fix(storage): don't check exp against time using sql (#2676)

This is already checked by JWT validation. There is no need and it's leading to timezone issues.

Fixes #2672
This commit is contained in:
James Elliott 2021-12-04 15:34:20 +11:00 committed by GitHub
parent 09fbffa3ac
commit 5a223b5a56
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 27 additions and 15 deletions

View File

@ -51,6 +51,8 @@ func (ip *IP) Scan(src interface{}) (err error) {
switch v := src.(type) {
case string:
value = v
case []byte:
value = string(v)
default:
return fmt.Errorf("invalid type %T for IP %v", src, src)
}
@ -86,6 +88,8 @@ func (ip *NullIP) Scan(src interface{}) (err error) {
switch v := src.(type) {
case string:
value = v
case []byte:
value = string(v)
default:
return fmt.Errorf("invalid type %T for NullIP %v", src, src)
}

View File

@ -33,9 +33,9 @@ func NewSQLProvider(config *schema.Configuration, name, driverName, dataSourceNa
sqlInsertAuthenticationAttempt: fmt.Sprintf(queryFmtInsertAuthenticationLogEntry, tableAuthenticationLogs),
sqlSelectAuthenticationAttemptsByUsername: fmt.Sprintf(queryFmtSelect1FAAuthenticationLogEntryByUsername, tableAuthenticationLogs),
sqlInsertIdentityVerification: fmt.Sprintf(queryFmtInsertIdentityVerification, tableIdentityVerification),
sqlConsumeIdentityVerification: fmt.Sprintf(queryFmtConsumeIdentityVerification, tableIdentityVerification),
sqlSelectExistsIdentityVerification: fmt.Sprintf(queryFmtSelectExistsIdentityVerification, tableIdentityVerification),
sqlInsertIdentityVerification: fmt.Sprintf(queryFmtInsertIdentityVerification, tableIdentityVerification),
sqlConsumeIdentityVerification: fmt.Sprintf(queryFmtConsumeIdentityVerification, tableIdentityVerification),
sqlSelectIdentityVerification: fmt.Sprintf(queryFmtSelectIdentityVerification, tableIdentityVerification),
sqlUpsertTOTPConfig: fmt.Sprintf(queryFmtUpsertTOTPConfiguration, tableTOTPConfigurations),
sqlDeleteTOTPConfig: fmt.Sprintf(queryFmtDeleteTOTPConfiguration, tableTOTPConfigurations),
@ -90,9 +90,9 @@ type SQLProvider struct {
sqlSelectAuthenticationAttemptsByUsername string
// Table: identity_verification.
sqlInsertIdentityVerification string
sqlConsumeIdentityVerification string
sqlSelectExistsIdentityVerification string
sqlInsertIdentityVerification string
sqlConsumeIdentityVerification string
sqlSelectIdentityVerification string
// Table: totp_configurations.
sqlUpsertTOTPConfig string
@ -245,11 +245,21 @@ func (p *SQLProvider) ConsumeIdentityVerification(ctx context.Context, jti strin
// FindIdentityVerification checks if an identity verification record is in the database and active.
func (p *SQLProvider) FindIdentityVerification(ctx context.Context, jti string) (found bool, err error) {
if err = p.db.GetContext(ctx, &found, p.sqlSelectExistsIdentityVerification, jti); err != nil {
verification := models.IdentityVerification{}
if err = p.db.GetContext(ctx, &verification, p.sqlSelectIdentityVerification, jti); err != nil {
if errors.Is(err, sql.ErrNoRows) {
return false, nil
}
return false, fmt.Errorf("error selecting identity verification exists: %w", err)
}
return found, nil
switch {
case verification.Consumed != nil, verification.ExpiresAt.Before(time.Now()):
return false, nil
default:
return true, nil
}
}
// SaveTOTPConfiguration save a TOTP configuration of a given user in the database.

View File

@ -36,7 +36,7 @@ func NewPostgreSQLProvider(config *schema.Configuration) (provider *PostgreSQLPr
provider.sqlFmtRenameTable = provider.db.Rebind(provider.sqlFmtRenameTable)
provider.sqlSelectPreferred2FAMethod = provider.db.Rebind(provider.sqlSelectPreferred2FAMethod)
provider.sqlSelectUserInfo = provider.db.Rebind(provider.sqlSelectUserInfo)
provider.sqlSelectExistsIdentityVerification = provider.db.Rebind(provider.sqlSelectExistsIdentityVerification)
provider.sqlSelectIdentityVerification = provider.db.Rebind(provider.sqlSelectIdentityVerification)
provider.sqlInsertIdentityVerification = provider.db.Rebind(provider.sqlInsertIdentityVerification)
provider.sqlConsumeIdentityVerification = provider.db.Rebind(provider.sqlConsumeIdentityVerification)
provider.sqlSelectTOTPConfig = provider.db.Rebind(provider.sqlSelectTOTPConfig)

View File

@ -56,12 +56,10 @@ const (
)
const (
queryFmtSelectExistsIdentityVerification = `
SELECT EXISTS (
SELECT id
FROM %s
WHERE jti = ? AND exp > CURRENT_TIMESTAMP AND consumed IS NULL
);`
queryFmtSelectIdentityVerification = `
SELECT id, jti, iat, issued_ip, exp, username, action, consumed, consumed_ip
FROM %s
WHERE jti = ?;`
queryFmtInsertIdentityVerification = `
INSERT INTO %s (jti, iat, issued_ip, exp, username, action)