Skip to content

Commit

Permalink
Add option to logout all previous JWTS
Browse files Browse the repository at this point in the history
This new function call, will expire all jwts created prior to the one in the request
related to descope/etc#8242
+ tests
  • Loading branch information
aviadl committed Nov 13, 2024
1 parent f2d72b8 commit c9d4aad
Show file tree
Hide file tree
Showing 6 changed files with 113 additions and 20 deletions.
8 changes: 8 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -642,6 +642,14 @@ invalidate all user's refresh tokens. After calling this function, you must inva
descopeClient.Auth.LogoutAll(request, w)
```

It is also possible to sign the user out of previous session. Calling `logoutPrevious` will
invalidate all user's refresh tokens that were generated prior to the given session.

```go
// Refresh token will be taken from the request header or cookies automatically
descopeClient.Auth.LogoutPrevious(request)
```

### History

You can get the current session user history.
Expand Down
46 changes: 26 additions & 20 deletions descope/api/client.go
Original file line number Diff line number Diff line change
Expand Up @@ -203,30 +203,32 @@ var (
fgaDeleteRelations: "mgmt/fga/relations/delete",
fgaCheck: "mgmt/fga/check",
},
logout: "auth/logout",
logoutAll: "auth/logoutall",
keys: "/keys/",
refresh: "auth/refresh",
selectTenant: "auth/tenant/select",
me: "auth/me",
meTenants: "auth/me/tenants",
history: "auth/me/history",
logout: "auth/logout",
logoutAll: "auth/logoutall",
logoutPrevious: "auth/logoutprevious",
keys: "/keys/",
refresh: "auth/refresh",
selectTenant: "auth/tenant/select",
me: "auth/me",
meTenants: "auth/me/tenants",
history: "auth/me/history",
}
)

type endpoints struct {
version string
versionV2 string
auth authEndpoints
mgmt mgmtEndpoints
logout string
logoutAll string
keys string
refresh string
selectTenant string
me string
meTenants string
history string
version string
versionV2 string
auth authEndpoints
mgmt mgmtEndpoints
logout string
logoutAll string
logoutPrevious string
keys string
refresh string
selectTenant string
me string
meTenants string
history string
}

type authEndpoints struct {
Expand Down Expand Up @@ -601,6 +603,10 @@ func (e *endpoints) LogoutAll() string {
return path.Join(e.version, e.logoutAll)
}

func (e *endpoints) LogoutPrevious() string {
return path.Join(e.version, e.logoutPrevious)
}

func (e *endpoints) Me() string {
return path.Join(e.version, e.me)
}
Expand Down
31 changes: 31 additions & 0 deletions descope/internal/auth/auth.go
Original file line number Diff line number Diff line change
Expand Up @@ -231,6 +231,37 @@ func (auth *authenticationService) logoutAll(request *http.Request, w http.Respo
return nil
}

func (auth *authenticationService) LogoutPrevious(request *http.Request) error {
return auth.logoutPrevious(request)
}

func (auth *authenticationService) LogoutPreviousWithToken(refreshToken string) error {
request := &http.Request{Header: http.Header{}}
request.AddCookie(&http.Cookie{Name: descope.RefreshCookieName, Value: refreshToken})
return auth.logoutPrevious(request)
}

func (auth *authenticationService) logoutPrevious(request *http.Request) error {
if request == nil {
return utils.NewInvalidArgumentError("request")
}

_, refreshToken := provideTokens(request)
if refreshToken == "" {
logger.LogDebug("Unable to find tokens from cookies")
return descope.ErrRefreshToken.WithMessage("Unable to find tokens from cookies")
}

_, err := auth.validateJWT(refreshToken)
if err != nil {
logger.LogDebug("Invalid refresh token")
return descope.ErrRefreshToken.WithMessage("Invalid refresh token")
}

