feat: invalidate old token after changing the password (close #5515)
This commit is contained in:
Andy Hsu
@ -4,6 +4,7 @@ import (
|
||||
"time"
|
||||
|
||||
"github.com/alist-org/alist/v3/internal/conf"
|
||||
"github.com/alist-org/alist/v3/internal/model"
|
||||
"github.com/golang-jwt/jwt/v4"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
@ -12,12 +13,14 @@ var SecretKey []byte
|
||||
|
||||
type UserClaims struct {
|
||||
Username string `json:"username"`
|
||||
PwdTS int64 `json:"pwd_ts"`
|
||||
jwt.RegisteredClaims
|
||||
}
|
||||
|
||||
func GenerateToken(username string) (tokenString string, err error) {
|
||||
func GenerateToken(user *model.User) (tokenString string, err error) {
|
||||
claim := UserClaims{
|
||||
Username: username,
|
||||
Username: user.Username,
|
||||
PwdTS: user.PwdTS,
|
||||
RegisteredClaims: jwt.RegisteredClaims{
|
||||
ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Duration(conf.Conf.TokenExpiresIn) * time.Hour)),
|
||||
IssuedAt: jwt.NewNumericDate(time.Now()),
|
||||
|
||||
@ -78,7 +78,7 @@ func loginHash(c *gin.Context, req *LoginReq) {
|
||||
}
|
||||
}
|
||||
// generate token
|
||||
token, err := common.GenerateToken(user.Username)
|
||||
token, err := common.GenerateToken(user)
|
||||
if err != nil {
|
||||
common.ErrorResp(c, err, 400, true)
|
||||
return
|
||||
|
||||
@ -260,7 +260,7 @@ func OIDCLoginCallback(c *gin.Context) {
|
||||
common.ErrorResp(c, err, 400)
|
||||
}
|
||||
}
|
||||
token, err := common.GenerateToken(user.Username)
|
||||
token, err := common.GenerateToken(user)
|
||||
if err != nil {
|
||||
common.ErrorResp(c, err, 400)
|
||||
}
|
||||
@ -426,7 +426,7 @@ func SSOLoginCallback(c *gin.Context) {
|
||||
return
|
||||
}
|
||||
}
|
||||
token, err := common.GenerateToken(user.Username)
|
||||
token, err := common.GenerateToken(user)
|
||||
if err != nil {
|
||||
common.ErrorResp(c, err, 400)
|
||||
}
|
||||
|
||||
@ -94,7 +94,7 @@ func FinishAuthnLogin(c *gin.Context) {
|
||||
return
|
||||
}
|
||||
|
||||
token, err := common.GenerateToken(user.Username)
|
||||
token, err := common.GenerateToken(user)
|
||||
if err != nil {
|
||||
common.ErrorResp(c, err, 400, true)
|
||||
return
|
||||
|
||||
@ -57,6 +57,12 @@ func Auth(c *gin.Context) {
|
||||
c.Abort()
|
||||
return
|
||||
}
|
||||
// validate password timestamp
|
||||
if userClaims.PwdTS != user.PwdTS {
|
||||
common.ErrorStrResp(c, "Password has been changed, login please", 401)
|
||||
c.Abort()
|
||||
return
|
||||
}
|
||||
if user.Disabled {
|
||||
common.ErrorStrResp(c, "Current user is disabled, replace please", 401)
|
||||
c.Abort()
|
||||
@ -105,6 +111,12 @@ func Authn(c *gin.Context) {
|
||||
c.Abort()
|
||||
return
|
||||
}
|
||||
// validate password timestamp
|
||||
if userClaims.PwdTS != user.PwdTS {
|
||||
common.ErrorStrResp(c, "Password has been changed, login please", 401)
|
||||
c.Abort()
|
||||
return
|
||||
}
|
||||
if user.Disabled {
|
||||
common.ErrorStrResp(c, "Current user is disabled, replace please", 401)
|
||||
c.Abort()
|
||||
|
||||
Reference in New Issue
Block a user