feat: add IsRevokedToken logic to graphql-server

Signed-off-by: namkyu1999 <[email protected]>
litmuschaos · Jul 12, 2023 · a7b7b3a · a7b7b3a
1 parent 4d7720d
commit a7b7b3a
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 5 deletions.
diff --git a/litmus-portal/graphql-server/pkg/authorization/middleware.go b/litmus-portal/graphql-server/pkg/authorization/middleware.go
@@ -6,6 +6,8 @@ import (
 
 	"github.com/gin-gonic/gin"
 	log "github.com/sirupsen/logrus"
+	"go.mongodb.org/mongo-driver/bson"
+	"go.mongodb.org/mongo-driver/mongo"
 )
 
 type contextKey string
@@ -17,7 +19,7 @@ const (
 )
 
 // Middleware verifies jwt and checks if user has enough privilege to access route (no roles' info needed)
-func Middleware(handler http.Handler) gin.HandlerFunc {
+func Middleware(handler http.Handler, mongoClient *mongo.Client) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		jwt := ""
 		auth, err := c.Request.Cookie(CookieName)
@@ -26,15 +28,19 @@ func Middleware(handler http.Handler) gin.HandlerFunc {
 		} else if c.Request.Header.Get("Authorization") != "" {
 			jwt = c.Request.Header.Get("Authorization")
 		}
-
+		if IsRevokedToken(jwt, mongoClient) {
+			c.Writer.WriteHeader(http.StatusUnauthorized)
+			c.Writer.Write([]byte("Error verifying JWT token: Token is revoked"))
+			return
+		}
 		ctx := context.WithValue(c.Request.Context(), AuthKey, jwt)
 		c.Request = c.Request.WithContext(ctx)
 		handler.ServeHTTP(c.Writer, c.Request)
 	}
 }
 
 // RestMiddlewareWithRole verifies jwt and checks if user has enough privilege to access route
-func RestMiddlewareWithRole(handler gin.HandlerFunc, roles []string) gin.HandlerFunc {
+func RestMiddlewareWithRole(handler gin.HandlerFunc, mongoClient *mongo.Client, roles []string) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		jwt := ""
 		auth, err := c.Request.Cookie(CookieName)
@@ -43,6 +49,11 @@ func RestMiddlewareWithRole(handler gin.HandlerFunc, roles []string) gin.Handler
 		} else if c.Request.Header.Get("Authorization") != "" {
 			jwt = c.Request.Header.Get("Authorization")
 		}
+		if IsRevokedToken(jwt, mongoClient) {
+			c.Writer.WriteHeader(http.StatusUnauthorized)
+			c.Writer.Write([]byte("Error verifying JWT token: Token is revoked"))
+			return
+		}
 		user, err := UserValidateJWT(jwt)
 		if err != nil {
 			log.WithError(err).Error("invalid Auth Cookie")
@@ -64,3 +75,20 @@ func RestMiddlewareWithRole(handler gin.HandlerFunc, roles []string) gin.Handler
 		return
 	}
 }
+
+// IsRevokedToken checks if the given JWT Token is revoked
+func IsRevokedToken(tokenString string, mongoClient *mongo.Client) bool {
+	collection := mongoClient.Database("auth").Collection("revoked-token")
+	result := struct {
+		Token     string `bson:"token"`
+		ExpireOn  int64  `bson:"expire_on"`
+		CreatedAt int64  `bson:"created_at"`
+	}{}
+	err := collection.FindOne(context.Background(), bson.M{
+		"token": tokenString,
+	}).Decode(&result)
+	if err != nil {
+		return false
+	}
+	return true
+}
diff --git a/litmus-portal/graphql-server/server.go b/litmus-portal/graphql-server/server.go
@@ -139,9 +139,9 @@ func main() {
 
 	// routers
 	router.GET("/", rest_handlers.PlaygroundHandler())
-	router.Any("/query", authorization.Middleware(srv))
+	router.Any("/query", authorization.Middleware(srv, client))
 	router.GET("/readiness", rest_handlers.ReadinessHandler(client, mongodbOperator))
-	router.GET("/icon/:ProjectID/:HubName/:ChartName/:IconName", authorization.RestMiddlewareWithRole(rest_handlers.GetIconHandler, nil))
+	router.GET("/icon/:ProjectID/:HubName/:ChartName/:IconName", authorization.RestMiddlewareWithRole(rest_handlers.GetIconHandler, client, nil))
 	router.Any("/file/:key", rest_handlers.FileHandler(mongodbOperator, kubeClients))
 	router.GET("/status", rest_handlers.StatusHandler)
 	router.GET("/workflow_helper_image_version", rest_handlers.WorkflowHelperImageVersionHandler)