Parse current ID from auth cookie

insapp-io · Nov 6, 2019 · 3b4f69e · 3b4f69e
1 parent 8a821b2
commit 3b4f69e
Show file tree

Hide file tree

Showing 8 changed files with 31 additions and 32 deletions.
diff --git a/associationController.go b/associationController.go
@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"net/http"
 
-	tauth "github.com/freehaha/token-auth"
 	"github.com/gorilla/mux"
 	"gopkg.in/mgo.v2/bson"
 )
@@ -50,14 +49,11 @@ func AddAssociationController(w http.ResponseWriter, r *http.Request) {
 	res := AddAssociation(association)
 	password := GeneratePassword()
 
-	token := tauth.Get(r)
-	id := bson.ObjectIdHex(token.Claims("id").(string))
-
 	var user AssociationUser
 	user.Association = res.ID
 	user.Username = res.Email
 	user.Master = false
-	user.Owner = id
+	user.Owner = GetUserFromRequest(r)
 	user.Password = GetMD5Hash(password)
 	AddAssociationUser(user)
 	_ = SendAssociationEmailSubscription(user.Username, password)

diff --git a/auth.go b/auth.go
@@ -4,6 +4,7 @@ import (
 	"crypto/rsa"
 	"errors"
 	"io/ioutil"
+	"net/http"
 	"time"
 
 	jwt "github.com/dgrijalva/jwt-go"
@@ -70,7 +71,7 @@ func CreateNewTokens(ID bson.ObjectId, role string) (string, string, error) {
 }
 
 // CheckAndRefreshTokens renews the auth token, if needed.
-func CheckAndRefreshTokens(authTokenString string, refreshTokenString string) (string, string, error) {
+func CheckAndRefreshTokens(authTokenString string, refreshTokenString string, role string) (string, string, error) {
 	var newAuthTokenString string
 	var newRefreshTokenString string
 
@@ -85,6 +86,11 @@ func CheckAndRefreshTokens(authTokenString string, refreshTokenString string) (s
 
 	// The auth token is still valid
 	if _, ok := authToken.Claims.(*TokenClaims); ok && authToken.Valid {
+		// Check the role
+		if authToken.Claims.(*TokenClaims).Role != role {
+			return "", "", errors.New("Unauthorized")
+		}
+
 		// Update the expiration time of refresh token
 		newRefreshTokenString, err = updateRefreshTokenExpiration(refreshTokenString)
 
@@ -132,6 +138,17 @@ func RevokeRefreshToken(refreshTokenString string) error {
 	return nil
 }
 
+func GetUserFromRequest(r *http.Request) bson.ObjectId {
+	authCookie, _ := r.Cookie("AuthToken")
+
+	// Check that it matches with the auth token claims
+	authToken, _ := jwt.ParseWithClaims(authCookie.Value, &TokenClaims{}, func(token *jwt.Token) (interface{}, error) {
+		return verifyKey, nil
+	})
+
+	return authToken.Claims.(*TokenClaims).ID
+}
+
 // createAuthTokenString creates an auth token
 func createAuthTokenString(id bson.ObjectId, role string) (string, error) {
 	authTokenExpiration := time.Now().Add(authTokenValidTime).Unix()

diff --git a/eventController.go b/eventController.go
@@ -24,8 +24,8 @@ func GetEventController(w http.ResponseWriter, r *http.Request) {
 // containing all future events from "NOW"
 func GetFutureEventsController(w http.ResponseWriter, r *http.Request) {
 	userID := GetUserFromRequest(r)
-	user := GetUser(bson.ObjectIdHex(userID))
-	os := GetNotificationUserForUser(bson.ObjectIdHex(userID)).Os
+	user := GetUser(userID)
+	os := GetNotificationUserForUser(userID).Os
 	events := GetFutureEvents()
 	res := Events{}
 	if user.ID != "" {

diff --git a/go.mod b/go.mod
@@ -7,7 +7,6 @@ require (
 	cloud.google.com/go/storage v1.1.1 // indirect
 	firebase.google.com/go v3.9.0+incompatible
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
-	github.com/freehaha/token-auth v0.0.0-20151005051521-fbcb870ca8c0
 	github.com/gorilla/context v1.1.1 // indirect
 	github.com/gorilla/mux v1.7.3
 	github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646

diff --git a/go.sum b/go.sum
@@ -22,8 +22,6 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
-github.com/freehaha/token-auth v0.0.0-20151005051521-fbcb870ca8c0 h1:Vc29Xa77DR8uEtrwPjualtSiZJuhTKKjusUqEPK2yAw=
-github.com/freehaha/token-auth v0.0.0-20151005051521-fbcb870ca8c0/go.mod h1:qZrQw4xJt+htnbKPq+Q3Vs5BDkwRJAR60ORny+rgQ1A=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=

diff --git a/loginController.go b/loginController.go
@@ -36,7 +36,7 @@ func AuthMiddleware(next http.HandlerFunc) http.HandlerFunc {
 			fmt.Println(string(requestDump))
 		}
 
