refactor: auth system for better security

api/auth.go

@@ -25,15 +25,38 @@ func CreateAuthHandler(userService users.UserService, authService auth.AuthServi
 func (h *AuthHandler) createHttpHandler() http.Handler {
 	handler := http.NewServeMux()
 
-	handler.HandleFunc("GET /{provider}", h.handleProviderLogin)
-	handler.HandleFunc("GET /{provider}/callback", h.handleAuthCallback)
+	handler.HandleFunc("POST /refresh", h.handleRefresh)
+	handler.Handle("OPTIONS /refresh", middleware.CreateOptionsHandler("POST"))
+
+	handler.HandleFunc("GET /logout", h.handleLogout)
+	handler.Handle("OPTIONS /logout", middleware.CreateOptionsHandler("GET"))
 
+	handler.HandleFunc("GET /{provider}", h.handleProviderLogin)
 	handler.Handle("OPTIONS /{provider}", middleware.CreateOptionsHandler("GET"))
+
+	handler.HandleFunc("GET /{provider}/callback", h.handleAuthCallback)
 	handler.Handle("OPTIONS /{provider}/callback", middleware.CreateOptionsHandler("GET"))
 
 	return handler
 }
 
+func (h *AuthHandler) handleRefresh(w http.ResponseWriter, r *http.Request) {
+	if err := h.authService.Refresh(w, r); err != nil {
+		errors.HandleError(w, r, err)
+		return
+	}
+}
+
+func (h *AuthHandler) handleLogout(w http.ResponseWriter, r *http.Request) {
+	if err := h.authService.Logout(w, r); err != nil {
+		errors.HandleError(w, r, err)
+		return
+	}
+
+	redirectUrl := h.formatRedirectURL("/")
+	http.Redirect(w, r, redirectUrl, http.StatusTemporaryRedirect)
+}
+
 func (h *AuthHandler) handleProviderLogin(w http.ResponseWriter, r *http.Request) {
 	providerName := r.PathValue("provider")
 	provider, err := h.authService.GetProvider(providerName)
@@ -74,16 +97,15 @@ func (h *AuthHandler) handleAuthCallback(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	tokenString, err := h.authService.SignToken(h.authService.GenerateToken(user))
-	if err != nil {
+	if err := h.authService.FinishAuth(user, r, w); err != nil {
 		errors.HandleError(w, r, err)
 		return
 	}
 
-	redirectUrl := h.formatRedirectURL(r.URL.Query().Get("state"), tokenString)
+	redirectUrl := h.formatRedirectURL(r.URL.Query().Get("state"))
 	http.Redirect(w, r, redirectUrl, http.StatusTemporaryRedirect)
 }
 
-func (h *AuthHandler) formatRedirectURL(redirectTo string, token string) string {
-	return fmt.Sprintf("%s?redirectTo=%s&token=%s", config.Envs.AuthCallbackUrl, utils.FormatLocalPathString(redirectTo), token)
+func (h *AuthHandler) formatRedirectURL(redirectTo string) string {
+	return fmt.Sprintf("%s%s", config.Envs.AuthCallbackUrl, utils.FormatLocalPathString(redirectTo))
 }

api/email.go

@@ -220,16 +220,15 @@ func (h *EmailHandler) createHttpHandler() http.Handler {
 	// accounts
 	handler.HandleFunc("GET /", h.handleListAccounts)
 	handler.HandleFunc("PUT /", h.handleAddAccount)
+	handler.Handle("OPTIONS /", middleware.CreateOptionsHandler("GET", "PUT"))
+
 	handler.HandleFunc("GET /{email}", h.handleAccountInfo)
 	handler.HandleFunc("DELETE /{email}", h.handleRemoveAccount)
+	handler.Handle("OPTIONS /{email}", middleware.CreateOptionsHandler("GET", "DELETE"))
 
