commit b1cfabc81a09fa685cfee7c51f7ab73f7c563498 · hailey.at/cocoon

+13

internal/helpers/helpers.go

···

       7
       7
        
       	"math/rand"

     

       8
       8
        
       	"net/url"

     

       9
       9
        
       

     

       10
       10
       +
       	"github.com/Azure/go-autorest/autorest/to"

     

       10
       11
        
       	"github.com/labstack/echo/v4"

     

       11
       12
        
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       12
       13
        
       )

     
···

       29
       30
        
       		msg += ". " + *suffix

     

       30
       31
        
       	}

     

       31
       32
        
       	return genericError(e, 400, msg)

     

       33
       33
       +
       }

     

       34
       34
       +
       

     

       35
       35
       +
       func InvalidTokenError(e echo.Context) error {

     

       36
       36
       +
       	return InputError(e, to.StringPtr("InvalidToken"))

     

       37
       37
       +
       }

     

       38
       38
       +
       

     

       39
       39
       +
       func ExpiredTokenError(e echo.Context) error {

     

       40
       40
       +
       	// WARN: See https://github.com/bluesky-social/atproto/discussions/3319

     

       41
       41
       +
       	return e.JSON(400, map[string]string{

     

       42
       42
       +
       		"error":   "ExpiredToken",

     

       43
       43
       +
       		"message": "*",

     

       44
       44
       +
       	})

     

       32
       45
        
       }

     

       33
       46
        
       

     

       34
       47
        
       func genericError(e echo.Context, code int, msg string) error {

+2 -2

server/handle_server_confirm_email.go

···

       28
       28
        
       	}

     

       29
       29
        
       

     

       30
       30
        
       	if urepo.EmailVerificationCode == nil || urepo.EmailVerificationCodeExpiresAt == nil {

     

       31
       31
       -
       		return helpers.InputError(e, to.StringPtr("ExpiredToken"))

     

       31
       31
       +
       		return helpers.ExpiredTokenError(e)

     

       32
       32
        
       	}

     

       33
       33
        
       

     

       34
       34
        
       	if *urepo.EmailVerificationCode != req.Token {

     
···

       36
       36
        
       	}

     

       37
       37
        
       

     

       38
       38
        
       	if time.Now().UTC().After(*urepo.EmailVerificationCodeExpiresAt) {

     

       39
       39
       -
       		return helpers.InputError(e, to.StringPtr("ExpiredToken"))

     

       39
       39
       +
       		return helpers.ExpiredTokenError(e)

     

       40
       40
        
       	}

     

       41
       41
        
       

     

       42
       42
        
       	now := time.Now().UTC()

+2 -2

server/handle_server_reset_password.go

···

       33
       33
        
       	}

     

       34
       34
        
       

     

       35
       35
        
       	if *urepo.PasswordResetCode != req.Token {

     

       36
       36
       -
       		return helpers.InputError(e, to.StringPtr("InvalidToken"))

     

       36
       36
       +
       		return helpers.InvalidTokenError(e)

     

       37
       37
        
       	}

     

       38
       38
        
       

     

       39
       39
        
       	if time.Now().UTC().After(*urepo.PasswordResetCodeExpiresAt) {

     

       40
       40
       -
       		return helpers.InputError(e, to.StringPtr("ExpiredToken"))

     

       40
       40
       +
       		return helpers.ExpiredTokenError(e)

     

       41
       41
        
       	}

     

       42
       42
        
       

     

       43
       43
        
       	hash, err := bcrypt.GenerateFromPassword([]byte(req.Password), 10)

+3 -4

server/handle_server_update_email.go

···

       3
       3
        
       import (

     

       4
       4
        
       	"time"

     

       5
       5
        
       

     

       6
       6
       -
       	"github.com/Azure/go-autorest/autorest/to"

     

       7
       6
        
       	"github.com/haileyok/cocoon/internal/helpers"

     

       8
       7
        
       	"github.com/haileyok/cocoon/models"

     

       9
       8
        
       	"github.com/labstack/echo/v4"

     
···

       29
       28
        
       	}

     

       30
       29
        
       

     

       31
       30
        
       	if urepo.EmailUpdateCode == nil || urepo.EmailUpdateCodeExpiresAt == nil {

     

       32
       32
       -
       		return helpers.InputError(e, to.StringPtr("InvalidToken"))

     

       31
       31
       +
       		return helpers.InvalidTokenError(e)

     

       33
       32
        
       	}

     

       34
       33
        
       

     

       35
       34
        
       	if *urepo.EmailUpdateCode != req.Token {

     

       36
       36
       -
       		return helpers.InputError(e, to.StringPtr("InvalidToken"))

     

       35
       35
       +
       		return helpers.InvalidTokenError(e)

     

       37
       36
        
       	}

     

       38
       37
        
       

     

       39
       38
        
       	if time.Now().UTC().After(*urepo.EmailUpdateCodeExpiresAt) {

     

       40
       40
       -
       		return helpers.InputError(e, to.StringPtr("ExpiredToken"))

     

       39
       39
       +
       		return helpers.ExpiredTokenError(e)

     

       41
       40
        
       	}

     

       42
       41
        
       

     

       43
       42
        
       	if err := s.db.Exec("UPDATE repos SET email_update_code = NULL, email_update_code_expires_at = NULL, email_confirmed_at = NULL,  email = ? WHERE did = ?", nil, req.Email, urepo.Repo.Did).Error; err != nil {

