mirror of
https://github.com/lordmathis/lemma.git
synced 2025-11-06 07:54:22 +00:00
Remove too many debug messages
This commit is contained in:
@@ -61,11 +61,9 @@ func NewJWTService(config JWTConfig) (JWTManager, error) {
|
||||
// Set default expiry times if not provided
|
||||
if config.AccessTokenExpiry == 0 {
|
||||
config.AccessTokenExpiry = 15 * time.Minute
|
||||
log.Debug("using default access token expiry", "expiry", config.AccessTokenExpiry)
|
||||
}
|
||||
if config.RefreshTokenExpiry == 0 {
|
||||
config.RefreshTokenExpiry = 7 * 24 * time.Hour
|
||||
log.Debug("using default refresh token expiry", "expiry", config.RefreshTokenExpiry)
|
||||
}
|
||||
|
||||
log.Info("initialized JWT service",
|
||||
@@ -87,7 +85,6 @@ func (s *jwtService) GenerateRefreshToken(userID int, role, sessionID string) (s
|
||||
|
||||
// generateToken is an internal helper function that creates a new JWT token
|
||||
func (s *jwtService) generateToken(userID int, role string, sessionID string, tokenType TokenType, expiry time.Duration) (string, error) {
|
||||
log := getJWTLogger()
|
||||
now := time.Now()
|
||||
|
||||
// Add a random nonce to ensure uniqueness
|
||||
@@ -114,12 +111,6 @@ func (s *jwtService) generateToken(userID int, role string, sessionID string, to
|
||||
return "", err
|
||||
}
|
||||
|
||||
log.Debug("generated JWT token",
|
||||
"userId", userID,
|
||||
"role", role,
|
||||
"tokenType", tokenType,
|
||||
"expiresAt", claims.ExpiresAt)
|
||||
|
||||
return signedToken, nil
|
||||
}
|
||||
|
||||
|
||||
@@ -20,9 +20,6 @@ type Middleware struct {
|
||||
|
||||
// NewMiddleware creates a new authentication middleware
|
||||
func NewMiddleware(jwtManager JWTManager, sessionManager SessionManager, cookieManager CookieManager) *Middleware {
|
||||
log := getMiddlewareLogger()
|
||||
log.Info("initialized auth middleware")
|
||||
|
||||
return &Middleware{
|
||||
jwtManager: jwtManager,
|
||||
sessionManager: sessionManager,
|
||||
@@ -33,11 +30,15 @@ func NewMiddleware(jwtManager JWTManager, sessionManager SessionManager, cookieM
|
||||
// Authenticate middleware validates JWT tokens and sets user information in context
|
||||
func (m *Middleware) Authenticate(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
log := getMiddlewareLogger()
|
||||
log := getMiddlewareLogger().With(
|
||||
"handler", "Authenticate",
|
||||
"clientIP", r.RemoteAddr,
|
||||
)
|
||||
|
||||
// Extract token from cookie
|
||||
cookie, err := r.Cookie("access_token")
|
||||
if err != nil {
|
||||
log.Warn("attempt to access protected route without token")
|
||||
http.Error(w, "Unauthorized", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
@@ -45,12 +46,14 @@ func (m *Middleware) Authenticate(next http.Handler) http.Handler {
|
||||
// Validate token
|
||||
claims, err := m.jwtManager.ValidateToken(cookie.Value)
|
||||
if err != nil {
|
||||
log.Warn("attempt to access protected route with invalid token", "error", err.Error())
|
||||
http.Error(w, "Invalid token", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
// Check token type
|
||||
if claims.Type != AccessToken {
|
||||
log.Warn("attempt to access protected route with invalid token type", "type", claims.Type)
|
||||
http.Error(w, "Invalid token type", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
@@ -58,6 +61,7 @@ func (m *Middleware) Authenticate(next http.Handler) http.Handler {
|
||||
// Check if session is still valid in database
|
||||
session, err := m.sessionManager.ValidateSession(claims.ID)
|
||||
if err != nil || session == nil {
|
||||
log.Warn("attempt to access protected route with invalid session", "error", err.Error())
|
||||
m.cookieManager.InvalidateCookie("access_token")
|
||||
m.cookieManager.InvalidateCookie("refresh_token")
|
||||
m.cookieManager.InvalidateCookie("csrf_token")
|
||||
@@ -69,17 +73,20 @@ func (m *Middleware) Authenticate(next http.Handler) http.Handler {
|
||||
if r.Method != http.MethodGet && r.Method != http.MethodHead && r.Method != http.MethodOptions {
|
||||
csrfCookie, err := r.Cookie("csrf_token")
|
||||
if err != nil {
|
||||
log.Warn("attempt to access protected route without CSRF token", "error", err.Error())
|
||||
http.Error(w, "CSRF cookie not found", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
csrfHeader := r.Header.Get("X-CSRF-Token")
|
||||
if csrfHeader == "" {
|
||||
log.Warn("attempt to access protected route without CSRF header")
|
||||
http.Error(w, "CSRF token header not found", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
if subtle.ConstantTimeCompare([]byte(csrfCookie.Value), []byte(csrfHeader)) != 1 {
|
||||
log.Warn("attempt to access protected route with invalid CSRF token")
|
||||
