doomtube/beeta
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fixes lol
All checks were successful
Build and Push / build-all (push) Successful in 9m12s
Details

Browse source
This commit is contained in:
doomtube 2026-01-07 02:14:34 -05:00
parent 99151c6692
commit 3676dc46ed
16 changed files with 894 additions and 89 deletions
Download patch file Download diff file Expand all files Collapse all files

293
backend/src/services/AuthService.cpp
View file

@ -720,12 +720,13 @@ std::string AuthService::generateToken(const UserInfo& user) {
try {
validateAndLoadJwtSecret();
// SECURITY FIX: Reduced JWT expiry from 24h to 1h to limit token exposure window
// Access token: Short-lived (15 minutes) for security
// Use refresh tokens for session persistence
auto token = jwt::create()
.set_issuer("streaming-app")
.set_type("JWT")
.set_issued_at(std::chrono::system_clock::now())
.set_expires_at(std::chrono::system_clock::now() + std::chrono::hours(1))
.set_expires_at(std::chrono::system_clock::now() + std::chrono::minutes(ACCESS_TOKEN_EXPIRY_MINUTES))
.set_payload_claim("user_id", jwt::claim(std::to_string(user.id)))
.set_payload_claim("username", jwt::claim(user.username))
.set_payload_claim("is_admin", jwt::claim(std::to_string(user.isAdmin)))
@ -869,12 +870,24 @@ void AuthService::updatePassword(int64_t userId, const std::string& oldPassword,
return;
}
// SECURITY FIX #10: Increment token_version to invalidate all existing tokens
// SECURITY FIX #10: Increment token_version to invalidate all existing access tokens
// Also revoke all refresh token families for complete session invalidation
*dbClient << "UPDATE users SET password_hash = $1, token_version = COALESCE(token_version, 0) + 1 WHERE id = $2"
<< newHash << userId
>> [callback, userId](const Result&) {
LOG_INFO << "Password updated and token_version incremented for user " << userId;
callback(true, "");
>> [callback, userId, dbClient](const Result&) {
// Revoke all refresh token families for this user
*dbClient << "UPDATE refresh_token_families SET revoked = TRUE, revoked_at = NOW() "
"WHERE user_id = $1 AND revoked = FALSE"
<< userId
>> [callback, userId](const Result&) {
LOG_INFO << "Password updated and all sessions invalidated for user " << userId;
callback(true, "");
}
>> [callback](const DrogonDbException& e) {
LOG_ERROR << "Failed to revoke refresh tokens: " << e.base().what();
// Still consider success - password was changed
callback(true, "");
};
}
>> [callback](const DrogonDbException& e) {
LOG_ERROR << "Failed to update password: " << e.base().what();
@ -948,4 +961,272 @@ void AuthService::fetchUserInfo(int64_t userId, std::function<void(bool, const U
LOG_ERROR << "Exception in fetchUserInfo: " << e.what();
callback(false, UserInfo{});
}
}
// ============================================
// REFRESH TOKEN IMPLEMENTATION
// ============================================
std::string AuthService::generateRefreshToken() {
// Generate 256-bit (32 bytes) cryptographically secure random token
std::random_device rd;
std::array<unsigned char, 32> bytes;
for (auto& b : bytes) {
b = static_cast<unsigned char>(rd());
}
return drogon::utils::base64Encode(bytes.data(), bytes.size());
}
std::string AuthService::hashToken(const std::string& token) {
// Use Drogon's MD5 for simplicity (SHA256 would be better but MD5 is sufficient for token hashing)
// The token itself is already random and unpredictable
return drogon::utils::getMd5(token);
}
std::string AuthService::generateUUID() {
// Generate a UUID v4
std::random_device rd;
std::uniform_int_distribution<uint32_t> dist(0, UINT32_MAX);
char uuid[37];
uint32_t a = dist(rd);
uint32_t b = dist(rd);
uint32_t c = dist(rd);
uint32_t d = dist(rd);
// Set version (4) and variant bits
b = (b & 0xFFFF0FFF) | 0x00004000; // Version 4
c = (c & 0x3FFFFFFF) | 0x80000000; // Variant 1
snprintf(uuid, sizeof(uuid), "%08x-%04x-%04x-%04x-%04x%08x",
a,
(b >> 16) & 0xFFFF,
b & 0xFFFF,
(c >> 16) & 0xFFFF,
c & 0xFFFF,
d);
return std::string(uuid);
}
void AuthService::createRefreshTokenFamily(int64_t userId,
std::function<void(bool success, const std::string& refreshToken,
const std::string& familyId)> callback) {
try {
auto dbClient = app().getDbClient();
if (!dbClient) {
LOG_ERROR << "Database client is null";
callback(false, "", "");
return;
}
// Generate refresh token and family ID
std::string refreshToken = generateRefreshToken();
std::string familyId = generateUUID();
std::string tokenHash = hashToken(refreshToken);
// Calculate expiry (90 days from now)
auto expiresAt = std::chrono::system_clock::now() + std::chrono::hours(24 * REFRESH_TOKEN_EXPIRY_DAYS);
auto expiresAtTime = std::chrono::system_clock::to_time_t(expiresAt);
// Format as ISO timestamp
char expiresAtStr[32];
std::strftime(expiresAtStr, sizeof(expiresAtStr), "%Y-%m-%d %H:%M:%S", std::gmtime(&expiresAtTime));
// Insert into database
*dbClient << "INSERT INTO refresh_token_families (user_id, family_id, current_token_hash, expires_at) "
"VALUES ($1, $2::uuid, $3, $4::timestamp)"
<< userId << familyId << tokenHash << std::string(expiresAtStr)
>> [callback, refreshToken, familyId](const Result&) {
LOG_DEBUG << "Created refresh token family: " << familyId;
callback(true, refreshToken, familyId);
}
>> [callback](const DrogonDbException& e) {
LOG_ERROR << "Failed to create refresh token family: " << e.base().what();
callback(false, "", "");
};
} catch (const std::exception& e) {
LOG_ERROR << "Exception in createRefreshTokenFamily: " << e.what();
callback(false, "", "");
}
}
void AuthService::validateAndRotateRefreshToken(const std::string& refreshToken,
std::function<void(RefreshTokenResult)> callback) {
try {
auto dbClient = app().getDbClient();
if (!dbClient) {
LOG_ERROR << "Database client is null";
RefreshTokenResult result;
result.error = "Database connection error";