 	// sharing
 	handler.HandleFunc("PUT /{email}/share", h.handleShareAccount)
 	handler.HandleFunc("DELETE /{email}/share", h.handleRemoveAccountShare)
-
-	// OPTIONS handlers
-	handler.Handle("OPTIONS /", middleware.CreateOptionsHandler("GET", "PUT"))
-	handler.Handle("OPTIONS /{email}", middleware.CreateOptionsHandler("GET", "DELETE"))
 	handler.Handle("OPTIONS /{email}/share", middleware.CreateOptionsHandler("PUT", "DELETE"))
 
 	return handler
@@ -281,9 +280,9 @@ func (h *EmailHandler) handleListAccounts(w http.ResponseWriter, r *http.Request
 		return
 	}
 
-	for _, account := range accounts {
-		account.Username = ""
-		account.Password = ""
+	for i := range accounts {
+		accounts[i].Username = ""
+		accounts[i].Password = ""
 	}
 
 	data, err := json.Marshal(accounts)
@@ -462,7 +461,7 @@ func (h *EmailHandler) handleRemoveAccountShare(w http.ResponseWriter, r *http.R
 		return
 	}
 
-	params := repository.RemoveShareParams{
+	params := repository.DeleteShareParams{
 		UserId:  sharingUser.ID,
 		Account: account.ID,
 	}

api/handler.go

@@ -107,15 +107,15 @@ func newSpecBase(handler Handler) Spec {
 		},
 	}
 
-	securitySchemeName := "bearerAuth"
+	securitySchemeName := "cookieAuth"
 	spec.Components = &openapi3.Components{
 		SecuritySchemes: openapi3.SecuritySchemes{
 			securitySchemeName: &openapi3.SecuritySchemeRef{
 				Value: &openapi3.SecurityScheme{
-					Type:         "http",
-					Scheme:       "bearer",
-					BearerFormat: "JWT",
-					Description:  "Enter your bearer token in the format: Bearer <token>",
+					Type:        "apiKey",
+					In:          "cookie",
+					Name:        "access_token",
+					Description: "Authentication via access_token cookie. The API also uses a refresh_token cookie for token renewal.",
 				},
 			},
 		},

api/users.go

@@ -2,7 +2,9 @@ package api
 
 import (
 	"encoding/json"
+	"fmt"
 	"net/http"
+	"strconv"
 
 	"github.com/getkin/kin-openapi/openapi3"
 	"github.com/piquel-fr/api/config"
@@ -51,10 +53,20 @@ func (h *UserHandler) getSpec() Spec {
 		WithProperty("role", openapi3.NewStringSchema()).
 		WithRequired([]string{"username", "name", "image", "email", "role"})
 
+	userSessionSchema := openapi3.NewObjectSchema().
+		WithProperty("id", openapi3.NewInt32Schema()).
+		WithProperty("userId", openapi3.NewInt32Schema()).
+		WithProperty("userAgent", openapi3.NewStringSchema()).
+		WithProperty("ipAdress", openapi3.NewStringSchema()).
+		WithProperty("expiresAt", openapi3.NewDateTimeSchema()).
+		WithProperty("createdAt", openapi3.NewDateTimeSchema()).
+		WithRequired([]string{"id", "userId", "userAgent", "ipAdress", "expiresAt", "createdAt"})
+
 	spec.Components.Schemas = openapi3.Schemas{
 		"User":                  &openapi3.SchemaRef{Value: userSchema},
 		"UpdateUserParams":      &openapi3.SchemaRef{Value: updateUserSchema},
 		"UpdateUserAdminParams": &openapi3.SchemaRef{Value: updateUserAdminSchema},
+		"UserSession":           &openapi3.SchemaRef{Value: userSessionSchema},
 	}
 
 	spec.AddOperation("/self", http.MethodGet, &openapi3.Operation{
@@ -174,22 +186,86 @@ func (h *UserHandler) getSpec() Spec {
 		),
 	})
 
