID      *int64  `json:"-" db:"refresh_token_id"`
 }
 
 func (Session) TableName() string {

internal/models/user.go

@@ -634,7 +634,9 @@ func FindUserByID(tx *storage.Connection, id uuid.UUID) (*User, error) {
 // the form SELECT ... FOR UPDATE SKIP LOCKED. This means that a FOR UPDATE
 // lock will only be acquired if there's no other lock. In case there is a
 // lock, a IsNotFound(err) error will be returned.
-func FindUserWithRefreshToken(tx *storage.Connection, token string, forUpdate bool) (*User, *RefreshToken, *Session, error) {
+//
+// Second value returned is either *models.RefreshToken or *models.TODO.
+func FindUserWithRefreshToken(tx *storage.Connection, token string, forUpdate bool) (*User, any, *Session, error) {
 	refreshToken := &RefreshToken{}
 
 	if forUpdate {

internal/tokens/service.go

@@ -130,7 +130,7 @@ func (s *Service) RefreshTokenGrant(ctx context.Context, db *storage.Connection,
 	for retry && time.Since(retryStart).Seconds() < retryLoopDuration {
 		retry = false
 
-		user, token, session, err := models.FindUserWithRefreshToken(db, params.RefreshToken, false)
+		user, anyToken, session, err := models.FindUserWithRefreshToken(db, params.RefreshToken, false)
 		if err != nil {
 			if models.IsNotFoundError(err) {
 				return nil, apierrors.NewBadRequestError(apierrors.ErrorCodeRefreshTokenNotFound, "Invalid Refresh Token: Refresh Token Not Found")
@@ -143,9 +143,11 @@ func (s *Service) RefreshTokenGrant(ctx context.Context, db *storage.Connection,
 		}
 
 		if session == nil {
-			// a refresh token won't have a session if it's created prior to the sessions table introduced
-			if err := db.Destroy(token); err != nil {
-				return nil, apierrors.NewInternalServerError("Error deleting refresh token with missing session").WithInternalError(err)
+			if token, ok := anyToken.(*models.RefreshToken); ok {
+				// a refresh token won't have a session if it's created prior to the sessions table introduced
+				if err := db.Destroy(token); err != nil {
+					return nil, apierrors.NewInternalServerError("Error deleting refresh token with missing session").WithInternalError(err)
+				}
 			}
 			return nil, apierrors.NewBadRequestError(apierrors.ErrorCodeSessionNotFound, "Invalid Refresh Token: No Valid Session Found")
 		}
@@ -281,53 +283,55 @@ func (s *Service) RefreshTokenGrant(ctx context.Context, db *storage.Connection,
 
 			var issuedToken *models.RefreshToken
 
-			if token.Revoked {
-				activeRefreshToken, terr := session.FindCurrentlyActiveRefreshToken(tx)
-				if terr != nil && !models.IsNotFoundError(terr) {
-					return apierrors.NewInternalServerError(terr.Error())
-				}
+			if token, ok := anyToken.(*models.RefreshToken); ok {
+				if token.Revoked {
+					activeRefreshToken, terr := session.FindCurrentlyActiveRefreshToken(tx)
+					if terr != nil && !models.IsNotFoundError(terr) {
+						return apierrors.NewInternalServerError(terr.Error())
+					}
 
-				if activeRefreshToken != nil && activeRefreshToken.Parent.String() == token.Token {
-					// Token was revoked, but it's the
-					// parent of the currently active one.
-					// This indicates that the client was
-					// not able to store the result when it
-					// refreshed token. This case is
-					// allowed, provided we return back the
-					// active refresh token instead of
-					// creating a new one.
-					issuedToken = activeRefreshToken
-				} else {
-					// For a revoked refresh token to be reused, it
-					// has to fall within the reuse interval.
-					reuseUntil := token.UpdatedAt.Add(
-						time.Second * time.Duration(config.Security.RefreshTokenReuseInterval))
-
-					if s.now().After(reuseUntil) {
-						// not OK to reuse this token
-						if config.Security.RefreshTokenRotationEnabled {
-							// Revoke all tokens in token family
-							if err := models.RevokeTokenFamily(tx, token); err != nil {
-								return apierrors.NewInternalServerError(err.Error())
+					if activeRefreshToken != nil && activeRefreshToken.Parent.String() == token.Token {
+						// Token was revoked, but it's the
+						// parent of the currently active one.
+						// This indicates that the client was
+						// not able to store the result when it
+						// refreshed token. This case is
+						// allowed, provided we return back the
+						// active refresh token instead of
+						// creating a new one.
+						issuedToken = activeRefreshToken
+					} else {
+						// For a revoked refresh token to be reused, it
+						// has to fall within the reuse interval.
+						reuseUntil := token.UpdatedAt.Add(
+							time.Second * time.Duration(config.Security.RefreshTokenReuseInterval))
+
+						if s.now().After(reuseUntil) {
+							// not OK to reuse this token
+							if config.Security.RefreshTokenRotationEnabled {
+								// Revoke all tokens in token family
+								if err := models.RevokeTokenFamily(tx, token); err != nil {
+									return apierrors.NewInternalServerError(err.Error())
+								}
 							}
-						}
 
-						return storage.NewCommitWithError(apierrors.NewBadRequestError(apierrors.ErrorCodeRefreshTokenAlreadyUsed, "Invalid Refresh Token: Already Used").WithInternalMessage("Possible abuse attempt: %v", token.ID))
+							return storage.NewCommitWithError(apierrors.NewBadRequestError(apierrors.ErrorCodeRefreshTokenAlreadyUsed, "Invalid Refresh Token: Already Used").WithInternalMessage("Possible abuse attempt: %v", token.ID))
+						}
 					}
 				}
-			}
-
-			if terr := models.NewAuditLogEntry(config.AuditLog, r, tx, user, models.TokenRefreshedAction, "", nil); terr != nil {
-				return terr
-			}
 
-			if issuedToken == nil {
-				newToken, terr := models.GrantRefreshTokenSwap(config.AuditLog, r, tx, user, token)
-				if terr != nil {
+				if terr := models.NewAuditLogEntry(config.AuditLog, r, tx, user, models.TokenRefreshedAction, "", nil); terr != nil {
 					return terr
 				}
 
-				issuedToken = newToken
+				if issuedToken == nil {
+					newToken, terr := models.GrantRefreshTokenSwap(config.AuditLog, r, tx, user, token)
+					if terr != nil {
+						return terr
+					}
+
+					issuedToken = newToken
+				}
 			}
 
 			tokenString, expiresAt, terr = s.GenerateAccessToken(r, tx, GenerateAccessTokenParams{

migrations/20251007112900_add_session_refresh_token_columns.sql

@@ -0,0 +1,6 @@
+ALTER TABLE {{ index .Options "Namespace" }}.sessions
+ADD COLUMN IF NOT EXISTS refresh_token_hmac_key text,
+ADD COLUMN IF NOT EXISTS refresh_token_id bigint;
+
+COMMENT ON COLUMN {{ index .Options "Namespace" }}.refresh_token_hmac_key IS 'Holds a HMAC-SHA256 key used to sign refresh tokens for this session.';
+COMMENT ON COLUMN {{ index .Options "Namespace" }}.refresh_token_id IS 'Holds the ID of the last issued refresh token.';