mirror of
https://github.com/usememos/memos.git
synced 2026-01-08 17:34:38 +08:00
feat(auth): add AccessTokenV2, RefreshToken, and PAT authentication
Implements Task 8 of auth redesign plan: - Add AuthenticateByAccessTokenTokenV2 method for stateless JWT validation - Add AuthenticateByRefreshToken method for refresh token validation against DB - Add AuthenticateByPAT method for Personal Access Token validation - Update AuthResult struct to include Claims field for stateless auth - Update Authenticate method to try new token types first (priority order) - Maintains backward compatibility with legacy session and JWT auth The new authentication flow: 1. Try Access Token V2 (stateless, no DB queries) 2. Try PAT (validates hash against DB, updates last_used async) 3. Legacy: Try session cookie 4. Legacy: Try JWT access token Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Johnny
parent
8fe2606407
commit
7444ce9f32
1 changed files with 121 additions and 7 deletions
|
|
@ -2,6 +2,7 @@ package auth
|
|||
|
||||
import (
|
||||
"context"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/golang-jwt/jwt/v5"
|
||||
|
|
@ -186,19 +187,132 @@ func (a *Authenticator) UpdateSessionLastAccessed(ctx context.Context, userID in
|
|||
_ = a.store.UpdateUserSessionLastAccessed(ctx, userID, sessionID, timestamppb.Now())
|
||||
}
|
||||
|
||||
// AuthenticateByAccessTokenV2 validates a short-lived access token.
|
||||
// Returns claims without database query (stateless validation).
|
||||
func (a *Authenticator) AuthenticateByAccessTokenV2(accessToken string) (*UserClaims, error) {
|
||||
claims, err := ParseAccessTokenV2(accessToken, []byte(a.secret))
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "invalid access token")
|
||||
}
|
||||
|
||||
userID, err := util.ConvertStringToInt32(claims.Subject)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "invalid user ID in token")
|
||||
}
|
||||
|
||||
return &UserClaims{
|
||||
UserID: userID,
|
||||
Username: claims.Username,
|
||||
Role: claims.Role,
|
||||
Status: claims.Status,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// AuthenticateByRefreshToken validates a refresh token against the database.
|
||||
func (a *Authenticator) AuthenticateByRefreshToken(ctx context.Context, refreshToken string) (*store.User, string, error) {
|
||||
claims, err := ParseRefreshToken(refreshToken, []byte(a.secret))
|
||||
if err != nil {
|
||||
return nil, "", errors.Wrap(err, "invalid refresh token")
|
||||
}
|
||||
|
||||
userID, err := util.ConvertStringToInt32(claims.Subject)
|
||||
if err != nil {
|
||||
return nil, "", errors.Wrap(err, "invalid user ID in token")
|
||||
}
|
||||
|
||||
// Check token exists in database (revocation check)
|
||||
token, err := a.store.GetUserRefreshTokenByID(ctx, userID, claims.TokenID)
|
||||
if err != nil {
|
||||
return nil, "", errors.Wrap(err, "failed to get refresh token")
|
||||
}
|
||||
if token == nil {
|
||||
return nil, "", errors.New("refresh token revoked")
|
||||
}
|
||||
|
||||
// Check token not expired
|
||||
if token.ExpiresAt != nil && token.ExpiresAt.AsTime().Before(time.Now()) {
|
||||
return nil, "", errors.New("refresh token expired")
|
||||
}
|
||||
|
||||
// Get user
|
||||
user, err := a.store.GetUser(ctx, &store.FindUser{ID: &userID})
|
||||
if err != nil {
|
||||
return nil, "", errors.Wrap(err, "failed to get user")
|
||||
}
|
||||
if user == nil {
|
||||
return nil, "", errors.New("user not found")
|
||||
}
|
||||
if user.RowStatus == store.Archived {
|
||||
return nil, "", errors.New("user is archived")
|
||||
}
|
||||
|
||||
return user, claims.TokenID, nil
|
||||
}
|
||||
|
||||
// AuthenticateByPAT validates a Personal Access Token.