http.Error(w, "CSRF token mismatch", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
@@ -91,12 +98,6 @@ func (m *Middleware) Authenticate(next http.Handler) http.Handler {
|
||||
UserRole: claims.Role,
|
||||
}
|
||||
|
||||
log.Debug("authentication completed",
|
||||
"userId", claims.UserID,
|
||||
"role", claims.Role,
|
||||
"method", r.Method,
|
||||
"path", r.URL.Path)
|
||||
|
||||
// Add context to request and continue
|
||||
next.ServeHTTP(w, context.WithHandlerContext(r, hctx))
|
||||
})
|
||||
@@ -106,7 +107,11 @@ func (m *Middleware) Authenticate(next http.Handler) http.Handler {
|
||||
func (m *Middleware) RequireRole(role string) func(http.Handler) http.Handler {
|
||||
return func(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
log := getMiddlewareLogger()
|
||||
log := getMiddlewareLogger().With(
|
||||
"handler", "RequireRole",
|
||||
"requiredRole", role,
|
||||
"clientIP", r.RemoteAddr,
|
||||
)
|
||||
|
||||
ctx, ok := context.GetRequestContext(w, r)
|
||||
if !ok {
|
||||
@@ -114,15 +119,11 @@ func (m *Middleware) RequireRole(role string) func(http.Handler) http.Handler {
|
||||
}
|
||||
|
||||
if ctx.UserRole != role && ctx.UserRole != "admin" {
|
||||
log.Warn("attempt to access protected route without required role")
|
||||
http.Error(w, "Insufficient permissions", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
log.Debug("role requirement satisfied",
|
||||
"requiredRole", role,
|
||||
"userRole", ctx.UserRole,
|
||||
"path", r.URL.Path)
|
||||
|
||||
next.ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
@@ -131,14 +132,19 @@ func (m *Middleware) RequireRole(role string) func(http.Handler) http.Handler {
|
||||
// RequireWorkspaceAccess returns a middleware that ensures the user has access to the workspace
|
||||
func (m *Middleware) RequireWorkspaceAccess(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
log := getMiddlewareLogger()
|
||||
|
||||
ctx, ok := context.GetRequestContext(w, r)
|
||||
if !ok {
|
||||
return
|
||||
}
|
||||
|
||||
// If no workspace in context, allow the request (might be a non-workspace endpoint)
|
||||
log := getMiddlewareLogger().With(
|
||||
"handler", "RequireWorkspaceAccess",
|
||||
"clientIP", r.RemoteAddr,
|
||||
"userId", ctx.UserID,
|
||||
"workspaceId", ctx.Workspace.ID,
|
||||
)
|
||||
|
||||
// If no workspace in context, allow the request
|
||||
if ctx.Workspace == nil {
|
||||
next.ServeHTTP(w, r)
|
||||
return
|
||||
@@ -146,15 +152,11 @@ func (m *Middleware) RequireWorkspaceAccess(next http.Handler) http.Handler {
|
||||
|
||||
// Check if user has access (either owner or admin)
|
||||
if ctx.Workspace.UserID != ctx.UserID && ctx.UserRole != "admin" {
|
||||
log.Warn("attempt to access workspace without permission")
|
||||
http.Error(w, "Not Found", http.StatusNotFound)
|
||||
return
|
||||
}
|
||||
|
||||
log.Debug("workspace access granted",
|
||||
"userId", ctx.UserID,
|
||||
"workspaceId", ctx.Workspace.ID,
|
||||
"path", r.URL.Path)
|
||||
|
||||
next.ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
|
||||
@@ -32,9 +32,6 @@ type sessionManager struct {
|
||||
// NewSessionService creates a new session service with the given database and JWT manager
|
||||
// revive:disable:unexported-return
|
||||
func NewSessionService(db db.SessionStore, jwtManager JWTManager) *sessionManager {
|
||||
log := getSessionLogger()
|
||||
log.Info("initialized session manager")
|
||||
|
||||
return &sessionManager{
|
||||
db: db,
|
||||
jwtManager: jwtManager,
|
||||
@@ -90,9 +87,7 @@ func (s *sessionManager) CreateSession(userID int, role string) (*models.Session
|
||||
|
||||
// RefreshSession creates a new access token using a refreshToken
|
||||
func (s *sessionManager) RefreshSession(refreshToken string) (string, error) {
|
||||
log := getSessionLogger()
|
||||
|
||||
// Get session from database first
|
||||
// Get session from database
|
||||
session, err := s.db.GetSessionByRefreshToken(refreshToken)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("invalid session: %w", err)
|
||||
@@ -104,7 +99,6 @@ func (s *sessionManager) RefreshSession(refreshToken string) (string, error) {
|
||||
return "", fmt.Errorf("invalid refresh token: %w", err)
|
||||
}
|
||||
|
||||
// Double check that the claims match the session
|
||||
if claims.UserID != session.UserID {
|
||||
return "", fmt.Errorf("token does not match session")
|
||||
}
|
||||
@@ -115,11 +109,6 @@ func (s *sessionManager) RefreshSession(refreshToken string) (string, error) {
|
||||
return "", err
|
||||
}
|
||||
|
||||
log.Debug("refreshed session",
|
||||
"userId", claims.UserID,
|
||||
"role", claims.Role,
|
||||
"sessionId", session.ID)
|
||||
|
||||
return newToken, nil
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user