From 977d7dab7e9b1bd06efef031788558da0f45ac9e Mon Sep 17 00:00:00 2001
From: kirari04
Date: Sat, 13 Jan 2024 22:38:18 +0100
Subject: [PATCH] improoved upload session handling and added longer auth sessions
---
 config/config.go | 4 +++-
 controllers/CreateUploadChunckController.go | 3 ++-
 helpers/DynamicJwt.go | 8 ++------
 logic/CreateUploadChunck.go | 11 ++++++-----
 logic/CreateUploadFile.go | 2 +-
 logic/CreateUploadSession.go | 2 +-
 routes/api.go | 5 ++++-
 7 files changed, 19 insertions(+), 16 deletions(-)
diff --git a/config/config.go b/config/config.go
index f6f1431..9ac7430 100755
--- a/config/config.go
+++ b/config/config.go
@@ -15,7 +15,8 @@ type Config struct {
 ProjectDocumentation string `validate:"required,min=1,max=512"`
 ProjectDownload string `validate:"required,min=1,max=512"`
- JwtSecretKey string `validate:"required,min=8,max=512"`
+ JwtSecretKey string `validate:"required,min=8,max=512"`
+ JwtUploadSecretKey string `validate:"required,min=8,max=512"`
 CookieDomain string `validate:"required,min=8,max=225"`
@@ -129,6 +130,7 @@ func Setup() {
 ENV.ProjectDownload = getEnv("ProjectDownload", "https://github.com/notfound")
 ENV.JwtSecretKey = getEnv("JwtSecretKey", "secretkey")
+ ENV.JwtUploadSecretKey = getEnv("JwtUploadSecretKey", "secretkeyupload")
 ENV.CookieDomain = getEnv("CookieDomain", "secretkey")
diff --git a/controllers/CreateUploadChunckController.go b/controllers/CreateUploadChunckController.go
index c76ba82..1895375 100755
--- a/controllers/CreateUploadChunckController.go
+++ b/controllers/CreateUploadChunckController.go
@@ -14,6 +14,7 @@ import (
 "github.com/google/uuid"
 )
+// this route is not securet with user jwt token so it doesnt invalidate the chunck because the session invalidated during the upload time
 func CreateUploadChunck(c *fiber.Ctx) error {
 // parse & validate request
 var validation models.UploadChunckValidation
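Review bot: The new `ENV.JwtUploadSecretKey = getEnv("JwtUploadSecretKey", "secretkeyupload")` in the Setup hunk ships a publicly known fallback signing key, so a deployment that forgets to set the variable issues upload-session tokens that anyone who reads this repository can mint. The `required,min=8` tag on the new struct field does not catch this because the default satisfies it. Prefer an empty default so the validator rejects the config at startup (assuming Setup runs it over the struct tags), `ENV.JwtUploadSecretKey = getEnv("JwtUploadSecretKey", "")`, or refuse to start when the value still equals the documented default. The pre-existing `JwtSecretKey`/`"secretkey"` line on the context line above has the same weakness and is worth fixing in the same way.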
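Review bot: The comment added above CreateUploadChunck in controllers/CreateUploadChunckController.go is hard to parse and does not follow Go's doc-comment form (it should start with the function name), and it leaves the important fact implicit: the upload-session JWT in the body is now the only credential this handler checks. Suggest replacing it with `// CreateUploadChunck stores one chunk of an upload. It is deliberately served outside the user-auth middleware so an upload in progress survives expiry of the user session; the signed upload-session JWT in the request body is the only credential that is verified.` The body of CreateUploadChunck continues past the end of this hunk.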
@@ -43,7 +44,7 @@ func CreateUploadChunck(c *fiber.Ctx) error {
 }
 // business logic
- status, response, err := logic.CreateUploadChunck(*validation.Index, validation.SessionJwtToken, filePath, c.Locals("UserID").(uint))
+ status, response, err := logic.CreateUploadChunck(*validation.Index, validation.SessionJwtToken, filePath)
 if err != nil {
 os.Remove(filePath)
 return c.Status(status).SendString(err.Error())
diff --git a/helpers/DynamicJwt.go b/helpers/DynamicJwt.go
index 1dd713e..8eb4cff 100755
--- a/helpers/DynamicJwt.go
+++ b/helpers/DynamicJwt.go
@@ -1,7 +1,6 @@
 package helpers
 import (
- "ch/kirari04/videocms/config"
 "time"
 "github.com/golang-jwt/jwt/v5"
@@ -9,8 +8,7 @@ import (
 var jwtKey []byte
-func GenerateDynamicJWT[T jwt.Claims](claims *T, expire time.Duration) (string, time.Time, error) {
- jwtKey = []byte(config.ENV.JwtSecretKey)
+func GenerateDynamicJWT[T jwt.Claims](claims *T, expire time.Duration, jwtKey []byte) (string, time.Time, error) {
 expirationTime := time.Now().Add(expire)
 token := jwt.NewWithClaims(jwt.SigningMethodHS256, *claims)
 tokenString, err := token.SignedString(jwtKey)
@@ -20,9 +18,7 @@ func GenerateDynamicJWT[T jwt.Claims](claims *T, expire time.Duration) (string,
 return tokenString, expirationTime, nil
 }
-func VerifyDynamicJWT[T jwt.Claims](tknStr string, claims T) (*jwt.Token, T, error) {
- jwtKey = []byte(config.ENV.JwtSecretKey)
-
+func VerifyDynamicJWT[T jwt.Claims](tknStr string, claims T, jwtKey []byte) (*jwt.Token, T, error) {
 tkn, err := jwt.ParseWithClaims(tknStr, claims, func(token *jwt.Token) (interface{}, error) {
 return jwtKey, nil
 })
diff --git a/logic/CreateUploadChunck.go b/logic/CreateUploadChunck.go
index 20e597d..106548f 100755
--- a/logic/CreateUploadChunck.go
+++ b/logic/CreateUploadChunck.go
@@ -1,6 +1,7 @@
 package logic
 import (
+ "ch/kirari04/videocms/config"
 "ch/kirari04/videocms/helpers"
 "ch/kirari04/videocms/inits"
 "ch/kirari04/videocms/models"
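Review bot: Dropping the `c.Locals("UserID").(uint)` argument is necessary, but not because the value is unwanted: the routes/api.go hunk moves this handler out of the `middlewares.Auth` group, so that local is no longer set for the request at all. Any other `c.Locals("UserID").(uint)` left in the parts of CreateUploadChunck outside this hunk (the function starts before it) would now panic on the type assertion instead of returning an error, so the rest of the handler needs the same sweep. A short comment at the call, `// no user context here: the route is unauthenticated and only the session token is checked`, would stop the next reader from re-adding it.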
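Review bot: In the GenerateDynamicJWT hunk of helpers/DynamicJwt.go the package-level `var jwtKey []byte` on the context line is now dead and is shadowed by the new `jwtKey []byte` parameter of both functions, which makes it easy to misread which key is actually signing; delete the declaration. The new parameter changes the signature of every existing caller, yet only the upload-session call sites are updated in this patch — any login or `middlewares.Auth` caller elsewhere in the tree must now pass `[]byte(config.ENV.JwtSecretKey)` or the build breaks, and the "longer auth sessions" named in the subject line are not visible in any hunk. It is also worth failing fast on a misconfigured secret, `if len(jwtKey) == 0 { return "", time.Time{}, errors.New("empty jwt key") }`, rather than signing with a zero-length key.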
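Review bot: In the VerifyDynamicJWT hunk the key function `return jwtKey, nil` hands the HMAC secret back for whatever `alg` the token header claims, so the parser is not pinned to HS256, the only method GenerateDynamicJWT uses; this is the classic algorithm-confusion gap and this commit is the moment the function gains a second secret, so it is worth closing now. Pin the method either inside the key function, `if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok { return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"]) }`, or by passing `jwt.WithValidMethods([]string{"HS256"})` to ParseWithClaims. The remainder of VerifyDynamicJWT lies outside this hunk.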
@@ -13,9 +14,9 @@ import (
 "github.com/gofiber/fiber/v2"
 )
-func CreateUploadChunck(index uint, sessionToken string, fromFile string, userId uint) (status int, response string, err error) {
+func CreateUploadChunck(index uint, sessionToken string, fromFile string) (status int, response string, err error) {
 // validate token
- token, claims, err := helpers.VerifyDynamicJWT(sessionToken, &models.UploadSessionClaims{})
+ token, claims, err := helpers.VerifyDynamicJWT(sessionToken, &models.UploadSessionClaims{}, []byte(config.ENV.JwtUploadSecretKey))
 if err != nil || claims == nil {
 log.Printf("err: %v", err)
 return fiber.StatusBadRequest, "", errors.New("broken upload session token")
@@ -23,9 +24,9 @@ func CreateUploadChunck(index uint, sessionToken string, fromFile string, userId
 if !token.Valid {
 return fiber.StatusBadRequest, "", errors.New("invalid upload session token")
 }
- if (*claims).UserID != userId {
- return fiber.StatusForbidden, "", fiber.ErrForbidden
- }
+ // if (*claims).UserID != userId {
+ // return fiber.StatusForbidden, "", fiber.ErrForbidden
+ // }
 //check if session still active
 uploadSession := models.UploadSession{}
diff --git a/logic/CreateUploadFile.go b/logic/CreateUploadFile.go
index 2db5685..58e74e6 100755
--- a/logic/CreateUploadFile.go
+++ b/logic/CreateUploadFile.go
@@ -19,7 +19,7 @@ import (
 */
 func CreateUploadFile(sessionToken string, userId uint) (status int, response *models.Link, err error) {
 // validate token
- token, claims, err := helpers.VerifyDynamicJWT(sessionToken, &models.UploadSessionClaims{})
+ token, claims, err := helpers.VerifyDynamicJWT(sessionToken, &models.UploadSessionClaims{}, []byte(config.ENV.JwtUploadSecretKey))
 if err != nil && claims != nil {
 log.Printf("err: %v", err)
 return fiber.StatusBadRequest, nil, errors.New("broken upload session token")
diff --git a/logic/CreateUploadSession.go b/logic/CreateUploadSession.go
index 8451739..67598ae 100755
--- a/logic/CreateUploadSession.go
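Review bot: In the second hunk of logic/CreateUploadChunck.go the ownership check is commented out rather than removed and nothing replaces it, so from this point on the upload-session JWT alone authorizes writes into the session; that is the trade-off the subject line describes, but it deserves a one-line statement of intent instead of three lines of dead code, e.g. `// no user JWT here: the route is unauthenticated so an upload can outlive the login session; the signed session token is the credential.` Since `claims.UserID` is still carried in the token, a cheap defence-in-depth step is to compare it with the owner recorded on the `uploadSession` row loaded just below, if that model stores one, and return `fiber.ErrForbidden` on mismatch, so a token can never be used against a session it was not issued for. The body of CreateUploadChunck continues past this hunk.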
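Review bot: The new call in logic/CreateUploadFile.go references `config.ENV.JwtUploadSecretKey`, but unlike logic/CreateUploadChunck.go this file gets no import hunk for `ch/kirari04/videocms/config`; unless CreateUploadFile.go already imports it above line 19 this does not compile, and the same question applies to the logic/CreateUploadSession.go hunk. Separately, the condition on the line after the changed call, `if err != nil && claims != nil {`, is the inverse of the `||` that CreateUploadChunck uses for the same call: if VerifyDynamicJWT returns a nil claims pointer on failure, a malformed token falls through to the `token.Valid` check instead of being rejected here. `if err != nil || claims == nil {` matches the sibling and fails closed. The body of CreateUploadFile continues past the hunk.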
+++ b/logic/CreateUploadSession.go
@@ -100,7 +100,7 @@ func CreateUploadSession(toFolder uint, fileName string, uploadSessionUUID strin
 }
 maxUploadDuration := time.Hour * 2
- token, expirationTime, err := helpers.GenerateDynamicJWT[models.UploadSessionClaims](&claims, maxUploadDuration)
+ token, expirationTime, err := helpers.GenerateDynamicJWT[models.UploadSessionClaims](&claims, maxUploadDuration, []byte(config.ENV.JwtUploadSecretKey))
 if err != nil {
 log.Printf("Failed to generate jwt token for upload session: %v", err)
 return fiber.StatusInternalServerError, nil, fiber.ErrInternalServerError
diff --git a/routes/api.go b/routes/api.go
index 5f8990a..5fab7ae 100755
--- a/routes/api.go
+++ b/routes/api.go
@@ -27,6 +27,9 @@ func Api() {
 inits.Api.Get("/p/pages", controllers.ListPublicWebPage)
 inits.Api.Get("/p/page", controllers.GetPublicWebPage)
+ // requires uploadsession jwt inside body
+ inits.Api.Post("/pcu/chunck", controllers.CreateUploadChunck)
+
 // Routes that require to be authenticated
 protectedApi := inits.Api.Group("", middlewares.Auth)
 protectedApi.Post("/folder", controllers.CreateFolder)
@@ -66,6 +69,6 @@ func Api() {
 protectedApi.Get("/pcu/sessions", controllers.GetUploadSessions)
 protectedApi.Post("/pcu/session", controllers.CreateUploadSession)
 protectedApi.Delete("/pcu/session", controllers.DeleteUploadSession)
- protectedApi.Post("/pcu/chunck", controllers.CreateUploadChunck)
+ // protectedApi.Post("/pcu/chunck", controllers.CreateUploadChunck)
 protectedApi.Post("/pcu/file", controllers.CreateUploadFile)
 }
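Review bot: Registering `/pcu/chunck` outside the `middlewares.Auth` group in routes/api.go makes it the only unauthenticated endpoint that accepts a file body, and the controller hunk shows the chunk is already on disk (`os.Remove(filePath)` in the error path) before `logic.CreateUploadChunck` rejects a bad token, so an unauthenticated client can make the server write and delete temporary files and burn disk and bandwidth with no credential at all. Verify the session JWT before saving the multipart file, or at minimum put a body-size limit and a rate limiter on this one route, and document the trust boundary next to the registration, e.g. `// unauthenticated: the signed upload-session JWT in the body is the only credential; it is verified in logic.CreateUploadChunck`. The second hunk of the file leaves the old registration as a commented-out line; delete it rather than keep dead code. Both hunks sit inside Api, whose body extends beyond them.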