[jwt] implement tokens revocation

Author: capcom6

api/requests.http

@@ -218,12 +218,10 @@ Content-Type: application/json
 }
 
 ###
-POST {{baseUrl}}/3rdparty/v1/auth/token/revoke HTTP/1.1
+DELETE {{baseUrl}}/3rdparty/v1/auth/token/w8pxz0a4Fwa4xgzyCvSeC HTTP/1.1
 Authorization: Basic {{credentials}}
 Content-Type: application/json
 
-{}
-
 ###
 GET http://localhost:3000/metrics HTTP/1.1
 

internal/sms-gateway/handlers/thirdparty/auth.go

@@ -1,6 +1,7 @@
 package thirdparty
 
 import (
+	"errors"
 	"time"
 
 	"github.com/android-sms-gateway/server/internal/sms-gateway/handlers/base"
@@ -33,6 +34,7 @@ func NewAuthHandler(
 }
 
 func (h *AuthHandler) Register(router fiber.Router) {
+	router.Use(h.errorHanlder)
 	router.Post("/token", permissions.RequireScope(ScopeTokensManage), userauth.WithUser(h.postToken))
 	router.Delete("/token/:jti", permissions.RequireScope(ScopeTokensManage), userauth.WithUser(h.deleteToken))
 }
@@ -71,7 +73,7 @@ func (h *AuthHandler) postToken(user users.User, c *fiber.Ctx) error {
 		return err
 	}
 
-	token, err := h.jwtSvc.GenerateToken(user.ID, req.Scopes, req.TTL)
+	token, err := h.jwtSvc.GenerateToken(c.Context(), user.ID, req.Scopes, req.TTL)
 	if err != nil {
 		return err
 	}
@@ -84,6 +86,43 @@ func (h *AuthHandler) postToken(user users.User, c *fiber.Ctx) error {
 	})
 }
 
+// @Summary		Revoke token
+// @Description	Revoke access token with specified jti
+// @Security		ApiAuth
+// @Security		JWTAuth
+// @Tags		User, Auth
+// @Success		204	"No Content"
+// @Failure		401	{object}	smsgateway.ErrorResponse	"Unauthorized"
+// @Failure		403	{object}	smsgateway.ErrorResponse	"Forbidden"
+// @Failure		500	{object}	smsgateway.ErrorResponse	"Internal server error"
+// @Router		/3rdparty/v1/auth/token/{jti} [delete]
+//
+// Revoke token.
 func (h *AuthHandler) deleteToken(user users.User, c *fiber.Ctx) error {
-	return fiber.ErrNotImplemented
+	jti := c.Params("jti")
+
+	if err := h.jwtSvc.RevokeToken(c.Context(), user.ID, jti); err != nil {
+		return err
+	}
+
+	return c.SendStatus(fiber.StatusNoContent)
+}
+
+func (h *AuthHandler) errorHanlder(c *fiber.Ctx) error {
+	err := c.Next()
+	if err == nil {
+		return nil
+	}
+
+	switch {
+	case errors.Is(err, jwt.ErrDisabled):
+		return fiber.NewError(fiber.StatusNotImplemented, "token service disabled, contact your administrator")
+
+	case errors.Is(err, jwt.ErrInitFailed):
+		fallthrough
+	case errors.Is(err, jwt.ErrInvalidConfig):
+		return fiber.NewError(fiber.StatusInternalServerError, "token service not configured, contact your administrator")
+	}
+
+	return err
 }

internal/sms-gateway/jwt/disabled.go

@@ -13,16 +13,16 @@ func newDisabled() Service {
 }
 
 // GenerateToken implements Service.
-func (d *disabled) GenerateToken(userID string, scopes []string, ttl time.Duration) (*TokenInfo, error) {
+func (d *disabled) GenerateToken(_ context.Context, _ string, _ []string, _ time.Duration) (*TokenInfo, error) {
 	return nil, ErrDisabled
 }
 
 // ParseToken implements Service.
-func (d *disabled) ParseToken(ctx context.Context, token string) (*Claims, error) {
+func (d *disabled) ParseToken(_ context.Context, _ string) (*Claims, error) {
 	return nil, ErrDisabled
 }
 
