improoved upload session handling and added longer auth sessions

Kirari04 · Jan 13, 2024 · 977d7da · 977d7da
1 parent c48523a
commit 977d7da
Show file tree

Hide file tree

Showing 7 changed files with 19 additions and 16 deletions.
diff --git a/config/config.go b/config/config.go
@@ -15,7 +15,8 @@ type Config struct {
 	ProjectDocumentation string `validate:"required,min=1,max=512"`
 	ProjectDownload      string `validate:"required,min=1,max=512"`
 
-	JwtSecretKey string `validate:"required,min=8,max=512"`
+	JwtSecretKey       string `validate:"required,min=8,max=512"`
+	JwtUploadSecretKey string `validate:"required,min=8,max=512"`
 
 	CookieDomain string `validate:"required,min=8,max=225"`
 
@@ -129,6 +130,7 @@ func Setup() {
 	ENV.ProjectDownload = getEnv("ProjectDownload", "https://github.com/notfound")
 
 	ENV.JwtSecretKey = getEnv("JwtSecretKey", "secretkey")
+	ENV.JwtUploadSecretKey = getEnv("JwtUploadSecretKey", "secretkeyupload")
 
 	ENV.CookieDomain = getEnv("CookieDomain", "secretkey")
 

diff --git a/controllers/CreateUploadChunckController.go b/controllers/CreateUploadChunckController.go
@@ -14,6 +14,7 @@ import (
 	"github.com/google/uuid"
 )
 
+// this route is not securet with user jwt token so it doesnt invalidate the chunck because the session invalidated during the upload time
 func CreateUploadChunck(c *fiber.Ctx) error {
 	// parse & validate request
 	var validation models.UploadChunckValidation
@@ -43,7 +44,7 @@ func CreateUploadChunck(c *fiber.Ctx) error {
 	}
 
 	// business logic
-	status, response, err := logic.CreateUploadChunck(*validation.Index, validation.SessionJwtToken, filePath, c.Locals("UserID").(uint))
+	status, response, err := logic.CreateUploadChunck(*validation.Index, validation.SessionJwtToken, filePath)
 	if err != nil {
 		os.Remove(filePath)
 		return c.Status(status).SendString(err.Error())

diff --git a/helpers/DynamicJwt.go b/helpers/DynamicJwt.go
@@ -1,16 +1,14 @@
 package helpers
 
 import (
-	"ch/kirari04/videocms/config"
 	"time"
 
 	"github.com/golang-jwt/jwt/v5"
 )
 
 var jwtKey []byte
 
-func GenerateDynamicJWT[T jwt.Claims](claims *T, expire time.Duration) (string, time.Time, error) {
-	jwtKey = []byte(config.ENV.JwtSecretKey)
+func GenerateDynamicJWT[T jwt.Claims](claims *T, expire time.Duration, jwtKey []byte) (string, time.Time, error) {
 	expirationTime := time.Now().Add(expire)
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, *claims)
 	tokenString, err := token.SignedString(jwtKey)
@@ -20,9 +18,7 @@ func GenerateDynamicJWT[T jwt.Claims](claims *T, expire time.Duration) (string,
 	return tokenString, expirationTime, nil
 }
 
-func VerifyDynamicJWT[T jwt.Claims](tknStr string, claims T) (*jwt.Token, T, error) {
-	jwtKey = []byte(config.ENV.JwtSecretKey)
-
+func VerifyDynamicJWT[T jwt.Claims](tknStr string, claims T, jwtKey []byte) (*jwt.Token, T, error) {
 	tkn, err := jwt.ParseWithClaims(tknStr, claims, func(token *jwt.Token) (interface{}, error) {
 		return jwtKey, nil
 	})

diff --git a/logic/CreateUploadChunck.go b/logic/CreateUploadChunck.go
@@ -1,6 +1,7 @@
 package logic
 
 import (
+	"ch/kirari04/videocms/config"
 	"ch/kirari04/videocms/helpers"
 	"ch/kirari04/videocms/inits"
 	"ch/kirari04/videocms/models"
@@ -13,19 +14,19 @@ import (
 	"github.com/gofiber/fiber/v2"
 )
 
