simplify api, we don't like users who don't use js

danielstaleiny · danielstaleiny · commit cf6f84745c96 · 2020-07-28T19:17:23.000+02:00
diff --git a/db/src/api/login.sql b/db/src/api/login.sql
@@ -1,14 +1,8 @@
--- we have multiple scenarious.
--- base case everything is allowed
--- no cookie allowed in frontend
--- no js allowed in frontend
---
-
 -- BASE CASE
 -- Token should be saved to sessionStorage
 -- Refresh-token should be saved in cookie which only server can setup.
 
-create or replace function login(email text, password text, jwt_cookie boolean DEFAULT false, rt_cookie boolean DEFAULT false, csrf boolean DEFAULT true, csrf_token text DEFAULT null ) returns json as $$
+create or replace function login(email text, password text, cookie boolean DEFAULT false, csrf text DEFAULT null ) returns json as $$
 declare
     usr record;
     ses record;
@@ -23,68 +17,40 @@ begin
         raise invalid_password using detail = 'Invalid email or password', hint = 'Make sure your email and password are correct!';
     else
         head := request.header('host') || '-' ||  request.header('user-agent');
-        if jwt_cookie is true then
-           token := pgjwt.sign(
-                 json_build_object(
-                    'role', usr.role,
-                    'user_id', usr.id,
-                    'exp', extract(epoch from now())::integer + settings.get('jwt_lifetime')::int,
-                    'user-agent', head
-                ),
-                settings.get('jwt_secret')
-            );
-        else
-            token := pgjwt.sign(
-                        json_build_object(
-                             'role', usr.role,
-                             'user_id', usr.id,
-                             'exp', extract(epoch from now())::integer + settings.get('jwt_lifetime')::int
-                        ),
-                        settings.get('jwt_secret')
-                    );
-        end if;
-
-        if csrf_token is not null then
-           delete from data."session" where csrf=csrf_token; -- remove old refresh token for this user with device
+        token := pgjwt.sign(
+                    json_build_object(
+                         'role', usr.role,
+                         'user_id', usr.id,
+                         'exp', extract(epoch from now())::integer + settings.get('jwt_lifetime')::int
+                    ),
+                    settings.get('jwt_secret')
+                );
+
+        if csrf is not null then
+           delete from data."session" where csrf=csrf; -- remove old refresh token for this user with device
         end if;
 
         -- TODO add more info, like IP address, Location to logs, and to session.
         insert into data."session" as s
-        (user_id, device_name, csrf, exp) values (usr.id, head, util.ifnull(csrf, pgjwt.url_encode(convert_to(replace(uuid_generate_v4()::text, '-', ''), 'utf8'))), extract(epoch from now())::integer + settings.get('refresh_token_lifetime')::int)
+        (user_id, device_name, csrf, exp) values (usr.id, head, pgjwt.url_encode(convert_to(replace(uuid_generate_v4()::text, '-', ''), 'utf8')), extract(epoch from now())::integer + settings.get('refresh_token_lifetime')::int)
         returning *
         into ses;
 
-        if jwt_cookie is true then
-           perform response.set_cookie('JWTTOKEN', token, settings.get('jwt_lifetime')::int,'/');
-        end if;
-
-        if rt_cookie is true then
+        if cookie is true then
            perform response.set_cookie('REFRESHTOKEN', ses.id::text, settings.get('refresh_token_lifetime')::int,'/'::text);
         end if;
 
-        if csrf is true then
-                return json_build_object(
-                       'id', usr.id,
-                       'name', usr.name,
-                       'email', usr.email,
-                       'role', usr.role::text,
-                       'token', token::text,
-                       'refresh_token', ses.id::text,
-                       'csrf', ses.csrf::text
-                       );
-        else
-                return json_build_object(
-                       'id', usr.id,
-                       'name', usr.name,
-                       'email', usr.email,
-                       'role', usr.role::text,
-                       'token', token::text,
-                       'refresh_token', ses.id::text
-                       );
-        end if;
-
+        return json_build_object(
+               'id', usr.id,
+               'name', usr.name,
+               'email', usr.email,
+               'role', usr.role::text,
+               'token', token::text,
+               'refresh_token', ses.id::text,
+               'csrf', ses.csrf::text
+               );
     end if;
 end
 $$ volatile security definer language plpgsql;
 -- by default all functions are accessible to the public, we need to remove that and define our specific access rules
-revoke all privileges on function login(text, text, boolean, boolean, boolean, text) from public;
+revoke all privileges on function login(text, text, boolean, text) from public;
diff --git a/db/src/api/logout.sql b/db/src/api/logout.sql
@@ -4,7 +4,6 @@ begin
     if refresh_token is not null then
        delete from data."session" where id=refresh_token::uuid;
     end if;
-    perform response.delete_cookie('JWTTOKEN');
     perform response.delete_cookie('REFRESHTOKEN');
     return json_build_object('ok', true);
 
diff --git a/db/src/api/refresh_token.sql b/db/src/api/refresh_token.sql
@@ -1,4 +1,4 @@
-create or replace function refresh_token(refresh_token text, csrf text default null, jwt_cookie boolean default false ) returns json as $$
+create or replace function refresh_token(refresh_token text, csrf text default null ) returns json as $$
 declare
     usr record;
     ses record;
@@ -28,30 +28,17 @@ begin
         where id = ses.id;
 