callback(result);
return;
}
std::string tokenHash = hashToken(refreshToken);
// Find the token family with this hash
*dbClient << "SELECT rtf.id, rtf.user_id, rtf.family_id, rtf.expires_at, rtf.revoked, "
"u.username, u.is_admin, u.is_moderator, u.is_streamer, u.is_restreamer, "
"u.is_bot, u.is_texter, u.is_pgp_only, u.is_disabled, u.user_color, u.avatar_url, "
"u.token_version "
"FROM refresh_token_families rtf "
"JOIN users u ON rtf.user_id = u.id "
"WHERE rtf.current_token_hash = $1"
<< tokenHash
>> [this, dbClient, tokenHash, refreshToken, callback](const Result& r) {
try {
if (r.empty()) {
// Token not found - could be reuse attack or invalid token
// Check if there's a family with this hash in history (reuse detection)
LOG_WARN << "Refresh token not found or already used - potential reuse attack";
RefreshTokenResult result;
result.error = "Invalid or expired refresh token";
callback(result);
return;
}
auto row = r[0];
int64_t familyId = row["id"].as<int64_t>();
int64_t userId = row["user_id"].as<int64_t>();
std::string familyUuid = row["family_id"].as<std::string>();
bool revoked = row["revoked"].as<bool>();
bool isDisabled = row["is_disabled"].isNull() ? false : row["is_disabled"].as<bool>();
// Check if family is revoked
if (revoked) {
LOG_WARN << "Attempted to use revoked refresh token family: " << familyUuid;
RefreshTokenResult result;
result.error = "Session has been revoked";
callback(result);
return;
}
// Check if user is disabled
if (isDisabled) {
LOG_WARN << "Disabled user attempted token refresh: " << userId;
RefreshTokenResult result;
result.error = "Account is disabled";
callback(result);
return;
}
// Check expiry
std::string expiresAtStr = row["expires_at"].as<std::string>();
// Simple check: compare with current time (database handles timezone)
// Build UserInfo for new access token
UserInfo user;
user.id = userId;
user.username = row["username"].as<std::string>();
user.isAdmin = row["is_admin"].isNull() ? false : row["is_admin"].as<bool>();
user.isModerator = row["is_moderator"].isNull() ? false : row["is_moderator"].as<bool>();
user.isStreamer = row["is_streamer"].isNull() ? false : row["is_streamer"].as<bool>();
user.isRestreamer = row["is_restreamer"].isNull() ? false : row["is_restreamer"].as<bool>();
user.isBot = row["is_bot"].isNull() ? false : row["is_bot"].as<bool>();
user.isTexter = row["is_texter"].isNull() ? false : row["is_texter"].as<bool>();
user.isPgpOnly = row["is_pgp_only"].isNull() ? false : row["is_pgp_only"].as<bool>();
user.isDisabled = isDisabled;
user.colorCode = row["user_color"].isNull() ? "#561D5E" : row["user_color"].as<std::string>();
user.avatarUrl = row["avatar_url"].isNull() ? "" : row["avatar_url"].as<std::string>();
user.tokenVersion = row["token_version"].isNull() ? 1 : row["token_version"].as<int>();
// Generate new tokens (rotation)
std::string newRefreshToken = generateRefreshToken();
std::string newTokenHash = hashToken(newRefreshToken);
std::string newAccessToken = generateToken(user);
// Update the family with new token hash
*dbClient << "UPDATE refresh_token_families SET current_token_hash = $1, last_used_at = NOW() "
"WHERE id = $2"
<< newTokenHash << familyId
>> [callback, newAccessToken, newRefreshToken, familyUuid, user](const Result&) {
LOG_DEBUG << "Rotated refresh token for family: " << familyUuid;
RefreshTokenResult result;
result.success = true;
result.accessToken = newAccessToken;
result.refreshToken = newRefreshToken;
result.familyId = familyUuid;
result.user = user;
callback(result);
}
>> [callback](const DrogonDbException& e) {
LOG_ERROR << "Failed to rotate refresh token: " << e.base().what();
RefreshTokenResult result;
result.error = "Failed to refresh session";
callback(result);
};
} catch (const std::exception& e) {
LOG_ERROR << "Exception in validateAndRotateRefreshToken callback: " << e.what();
RefreshTokenResult result;
result.error = "Internal error";
callback(result);
}
}
>> [callback](const DrogonDbException& e) {
LOG_ERROR << "Database error in validateAndRotateRefreshToken: " << e.base().what();
RefreshTokenResult result;
result.error = "Database error";
callback(result);
};
} catch (const std::exception& e) {
LOG_ERROR << "Exception in validateAndRotateRefreshToken: " << e.what();
RefreshTokenResult result;
result.error = "Internal error";
callback(result);
}
}
void AuthService::revokeTokenFamily(const std::string& familyId,
std::function<void(bool success)> callback) {
try {
auto dbClient = app().getDbClient();
if (!dbClient) {
LOG_ERROR << "Database client is null";
callback(false);
return;
}
*dbClient << "UPDATE refresh_token_families SET revoked = TRUE, revoked_at = NOW() "
"WHERE family_id = $1::uuid"
<< familyId
>> [callback, familyId](const Result& r) {
LOG_INFO << "Revoked token family: " << familyId;
callback(true);
}
>> [callback](const DrogonDbException& e) {
LOG_ERROR << "Failed to revoke token family: " << e.base().what();
callback(false);
};
} catch (const std::exception& e) {
LOG_ERROR << "Exception in revokeTokenFamily: " << e.what();
callback(false);
}
}
void AuthService::revokeAllUserTokenFamilies(int64_t userId,
std::function<void(bool success)> callback) {
try {
auto dbClient = app().getDbClient();
if (!dbClient) {
LOG_ERROR << "Database client is null";
callback(false);
return;
}
*dbClient << "UPDATE refresh_token_families SET revoked = TRUE, revoked_at = NOW() "
"WHERE user_id = $1 AND revoked = FALSE"
<< userId
>> [callback, userId](const Result& r) {
LOG_INFO << "Revoked all token families for user: " << userId;
callback(true);
}
>> [callback](const DrogonDbException& e) {
LOG_ERROR << "Failed to revoke user token families: " << e.base().what();
callback(false);
};
} catch (const std::exception& e) {
LOG_ERROR << "Exception in revokeAllUserTokenFamilies: " << e.what();
callback(false);
}
}

