From e896759e1e5cf87c9a499d7477cdfabb85d07752 Mon Sep 17 00:00:00 2001 From: Ulf Gebhardt Date: Thu, 11 Nov 2021 00:14:03 +0100 Subject: [PATCH 1/4] "implemented" logout call --- backend/src/graphql/resolver/UserResolver.ts | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/backend/src/graphql/resolver/UserResolver.ts b/backend/src/graphql/resolver/UserResolver.ts index 2ecd523e9..ebb5000c9 100644 --- a/backend/src/graphql/resolver/UserResolver.ts +++ b/backend/src/graphql/resolver/UserResolver.ts @@ -263,13 +263,13 @@ export class UserResolver { @Authorized() @Query(() => String) - async logout(@Ctx() context: any): Promise { - const payload = { session_id: context.sessionId } - const result = await apiPost(CONFIG.LOGIN_API_URL + 'logout', payload) - if (!result.success) { - throw new Error(result.data) - } - return 'success' + async logout(@Ctx() context: any): Promise { + // TODO: We dont need this anymore, but might need this in the future in oder to invalidate a valid JWT-Token. + // Furthermore this hook can be useful for tracking user behaviour (did he logout or not? Flag him if he didn't on next login) + // The functionality is fully client side - the client just needs to delete his token with the current implementation. + // we could try to force this by sending `token: null` or `token: ''` with this call. But since it bares no real security + // we should just return true for now. + return true } @Mutation(() => String) From d7c515491245a3ff576315c0e85165c38f889d8b Mon Sep 17 00:00:00 2001 From: Ulf Gebhardt Date: Thu, 11 Nov 2021 00:30:00 +0100 Subject: [PATCH 2/4] removed unused context corrected comment removed unused code-comment --- backend/src/graphql/resolver/UserResolver.ts | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/backend/src/graphql/resolver/UserResolver.ts b/backend/src/graphql/resolver/UserResolver.ts index ebb5000c9..888a1aa00 100644 --- a/backend/src/graphql/resolver/UserResolver.ts +++ b/backend/src/graphql/resolver/UserResolver.ts @@ -263,9 +263,9 @@ export class UserResolver { @Authorized() @Query(() => String) - async logout(@Ctx() context: any): Promise { + async logout(): Promise { // TODO: We dont need this anymore, but might need this in the future in oder to invalidate a valid JWT-Token. - // Furthermore this hook can be useful for tracking user behaviour (did he logout or not? Flag him if he didn't on next login) + // Furthermore this hook can be useful for tracking user behaviour (did he logout or not? Warn him if he didn't on next login) // The functionality is fully client side - the client just needs to delete his token with the current implementation. // we could try to force this by sending `token: null` or `token: ''` with this call. But since it bares no real security // we should just return true for now. @@ -574,7 +574,6 @@ export class UserResolver { @Authorized() @Query(() => Boolean) async hasElopage(@Ctx() context: any): Promise { - // const result = await apiGet(CONFIG.LOGIN_API_URL + 'hasElopage?session_id=' + context.sessionId) const userRepository = getCustomRepository(UserRepository) const userEntity = await userRepository.findByPubkeyHex(context.pubKey).catch() if (!userEntity) { From e76646b327fff16c17250e552f6e4b812799b31c Mon Sep 17 00:00:00 2001 From: elweyn Date: Wed, 10 Nov 2021 06:13:29 +0100 Subject: [PATCH 3/4] Withdrew the sessionId from the JWT. --- backend/src/graphql/directive/isAuthorized.ts | 12 +++--------- backend/src/jwt/decode.ts | 5 ----- backend/src/jwt/encode.ts | 5 ++--- 3 files changed, 5 insertions(+), 17 deletions(-) diff --git a/backend/src/graphql/directive/isAuthorized.ts b/backend/src/graphql/directive/isAuthorized.ts index 77fe56ba1..d72f19456 100644 --- a/backend/src/graphql/directive/isAuthorized.ts +++ b/backend/src/graphql/directive/isAuthorized.ts @@ -13,15 +13,9 @@ const isAuthorized: AuthChecker = async ( ) => { if (context.token) { const decoded = decode(context.token) - if (decoded.sessionId && decoded.sessionId !== 0) { - const result = await apiGet( - `${CONFIG.LOGIN_API_URL}checkSessionState?session_id=${decoded.sessionId}`, - ) - context.sessionId = decoded.sessionId - context.pubKey = decoded.pubKey - context.setHeaders.push({ key: 'token', value: encode(decoded.sessionId, decoded.pubKey) }) - return result.success - } + context.pubKey = decoded.pubKey + context.setHeaders.push({ key: 'token', value: encode(decoded.pubKey) }) + return true } throw new Error('401 Unauthorized') } diff --git a/backend/src/jwt/decode.ts b/backend/src/jwt/decode.ts index 34b3ed836..6f09276b0 100644 --- a/backend/src/jwt/decode.ts +++ b/backend/src/jwt/decode.ts @@ -2,27 +2,22 @@ import jwt, { JwtPayload } from 'jsonwebtoken' import CONFIG from '../config/' interface CustomJwtPayload extends JwtPayload { - sessionId: number pubKey: Buffer } type DecodedJwt = { token: string - sessionId: number pubKey: Buffer } export default (token: string): DecodedJwt => { if (!token) throw new Error('401 Unauthorized') - let sessionId = null let pubKey = null try { const decoded = jwt.verify(token, CONFIG.JWT_SECRET) - sessionId = decoded.sessionId pubKey = decoded.pubKey return { token, - sessionId, pubKey, } } catch (err) { diff --git a/backend/src/jwt/encode.ts b/backend/src/jwt/encode.ts index fde28b467..ef062ad3a 100644 --- a/backend/src/jwt/encode.ts +++ b/backend/src/jwt/encode.ts @@ -5,10 +5,9 @@ import jwt from 'jsonwebtoken' import CONFIG from '../config/' // Generate an Access Token -export default function encode(sessionId: number, pubKey: Buffer): string { - const token = jwt.sign({ sessionId, pubKey }, CONFIG.JWT_SECRET, { +export default function encode(pubKey: Buffer): string { + const token = jwt.sign({ pubKey }, CONFIG.JWT_SECRET, { expiresIn: CONFIG.JWT_EXPIRES_IN, - subject: sessionId.toString(), }) return token } From cbc6570d657a358e953f8b746fc46587a31c79e8 Mon Sep 17 00:00:00 2001 From: elweyn Date: Thu, 11 Nov 2021 12:32:37 +0100 Subject: [PATCH 4/4] Encode doesn't need sessionId anymore. --- backend/src/graphql/resolver/TransactionResolver.ts | 2 +- backend/src/graphql/resolver/UserResolver.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/backend/src/graphql/resolver/TransactionResolver.ts b/backend/src/graphql/resolver/TransactionResolver.ts index 755955a7f..8b7b7cee1 100644 --- a/backend/src/graphql/resolver/TransactionResolver.ts +++ b/backend/src/graphql/resolver/TransactionResolver.ts @@ -516,7 +516,7 @@ export class TransactionResolver { } // validate recipient user - // TODO: the detour over the public key is unnecessary + // TODO: the detour over the public key is unnecessary sessionId is removed const recipiantPublicKey = await getPublicKey(email, context.sessionId) if (!recipiantPublicKey) { throw new Error('recipiant not known') diff --git a/backend/src/graphql/resolver/UserResolver.ts b/backend/src/graphql/resolver/UserResolver.ts index 2ecd523e9..5184d550f 100644 --- a/backend/src/graphql/resolver/UserResolver.ts +++ b/backend/src/graphql/resolver/UserResolver.ts @@ -200,7 +200,7 @@ export class UserResolver { context.setHeaders.push({ key: 'token', - value: encode(result.data.session_id, result.data.user.public_hex), + value: encode(result.data.user.public_hex), }) const user = new User(result.data.user) // Hack: Database Field is not validated properly and not nullable