_, err = auth.client.DoPostRequest(request.Context(), api.Routes.LogoutPrevious(), nil, &api.HTTPRequest{}, refreshToken)
return err
}

func (auth *authenticationService) Me(request *http.Request) (*descope.UserResponse, error) {
if request == nil {
return nil, utils.NewInvalidArgumentError("request")
Expand Down
22 changes: 22 additions & 0 deletions descope/internal/auth/auth_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -762,6 +762,28 @@ func TestLogoutAllWithToken(t *testing.T) {
require.NoError(t, err)
}

func TestLogoutPrevious(t *testing.T) {
a, err := newTestAuth(nil, func(_ *http.Request) (*http.Response, error) {
return &http.Response{StatusCode: http.StatusOK, Body: io.NopCloser(bytes.NewBufferString(mockAuthSessionBody))}, nil
})
require.NoError(t, err)
request := &http.Request{Header: http.Header{}}
request.AddCookie(&http.Cookie{Name: descope.RefreshCookieName, Value: jwtRTokenValid})

err = a.LogoutPrevious(request)
require.NoError(t, err)
}

func TestLogoutPreviousWithToken(t *testing.T) {
a, err := newTestAuth(nil, func(_ *http.Request) (*http.Response, error) {
return &http.Response{StatusCode: http.StatusOK, Body: io.NopCloser(bytes.NewBufferString(mockAuthSessionBody))}, nil
})
require.NoError(t, err)

err = a.LogoutPreviousWithToken(jwtRTokenValid)
require.NoError(t, err)
}

func TestLogoutNoClaims(t *testing.T) {
a, err := newTestAuth(nil, func(_ *http.Request) (*http.Response, error) {
return &http.Response{StatusCode: http.StatusOK}, nil
Expand Down
6 changes: 6 additions & 0 deletions descope/sdk/auth.go
Original file line number Diff line number Diff line change
Expand Up @@ -424,6 +424,12 @@ type Authentication interface {
// Use the ResponseWriter (optional) to apply the cookies to the response automatically.
LogoutAllWithToken(refreshToken string, w http.ResponseWriter) error

// LogoutPrevious - Use to perform logout from all active sessions that were created prior to the given token.
LogoutPrevious(request *http.Request) error

// LogoutPreviousWithToken - Use to perform logout from all active sessions that were created prior to the given token.
LogoutPreviousWithToken(refreshToken string) error

// Me - Use to retrieve current session user details. The request requires a valid refresh token.
// returns the user details or error if the refresh token is not valid.
Me(request *http.Request) (*descope.UserResponse, error)
Expand Down
20 changes: 20 additions & 0 deletions descope/tests/mocks/auth/authenticationmock.go
Original file line number Diff line number Diff line change
Expand Up @@ -692,6 +692,12 @@ type MockSession struct {
LogoutAllWithTokenAssert func(refreshToken string, w http.ResponseWriter)
LogoutAllWithTokenError error

LogoutPreviousAssert func(r *http.Request)
LogoutPreviousError error

LogoutPreviousWithTokenAssert func(refreshToken string)
LogoutPreviousWithTokenError error

MeAssert func(r *http.Request)
MeError error
MeResponse *descope.UserResponse
Expand Down Expand Up @@ -885,6 +891,20 @@ func (m *MockSession) LogoutAllWithToken(refreshToken string, w http.ResponseWri
return m.LogoutAllWithTokenError
}

func (m *MockSession) LogoutPrevious(r *http.Request) error {
if m.LogoutPreviousAssert != nil {
m.LogoutPreviousAssert(r)
}
return m.LogoutPreviousError
}

func (m *MockSession) LogoutPreviousWithToken(refreshToken string) error {
if m.LogoutPreviousWithTokenAssert != nil {
m.LogoutPreviousWithTokenAssert(refreshToken)
}
return m.LogoutPreviousWithTokenError
}

func (m *MockSession) Me(r *http.Request) (*descope.UserResponse, error) {
if m.MeAssert != nil {
m.MeAssert(r)
Expand Down

0 comments on commit c9d4aad

Please sign in to comment.