+11 -12

server/middleware.go

···

       54
       54
        
       		token, _, err := new(jwt.Parser).ParseUnverified(tokenstr, jwt.MapClaims{})

     

       55
       55
        
       		claims, ok := token.Claims.(jwt.MapClaims)

     

       56
       56
        
       		if !ok {

     

       57
       57
       -
       			return helpers.InputError(e, to.StringPtr("InvalidToken"))

     

       57
       57
       +
       			return helpers.InvalidTokenError(e)

     

       58
       58
        
       		}

     

       59
       59
        
       

     

       60
       60
        
       		var did string

     
···

       93
       93
        
       			})

     

       94
       94
        
       			if err != nil {

     

       95
       95
        
       				s.logger.Error("error parsing jwt", "error", err)

     

       96
       96
       -
       				// NOTE: https://github.com/bluesky-social/atproto/discussions/3319

     

       97
       97
       -
       				return e.JSON(400, map[string]string{"error": "ExpiredToken", "message": "token has expired"})

     

       96
       96
       +
       				return helpers.ExpiredTokenError(e)

     

       98
       97
        
       			}

     

       99
       98
        
       

     

       100
       99
        
       			if !token.Valid {

     

       101
       101
       -
       				return helpers.InputError(e, to.StringPtr("InvalidToken"))

     

       100
       100
       +
       				return helpers.InvalidTokenError(e)

     

       102
       101
        
       			}

     

       103
       102
        
       		} else {

     

       104
       103
        
       			kpts := strings.Split(tokenstr, ".")

     
···

       143
       142
        
       		scope, _ := claims["scope"].(string)

     

       144
       143
        
       

     

       145
       144
        
       		if isRefresh && scope != "com.atproto.refresh" {

     

       146
       146
       -
       			return helpers.InputError(e, to.StringPtr("InvalidToken"))

     

       145
       145
       +
       			return helpers.InvalidTokenError(e)

     

       147
       146
        
       		} else if !hasLxm && !isRefresh && scope != "com.atproto.access" {

     

       148
       148
       -
       			return helpers.InputError(e, to.StringPtr("InvalidToken"))

     

       147
       147
       +
       			return helpers.InvalidTokenError(e)

     

       149
       148
        
       		}

     

       150
       149
        
       

     

       151
       150
        
       		table := "tokens"

     
···

       160
       159
        
       			var result Result

     

       161
       160
        
       			if err := s.db.Raw("SELECT EXISTS(SELECT 1 FROM "+table+" WHERE token = ?) AS found", nil, tokenstr).Scan(&result).Error; err != nil {

     

       162
       161
        
       				if err == gorm.ErrRecordNotFound {

     

       163
       163
       -
       					return helpers.InputError(e, to.StringPtr("InvalidToken"))

     

       162
       162
       +
       					return helpers.InvalidTokenError(e)

     

       164
       163
        
       				}

     

       165
       164
        
       

     

       166
       165
        
       				s.logger.Error("error getting token from db", "error", err)

     
···

       168
       167
        
       			}

     

       169
       168
        
       

     

       170
       169
        
       			if !result.Found {

     

       171
       171
       -
       				return helpers.InputError(e, to.StringPtr("InvalidToken"))

     

       170
       170
       +
       				return helpers.InvalidTokenError(e)

     

       172
       171
        
       			}

     

       173
       172
        
       		}

     

       174
       173
        
       

     
···

       179
       178
        
       		}

     

       180
       179
        
       

     

       181
       180
        
       		if exp < float64(time.Now().UTC().Unix()) {

     

       182
       182
       -
       			return helpers.InputError(e, to.StringPtr("ExpiredToken"))

     

       181
       181
       +
       			return helpers.ExpiredTokenError(e)

     

       183
       182
        
       		}

     

       184
       183
        
       

     

       185
       184
        
       		if repo == nil {

     
···

       197
       196
        
       		e.Set("token", tokenstr)

     

       198
       197
        
       

     

       199
       198
        
       		if err := next(e); err != nil {

     

       200
       200
       -
       			e.Error(err)

     

       199
       199
       +
       			return helpers.InvalidTokenError(e)

     

       201
       200
        
       		}

     

       202
       201
        
       

     

       203
       202
        
       		return nil

     
···

       241
       240
        
       		}

     

       242
       241
        
       

     

       243
       242
        
       		if oauthToken.Token == "" {

     

       244
       244
       -
       			return helpers.InputError(e, to.StringPtr("InvalidToken"))

     

       243
       243
       +
       			return helpers.InvalidTokenError(e)

     

       245
       244
        
       		}

     

       246
       245
        
       

     

       247
       246
        
       		if *oauthToken.Parameters.DpopJkt != proof.JKT {

     
···

       250
       249
        
       		}

     

       251
       250
        
       

     

       252
       251
        
       		if time.Now().After(oauthToken.ExpiresAt) {

     

       253
       253
       -
       			return e.JSON(400, map[string]string{"error": "ExpiredToken", "message": "token has expired"})

     

       252
       252
       +
       			return helpers.ExpiredTokenError(e)

     

       254
       253
        
       		}

     

       255
       254
        
       

     

       256
       255
        
       		repo, err := s.getRepoActorByDid(oauthToken.Sub)