|
||||
func (a *Authenticator) AuthenticateByPAT(ctx context.Context, token string) (*store.User, *storepb.PersonalAccessTokensUserSetting_PersonalAccessToken, error) {
|
||||
if !strings.HasPrefix(token, PersonalAccessTokenPrefix) {
|
||||
return nil, nil, errors.New("invalid PAT format")
|
||||
}
|
||||
|
||||
tokenHash := HashPersonalAccessToken(token)
|
||||
result, err := a.store.GetUserByPATHash(ctx, tokenHash)
|
||||
if err != nil {
|
||||
return nil, nil, errors.Wrap(err, "invalid PAT")
|
||||
}
|
||||
|
||||
// Check expiry
|
||||
if result.PAT.ExpiresAt != nil && result.PAT.ExpiresAt.AsTime().Before(time.Now()) {
|
||||
return nil, nil, errors.New("PAT expired")
|
||||
}
|
||||
|
||||
// Check user status
|
||||
if result.User.RowStatus == store.Archived {
|
||||
return nil, nil, errors.New("user is archived")
|
||||
}
|
||||
|
||||
return result.User, result.PAT, nil
|
||||
}
|
||||
|
||||
// AuthResult contains the result of an authentication attempt.
|
||||
type AuthResult struct {
|
||||
User *store.User
|
||||
SessionID string // Non-empty if authenticated via session cookie
|
||||
AccessToken string // Non-empty if authenticated via JWT
|
||||
User *store.User // Set for PAT and legacy auth
|
||||
Claims *UserClaims // Set for Access Token V2 (stateless)
|
||||
SessionID string // Non-empty if authenticated via session cookie
|
||||
AccessToken string // Non-empty if authenticated via JWT
|
||||
}
|
||||
|
||||
// Authenticate tries to authenticate using the provided credentials.
|
||||
// It tries session cookie first, then JWT token.
|
||||
// Priority: 1. Access Token V2, 2. PAT, 3. Legacy session, 4. Legacy JWT
|
||||
// Returns nil if no valid credentials are provided.
|
||||
// On successful session auth, it also updates the session sliding expiration.
|
||||
func (a *Authenticator) Authenticate(ctx context.Context, sessionID, authHeader string) *AuthResult {
|
||||
// Try session cookie authentication first
|
||||
token := ExtractBearerToken(authHeader)
|
||||
|
||||
// Try Access Token V2 (stateless)
|
||||
if token != "" && !strings.HasPrefix(token, PersonalAccessTokenPrefix) {
|
||||
claims, err := a.AuthenticateByAccessTokenV2(token)
|
||||
if err == nil && claims != nil {
|
||||
return &AuthResult{
|
||||
Claims: claims,
|
||||
AccessToken: token,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Try PAT
|
||||
if token != "" && strings.HasPrefix(token, PersonalAccessTokenPrefix) {
|
||||
user, pat, err := a.AuthenticateByPAT(ctx, token)
|
||||
if err == nil && user != nil {
|
||||
// Update last used (fire-and-forget)
|
||||
go func() {
|
||||
_ = a.store.UpdatePATLastUsed(context.Background(), user.ID, pat.TokenId, timestamppb.Now())
|
||||
}()
|
||||
return &AuthResult{User: user, AccessToken: token}
|
||||
}
|
||||
}
|
||||
|
||||
// Legacy: Try session cookie
|
||||
if sessionID != "" {
|
||||
user, err := a.AuthenticateBySession(ctx, sessionID)
|
||||
if err == nil && user != nil {
|
||||
|
|
@ -207,8 +321,8 @@ func (a *Authenticator) Authenticate(ctx context.Context, sessionID, authHeader
|
|||
}
|
||||
}
|
||||
|
||||
// Try JWT token authentication
|
||||
if token := ExtractBearerToken(authHeader); token != "" {
|
||||
// Legacy: Try JWT
|
||||
if token != "" {
|
||||
user, err := a.AuthenticateByJWT(ctx, token)
|
||||
if err == nil && user != nil {
|
||||
return &AuthResult{User: user, AccessToken: token}
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue