fix(bouncer): add support for JWT revocation BE-11179 (#12165)

2025-07-25 00:09:40 +02:00 · 2024-08-30 20:24:14 -03:00 · 2024-08-30 20:24:14 -03:00 · 6cc95e11ae
commit 6cc95e11ae
parent 9133cbf544
7 changed files with 176 additions and 12 deletions
--- a/api/jwt/jwt.go
+++ b/api/jwt/jwt.go
@ -103,7 +103,7 @@ func (service *Service) GenerateToken(data *portainer.TokenData) (string, time.T
 }

 // ParseAndVerifyToken parses a JWT token and verify its validity. It returns an error if token is invalid.
-func (service *Service) ParseAndVerifyToken(token string) (*portainer.TokenData, error) {
+func (service *Service) ParseAndVerifyToken(token string) (*portainer.TokenData, string, time.Time, error) {
 	scope := parseScope(token)
 	secret := service.secrets[scope]
 	parsedToken, err := jwt.ParseWithClaims(token, &claims{}, func(token *jwt.Token) (interface{}, error) {
@ -119,10 +119,10 @@ func (service *Service) ParseAndVerifyToken(token string) (*portainer.TokenData,

 			user, err := service.dataStore.User().Read(portainer.UserID(cl.UserID))
 			if err != nil {
-				return nil, errInvalidJWTToken
+				return nil, "", time.Time{}, errInvalidJWTToken
 			}
 			if user.TokenIssueAt > cl.StandardClaims.IssuedAt {
-				return nil, errInvalidJWTToken
+				return nil, "", time.Time{}, errInvalidJWTToken
 			}

 			return &portainer.TokenData{
@ -131,10 +131,11 @@ func (service *Service) ParseAndVerifyToken(token string) (*portainer.TokenData,
 				Role:                portainer.UserRole(cl.Role),
 				Token:               token,
 				ForceChangePassword: cl.ForceChangePassword,
-			}, nil
+			}, cl.Id, time.Unix(cl.ExpiresAt, 0), nil
 		}
 	}
-	return nil, errInvalidJWTToken
+
+	return nil, "", time.Time{}, errInvalidJWTToken
 }

 // parse a JWT token, fallback to defaultScope if no scope is present in the JWT