 // RevokeToken implements Service.
-func (d *disabled) RevokeToken(ctx context.Context, jti string) error {
+func (d *disabled) RevokeToken(_ context.Context, _, _ string) error {
 	return ErrDisabled
 }

internal/sms-gateway/jwt/errors.go

@@ -3,10 +3,9 @@ package jwt
 import "errors"
 
 var (
-	ErrDisabled                = errors.New("jwt disabled")
-	ErrInitFailed              = errors.New("failed to initialize jwt")
-	ErrInvalidConfig           = errors.New("invalid config")
-	ErrInvalidToken            = errors.New("invalid token")
-	ErrTokenRevoked            = errors.New("token revoked")
-	ErrUnexpectedSigningMethod = errors.New("unexpected signing method")
+	ErrDisabled      = errors.New("jwt disabled")
+	ErrInitFailed    = errors.New("failed to initialize jwt")
+	ErrInvalidConfig = errors.New("invalid config")
+	ErrInvalidToken  = errors.New("invalid token")
+	ErrTokenRevoked  = errors.New("token revoked")
 )

internal/sms-gateway/jwt/jwt.go

@@ -8,9 +8,9 @@ import (
 )
 
 type Service interface {
-	GenerateToken(userID string, scopes []string, ttl time.Duration) (*TokenInfo, error)
+	GenerateToken(ctx context.Context, userID string, scopes []string, ttl time.Duration) (*TokenInfo, error)
 	ParseToken(ctx context.Context, token string) (*Claims, error)
-	RevokeToken(ctx context.Context, jti string) error
+	RevokeToken(ctx context.Context, userID, jti string) error
 }
 
 type Claims struct {

internal/sms-gateway/jwt/models.go

@@ -0,0 +1,37 @@
+package jwt
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/android-sms-gateway/server/internal/sms-gateway/models"
+	"gorm.io/gorm"
+)
+
+type tokenModel struct {
+	models.TimedModel
+
+	ID        string     `gorm:"primaryKey;type:char(21)"`
+	UserID    string     `gorm:"not null;type:char(21);index:idx_tokens_user_id"`
+	ExpiresAt time.Time  `gorm:"not null"`
+	RevokedAt *time.Time `gorm:"index:idx_tokens_revoked_at"`
+}
+
+func (tokenModel) TableName() string {
+	return "tokens"
+}
+
+func newTokenModel(id, userID string, expiresAt time.Time) *tokenModel {
+	return &tokenModel{
+		ID:        id,
+		UserID:    userID,
+		ExpiresAt: expiresAt,
+	}
+}
+
+func Migrate(db *gorm.DB) error {
+	if err := db.AutoMigrate(new(tokenModel)); err != nil {
+		return fmt.Errorf("tokens migration failed: %w", err)
+	}
+	return nil
+}

internal/sms-gateway/jwt/module.go

@@ -2,6 +2,7 @@ package jwt
 
 import (
 	"github.com/android-sms-gateway/server/internal/sms-gateway/cache"
+	"github.com/capcom6/go-infra-fx/db"
 	"github.com/go-core-fx/logger"
 	"go.uber.org/fx"
 )
@@ -13,13 +14,17 @@ func Module() fx.Option {
 		fx.Provide(func(factory cache.Factory) (cache.Cache, error) {
 			return factory.New("jwt")
 		}, fx.Private),
-		fx.Provide(NewRevokedStorage, fx.Private),
-		fx.Provide(func(config Config, revoked *RevokedStorage) (Service, error) {
+		fx.Provide(NewRepository, fx.Private),
+		fx.Provide(func(config Config, tokens *Repository) (Service, error) {
 			if config.Secret == "" {
 				return newDisabled(), nil
 			}
 