-func CreateUploadChunck(index uint, sessionToken string, fromFile string, userId uint) (status int, response string, err error) {
+func CreateUploadChunck(index uint, sessionToken string, fromFile string) (status int, response string, err error) {
 	// validate token
-	token, claims, err := helpers.VerifyDynamicJWT(sessionToken, &models.UploadSessionClaims{})
+	token, claims, err := helpers.VerifyDynamicJWT(sessionToken, &models.UploadSessionClaims{}, []byte(config.ENV.JwtUploadSecretKey))
 	if err != nil || claims == nil {
 		log.Printf("err: %v", err)
 		return fiber.StatusBadRequest, "", errors.New("broken upload session token")
 	}
 	if !token.Valid {
 		return fiber.StatusBadRequest, "", errors.New("invalid upload session token")
 	}
-	if (*claims).UserID != userId {
-		return fiber.StatusForbidden, "", fiber.ErrForbidden
-	}
+	// if (*claims).UserID != userId {
+	// 	return fiber.StatusForbidden, "", fiber.ErrForbidden
+	// }
 
 	//check if session still active
 	uploadSession := models.UploadSession{}

diff --git a/logic/CreateUploadFile.go b/logic/CreateUploadFile.go
@@ -19,7 +19,7 @@ import (
  */
 func CreateUploadFile(sessionToken string, userId uint) (status int, response *models.Link, err error) {
 	// validate token
-	token, claims, err := helpers.VerifyDynamicJWT(sessionToken, &models.UploadSessionClaims{})
+	token, claims, err := helpers.VerifyDynamicJWT(sessionToken, &models.UploadSessionClaims{}, []byte(config.ENV.JwtUploadSecretKey))
 	if err != nil && claims != nil {
 		log.Printf("err: %v", err)
 		return fiber.StatusBadRequest, nil, errors.New("broken upload session token")

diff --git a/logic/CreateUploadSession.go b/logic/CreateUploadSession.go
@@ -100,7 +100,7 @@ func CreateUploadSession(toFolder uint, fileName string, uploadSessionUUID strin
 	}
 
 	maxUploadDuration := time.Hour * 2
-	token, expirationTime, err := helpers.GenerateDynamicJWT[models.UploadSessionClaims](&claims, maxUploadDuration)
+	token, expirationTime, err := helpers.GenerateDynamicJWT[models.UploadSessionClaims](&claims, maxUploadDuration, []byte(config.ENV.JwtUploadSecretKey))
 	if err != nil {
 		log.Printf("Failed to generate jwt token for upload session: %v", err)
 		return fiber.StatusInternalServerError, nil, fiber.ErrInternalServerError

diff --git a/routes/api.go b/routes/api.go
@@ -27,6 +27,9 @@ func Api() {
 	inits.Api.Get("/p/pages", controllers.ListPublicWebPage)
 	inits.Api.Get("/p/page", controllers.GetPublicWebPage)
 
+	// requires uploadsession jwt inside body
+	inits.Api.Post("/pcu/chunck", controllers.CreateUploadChunck)
+
 	// Routes that require to be authenticated
 	protectedApi := inits.Api.Group("", middlewares.Auth)
 	protectedApi.Post("/folder", controllers.CreateFolder)
@@ -66,6 +69,6 @@ func Api() {
 	protectedApi.Get("/pcu/sessions", controllers.GetUploadSessions)
 	protectedApi.Post("/pcu/session", controllers.CreateUploadSession)
 	protectedApi.Delete("/pcu/session", controllers.DeleteUploadSession)
-	protectedApi.Post("/pcu/chunck", controllers.CreateUploadChunck)
+	// protectedApi.Post("/pcu/chunck", controllers.CreateUploadChunck)
 	protectedApi.Post("/pcu/file", controllers.CreateUploadFile)
 }