Use JWT token for access token

2022-04-15 20:08:31 +02:00
parent 69bb2816b9
commit 94c601119a
4 changed files with 77 additions and 37 deletions
--- a/src/controllers/openid_controller.rs
+++ b/src/controllers/openid_controller.rs
@ -9,7 +9,7 @@ use askama::Template;
 use crate::actors::{openid_sessions_actor, users_actor};
 use crate::actors::openid_sessions_actor::{OpenIDSessionsActor, Session, SessionID};
 use crate::actors::users_actor::UsersActor;
-use crate::constants::{AUTHORIZE_URI, CERT_URI, OPEN_ID_ACCESS_TOKEN_LEN, OPEN_ID_ACCESS_TOKEN_TIMEOUT, OPEN_ID_AUTHORIZATION_CODE_LEN, OPEN_ID_AUTHORIZATION_CODE_TIMEOUT, OPEN_ID_REFRESH_TOKEN_LEN, OPEN_ID_REFRESH_TOKEN_TIMEOUT, OPEN_ID_SESSION_LEN, TOKEN_URI, USERINFO_URI};
+use crate::constants::*;
 use crate::controllers::base_controller::FatalErrorPage;
 use crate::data::app_config::AppConfig;
 use crate::data::client::{ClientID, ClientManager};
@ -139,11 +139,10 @@ pub async fn authorize(user: CurrentUser, id: Identity, query: web::Query<Author
        redirect_uri,
        authorization_code: rand_str(OPEN_ID_AUTHORIZATION_CODE_LEN),
        authorization_code_expire_at: time() + OPEN_ID_AUTHORIZATION_CODE_TIMEOUT,
-        authorization_code_used: false,
-        access_token: rand_str(OPEN_ID_ACCESS_TOKEN_LEN),
+        access_token: None,
        access_token_expire_at: time() + OPEN_ID_ACCESS_TOKEN_TIMEOUT,
-        refresh_token: rand_str(OPEN_ID_REFRESH_TOKEN_LEN),
-        refresh_token_expire_at: time() + OPEN_ID_REFRESH_TOKEN_TIMEOUT,
+        refresh_token: "".to_string(),
+        refresh_token_expire_at: 0,
        nonce: query.0.nonce,
        code_challenge,
    };
@ -272,7 +271,7 @@ pub async fn token(req: HttpRequest,
                                &query.authorization_code_query,
                                &query.refresh_token_query) {
        ("authorization_code", Some(q), _) => {
-            let session: Session = match sessions
+            let mut session: Session = match sessions
                .send(openid_sessions_actor::FindSessionByAuthorizationCode(q.code.clone()))
                .await.unwrap()
            {
@ -310,17 +309,18 @@ pub async fn token(req: HttpRequest,
                }
            }

-            if session.authorization_code_used {
+            if let Some(_) = session.access_token {
                return Ok(error_response(&query, "invalid_request", "Authorization code already used!"));
            }

-            // Mark session as used
-            sessions.send(openid_sessions_actor::MarkAuthorizationCodeUsed(session.authorization_code))
+            session.regenerate_access_and_refresh_tokens(&app_config, &jwt_signer)?;
+
+            sessions.send(openid_sessions_actor::UpdateSession(session.clone()))
                .await.unwrap();


            // Generate id token
-            let token = IdToken {
+            let id_token = IdToken {
                issuer: app_config.website_origin.to_string(),
                subject_identifier: session.user,
                audience: session.client.0.to_string(),
@ -331,11 +331,11 @@ pub async fn token(req: HttpRequest,
            };

            TokenResponse {
-                access_token: session.access_token,
+                access_token: session.access_token.expect("Missing access token!"),
                token_type: "Bearer",
                refresh_token: session.refresh_token,
                expires_in: session.access_token_expire_at - time(),
-                id_token: Some(jwt_signer.sign_token(token.to_jwt_claims())?),
+                id_token: Some(jwt_signer.sign_token(id_token.to_jwt_claims())?),
            }
        }

@ -358,17 +358,14 @@ pub async fn token(req: HttpRequest,
                return Ok(error_response(&query, "access_denied", "Refresh token has expired!"));
            }

-            session.refresh_token = rand_str(OPEN_ID_REFRESH_TOKEN_LEN);
-            session.refresh_token_expire_at = OPEN_ID_REFRESH_TOKEN_TIMEOUT + time();
-            session.access_token = rand_str(OPEN_ID_ACCESS_TOKEN_LEN);
-            session.access_token_expire_at = OPEN_ID_ACCESS_TOKEN_TIMEOUT + time();
+            session.regenerate_access_and_refresh_tokens(&app_config, &jwt_signer)?;

            sessions
                .send(openid_sessions_actor::UpdateSession(session.clone()))
                .await.unwrap();

            TokenResponse {
-                access_token: session.access_token,
+                access_token: session.access_token.expect("Missing access token!"),
                token_type: "Bearer",
                refresh_token: session.refresh_token,
                expires_in: session.access_token_expire_at - time(),