Add: Session checking on jwt decode

b83dc523 · Akshay Bharambe · d3fab005 · b83dc523 · b83dc523
Commit b83dc523 authored 4 years ago by Akshay Bharambe
--- a/authmdl/jwtmdl/jwtmdl_fasthttp.go
+++ b/authmdl/jwtmdl/jwtmdl_fasthttp.go
@@ -8,6 +8,7 @@ import (

 	"github.com/valyala/fasthttp"

+	"corelab.mkcl.org/MKCLOS/coredevelopmentplatform/corepkgv2/authmdl/sessionmdl"
 	"corelab.mkcl.org/MKCLOS/coredevelopmentplatform/corepkgv2/errormdl"
 	"corelab.mkcl.org/MKCLOS/coredevelopmentplatform/corepkgv2/loggermdl"
 	jwt "github.com/dgrijalva/jwt-go"
@@ -15,6 +16,12 @@ import (

 // DecodeTokenWithJWTKey decode token
 func DecodeTokenWithJWTKey(req *fasthttp.Request, jwtKey string) (jwt.MapClaims, error) {
+
+	// check for instance header.
+	if sessionmdl.ValidateSession && req.Header.Peek(sessionmdl.InstanceHeader) != sessionmdl.SessionInstance {
+		return nil, sessionmdl.ErrInvalidSessionInstance
+	}
+
 	tokenFromRequest := string(req.Header.Peek("Authorization"))
 	tokenArray := strings.Split(tokenFromRequest, "Bearer")
 	if len(tokenArray) <= 1 {
@@ -42,6 +49,14 @@ func DecodeTokenWithJWTKey(req *fasthttp.Request, jwtKey string) (jwt.MapClaims,
 		return nil, errormdl.Wrap("Error while getting claims")
 	}

+	// validate user session from session id present in token
+	if sessionmdl.ValidateSession {
+		if err := sessionmdl.ValidateSessionFromToken(claims); err != nil {
+			loggermdl.LogError("session validation failed with err:", err)
+			return nil, sessionmdl.ErrSessionValidationFailed
+		}
+	}
+
 	return claims, nil
 }


--- a/authmdl/jwtmdl/jwtmdl_http.go
+++ b/authmdl/jwtmdl/jwtmdl_http.go
@@ -7,6 +7,7 @@ import (

 	"github.com/dgrijalva/jwt-go/request"

+	"corelab.mkcl.org/MKCLOS/coredevelopmentplatform/corepkgv2/authmdl/sessionmdl"
 	"corelab.mkcl.org/MKCLOS/coredevelopmentplatform/corepkgv2/errormdl"
 	"corelab.mkcl.org/MKCLOS/coredevelopmentplatform/corepkgv2/loggermdl"
 	jwt "github.com/dgrijalva/jwt-go"
@@ -14,6 +15,12 @@ import (

 // DecodeTokenWithJWTKey decode token
 func DecodeTokenWithJWTKey(req *http.Request, jwtKey string) (jwt.MapClaims, error) {
+
+	// check for instance header.
+	if sessionmdl.ValidateSession && req.Header.Get(sessionmdl.InstanceHeader) != sessionmdl.SessionInstance {
+		return nil, sessionmdl.ErrInvalidSessionInstance
+	}
+
 	token, err := request.ParseFromRequest(req, request.OAuth2Extractor, func(token *jwt.Token) (interface{}, error) {
 		b := ([]byte(jwtKey))
 		return b, nil
@@ -29,6 +36,14 @@ func DecodeTokenWithJWTKey(req *http.Request, jwtKey string) (jwt.MapClaims, err
 		return nil, errormdl.Wrap("Error while getting claims")
 	}

+	// validate user session from session id present in token
+	if sessionmdl.ValidateSession {
+		if err := sessionmdl.ValidateSessionFromToken(claims); err != nil {
+			loggermdl.LogError("session validation failed with err:", err)
+			return nil, sessionmdl.ErrSessionValidationFailed
+		}
+	}
+
 	return claims, nil
 }