Massad / gin-boilerplate

The fastest way to deploy RESTful APIs with the Gin Framework, using a structured project that defaults to a PostgreSQL database and a JWT authentication middleware whose tokens are stored in Redis
MIT License

If the user is logged out, someone else can take the token and use it to fetch the details about the user. #12

Closed ladrahul00 closed 4 years ago

ladrahul00 commented 4 years ago

You have deleted the user token from the Redis store, but the token is still valid (authorized=true); it is not invalidated. In the middleware you are only checking whether the token is authorized or not.

Massad commented 4 years ago

@wolf00 yes, that is to check whether the token is valid or not, as an example. However, in the "controllers" where the user needs to be verified you can use getUserID() to validate it.

Example: https://github.com/Massad/gin-boilerplate/blob/master/controllers/article.go#L21

Which eventually calls FetchAuth that verifies both the token and existence in redis:

https://github.com/Massad/gin-boilerplate/blob/74273606cd727adb12688ed4f12f3385ecb6f17a/models/auth.go#L158

You can move this layer to the middleware if you want.

Let me know if that clarifies your concern.

Massad commented 4 years ago

On second thought, I've modified it to validate both the token and Redis at the same time in the middleware itself; it then passes the userID from Redis using c.MustGet("userID").(int64) in getUserID().

Take a look at this commit: https://github.com/Massad/gin-boilerplate/commit/6fd4f8070fa3d87f0706bd97f3ce5d7907fea09d and let me know your thoughts.

Thanks for pointing it out.
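The two checks discussed in this thread, as an added example that is not the project's code: a signature-only check (what the middleware did before) next to a store-backed check (what the fix commit does), so that deleting the server-side record at logout actually revokes the token. It assumes a minimal stdlib HMAC token in place of the JWT library, an in-memory map in place of Redis, and leaves out the Gin handler plumbing; the names sign, login, logout, verifySignature and authorize are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"strconv"
	"strings"
)

// Constructed signing key; a real deployment loads it from configuration.
var secret = []byte("constructed-example-secret")
// Stands in for the Redis keys written at login and deleted at logout
// (token id -> user id). Unsynchronised: single-goroutine demo only.
var store = map[string]int64{}

func sign(payload string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// login issues a minimal HS256-style token "<tokenID>.<userID>.<sig>" and
// records it server-side, as the boilerplate's CreateAuth does in Redis.
func login(tokenID string, userID int64) string {
	payload := tokenID + "." + strconv.FormatInt(userID, 10)
	store[tokenID] = userID
	return payload + "." + sign(payload)
}

// logout deletes only the server-side record; the token itself cannot be recalled.
func logout(tokenID string) { delete(store, tokenID) }

// verifySignature is the original middleware's check: signature only, so a
// token still passes after logout. Returns the token id and whether it verified.
func verifySignature(token string) (string, bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", false
	}
	want := []byte(sign(parts[0] + "." + parts[1]))
	return parts[0], hmac.Equal(want, []byte(parts[2]))
}

// authorize is the fixed check: valid signature AND token id still present in
// the store. The user id comes from the store, mirroring c.MustGet("userID").
func authorize(token string) (int64, bool) {
	tokenID, ok := verifySignature(token)
	if !ok {
		return 0, false
	}
	uid, ok := store[tokenID]
	return uid, ok
}
```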

ladrahul00 commented 4 years ago

Thanks @Massad looks good now.