From 6b22b22d090a07f7292f8e35ae4b4a93f16832b5 Mon Sep 17 00:00:00 2001
From: Sumanth Chinthagunta
Date: Sat, 30 Nov 2024 19:31:56 -0800
Subject: [PATCH 1/7] fix: allow custom claims to overwrite the default claims

---
 go/controller/jwt.go | 8 ++++----
 go/controller/jwt_test.go | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/go/controller/jwt.go b/go/controller/jwt.go
index 0acf1c7bd..3aa0aee94 100644
--- a/go/controller/jwt.go
+++ b/go/controller/jwt.go
@@ -226,10 +226,10 @@ func (j *JWTGetter) GetToken(
 }
 k = strings.ToLower("x-hasura-" + k)
- if _, ok := c[k]; ok {
- // we do not allow custom claims to overwrite the default claims
- continue
- }
+ //if _, ok := c[k]; ok {
+ // // we do not allow custom claims to overwrite the default claims
+ // continue
+ //}
 c[k] = value
 }
diff --git a/go/controller/jwt_test.go b/go/controller/jwt_test.go
index a7ffe9587..82088edf4 100644
--- a/go/controller/jwt_test.go
+++ b/go/controller/jwt_test.go
@@ -179,7 +179,7 @@ func TestGetJWTFunc(t *testing.T) {
 },
 "x-hasura-default-role": "user",
 "x-hasura-float": "123.456",
- "x-hasura-user-id": "585e21fc-3664-4d03-8539-69945342a4f4",
+ "x-hasura-user-id": "custom-claims-that-shadow-default-claims-are-ignored",
 "x-hasura-user-is-anonymous": "false",
 "x-hasura-custom-claim": "custom-claim-value",
 "x-hasura-custom-claim-2": "custom-claim-value-2",

From df70e92d14ffdfd4455350cb482d1bffe7a35a79 Mon Sep 17 00:00:00 2001
From: Sumanth Chinthagunta
Date: Thu, 5 Dec 2024 09:36:02 -0800
Subject: [PATCH 2/7] fix: make NewSession behave same way as UpdateSession and add DefaultRole to allowedRoles if missing in it

---
 go/controller/workflows.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/go/controller/workflows.go b/go/controller/workflows.go
index cab9ee43b..d818934a1 100644
--- a/go/controller/workflows.go
+++ b/go/controller/workflows.go
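Review bot: Commenting out the `if _, ok := c[k]; ok { continue }` guard lets a custom claim replace any claim already present in `c`, and the companion jwt_test.go hunk in this patch pins that `x-hasura-user-id` now ends up as the custom value instead of the user's ID, so the token's identity claim becomes overridable by whatever feeds the custom-claims map. PATCH 3/7 reverts both hunks byte for byte, so patches 1 and 3 cancel out and should be dropped from the series rather than carried as history. If some claim genuinely needs to be overridable later, do it with an explicit allow-list of overridable keys instead of disabling the guard, and delete dead code rather than leaving it commented out. GetToken's body begins and continues outside the hunk.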
@@ -485,6 +485,10 @@ func (wf *Workflows) NewSession(
 return nil, fmt.Errorf("error updating user last seen: %w", err)
 }
+ if !slices.Contains(allowedRoles, user.DefaultRole) {
+ allowedRoles = append(allowedRoles, user.DefaultRole)
+ }
+
 accessToken, expiresIn, err := wf.jwtGetter.GetToken(
 ctx, user.ID, user.IsAnonymous, allowedRoles, user.DefaultRole, logger,
 )

From a077ab8d2a6db5a56c1e722ac5f086dd08d69d42 Mon Sep 17 00:00:00 2001
From: Sumanth Chinthagunta
Date: Thu, 5 Dec 2024 11:30:26 -0800
Subject: [PATCH 3/7] fix: rollback jwt.go changes

---
 go/controller/jwt.go | 8 ++++----
 go/controller/jwt_test.go | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/go/controller/jwt.go b/go/controller/jwt.go
index 3aa0aee94..0acf1c7bd 100644
--- a/go/controller/jwt.go
+++ b/go/controller/jwt.go
@@ -226,10 +226,10 @@ func (j *JWTGetter) GetToken(
 }
 k = strings.ToLower("x-hasura-" + k)
- //if _, ok := c[k]; ok {
- // // we do not allow custom claims to overwrite the default claims
- // continue
- //}
+ if _, ok := c[k]; ok {
+ // we do not allow custom claims to overwrite the default claims
+ continue
+ }
 c[k] = value
 }
diff --git a/go/controller/jwt_test.go b/go/controller/jwt_test.go
index 82088edf4..a7ffe9587 100644
--- a/go/controller/jwt_test.go
+++ b/go/controller/jwt_test.go
@@ -179,7 +179,7 @@ func TestGetJWTFunc(t *testing.T) {
 },
 "x-hasura-default-role": "user",
 "x-hasura-float": "123.456",
- "x-hasura-user-id": "custom-claims-that-shadow-default-claims-are-ignored",
+ "x-hasura-user-id": "585e21fc-3664-4d03-8539-69945342a4f4",
 "x-hasura-user-is-anonymous": "false",
 "x-hasura-custom-claim": "custom-claim-value",
 "x-hasura-custom-claim-2": "custom-claim-value-2",

From 08a14c3b43a33bcf156ba598b99e49f8137d318d Mon Sep 17 00:00:00 2001
From: Sumanth Chinthagunta
Date: Fri, 6 Dec 2024 14:34:02 -0800
Subject: [PATCH 4/7] fix: fix makezero lint error

---
 go/controller/workflows.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
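Review bot: Appending `user.DefaultRole` when it is absent from `allowedRoles` silently widens the role list handed to `wf.jwtGetter.GetToken` beyond what the user's stored roles contain, and nothing in the hunk records that this happened. Since `logger` is already in scope on the `GetToken` call and `slog` is imported in this file, log the discrepancy, e.g. `logger.Warn("default role missing from user roles, adding it to allowed roles", slog.String("role", user.DefaultRole))`, so an account whose role rows are out of sync with its default role shows up in the logs instead of being quietly granted the role in the token. The same fallback is moved earlier in the function by PATCH 5/7, so the note applies there as well. The diffstat shows no import hunk, so this presumably relies on `slices` already being imported in workflows.go. NewSession's body starts outside the hunk.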
diff --git a/go/controller/workflows.go b/go/controller/workflows.go
index d818934a1..350f9ec60 100644
--- a/go/controller/workflows.go
+++ b/go/controller/workflows.go
@@ -408,7 +408,7 @@ func (wf *Workflows) UpdateSession( //nolint:funlen
 return nil, ErrInternalServerError
 }
- allowedRoles := make([]string, 0, len(userRoles))
+ allowedRoles := make([]string, len(userRoles))
 for _, role := range userRoles {
 if role.Role.Valid {
 allowedRoles = append(allowedRoles, role.Role.String)

From 0c2c7765878e4450d147ff7f5040174d708a8e7a Mon Sep 17 00:00:00 2001
From: Sumanth Chinthagunta
Date: Sat, 7 Dec 2024 12:19:55 -0800
Subject: [PATCH 5/7] fix: fix makezero lint error

---
 go/controller/workflows.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/go/controller/workflows.go b/go/controller/workflows.go
index 350f9ec60..a8cbcbf81 100644
--- a/go/controller/workflows.go
+++ b/go/controller/workflows.go
@@ -408,7 +408,7 @@ func (wf *Workflows) UpdateSession( //nolint:funlen
 return nil, ErrInternalServerError
 }
- allowedRoles := make([]string, len(userRoles))
+ allowedRoles := make([]string, 0, len(userRoles))
 for _, role := range userRoles {
 if role.Role.Valid {
 allowedRoles = append(allowedRoles, role.Role.String)
@@ -467,11 +467,15 @@ func (wf *Workflows) NewSession(
 if err != nil {
 return nil, fmt.Errorf("error getting roles by user id: %w", err)
 }
- allowedRoles := make([]string, len(userRoles))
+ allowedRoles := make([]string, 0, len(userRoles))
 for i, role := range userRoles {
 allowedRoles[i] = role.Role
 }
+ if !slices.Contains(allowedRoles, user.DefaultRole) {
+ allowedRoles = append(allowedRoles, user.DefaultRole)
+ }
+
 refreshToken := uuid.New()
 expiresAt := time.Now().Add(time.Duration(wf.config.RefreshTokenExpiresIn) * time.Second)
 refreshTokenID, apiErr := wf.InsertRefreshtoken(
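Review bot: `allowedRoles := make([]string, len(userRoles))` followed by the `append` in the loop below leaves `len(userRoles)` empty-string entries at the front of `allowedRoles`, so every session built through UpdateSession would carry an empty role alongside the real ones; the makezero lint is satisfied but the behaviour is wrong. The lint wants either zero length with capacity (the original `make([]string, 0, len(userRoles))`) or index assignment, not a non-zero length combined with `append`. PATCH 5/7 restores the original line, so this patch and that hunk cancel out and should be squashed away. UpdateSession's body extends beyond the hunk.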
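Review bot: In the NewSession hunk of PATCH 5/7, changing the allocation to `make([]string, 0, len(userRoles))` while the loop still does `allowedRoles[i] = role.Role` indexes past a zero-length slice and panics with an index out of range for the first user that has any role; the allocation and the loop have to change together. PATCH 6/7 then does exactly that with `allowedRoles = append(allowedRoles, role.Role)`, so 4/7 through 6/7 should be squashed into one change so that no intermediate commit in the series panics in NewSession. NewSession's body starts and ends outside the hunk.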
@@ -485,10 +489,6 @@ func (wf *Workflows) NewSession(
 return nil, fmt.Errorf("error updating user last seen: %w", err)
 }
- if !slices.Contains(allowedRoles, user.DefaultRole) {
- allowedRoles = append(allowedRoles, user.DefaultRole)
- }
-
 accessToken, expiresIn, err := wf.jwtGetter.GetToken(
 ctx, user.ID, user.IsAnonymous, allowedRoles, user.DefaultRole, logger,
 )

From bdbbc41c2df483443ff067b3275091178bef0071 Mon Sep 17 00:00:00 2001
From: Sumanth Chinthagunta
Date: Sat, 7 Dec 2024 13:30:08 -0800
Subject: [PATCH 6/7] fix: fix makezero lint error

---
 go/controller/workflows.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/go/controller/workflows.go b/go/controller/workflows.go
index a8cbcbf81..a45870006 100644
--- a/go/controller/workflows.go
+++ b/go/controller/workflows.go
@@ -468,8 +468,8 @@ func (wf *Workflows) NewSession(
 return nil, fmt.Errorf("error getting roles by user id: %w", err)
 }
 allowedRoles := make([]string, 0, len(userRoles))
- for i, role := range userRoles {
- allowedRoles[i] = role.Role
+ for _, role := range userRoles {
+ allowedRoles = append(allowedRoles, role.Role)
 }
 if !slices.Contains(allowedRoles, user.DefaultRole) {

From 6622f86944bb007c85172d7ebd47df723b541dac Mon Sep 17 00:00:00 2001
From: Sumanth Chinthagunta
Date: Mon, 9 Dec 2024 07:22:11 -0800
Subject: [PATCH 7/7] fix: added nolint:funlen comment

---
 go/controller/workflows.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/go/controller/workflows.go b/go/controller/workflows.go
index a45870006..e7f33e4e3 100644
--- a/go/controller/workflows.go
+++ b/go/controller/workflows.go
@@ -458,7 +458,7 @@ func (wf *Workflows) UpdateSession( //nolint:funlen
 }, nil
 }
-func (wf *Workflows) NewSession(
+func (wf *Workflows) NewSession( //nolint:funlen
 ctx context.Context,
 user sql.AuthUser,
 logger *slog.Logger,
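Review bot: Adding `//nolint:funlen` to NewSession in PATCH 7/7 suppresses the symptom of the series rather than addressing it: the role handling that grew the function (the roles loop plus the `slices.Contains(allowedRoles, user.DefaultRole)` fallback) is the part that, per the PATCH 2/7 subject, is meant to behave the same way as UpdateSession, and both functions now carry their own copy of it. Extracting that into one small helper taking the already-extracted role strings and the default role, and calling it from both paths, would keep the two session flows from drifting and would likely bring NewSession back under the funlen limit without the suppression; the two loops read differently typed rows (`role.Role.Valid`/`role.Role.String` in UpdateSession, `role.Role` in NewSession), so the helper would sit after that extraction. Only the signature line is in this hunk; NewSession's body lies outside it.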