-		AuthCookie, authErr := r.Cookie("AuthToken")
+		authCookie, authErr := r.Cookie("AuthToken")
 
 		// Unauthorized attempt: no auth cookie
 		if authErr == http.ErrNoCookie {
@@ -52,7 +52,7 @@ func AuthMiddleware(next http.HandlerFunc) http.HandlerFunc {
 			return
 		}
 
-		RefreshCookie, refreshErr := r.Cookie("RefreshToken")
+		refreshCookie, refreshErr := r.Cookie("RefreshToken")
 
 		// Unauthorized attempt: no refresh cookie
 		if refreshErr == http.ErrNoCookie {
@@ -69,7 +69,7 @@ func AuthMiddleware(next http.HandlerFunc) http.HandlerFunc {
 		}
 
 		// Check the JWT for validity
-		authToken, refreshToken, err := CheckAndRefreshTokens(AuthCookie.Value, RefreshCookie.Value)
+		authToken, refreshToken, err := CheckAndRefreshTokens(authCookie.Value, refreshCookie.Value, "user")
 		if err != nil {
 			// Unauthorized attempt: JWT is not valid
 			if err.Error() == "Unauthorized" {

diff --git a/postController.go b/postController.go
@@ -9,7 +9,6 @@ import (
 	"strings"
 	"time"
 
-	tauth "github.com/freehaha/token-auth"
 	"github.com/gorilla/mux"
 	"gopkg.in/mgo.v2/bson"
 )
@@ -27,8 +26,8 @@ func GetPostController(w http.ResponseWriter, r *http.Request) {
 // N latest posts. Here N = 50.
 func GetAllPostsController(w http.ResponseWriter, r *http.Request) {
 	userID := GetUserFromRequest(r)
-	user := GetUser(bson.ObjectIdHex(userID))
-	os := GetNotificationUserForUser(bson.ObjectIdHex(userID)).Os
+	user := GetUser(userID)
+	os := GetNotificationUserForUser(userID).Os
 	posts := GetLatestPosts(10)
 	filteredPosts := Posts{}
 	if user.ID != "" {
@@ -70,8 +69,8 @@ func GetPostsForAssociationController(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	associationID := vars["id"]
 	userID := GetUserFromRequest(r)
-	user := GetUser(bson.ObjectIdHex(userID))
-	os := GetNotificationUserForUser(bson.ObjectIdHex(userID)).Os
+	user := GetUser(userID)
+	os := GetNotificationUserForUser(userID).Os
 	posts := GetPostsForAssociation(bson.ObjectIdHex(associationID))
 
 	filteredPosts := Posts{}
@@ -203,9 +202,7 @@ func ReportCommentController(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	postID := vars["id"]
 	commentID := vars["commentID"]
-	token := tauth.Get(r)
-	userID := token.Claims("id").(string)
-	ReportComment(bson.ObjectIdHex(postID), bson.ObjectIdHex(commentID), bson.ObjectIdHex(userID))
+	ReportComment(bson.ObjectIdHex(postID), bson.ObjectIdHex(commentID), GetUserFromRequest(r))
 	_ = json.NewEncoder(w).Encode(bson.M{})
 }
 

diff --git a/userController.go b/userController.go
@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"net/http"
 
-	tauth "github.com/freehaha/token-auth"
 	"github.com/gorilla/mux"
 	"gopkg.in/mgo.v2/bson"
 )
@@ -65,16 +64,9 @@ func DeleteUserController(w http.ResponseWriter, r *http.Request) {
 func ReportUserController(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	userID := vars["id"]
-	token := tauth.Get(r)
-	reporterID := token.Claims("id").(string)
-	ReportUser(bson.ObjectIdHex(userID), bson.ObjectIdHex(reporterID))
-	json.NewEncoder(w).Encode(bson.M{})
-}
 
-func GetUserFromRequest(r *http.Request) string {
-	token := tauth.Get(r)
-	id := token.Claims("id").(string)
-	return id
+	ReportUser(bson.ObjectIdHex(userID), GetUserFromRequest(r))
+	json.NewEncoder(w).Encode(bson.M{})
 }
 
 func Contains(a string, list []string) bool {