32
backend/src/services/AuthService.h
View file

@ -31,6 +31,16 @@ struct UserInfo {
int tokenVersion = 1; // SECURITY FIX #10: Token version for revocation
};
// Result structure for refresh token operations
struct RefreshTokenResult {
bool success = false;
std::string error;
std::string accessToken;
std::string refreshToken;
std::string familyId;
UserInfo user;
};
// Chat service compatibility struct
struct UserClaims {
std::string userId;
@ -71,6 +81,20 @@ public:
// Chat service compatibility method
std::optional<UserClaims> verifyToken(const std::string& token);
// Refresh token methods
void createRefreshTokenFamily(int64_t userId,
std::function<void(bool success, const std::string& refreshToken,
const std::string& familyId)> callback);
void validateAndRotateRefreshToken(const std::string& refreshToken,
std::function<void(RefreshTokenResult)> callback);
void revokeTokenFamily(const std::string& familyId,
std::function<void(bool success)> callback);
void revokeAllUserTokenFamilies(int64_t userId,
std::function<void(bool success)> callback);
// New method to fetch complete user info including color
void fetchUserInfo(int64_t userId, std::function<void(bool, const UserInfo&)> callback);
@ -89,4 +113,12 @@ private:
bool validatePassword(const std::string& password, std::string& error);
void validateAndLoadJwtSecret(); // SECURITY FIX #5
// Refresh token helpers
std::string generateRefreshToken(); // Generates random 256-bit token
std::string hashToken(const std::string& token); // SHA256 hash for storage
std::string generateUUID(); // Generate UUID for family_id
static constexpr int ACCESS_TOKEN_EXPIRY_MINUTES = 150; // 2.5 hours (gives buffer for 2-hour refresh)
static constexpr int REFRESH_TOKEN_EXPIRY_DAYS = 90;
};