+	spec.AddOperation("/{user}/sessions", http.MethodGet, &openapi3.Operation{
+		Tags:        []string{"users", "sessions"},
+		Summary:     "Get user sessions",
+		Description: "Get the active sessions for the specified user",
+		OperationID: "get-user-sessions",
+		Parameters: openapi3.Parameters{
+			&openapi3.ParameterRef{
+				Value: &openapi3.Parameter{
+					Name:        "user",
+					In:          "path",
+					Required:    true,
+					Description: "The username",
+					Schema:      &openapi3.SchemaRef{Value: openapi3.NewStringSchema()},
+				},
+			},
+		},
+		Responses: openapi3.NewResponses(
+			openapi3.WithStatus(200, &openapi3.ResponseRef{
+				Value: openapi3.NewResponse().
+					WithDescription("User sessions found").
+					WithJSONSchemaRef(openapi3.NewSchemaRef("", openapi3.NewArraySchema().WithItems(userSessionSchema))),
+			}),
+			openapi3.WithStatus(401, &openapi3.ResponseRef{Value: openapi3.NewResponse().WithDescription("Unauthorized")}),
+			openapi3.WithStatus(403, &openapi3.ResponseRef{Value: openapi3.NewResponse().WithDescription("Forbidden")}),
+		),
+	})
+
+	spec.AddOperation("/{user}/sessions", http.MethodDelete, &openapi3.Operation{
+		Tags:        []string{"users", "sessions"},
+		Summary:     "Delete user sessions",
+		Description: "Delete all sessions for the user, or a specific one if 'id' query param is provided",
+		OperationID: "delete-user-sessions",
+		Parameters: openapi3.Parameters{
+			&openapi3.ParameterRef{
+				Value: &openapi3.Parameter{
+					Name:        "user",
+					In:          "path",
+					Required:    true,
+					Description: "The username",
+					Schema:      &openapi3.SchemaRef{Value: openapi3.NewStringSchema()},
+				},
+			},
+			&openapi3.ParameterRef{
+				Value: &openapi3.Parameter{
+					Name:        "id",
+					In:          "query",
+					Required:    false,
+					Description: "Specific session ID to delete",
+					Schema:      &openapi3.SchemaRef{Value: openapi3.NewInt32Schema()},
+				},
+			},
+		},
+		Responses: openapi3.NewResponses(
+			openapi3.WithStatus(200, &openapi3.ResponseRef{Value: openapi3.NewResponse().WithDescription("Session(s) deleted successfully")}),
+			openapi3.WithStatus(400, &openapi3.ResponseRef{Value: openapi3.NewResponse().WithDescription("Invalid input")}),
+			openapi3.WithStatus(401, &openapi3.ResponseRef{Value: openapi3.NewResponse().WithDescription("Unauthorized")}),
+		),
+	})
+
 	return spec
 }
 
 func (h *UserHandler) createHttpHandler() http.Handler {
 	handler := http.NewServeMux()
 
 	handler.HandleFunc("GET /self", h.handleGetSelf)
+	handler.Handle("OPTIONS /self", middleware.CreateOptionsHandler("GET"))
+
 	handler.HandleFunc("GET /{user}", h.handleGetUser)
 	handler.HandleFunc("PUT /{user}", h.handlePutUser)
 	handler.HandleFunc("DELETE /{user}", h.handleDeleteUser)
-	handler.HandleFunc("PUT /{user}/admin", h.handlePutUserAdmin)
-
-	handler.Handle("OPTIONS /self", middleware.CreateOptionsHandler("GET"))
 	handler.Handle("OPTIONS /{user}", middleware.CreateOptionsHandler("GET", "PUT", "DELETE"))
+
+	handler.HandleFunc("PUT /{user}/admin", h.handlePutUserAdmin)
 	handler.Handle("OPTIONS /{user}/admin", middleware.CreateOptionsHandler("PUT"))
 
+	handler.HandleFunc("GET /{user}/sessions", h.handleGetUserSessions)
+	handler.HandleFunc("DELETE /{user}/sessions", h.handleDeleteUserSessions)
+	handler.Handle("OPTIONS /{user}/sessions", middleware.CreateOptionsHandler("GET", "DELETE"))
+
 	return handler
 }
 
