From 6676cc8ff393169037a9b6a3297007f262425283 Mon Sep 17 00:00:00 2001
From: Ryao <69711608+RyaoChengfeng@users.noreply.github.com>
Date: Thu, 11 Aug 2022 14:32:47 +0800
Subject: [PATCH] fix: add JTI name to JWT token (#989)

* feat: add jti to jwt

* fix

* fix
---
 object/token.go | 27 +++++++++++++++------------
 object/token_jwt.go | 14 +++++++++-----
 2 files changed, 24 insertions(+), 17 deletions(-)

diff --git a/object/token.go b/object/token.go
index 999f10b3..30379a9d 100644
--- a/object/token.go
+++ b/object/token.go
@@ -287,7 +287,7 @@ func GetOAuthCode(userId string, clientId string, responseType string, redirectU
 }
 }

- accessToken, refreshToken, err := generateJwtToken(application, user, nonce, scope, host)
+ accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, nonce, scope, host)
 if err != nil {
 panic(err)
 }
@@ -298,7 +298,7 @@ func GetOAuthCode(userId string, clientId string, responseType string, redirectU

 token := &Token{
 Owner: application.Owner,
- Name: util.GenerateId(),
+ Name: tokenName,
 CreatedTime: util.GetCurrentTime(),
 Application: application.Name,
 Organization: user.Owner,
@@ -420,7 +420,8 @@ func RefreshToken(grantType string, refreshToken string, scope string, clientId
 ErrorDescription: "the user is forbidden to sign in, please contact the administrator",
 }
 }
- newAccessToken, newRefreshToken, err := generateJwtToken(application, user, "", scope, host)
+
+ newAccessToken, newRefreshToken, tokenName, err := generateJwtToken(application, user, "", scope, host)
 if err != nil {
 return &TokenError{
 Error: EndpointError,
@@ -430,7 +431,7 @@ func RefreshToken(grantType string, refreshToken string, scope string, clientId

 newToken := &Token{
 Owner: application.Owner,
- Name: util.GenerateId(),
+ Name: tokenName,
 CreatedTime: util.GetCurrentTime(),
 Application: application.Name,
 Organization: user.Owner,
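Review bot: The Token record's `Name` is now the same value that `generateJwtToken` embeds as the JWT `jti` (formatted as `owner/name` in token_jwt.go), but nothing at the call site records that coupling, so a later edit could reintroduce an independent `util.GenerateId()` here and silently break matching a presented token to its stored row by ID. A one-line comment above the assignment would preserve the intent: `// tokenName doubles as the JWT jti (owner/name); keep it as the record Name so the stored row can be found from a presented token`. The same applies to the corresponding hunks in RefreshToken, GetPasswordToken, GetClientCredentialsToken, GetTokenByUser and GetWechatMiniProgramToken. GetOAuthCode's body starts and ends outside this hunk.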
@@ -569,7 +570,8 @@ func GetPasswordToken(application *Application, username string, password string
 ErrorDescription: "the user is forbidden to sign in, please contact the administrator",
 }
 }
- accessToken, refreshToken, err := generateJwtToken(application, user, "", scope, host)
+
+ accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", scope, host)
 if err != nil {
 return nil, &TokenError{
 Error: EndpointError,
@@ -578,7 +580,7 @@ func GetPasswordToken(application *Application, username string, password string
 }
 token := &Token{
 Owner: application.Owner,
- Name: util.GenerateId(),
+ Name: tokenName,
 CreatedTime: util.GetCurrentTime(),
 Application: application.Name,
 Organization: user.Owner,
@@ -609,7 +611,8 @@ func GetClientCredentialsToken(application *Application, clientSecret string, sc
 Id: application.GetId(),
 Name: fmt.Sprintf("app/%s", application.Name),
 }
- accessToken, _, err := generateJwtToken(application, nullUser, "", scope, host)
+
+ accessToken, _, tokenName, err := generateJwtToken(application, nullUser, "", scope, host)
 if err != nil {
 return nil, &TokenError{
 Error: EndpointError,
@@ -618,7 +621,7 @@ func GetClientCredentialsToken(application *Application, clientSecret string, sc
 }
 token := &Token{
 Owner: application.Owner,
- Name: util.GenerateId(),
+ Name: tokenName,
 CreatedTime: util.GetCurrentTime(),
 Application: application.Name,
 Organization: application.Organization,
@@ -637,13 +640,13 @@ func GetClientCredentialsToken(application *Application, clientSecret string, sc
 // GetTokenByUser
 // Implicit flow
 func GetTokenByUser(application *Application, user *User, scope string, host string) (*Token, error) {
- accessToken, refreshToken, err := generateJwtToken(application, user, "", scope, host)
+ accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", scope, host)
 if err != nil {
 return nil, err
 }
 token := &Token{
 Owner: application.Owner,
- Name: util.GenerateId(),
+ Name: tokenName,
 CreatedTime: util.GetCurrentTime(),
 Application: application.Name,
 Organization: user.Owner,
@@ -723,7 +726,7 @@ func GetWechatMiniProgramToken(application *Application, code string, host strin
 AddUser(user)
 }

- accessToken, refreshToken, err := generateJwtToken(application, user, "", "", host)
+ accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", "", host)
 if err != nil {
 return nil, &TokenError{
 Error: EndpointError,
@@ -733,7 +736,7 @@ func GetWechatMiniProgramToken(application *Application, code string, host strin

 token := &Token{
 Owner: application.Owner,
- Name: util.GenerateId(),
+ Name: tokenName,
 CreatedTime: util.GetCurrentTime(),
 Application: application.Name,
 Organization: user.Owner,
diff --git a/object/token_jwt.go b/object/token_jwt.go
index d566c1ce..5e7ca967 100644
--- a/object/token_jwt.go
+++ b/object/token_jwt.go
@@ -19,6 +19,7 @@ import (
 "time"

 "github.com/casdoor/casdoor/conf"
+ "github.com/casdoor/casdoor/util"
 "github.com/golang-jwt/jwt/v4"
 )

@@ -60,7 +61,7 @@ func getShortClaims(claims Claims) ClaimsShort {
 return res
 }

-func generateJwtToken(application *Application, user *User, nonce string, scope string, host string) (string, string, error) {
+func generateJwtToken(application *Application, user *User, nonce string, scope string, host string) (string, string, string, error) {
 nowTime := time.Now()
 expireTime := nowTime.Add(time.Duration(application.ExpireInHours) * time.Hour)
 refreshExpireTime := nowTime.Add(time.Duration(application.RefreshExpireInHours) * time.Hour)
@@ -72,6 +73,9 @@ func generateJwtToken(application *Application, user *User, nonce string, scope
 originBackend = origin
 }

+ name := util.GenerateId()
+ jti := fmt.Sprintf("%s/%s", application.Owner, name)
+
 claims := Claims{
 User: user,
 Nonce: nonce,
@@ -85,7 +89,7 @@ func generateJwtToken(application *Application, user *User, nonce string, scope
 ExpiresAt: jwt.NewNumericDate(expireTime),
 NotBefore: jwt.NewNumericDate(nowTime),
 IssuedAt: jwt.NewNumericDate(nowTime),
- ID: "",
+ ID: jti,
 },
 }

@@ -110,17 +114,17 @@ func generateJwtToken(application *Application, user *User, nonce string, scope
 // RSA private key
 key, err := jwt.ParseRSAPrivateKeyFromPEM([]byte(cert.PrivateKey))
 if err != nil {
- return "", "", err
+ return "", "", "", err
 }

 token.Header["kid"] = cert.Name
 tokenString, err := token.SignedString(key)
 if err != nil {
- return "", "", err
+ return "", "", "", err
 }
 refreshTokenString, err := refreshToken.SignedString(key)

- return tokenString, refreshTokenString, err
+ return tokenString, refreshTokenString, name, err
 }

 func ParseJwtToken(token string, cert *Cert) (*Claims, error) {
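Review bot: The new `jti` is computed once and placed in the single `claims` value, so if the refresh token is built from that same struct (its construction lies outside this hunk), the access token and the refresh token will carry an identical `jti`; RFC 7519 expects the ID to be unique per token, and any revocation or replay check keyed on `jti` then cannot tell the two apart. Either give the refresh token its own identifier or state the sharing explicitly next to the assignment: `// jti is "owner/name" and equals the stored Token record's Name; the refresh token is built from the same claims and so carries the same jti`. The `name` assignment itself also deserves a why-comment, since it is the only link between the persisted Token row and the signed JWT. generateJwtToken starts and ends outside this hunk.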
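Review bot: The final line `return tokenString, refreshTokenString, name, err` hands back a fully signed access token and the new `name` even when `refreshToken.SignedString` failed, unlike the two error paths just above it that return zero values; a caller that stores the results before inspecting `err` would persist a Token row with an empty refresh token under a real `jti`. Check the error first, `if err != nil { return "", "", "", err }`, and then `return tokenString, refreshTokenString, name, nil`. With four unnamed string results the call sites in token.go also depend on positional order (`accessToken, refreshToken, tokenName, err`); named results such as `(accessToken, refreshToken, name string, err error)` would make the new position self-describing. generateJwtToken starts outside this hunk.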