···
"github.com/redis/go-redis/v9"
14
-
// redis-backed implementation of ClientAuthStore.
14
+
type RedisStoreConfig struct {
17
+
// The purpose of these limits is to avoid dead sessions hanging around in
18
+
// the db indefinitely. The durations here should be *at least as long as*
19
+
// the expected duration of the oauth session itself.
20
+
SessionExpiryDuration time.Duration // duration since session creation (max TTL)
21
+
SessionInactivityDuration time.Duration // duration since last session update
22
+
AuthRequestExpiryDuration time.Duration // duration since auth request creation
25
+
// Redis-backed implementation of ClientAuthStore
16
-
client *redis.Client
17
-
SessionTTL time.Duration
18
-
AuthRequestTTL time.Duration
27
+
client *redis.Client
28
+
cfg *RedisStoreConfig
31
+
type sessionMetadata struct {
32
+
CreatedAt time.Time `json:"created_at"`
33
+
UpdatedAt time.Time `json:"updated_at"`
var _ oauth.ClientAuthStore = &RedisStore{}
23
-
func NewRedisStore(redisURL string) (*RedisStore, error) {
24
-
opts, err := redis.ParseURL(redisURL)
38
+
func NewRedisStore(cfg *RedisStoreConfig) (*RedisStore, error) {
40
+
return nil, fmt.Errorf("missing cfg")
42
+
if cfg.RedisURL == "" {
43
+
return nil, fmt.Errorf("missing RedisURL")
45
+
if cfg.SessionExpiryDuration == 0 {
46
+
return nil, fmt.Errorf("missing SessionExpiryDuration")
48
+
if cfg.SessionInactivityDuration == 0 {
49
+
return nil, fmt.Errorf("missing SessionInactivityDuration")
51
+
if cfg.AuthRequestExpiryDuration == 0 {
52
+
return nil, fmt.Errorf("missing AuthRequestExpiryDuration")
55
+
opts, err := redis.ParseURL(cfg.RedisURL)
return nil, fmt.Errorf("failed to parse redis URL: %w", err)
client := redis.NewClient(opts)
31
-
// Test the connection.
62
+
// Test the connection
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
···
41
-
SessionTTL: 30 * 24 * time.Hour, // 30 days
42
-
AuthRequestTTL: 10 * time.Minute, // 10 minutes
···
return fmt.Sprintf("oauth:session:%s:%s", did, sessionID)
84
+
func sessionMetadataKey(did syntax.DID, sessionID string) string {
85
+
return fmt.Sprintf("oauth:session_meta:%s:%s", did, sessionID)
func authRequestKey(state string) string {
return fmt.Sprintf("oauth:auth_request:%s", state)
func (r *RedisStore) GetSession(ctx context.Context, did syntax.DID, sessionID string) (*oauth.ClientSessionData, error) {
key := sessionKey(did, sessionID)
94
+
metaKey := sessionMetadataKey(did, sessionID)
96
+
// Check metadata for inactivity expiry
97
+
metaData, err := r.client.Get(ctx, metaKey).Bytes()
98
+
if err == redis.Nil {
99
+
return nil, fmt.Errorf("session not found: %s", did)
102
+
return nil, fmt.Errorf("failed to get session metadata: %w", err)
105
+
var meta sessionMetadata
106
+
if err := json.Unmarshal(metaData, &meta); err != nil {
107
+
return nil, fmt.Errorf("failed to unmarshal session metadata: %w", err)
110
+
// Check if session has been inactive for too long
111
+
inactiveThreshold := time.Now().Add(-r.cfg.SessionInactivityDuration)
112
+
if meta.UpdatedAt.Before(inactiveThreshold) {
113
+
// Session is inactive, delete it
114
+
r.client.Del(ctx, key, metaKey)
115
+
return nil, fmt.Errorf("session expired due to inactivity: %s", did)
118
+
// Get the actual session data
data, err := r.client.Get(ctx, key).Bytes()
return nil, fmt.Errorf("session not found: %s", did)
···
func (r *RedisStore) SaveSession(ctx context.Context, sess oauth.ClientSessionData) error {
key := sessionKey(sess.AccountDID, sess.SessionID)
137
+
metaKey := sessionMetadataKey(sess.AccountDID, sess.SessionID)
data, err := json.Marshal(sess)
return fmt.Errorf("failed to marshal session: %w", err)
84
-
if err := r.client.Set(ctx, key, data, r.SessionTTL).Err(); err != nil {
144
+
// Check if session already exists to preserve CreatedAt
145
+
var meta sessionMetadata
146
+
existingMetaData, err := r.client.Get(ctx, metaKey).Bytes()
147
+
if err == redis.Nil {
149
+
meta = sessionMetadata{
150
+
CreatedAt: time.Now(),
151
+
UpdatedAt: time.Now(),
153
+
} else if err != nil {
154
+
return fmt.Errorf("failed to check existing session metadata: %w", err)
156
+
// Existing session - preserve CreatedAt, update UpdatedAt
157
+
if err := json.Unmarshal(existingMetaData, &meta); err != nil {
158
+
return fmt.Errorf("failed to unmarshal existing session metadata: %w", err)
160
+
meta.UpdatedAt = time.Now()
163
+
// Calculate remaining TTL based on creation time
164
+
remainingTTL := r.cfg.SessionExpiryDuration - time.Since(meta.CreatedAt)
165
+
if remainingTTL <= 0 {
166
+
return fmt.Errorf("session has expired")
169
+
// Use the shorter of: remaining TTL or inactivity duration
170
+
ttl := min(r.cfg.SessionInactivityDuration, remainingTTL)
172
+
// Save session data
173
+
if err := r.client.Set(ctx, key, data, ttl).Err(); err != nil {
return fmt.Errorf("failed to save session: %w", err)
178
+
metaData, err := json.Marshal(meta)
180
+
return fmt.Errorf("failed to marshal session metadata: %w", err)
182
+
if err := r.client.Set(ctx, metaKey, metaData, ttl).Err(); err != nil {
183
+
return fmt.Errorf("failed to save session metadata: %w", err)
func (r *RedisStore) DeleteSession(ctx context.Context, did syntax.DID, sessionID string) error {
key := sessionKey(did, sessionID)
93
-
if err := r.client.Del(ctx, key).Err(); err != nil {
191
+
metaKey := sessionMetadataKey(did, sessionID)
193
+
if err := r.client.Del(ctx, key, metaKey).Err(); err != nil {
return fmt.Errorf("failed to delete session: %w", err)
···
func (r *RedisStore) SaveAuthRequestInfo(ctx context.Context, info oauth.AuthRequestData) error {
key := authRequestKey(info.State)
120
-
// check if already exists (to match MemStore behavior)
220
+
// Check if already exists (to match MemStore behavior)
exists, err := r.client.Exists(ctx, key).Result()
return fmt.Errorf("failed to check auth request existence: %w", err)
···
return fmt.Errorf("failed to marshal auth request: %w", err)
134
-
if err := r.client.Set(ctx, key, data, r.AuthRequestTTL).Err(); err != nil {
234
+
if err := r.client.Set(ctx, key, data, r.cfg.AuthRequestExpiryDuration).Err(); err != nil {
return fmt.Errorf("failed to save auth request: %w", err)
brookjeynes.dev