From 1cf3a9ef0bebf7623f93cee42b72aab31ec12f10 Mon Sep 17 00:00:00 2001
From: Yi-Ting Shih
Date: Fri, 12 Dec 2025 02:09:46 +0800
Subject: [PATCH] Fix: cookie timeout

---
 cmds/genToken.go                 | 37 ++++++++++++++++++++++++++++++++
 cmds/root.go                     |  1 +
 cmds/serve.go                    |  3 +++
 handlers/auth/postLogin.go       | 10 ++++++---
 middlewares/checkAccessToken.go  | 11 ++++++----
 middlewares/checkRefreshToken.go |  3 ++-
 6 files changed, 57 insertions(+), 8 deletions(-)
 create mode 100644 cmds/genToken.go

diff --git a/cmds/genToken.go b/cmds/genToken.go
new file mode 100644
index 0000000..236fd02
--- /dev/null
+++ b/cmds/genToken.go
@@ -0,0 +1,37 @@
+package cmds
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/go-resty/resty/v2"
+	"github.com/spf13/cobra"
+)
+
+type genLoginUrlPayload struct {
+	LoginUrl string `json:"loginUrl"`
+}
+
+type loginPayload struct {
+	Token string `json:"token"`
+}
+
+var genTokenCmd = &cobra.Command{
+	Use: "gen-token",
+	Run: func(cmd *cobra.Command, args []string) {
+		client := resty.New()
+
+		var payload genLoginUrlPayload
+		resp, err := client.R().
+			SetBody(`{"userId": "testuser1"}`).
+			SetAuthToken("poop").
+			SetResult(&payload).
+			Post("http://localhost:8080/auth/gen-login-url")
+
+		if err != nil || resp.StatusCode() != http.StatusOK {
+			panic(err)
+		}
+
+		fmt.Printf("url: %s\n", payload.LoginUrl)
+	},
+}
diff --git a/cmds/root.go b/cmds/root.go
index 6b9aa12..9d097c0 100644
--- a/cmds/root.go
+++ b/cmds/root.go
@@ -21,4 +21,5 @@ func init() {
 	cobra.EnableTraverseRunHooks = true
 
 	RootCmd.AddCommand(serveCmd)
+	RootCmd.AddCommand(genTokenCmd)
 }
diff --git a/cmds/serve.go b/cmds/serve.go
index 46eb525..368d18b 100644
--- a/cmds/serve.go
+++ b/cmds/serve.go
@@ -101,6 +101,7 @@ var serveCmd = &cobra.Command{
 			Use(middlewares.AccessLog).
 			Use(middlewares.CORSHandler)
 
+		backend.OPTIONS("/*any", utils.GetHealthz)
 		backend.GET("/healthz", utils.GetHealthz)
 
 		apiGroup := backend.NewGroup("/api").
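Review bot: `panic(err)` in cmds/genToken.go runs with a nil err whenever the request itself succeeded but the status is not 200, so a rejected gen-login-url call (wrong bearer token, server down-stream error) panics with no usable message — on Go 1.21+ that surfaces as a PanicNilError, on older toolchains just "panic: nil". Splitting the two conditions and putting the status in the message makes the failure readable; the rewrite is below. The bearer token `"poop"`, the user id and the server URL are all literals in the command, so a working credential lives in the source tree and the tool can only target localhost:8080; reading them from flags or the environment, the way serve.go already does for its settings, would fix both. `loginPayload` is declared but never used in this file, and a `Short:` on the command would document what gen-token actually prints (a login URL, not a token).
```go
	Run: func(cmd *cobra.Command, args []string) {
		// … unchanged: client setup and request chain …
		if err != nil {
			panic(fmt.Errorf("gen-login-url request: %w", err))
		}
		if resp.StatusCode() != http.StatusOK {
			panic(fmt.Sprintf("gen-login-url: unexpected status %s", resp.Status()))
		}

		fmt.Printf("url: %s\n", payload.LoginUrl)
	},
```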
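Review bot: `backend.OPTIONS("/*any", utils.GetHealthz)` in cmds/serve.go answers every preflight for every path with the health-check handler, so a browser preflight against a non-existent route gets whatever status and body healthz produces instead of an empty 204, and the only thing limiting what the response grants is `middlewares.CORSHandler`, whose allow-origin policy is not visible in this hunk. A dedicated preflight handler that only writes `http.StatusNoContent` keeps the two concerns apart and avoids running health-check logic on every cross-origin request. If the intent is purely to let the CORS middleware see OPTIONS requests, a one-line comment saying so above the route would stop the next reader from treating healthz as the real responder. serveCmd's Run body starts and ends outside the hunk.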
@@ -136,6 +137,8 @@ var serveCmd = &cobra.Command{
 func init() {
 	serveCmd.Flags().
 		String("port", "8080", "Port to listen on")
+	serveCmd.Flags().
+		Bool("https", false, "Enable https mode")
 	serveCmd.Flags().
 		String("external-url", "http://localhost:8080", "External url for login")
 	serveCmd.Flags().
diff --git a/handlers/auth/postLogin.go b/handlers/auth/postLogin.go
index d1ab486..5434751 100644
--- a/handlers/auth/postLogin.go
+++ b/handlers/auth/postLogin.go
@@ -63,10 +63,14 @@ func (self *Handlers) PostLogin(
 	}
 
 	http.SetCookie(w, &http.Cookie{
-		Name:  "refresh_token",
-		Value: session.RefreshToken,
+		Name:     "refresh_token",
+		Value:    session.RefreshToken,
+		Path:     "/",
+		Secure:   viper.GetBool("https"),
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
 		Expires: time.Now().Add(time.Duration(
-			viper.GetInt64("REFRESH_TOKEN_TIMEOUT")) * time.Second),
+			viper.GetInt64("refresh-token-timeout")) * time.Second),
 	})
 
 	return utils.Success(w)
diff --git a/middlewares/checkAccessToken.go b/middlewares/checkAccessToken.go
index e1e6f15..9813fcf 100644
--- a/middlewares/checkAccessToken.go
+++ b/middlewares/checkAccessToken.go
@@ -3,6 +3,7 @@ package middlewares
 import (
 	"context"
 	"net/http"
+	"time"
 
 	"gitea.konchin.com/go2025/backend/interfaces"
 	"gitea.konchin.com/go2025/backend/models"
@@ -46,10 +47,12 @@ func refreshAccessToken(
 	}
 
 	http.SetCookie(w, &http.Cookie{
-		Name:     "access_token",
-		Value:    ret,
-		Path:     "/",
-		Secure:   false,
+		Name:     "access_token",
+		Value:    ret,
+		Path:     "/",
+		Secure:   viper.GetBool("https"),
+		Expires: time.Now().Add(time.Duration(
+			viper.GetInt64("access-token-timeout")) * time.Second),
 		HttpOnly: true,
 		SameSite: http.SameSiteLaxMode,
 	})
diff --git a/middlewares/checkRefreshToken.go b/middlewares/checkRefreshToken.go
index f8f1449..fa2023e 100644
--- a/middlewares/checkRefreshToken.go
+++ b/middlewares/checkRefreshToken.go
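Review bot: The new `--https` flag in cmds/serve.go defaults to false, and every cookie this commit sets uses `Secure: viper.GetBool("https")`, so session cookies go out without the Secure attribute unless the operator remembers the flag; the `external-url` flag right below already carries the scheme, so deriving the default from it (`strings.HasPrefix(viper.GetString("external-url"), "https://")`) or warning at startup when external-url is https but --https is unset would make the safe setting the default. The hunk also does not show the flag being bound into viper (a `viper.BindPFlags(serveCmd.Flags())` or equivalent), so unless that happens elsewhere in init, `viper.GetBool("https")` reads config/env rather than this flag — worth confirming. The description could say what the flag controls: `Bool("https", false, "Mark session cookies Secure (set when served over HTTPS)")`. init() continues outside the hunk.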
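Review bot: In handlers/auth/postLogin.go, `viper.GetInt64("refresh-token-timeout")` yields 0 when the key is unset or misspelled, which makes `Expires` equal to now and the browser discards the cookie immediately — the same silent failure the old `REFRESH_TOKEN_TIMEOUT` key produced, just under a new name. Validating the timeout once at startup (reject a value <= 0) would turn that into a loud configuration error instead of a login that appears to succeed but never persists. The same cookie literal is now assembled in three places (here, middlewares/checkAccessToken.go, middlewares/checkRefreshToken.go); a small helper such as `sessionCookie(name, value string, exp time.Time) *http.Cookie` that fixes Path, Secure, HttpOnly and SameSite in one spot would keep the attributes from drifting apart again. PostLogin begins outside the hunk.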
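Review bot: In middlewares/checkAccessToken.go the cookie's `Expires` is recomputed from `access-token-timeout` at the moment the cookie is set, whereas the sibling change in checkRefreshToken.go takes the expiry from the token's own `claim.ExpiresAt`; if `ret` is a signed token carrying its own exp (not visible here), the cookie and the token can disagree whenever the configured timeout and the issuer's lifetime differ, so the browser may keep presenting an already-expired token or drop a still-valid one. Using the token's exp for the cookie, as checkRefreshToken.go does, keeps the two aligned; failing that, a `// cookie lifetime must match the exp the issuer encodes in ret` comment beside `Expires` records the coupling. refreshAccessToken begins outside the hunk.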
@@ -62,7 +62,8 @@ func (self *Handlers) CheckRefreshToken(
 		Name:     "refresh_token",
 		Value:    session.RefreshToken,
 		Path:     "/",
-		Secure:   false,
+		Secure:   viper.GetBool("https"),
+		Expires:  claim.ExpiresAt.Time,
 		HttpOnly: true,
 		SameSite: http.SameSiteLaxMode,
 	})
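Review bot: `Expires: claim.ExpiresAt.Time` in middlewares/checkRefreshToken.go dereferences `claim.ExpiresAt`; if `claim` is a jwt-style RegisteredClaims where ExpiresAt is a `*NumericDate`, a token without an exp claim makes this line panic on a nil pointer instead of rejecting the request — the hunk does not show whether an earlier check already requires exp, so worth confirming. A guard before the cookie is built, `if claim.ExpiresAt == nil { /* reject as invalid token */ }`, keeps a malformed token from taking down the handler. The cookie value is `session.RefreshToken` while the deadline comes from the incoming token's claim; if the refresh rotates the token, the new value inherits the old token's expiry — confirm that is intended. CheckRefreshToken begins outside the hunk.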