Merge pull request #405 from MadAppGang/fix/payload-for-refresh-token

add token payload for refreshed token
MadAppGang · Jun 10, 2023 · d2e154d · d2e154d
2 parents 63b85ab + 6bec938
commit d2e154d
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 10 deletions.
diff --git a/jwt/service/jwt_token_service.go b/jwt/service/jwt_token_service.go
@@ -318,7 +318,7 @@ func (ts *JWTokenService) NewRefreshToken(u model.User, scopes []string, app mod
 }
 
 // RefreshAccessToken issues new access token for provided refresh token.
-func (ts *JWTokenService) RefreshAccessToken(refreshToken model.Token) (model.Token, error) {
+func (ts *JWTokenService) RefreshAccessToken(refreshToken model.Token, tokenPayload map[string]interface{}) (model.Token, error) {
 	rt, ok := refreshToken.(*model.JWToken)
 	if !ok || rt == nil {
 		return nil, model.ErrTokenInvalid
@@ -343,7 +343,12 @@ func (ts *JWTokenService) RefreshAccessToken(refreshToken model.Token) (model.To
 		return nil, ErrInvalidUser
 	}
 
-	token, err := ts.NewAccessToken(user, strings.Split(claims.Scopes, " "), app, false, nil)
+	token, err := ts.NewAccessToken(
+		user,
+		strings.Split(claims.Scopes, " "),
+		app,
+		false,
+		tokenPayload)
 	if err != nil {
 		return nil, err
 	}

diff --git a/model/token_service.go b/model/token_service.go
@@ -9,7 +9,7 @@ const (
 type TokenService interface {
 	NewAccessToken(u User, scopes []string, app AppData, requireTFA bool, tokenPayload map[string]interface{}) (Token, error)
 	NewRefreshToken(u User, scopes []string, app AppData) (Token, error)
-	RefreshAccessToken(token Token) (Token, error)
+	RefreshAccessToken(token Token, tokenPayload map[string]interface{}) (Token, error)
 	NewInviteToken(email, role, audience string, data map[string]interface{}) (Token, error)
 	NewResetToken(userID string) (Token, error)
 	NewWebCookieToken(u User) (Token, error)

diff --git a/web/api/2fa.go b/web/api/2fa.go
@@ -81,7 +81,7 @@ func (ar *Router) EnableTFA() http.HandlerFunc {
 			return
 		}
 
-		tokenPayload, err := ar.getTokenPayloadForApp(app, user)
+		tokenPayload, err := ar.getTokenPayloadForApp(app, user.ID)
 		if err != nil {
 			ar.Error(w, locale, http.StatusInternalServerError, l.ErrorAPIAPPUnableToTokenPayloadForAPPError, app.ID, err)
 			return
@@ -276,7 +276,7 @@ func (ar *Router) FinalizeTFA() http.HandlerFunc {
 			scopes = append(scopes, "offline")
 		}
 
-		tokenPayload, err := ar.getTokenPayloadForApp(app, user)
+		tokenPayload, err := ar.getTokenPayloadForApp(app, user.ID)
 		if err != nil {
 			ar.Error(w, locale, http.StatusInternalServerError, l.ErrorAPIAPPUnableToTokenPayloadForAPPError, app.ID, err)
 			return

diff --git a/web/api/login.go b/web/api/login.go
@@ -235,7 +235,7 @@ func (ar *Router) GetUser() http.HandlerFunc {
 }
 
 // getTokenPayloadForApp get additional token payload data
-func (ar *Router) getTokenPayloadForApp(app model.AppData, user model.User) (map[string]interface{}, error) {
+func (ar *Router) getTokenPayloadForApp(app model.AppData, userID string) (map[string]interface{}, error) {
 	if app.TokenPayloadService == model.TokenPayloadServiceNone ||
 		app.TokenPayloadService == "" {
 		return nil, nil
@@ -246,7 +246,7 @@ func (ar *Router) getTokenPayloadForApp(app model.AppData, user model.User) (map
 		return nil, err
 	}
 
-	return ps.TokenPayloadForApp(app.ID, app.Name, user.ID)
+	return ps.TokenPayloadForApp(app.ID, app.Name, userID)
 }
 
 func (ar *Router) getTokenPayloadService(app model.AppData) (model.TokenPayloadProvider, error) {
@@ -346,7 +346,7 @@ func (ar *Router) loginFlow(app model.AppData, user model.User, requestedScopes
 	}
 
 	offline := contains(scopes, model.OfflineScope)
-	tokenPayload, err := ar.getTokenPayloadForApp(app, user)
+	tokenPayload, err := ar.getTokenPayloadForApp(app, user.ID)
 	if err != nil {
 		return AuthResponse{}, err
 	}

diff --git a/web/api/phone_login.go b/web/api/phone_login.go
@@ -139,7 +139,7 @@ func (ar *Router) PhoneLogin() http.HandlerFunc {
 			scopes = append(scopes, "offline")
 		}
 
-		tokenPayload, err := ar.getTokenPayloadForApp(app, user)
+		tokenPayload, err := ar.getTokenPayloadForApp(app, user.ID)
 		if err != nil {
 			ar.Error(w, locale, http.StatusInternalServerError, l.ErrorAPIAPPUnableToTokenPayloadForAPPError, app.ID, err)
 			return

diff --git a/web/api/refresh_token.go b/web/api/refresh_token.go
@@ -39,8 +39,19 @@ func (ar *Router) RefreshTokens() http.HandlerFunc {
 		// Get refresh token from context.
 		oldRefreshToken := tokenFromContext(r.Context())
 
+		if err := oldRefreshToken.Validate(); err != nil {
+			ar.Error(w, locale, http.StatusUnauthorized, l.ErrorTokenInvalidError, err)
+			return
+		}
+
+		tokenPayload, err := ar.getTokenPayloadForApp(app, oldRefreshToken.Subject())
+		if err != nil {
+			ar.Error(w, locale, http.StatusBadRequest, l.ErrorAPIAPPUnableToTokenPayloadForAPPError)
+			return
+		}
+
 		// Issue new access token and stringify it for response.
-		accessToken, err := ar.server.Services().Token.RefreshAccessToken(oldRefreshToken)
+		accessToken, err := ar.server.Services().Token.RefreshAccessToken(oldRefreshToken, tokenPayload)
 		if err != nil {
 			ar.Error(w, locale, http.StatusInternalServerError, l.ErrorTokenRefreshAccessToken, err)
 			return