-			return New(config, revoked)
+			return New(config, tokens)
 		}),
 	)
 }
+
+func init() {
+	db.RegisterMigration(Migrate)
+}

internal/sms-gateway/jwt/repository.go

@@ -0,0 +1,47 @@
+package jwt
+
+import (
+	"context"
+	"fmt"
+
+	"gorm.io/gorm"
+)
+
+type Repository struct {
+	db *gorm.DB
+}
+
+func NewRepository(db *gorm.DB) *Repository {
+	return &Repository{
+		db: db,
+	}
+}
+
+func (r *Repository) Insert(ctx context.Context, token *tokenModel) error {
+	if err := r.db.WithContext(ctx).Create(token).Error; err != nil {
+		return fmt.Errorf("can't create token: %w", err)
+	}
+
+	return nil
+}
+
+func (r *Repository) Revoke(ctx context.Context, jti, userID string) error {
+	if err := r.db.WithContext(ctx).Model((*tokenModel)(nil)).
+		Where("id = ? and user_id = ? and revoked_at is null", jti, userID).
+		Update("revoked_at", gorm.Expr("NOW()")).Error; err != nil {
+		return fmt.Errorf("can't revoke token: %w", err)
+	}
+
+	return nil
+}
+
+func (r *Repository) IsRevoked(ctx context.Context, jti string) (bool, error) {
+	var count int64
+	if err := r.db.WithContext(ctx).Model((*tokenModel)(nil)).
+		Where("id = ? and revoked_at is not null", jti).
+		Count(&count).Error; err != nil {
+		return false, fmt.Errorf("can't check if token is revoked: %w", err)
+	}
+
+	return count > 0, nil
+}

internal/sms-gateway/jwt/revoked.go

@@ -14,17 +14,17 @@ const jtiLength = 21
 type service struct {
 	config Config
 
-	revoked *RevokedStorage
+	tokens *Repository
 
 	idFactory func() string
 }
 
-func New(config Config, revoked *RevokedStorage) (Service, error) {
+func New(config Config, tokens *Repository) (Service, error) {
 	if err := config.Validate(); err != nil {
 		return nil, err
 	}
 
-	if revoked == nil {
+	if tokens == nil {
 		return nil, fmt.Errorf("%w: revoked storage is required", ErrInitFailed)
 	}
 
@@ -36,13 +36,13 @@ func New(config Config, revoked *RevokedStorage) (Service, error) {
 	return &service{
 		config: config,
 
-		revoked: revoked,
+		tokens: tokens,
 
 		idFactory: idFactory,
 	}, nil
 }
 
-func (s *service) GenerateToken(userID string, scopes []string, ttl time.Duration) (*TokenInfo, error) {
+func (s *service) GenerateToken(ctx context.Context, userID string, scopes []string, ttl time.Duration) (*TokenInfo, error) {
 	if userID == "" {
 		return nil, fmt.Errorf("%w: user id is required", ErrInvalidConfig)
 	}
@@ -78,6 +78,10 @@ func (s *service) GenerateToken(userID string, scopes []string, ttl time.Duratio
 		return nil, fmt.Errorf("failed to sign token: %w", err)
 	}
 
+	if err := s.tokens.Insert(ctx, newTokenModel(claims.ID, claims.UserID, claims.ExpiresAt.Time)); err != nil {
+		return nil, fmt.Errorf("failed to insert token: %w", err)
+	}
+
 	return &TokenInfo{ID: claims.ID, AccessToken: signedToken, ExpiresAt: claims.ExpiresAt.Time}, nil
 }
 
@@ -102,9 +106,9 @@ func (s *service) ParseToken(ctx context.Context, token string) (*Claims, error)
 		return nil, ErrInvalidToken
 	}
 
-	revoked, err := s.revoked.IsRevoked(ctx, claims.ID)
+	revoked, err := s.tokens.IsRevoked(ctx, claims.ID)
 	if err != nil {
-		return nil, fmt.Errorf("failed to check if token is revoked: %w", err)
+		return nil, err
 	}
 	if revoked {
 		return nil, ErrTokenRevoked
@@ -113,6 +117,6 @@ func (s *service) ParseToken(ctx context.Context, token string) (*Claims, error)
 	return claims, nil
 }
 
-func (s *service) RevokeToken(ctx context.Context, jti string) error {
-	return s.revoked.Revoke(ctx, jti, s.config.TTL)
+func (s *service) RevokeToken(ctx context.Context, userID, jti string) error {
+	return s.tokens.Revoke(ctx, jti, userID)
 }