refactor auth

Gopkg.lock

@@ -30,6 +30,21 @@
   ]
   revision = "bf7803815b0baa22ff7a10457932882dfbf09925"
 
+[[projects]]
+  name = "github.com/go-redis/redis"
+  packages = [
+    ".",
+    "internal",
+    "internal/consistenthash",
+    "internal/hashtag",
+    "internal/pool",
+    "internal/proto",
+    "internal/singleflight",
+    "internal/util"
+  ]
+  revision = "83fb42932f6145ce52df09860384a4653d2d332a"
+  version = "v6.12.0"
+
 [[projects]]
   name = "github.com/golang/protobuf"
   packages = ["proto"]
@@ -102,6 +117,6 @@
 [solve-meta]
   analyzer-name = "dep"
   analyzer-version = 1
-  inputs-digest = "7fe5f8b83f3a0556f7574a9334d97c080f888f616754772851ed06f70be00a37"
+  inputs-digest = "f39a3af36dc118d9ce3e7647ae989cd30486ef9729d721fe106bbb7cfaf6e4cb"
   solver-name = "gps-cdcl"
   solver-version = 1

middleware/auth/auth.go

@@ -5,7 +5,6 @@ import (
 	"github.com/dgrijalva/jwt-go"
 	"github.com/gin-gonic/gin"
 	"net/http"
-	"time"
 )
 
 const (
@@ -15,29 +14,27 @@ const (
 	ctxRequestTokenExpired        = "expired"
 )
 
-func Auth(authKey string) gin.HandlerFunc {
+func Auth(authKey string, session Session) gin.HandlerFunc {
 	return func(ctx *gin.Context) {
-		var (
-			err error
-			tk  = ctx.Request.Header.Get(ctxRequestHeaderAuthorization)
-		)
+		var tokenFromCookie, tokenFromHeader string
 
-		if tk == "" {
-			tk, err = ctx.Cookie(ctxRequestCookieAuthorization)
-			if err != nil {
-				ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"msg": "auth failed"})
-				return
+		tokenFromCookie, err := ctx.Cookie(ctxRequestCookieAuthorization)
+		if err != nil {
+			if err == http.ErrNoCookie {
+				tokenFromHeader = ctx.Request.Header.Get(ctxRequestHeaderAuthorization)
 			}
+		}
 
-			tk = "Bearer " + tk
+		if tokenFromHeader == "" {
+			tokenFromHeader = "Bearer " + tokenFromCookie
 		}
 
-		if len(tk) < 8 {
+		if len(tokenFromHeader) < 8 {
 			ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"msg": "auth failed"})
 			return
 		}
 
-		token, err := jwt.Parse(tk[7:], func(token *jwt.Token) (interface{}, error) {
+		token, err := jwt.Parse(tokenFromHeader[7:], func(token *jwt.Token) (interface{}, error) {
 			if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
 				return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
 			}
@@ -50,25 +47,21 @@ func Auth(authKey string) gin.HandlerFunc {
 			return
 		}
 
+		if !session.IsExistsJwtToken(token.Signature) {
+			ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"msg": "auth failed, token expired by server"})
+			return
+		}
+
 		if mapClaims, ok := token.Claims.(jwt.MapClaims); ok {
 			if expired, ok := mapClaims[ctxRequestTokenExpired].(float64); ok {
-				switch true {
-				case expired > 0:
-					if int64(expired) < time.Now().Unix() {
-						ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"msg": "auth failed, token timeout"})
-						return
-					}
+				if expired == 0 && tokenFromCookie == "" {
+					if session.DeleteJwtToken(token.Raw) {
+						ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"msg": "auth failed, token expired"})
 
-					// todo check expired from server
-				case expired == 0:
-					// Only cookie is exists, check token expired. app expired by itself call logout when app exit
-					if _, err := ctx.Cookie(ctxRequestCookieAuthorization); err != nil {
-						ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"msg": "auth failed, token timeout"})
-						return
+					} else {
+						ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"msg": "auth failed, delete server token failed"})
 					}
 