 
-        if jwt_cookie is true then
-           head := request.header('host') || '-' ||  request.header('user-agent');
-           token := pgjwt.sign(
-                 json_build_object(
-                    'role', usr.role,
-                    'user_id', usr.id,
-                    'exp', extract(epoch from now())::integer + settings.get('jwt_lifetime')::int,
-                    'user-agent', head
-                ),
-                settings.get('jwt_secret')
-            );
-        else
-            token := pgjwt.sign(
-                        json_build_object(
-                             'role', usr.role,
-                             'user_id', usr.id,
-                             'exp', extract(epoch from now())::integer + settings.get('jwt_lifetime')::int
-                        ),
-                        settings.get('jwt_secret')
-                    );
-        end if;
+        token := pgjwt.sign(
+                    json_build_object(
+                         'role', usr.role,
+                         'user_id', usr.id,
+                         'exp', extract(epoch from now())::integer + settings.get('jwt_lifetime')::int
+                    ),
+                    settings.get('jwt_secret')
+                );
         return json_build_object('token', token);
     end if;
 end
 $$ volatile security definer language plpgsql;
 -- by default all functions are accessible to the public, we need to remove that and define our specific access rules
-revoke all privileges on function refresh_token(text, text, boolean) from public;
+revoke all privileges on function refresh_token(text, text) from public;
diff --git a/db/src/api/register.sql b/db/src/api/register.sql
@@ -1,4 +1,4 @@
-create or replace function register(name text, email text, password text,jwt_cookie boolean DEFAULT false, rt_cookie boolean DEFAULT false, csrf boolean DEFAULT true) returns json as $$
+create or replace function register(name text, email text, password text,cookie boolean DEFAULT false) returns json as $$
 declare
     usr record;
 begin
@@ -7,8 +7,8 @@ begin
     returning *
     into usr;
 
-    return login(usr.email, password, jwt_cookie, rt_cookie, csrf);
+    return login(usr.email, password, cookie);
 end
 $$ security definer language plpgsql;
 
-revoke all privileges on function register(text, text, text, boolean, boolean, boolean) from public;
+revoke all privileges on function register(text, text, text, boolean) from public;
diff --git a/db/src/authorization/firewall.sql b/db/src/authorization/firewall.sql
diff --git a/db/src/authorization/privileges.sql b/db/src/authorization/privileges.sql
@@ -8,13 +8,13 @@
 grant usage on schema api to anonymous, webuser;
 
 -- set privileges to all the auth flow functions
-grant execute on function api.login(text,text,boolean,boolean,boolean,text) to anonymous;
-grant execute on function api.login(text,text,boolean,boolean,boolean,text) to webuser;
-grant execute on function api.register(text,text,text,boolean,boolean,boolean) to anonymous;
+grant execute on function api.login(text,text,boolean,text) to anonymous;
+grant execute on function api.login(text,text,boolean,text) to webuser;
+grant execute on function api.register(text,text,text,boolean) to anonymous;
 grant execute on function api.logout(text) to webuser;
 grant execute on function api.me() to webuser;
-grant execute on function api.refresh_token(text,text,boolean) to anonymous;
-grant execute on function api.refresh_token(text,text,boolean) to webuser;
+grant execute on function api.refresh_token(text,text) to anonymous;
+grant execute on function api.refresh_token(text,text) to webuser;
 
 -- define the who can access todo model data
 -- enable RLS on the table holding the data
diff --git a/db/src/init.sql b/db/src/init.sql
@@ -56,7 +56,6 @@ select settings.set('refresh_token_lifetime', '2592000'); -- 30 days
 \echo # Loading roles and privilege settings
 \ir authorization/roles.sql
 \ir authorization/privileges.sql
-\ir authorization/firewall.sql
 
 \echo # Loading sample data
 \ir sample_data/data.sql
diff --git a/lib/shortcodes/test.js b/lib/shortcodes/test.js
diff --git a/openresty/nginx/rest.conf b/openresty/nginx/rest.conf
@@ -14,10 +14,6 @@ location /api/rpc/refresh_token {
 location /api {
     include cors.conf;
 
-    if ($cookie_JWTTOKEN != ""){
-        more_set_input_headers 'Authorization: Bearer $cookie_JWTTOKEN';
-    }
-
     # rewrite for the main internal location
     rewrite ^/api/(.*)$ /internal/api/$1;
 }
diff --git a/rest.conf b/rest.conf
@@ -3,4 +3,3 @@ db-schema="api"
 db-anon-role="anonymous"
 db-pool=10
 jwt-secret="reallyreallyreallyreallyverysafe"
-pre-request = "firewall"
diff --git a/scripts/reset-db-now.js b/scripts/reset-db-now.js
@@ -1,2 +1,2 @@
-const reset = require('../util/reset-db')
+const reset = require('../util/reset-db.js')
 reset()
diff --git a/todo.org b/todo.org
@@ -81,23 +81,17 @@ JWT
 if js
  - use session storage, check tab count for not reseting refresh_token \\ maybe in memory is better, because sessionStorage can be accessed ??
  - each tab has its own jwt token, no problem
-if not js
-    if no js is allowed use cookie and check headers and origin / device, it would be nice to add it to JWT and check it with lua for security.
 
 REFRESH TOKEN
 if js
   use cookie but make sure it can be written by server only,
   send CSRF token which will be stored in localstorage
 if not cookie
   use sessionstorage
-if not js
-  cookie
-  CSRF is not possible to send with static site :(, simply check for device headers, origins etc. maybe even IP
 
 
 
 
 * TODO
 ** Front-end -> login flow for web.
-** Front-end -> login flow for web without js.
 ** Create script/file to generate tailwind cheatsheet in plain text so it is easily searchable as cheatsheet.

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		`-const reset = require('../util/reset-db')`
	`1`	`+const reset = require('../util/reset-db.js')`
`2`	`2`	`reset()`