fix: fix tokens to expire after 3 months and always inherit admin perms from user
This commit is contained in:
parent
e8f502073d
commit
b4c331daa0
|
@ -61,7 +61,7 @@ func (db *DB) Tokens(ctx context.Context, userID xid.ID) (ts []Token, err error)
|
||||||
}
|
}
|
||||||
|
|
||||||
// 3 months, might be customizable later
|
// 3 months, might be customizable later
|
||||||
const ExpiryTime = 3 * 30 * 24 * time.Hour
|
const TokenExpiryTime = 3 * 30 * 24 * time.Hour
|
||||||
|
|
||||||
// SaveToken saves a token to the database.
|
// SaveToken saves a token to the database.
|
||||||
func (db *DB) SaveToken(ctx context.Context, userID xid.ID, tokenID xid.ID, apiOnly, readOnly bool) (t Token, err error) {
|
func (db *DB) SaveToken(ctx context.Context, userID xid.ID, tokenID xid.ID, apiOnly, readOnly bool) (t Token, err error) {
|
||||||
|
@ -69,7 +69,7 @@ func (db *DB) SaveToken(ctx context.Context, userID xid.ID, tokenID xid.ID, apiO
|
||||||
SetMap(map[string]any{
|
SetMap(map[string]any{
|
||||||
"user_id": userID,
|
"user_id": userID,
|
||||||
"token_id": tokenID,
|
"token_id": tokenID,
|
||||||
"expires": time.Now().Add(ExpiryTime),
|
"expires": time.Now().Add(TokenExpiryTime),
|
||||||
"api_only": apiOnly,
|
"api_only": apiOnly,
|
||||||
"read_only": readOnly,
|
"read_only": readOnly,
|
||||||
}).
|
}).
|
||||||
|
|
|
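Review bot: The `"expires"` value written on the token row is computed from a fresh `time.Now()` here, while the JWT expiry in Verifier.CreateToken (the last hunk) comes from its own `now`, so the two expiry instants for the same token differ by however long the caller spends between the two calls, and the database row and the JWT then disagree about exactly when the token stops being valid. Since both now derive from the same constant, computing the expiry once in the caller and passing it to both, or letting SaveToken accept the `expires` instant that CreateToken used, would keep them consistent; whether the handler calls them in that order is not visible in this hunk. SaveToken's body continues outside the hunk.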
@ -96,9 +96,14 @@ func (s *Server) createToken(w http.ResponseWriter, r *http.Request) error {
|
||||||
return server.APIError{Code: server.ErrMissingPermissions, Details: "This endpoint cannot be used by API tokens"}
|
return server.APIError{Code: server.ErrMissingPermissions, Details: "This endpoint cannot be used by API tokens"}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
u, err := s.DB.User(ctx, claims.UserID)
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrap(err, "getting me user")
|
||||||
|
}
|
||||||
|
|
||||||
readOnly := r.FormValue("read_only") == "true"
|
readOnly := r.FormValue("read_only") == "true"
|
||||||
tokenID := xid.New()
|
tokenID := xid.New()
|
||||||
tokenStr, err := s.Auth.CreateToken(claims.UserID, tokenID, false, true, !readOnly)
|
tokenStr, err := s.Auth.CreateToken(claims.UserID, tokenID, u.IsAdmin, true, !readOnly)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errors.Wrap(err, "creating token")
|
return errors.Wrap(err, "creating token")
|
||||||
}
|
}
|
||||||
|
|
|
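Review bot: `u.IsAdmin` is captured into the token at creation time and the token now lives for three months (db.TokenExpiryTime), so if the verifier trusts the admin claim without re-reading the user row, revoking a user's admin flag will not take effect on already issued API tokens until they expire; re-checking the current user record on privileged endpoints, or invalidating that user's tokens on demotion, would close that window. Separately, the error context `"getting me user"` reads oddly; `return errors.Wrap(err, "getting requesting user")` is clearer. `ctx` is not declared in the hunk, so it presumably comes from earlier in createToken; the function starts and ends outside the hunk.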
@ -6,6 +6,7 @@ import (
|
||||||
"os"
|
"os"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"codeberg.org/u1f320/pronouns.cc/backend/db"
|
||||||
"codeberg.org/u1f320/pronouns.cc/backend/log"
|
"codeberg.org/u1f320/pronouns.cc/backend/log"
|
||||||
"emperror.dev/errors"
|
"emperror.dev/errors"
|
||||||
"github.com/golang-jwt/jwt/v4"
|
"github.com/golang-jwt/jwt/v4"
|
||||||
|
@ -46,14 +47,11 @@ func New() *Verifier {
|
||||||
return &Verifier{key: key}
|
return &Verifier{key: key}
|
||||||
}
|
}
|
||||||
|
|
||||||
// ExpireDays is after how many days the token will expire.
|
|
||||||
const ExpireDays = 30
|
|
||||||
|
|
||||||
// CreateToken creates a token for the given user ID.
|
// CreateToken creates a token for the given user ID.
|
||||||
// It expires after 30 days.
|
// It expires after three months.
|
||||||
func (v *Verifier) CreateToken(userID, tokenID xid.ID, isAdmin bool, isAPIToken bool, isWriteToken bool) (token string, err error) {
|
func (v *Verifier) CreateToken(userID, tokenID xid.ID, isAdmin bool, isAPIToken bool, isWriteToken bool) (token string, err error) {
|
||||||
now := time.Now()
|
now := time.Now()
|
||||||
expires := now.Add(ExpireDays * 24 * time.Hour)
|
expires := now.Add(db.TokenExpiryTime)
|
||||||
|
|
||||||
t := jwt.NewWithClaims(jwt.SigningMethodHS256, Claims{
|
t := jwt.NewWithClaims(jwt.SigningMethodHS256, Claims{
|
||||||
UserID: userID,
|
UserID: userID,
|
||||||
|
|
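Review bot: The updated doc comment `// It expires after three months.` restates the value of db.TokenExpiryTime, so it will silently go stale when the constant is changed (the constant's own comment already anticipates making it customizable); `// It expires after db.TokenExpiryTime.` keeps the documented contract tied to the source of truth. Taking the constant from the db package also makes this package depend on db for a single duration; if db ever needs anything from this package that becomes an import cycle, so a neutral home for the constant may be worth considering. Removing the exported ExpireDays is a breaking change for any other importer that referenced it, which cannot be verified from this hunk. CreateToken's body continues past the hunk.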