-				default:
-					ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"msg": "auth failed, token timeout"})
 					return
 				}
 

middleware/auth/optional_auth.go

@@ -2,33 +2,32 @@ package auth
 
 import (
 	"fmt"
-	"time"
-
 	"github.com/dgrijalva/jwt-go"
 	"github.com/gin-gonic/gin"
+	"net/http"
 )
 
 func OptionalAuth(authKey string) gin.HandlerFunc {
 	return func(ctx *gin.Context) {
-		var (
-			err error
-			tk  = ctx.Request.Header.Get(ctxRequestHeaderAuthorization)
-		)
-
-		if tk == "" {
-			tk, err = ctx.Cookie(ctxRequestCookieAuthorization)
-			if err != nil {
-				return
+		var tokenFromCookie, tokenFromHeader string
+
+		tokenFromCookie, err := ctx.Cookie(ctxRequestCookieAuthorization)
+		if err != nil {
+			if err == http.ErrNoCookie {
+				tokenFromHeader = ctx.Request.Header.Get(ctxRequestHeaderAuthorization)
 			}
+		}
 
-			tk = "Bearer " + tk
+		if tokenFromHeader == "" {
+			tokenFromHeader = "Bearer " + tokenFromCookie
 		}
 
-		if len(tk) < 8 {
+		if len(tokenFromHeader) < 8 {
+			ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"msg": "auth failed"})
 			return
 		}
 
-		token, err := jwt.Parse(tk[7:], func(token *jwt.Token) (interface{}, error) {
+		token, err := jwt.Parse(tokenFromHeader[7:], func(token *jwt.Token) (interface{}, error) {
 			if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
 				return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
 			}
@@ -41,15 +40,6 @@ func OptionalAuth(authKey string) gin.HandlerFunc {
 		}
 
 		if mapClaims, ok := token.Claims.(jwt.MapClaims); ok {
-			if expired, ok := mapClaims[ctxRequestTokenExpired].(float64); ok {
-				if int64(expired) < time.Now().Unix() {
-					// Only cookie is blank value, check token expired
-					if _, err := ctx.Cookie(ctxRequestCookieAuthorization); err != nil {
-						return
-					}
-				}
-			}
-
 			if uid, ok := mapClaims[CtxRequestHeaderUserId].(float64); ok {
 				ctx.Set(CtxRequestHeaderUserId, int64(uid))
 			}

middleware/auth/session.go

@@ -0,0 +1,14 @@
+package auth
+
+import "time"
+
+type Session interface {
+	// StoreJwtToken store jwt token is redis, make it expired for feature
+	StoreJwtToken(key string, value string, timeout time.Duration) error
+
+	// IsExistsJwtToken judge whether token is invalid
+	IsExistsJwtToken(key string) bool
+
+	// DeleteJwtToken delete jwt token
+	DeleteJwtToken(key string) bool
+}

middleware/auth/session_redis.go

@@ -0,0 +1,49 @@
+package auth
+
+import (
+	"github.com/go-redis/redis"
+	"sync"
+	"time"
+)
+
+type RedisSessionStore struct {
+	once   *sync.Once
+	client *redis.Client
+}
+
+func NewRedisSessionStore(address string, password string) *RedisSessionStore {
+	session := &RedisSessionStore{}
+	session.once.Do(func() {
+		session.client = redis.NewClient(&redis.Options{
+			Addr:     address,
+			Password: password,
+		})
+
+		if err := session.client.Ping().Err(); err != nil {
+			panic(err)
+		}
+	})
+
+	return session
+}
+
+func (rss *RedisSessionStore) StoreJwtToken(key string, value string, timeout time.Duration) error {
+	return rss.client.Set(key, value, timeout).Err()
+}
+
+func (rss *RedisSessionStore) IsExistsJwtToken(key string) bool {
+	if v := rss.client.Exists(key).Val(); v != 1 {
+		return false
+	}
+
+	return true
+}
+
+// DeleteJwtToken delete jwt token
+func (rss *RedisSessionStore) DeleteJwtToken(key string) bool {
+	if v := rss.client.Del(key).Val(); v != 1 {
+		return false
+	}
+
+	return true
+}