From d129202b952649f3581bdc04c666a9a85f32b3e2 Mon Sep 17 00:00:00 2001
From: Steve0x2a
Date: Fri, 28 Jan 2022 15:07:42 +0800
Subject: [PATCH] fix: no database check when using accessToken (#461)
Signed-off-by: 0x2a
---
 object/token.go | 10 +++++++++
 routers/auto_signin_filter.go | 40 ++++++++++++-----------------------
 util/time.go | 7 ++++++
 3 files changed, 31 insertions(+), 26 deletions(-)
diff --git a/object/token.go b/object/token.go
index bd1bfed4..19a87f54 100644
--- a/object/token.go
+++ b/object/token.go
@@ -156,6 +156,16 @@ func DeleteToken(token *Token) bool {
 return affected != 0
 }
+func GetTokenByAccessToken(accessToken string) *Token {
+ //Check if the accessToken is in the database
+ token := Token{}
+ existed, err := adapter.Engine.Where("access_token=?", accessToken).Get(&token)
+ if err != nil || !existed {
+ return nil
+ }
+ return &token
+}
+
 func CheckOAuthLogin(clientId string, responseType string, redirectUri string, scope string, state string) (string, *Application) {
 if responseType != "code" {
 return "response_type should be \"code\"", nil
diff --git a/routers/auto_signin_filter.go b/routers/auto_signin_filter.go
index de33774b..3a580ef5 100644
--- a/routers/auto_signin_filter.go
+++ b/routers/auto_signin_filter.go
@@ -16,7 +16,6 @@ package routers
 import (
 "fmt"
- "time"
 "github.com/astaxie/beego/context"
 "github.com/casdoor/casdoor/object"
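Review bot: In `GetTokenByAccessToken` a database error and a missing row both collapse to `nil`, so the caller in routers/auto_signin_filter.go reports a backend failure as "non-existent accessToken"; failing closed is right for an authentication lookup, but the `err != nil` case should be logged with whatever this package already uses before returning, so an outage is not misdiagnosed as clients sending bad tokens. The function is exported and has no doc comment; I would replace `//Check if the accessToken is in the database` with `// GetTokenByAccessToken returns the stored token whose access_token column equals accessToken, or nil when no row matches or the lookup fails.` (gofmt style, space after `//`). The whole function is inside the hunk.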
@@ -28,22 +27,26 @@ func AutoSigninFilter(ctx *context.Context) {
 // return
 //}
- // "/page?access_token=123"
+ // "/page?access_token=123" or HTTP Bearer token
+ // Authorization: Bearer bearerToken
 accessToken := ctx.Input.Query("accessToken")
+ if accessToken == "" {
+ accessToken = parseBearerToken(ctx)
+ }
 if accessToken != "" {
- cert := object.GetDefaultCert()
- claims, err := object.ParseJwtToken(accessToken, cert)
- if err != nil {
- responseError(ctx, "invalid JWT token")
+ token := object.GetTokenByAccessToken(accessToken)
+ if token == nil {
+ responseError(ctx, "non-existent accessToken")
 return
 }
- if time.Now().Unix() > claims.ExpiresAt.Unix() {
- responseError(ctx, "expired JWT token")
+ if !util.CheckTokenExpireTime(token.CreatedTime, token.ExpiresIn) {
+ responseError(ctx, "expired accessToken")
+ return
 }
-
- userId := fmt.Sprintf("%s/%s", claims.User.Owner, claims.User.Name)
+ userId := fmt.Sprintf("%s/%s", token.Organization, token.User)
+ application, _ := object.GetApplicationByUserId(fmt.Sprintf("app/%s", token.Application))
 setSessionUser(ctx, userId)
- setSessionOidc(ctx, claims.Scope, claims.Audience[0])
+ setSessionOidc(ctx, token.Scope, application.ClientId)
 return
 }
@@ -69,19 +72,4 @@ func AutoSigninFilter(ctx *context.Context) {
 return
 }
- // HTTP Bearer token
- // Authorization: Bearer bearerToken
- bearerToken := parseBearerToken(ctx)
- if bearerToken != "" {
- cert := object.GetDefaultCert()
- claims, err := object.ParseJwtToken(bearerToken, cert)
- if err != nil {
- responseError(ctx, err.Error())
- return
- }
-
- setSessionUser(ctx, fmt.Sprintf("%s/%s", claims.Owner, claims.Name))
- setSessionExpire(ctx, claims.ExpiresAt.Unix())
- setSessionOidc(ctx, claims.Scope, claims.Audience[0])
- }
 }
diff --git a/util/time.go b/util/time.go
index d489497b..d1a3ca87 100644
--- a/util/time.go
+++ b/util/time.go
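Review bot: `application, _ := object.GetApplicationByUserId(...)` discards the lookup's second return value and `setSessionOidc(ctx, token.Scope, application.ClientId)` dereferences the result, so a token whose application no longer exists, or a failing lookup, panics inside the filter instead of rejecting the request; guard it before `setSessionUser` runs. Separately, the bearer branch removed in the next hunk called `setSessionExpire(ctx, claims.ExpiresAt.Unix())` and the unified path added here never bounds the session, so — if that call is what limited session lifetime, which is not visible in this diff — a session opened with an access token now outlives the token; consider calling `setSessionExpire` with the instant derived from `token.CreatedTime` and `token.ExpiresIn`. Whether the discarded second value is an error or a bool is not visible either, so the guard below relies only on the nil pointer. `AutoSigninFilter` starts before this hunk and ends in the following one.
```go
		application, _ := object.GetApplicationByUserId(fmt.Sprintf("app/%s", token.Application))
		if application == nil {
			responseError(ctx, "application of accessToken not found")
			return
		}
		setSessionUser(ctx, userId)
		// … unchanged: setSessionOidc and return …
```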
@@ -28,3 +28,10 @@ func GetCurrentTime() string {
 func GetCurrentUnixTime() string {
 return strconv.FormatInt(time.Now().UnixNano(), 10)
 }
+
+func CheckTokenExpireTime(createdTime string, expireIn int) bool {
+ create, _ := time.Parse(time.RFC3339, createdTime)
+ expireAt := create.Add(time.Duration(expireIn) * time.Minute)
+
+ return time.Now().Before(expireAt)
+}
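Review bot: `CheckTokenExpireTime` discards the `time.Parse` error, so a `createdTime` that is not RFC 3339 yields the zero time and the function reports the token as expired; that is fail-closed, which is acceptable for an authentication check, but it is invisible to the caller and should be stated in a doc comment, which this exported function currently lacks. I would add `// CheckTokenExpireTime reports whether a token created at createdTime (RFC 3339) and valid for expireIn minutes has not yet expired; an unparsable createdTime counts as expired.` The minute unit for `expireIn` is what this code assumes; whether the `ExpiresIn` value passed from routers/auto_signin_filter.go is actually stored in minutes is not visible here and should be confirmed against the token's issuing code. The whole function is inside the hunk.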