@@ -362,3 +438,103 @@ func (h *UserHandler) handlePutUserAdmin(w http.ResponseWriter, r *http.Request)
 	}
 	w.WriteHeader(http.StatusOK)
 }
+
+func (h *UserHandler) handleGetUserSessions(w http.ResponseWriter, r *http.Request) {
+	requester, err := h.userService.GetUserFromContext(r.Context())
+	if err != nil {
+		errors.HandleError(w, r, err)
+		return
+	}
+
+	var user *repository.User
+	username := r.PathValue("user")
+	if username == requester.Username {
+		user = requester
+	} else {
+		user, err = h.userService.GetUserByUsername(r.Context(), username)
+		if err != nil {
+			errors.HandleError(w, r, err)
+			return
+		}
+	}
+
+	if err := h.authService.Authorize(&config.AuthRequest{
+		User:      requester,
+		Ressource: user,
+		Actions:   []string{auth.ActionViewUserSessions},
+		Context:   r.Context(),
+	}); err != nil {
+		errors.HandleError(w, r, err)
+		return
+	}
+
+	sessions, err := h.authService.GetUserSessions(r.Context(), user.ID)
+	if err != nil {
+		errors.HandleError(w, r, err)
+		return
+	}
+
+	// hide the token hash for security reasons
+	for i := range sessions {
+		sessions[i].TokenHash = ""
+	}
+
+	data, err := json.Marshal(sessions)
+	if err != nil {
+		errors.HandleError(w, r, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.Write(data)
+}
+
+func (h *UserHandler) handleDeleteUserSessions(w http.ResponseWriter, r *http.Request) {
+	requester, err := h.userService.GetUserFromContext(r.Context())
+	if err != nil {
+		errors.HandleError(w, r, err)
+		return
+	}
+
+	var user *repository.User
+	username := r.PathValue("user")
+	if username == requester.Username {
+		user = requester
+	} else {
+		user, err = h.userService.GetUserByUsername(r.Context(), username)
+		if err != nil {
+			errors.HandleError(w, r, err)
+			return
+		}
+	}
+
+	if err := h.authService.Authorize(&config.AuthRequest{
+		User:      requester,
+		Ressource: user,
+		Actions:   []string{auth.ActionDeleteUserSessions},
+		Context:   r.Context(),
+	}); err != nil {
+		errors.HandleError(w, r, err)
+		return
+	}
+
+	if idStr := r.URL.Query().Get("id"); idStr != "" {
+		id, err := strconv.Atoi(idStr)
+		if err != nil {
+			errors.HandleError(w, r, errors.NewError(fmt.Sprintf("id %s is not valid integer %s", idStr, err.Error()), http.StatusBadRequest))
+			return
+		}
+		if err := h.authService.DeleteUserSession(r.Context(), user.ID, int32(id)); err != nil {
+			errors.HandleError(w, r, err)
+			return
+		}
+		w.WriteHeader(http.StatusOK)
+		return
+	}
+
+	if err := h.authService.DeleteUserSessions(r.Context(), user.ID); err != nil {
+		errors.HandleError(w, r, err)
+		return
+	}
+	w.WriteHeader(http.StatusOK)
+}

config/config.go

@@ -11,6 +11,7 @@ import (
 type EnvsConfig struct {
 	AuthCallbackUrl string
 	Url             string
+	Domain          string
 	Port            string
 	DBURL           string
 	GithubApiToken  string
@@ -54,6 +55,7 @@ func LoadConfig() {
 	Envs = EnvsConfig{
 		AuthCallbackUrl:    getEnv("AUTH_CALLBACK"),
 		Url:                getEnv("URL"),
+		Domain:             getEnv("DOMAIN"),
 		Port:               getDefaultEnv("PORT", "80"),
 		DBURL:              getEnv("DB_URL"),
 		GoogleClientID:     getEnv("AUTH_GOOGLE_CLIENT_ID"),

database/queries/email.sql

@@ -28,7 +28,7 @@ FROM "mail_accounts"
 LEFT JOIN "mail_share" ON "mail_accounts"."id" = "mail_share"."account"
 WHERE "mail_accounts"."ownerId" = $1 OR "mail_share"."userId" = $1;
 
--- name: RemoveMailAccount :exec
+-- name: DeleteMailAccount :exec
 DELETE FROM "mail_accounts" 
 WHERE "id" = $1;
 
@@ -38,7 +38,7 @@ INSERT INTO "mail_share" (
 )
 VALUES ($1, $2, $3);
 
--- name: RemoveShare :exec
+-- name: DeleteShare :exec
 DELETE FROM "mail_share"
 WHERE "userId" = $1 AND "account" = $2;