Update jwt token version (#27)

* add sdk svr to docker script

* panic handle

* fix build from dockerfile on docker-compose

* Update deploy.Dockerfile

* log and scripts optimization

* ci: ignore files created by docker-compose (#19)

* feat: optimise get server ip (#20)

* feat: optimise get server ip

* feat: test ServerIP

* fix issue#15 (#18)

Co-authored-by: Gordon <46924906+FGadvancer@users.noreply.github.com>

* Modify bug for getting lastest seq

* Reduce the MongoDB version to adapt to a few machine (#22)

* Feature/optimise jwt token (#24)

* Pr branch (#25)

* fix update jwt-token version to avoid attackers to bypass intended access restrictions in situations with []string{} for m["aud"]

* del accountAddr

* Create codeql-analysis.yml

* del unuse filed

* fix update jwt-token version to avoid attackers to bypass intended access restrictions in situations with []string{} for m["aud"]

Co-authored-by: Gordon <1432970085@qq.com>
Co-authored-by: Yaxian <yaxian.gu@gmail.com>
Co-authored-by: Zzr <bhg889@163.com>
Co-authored-by: Gordon <46924906+FGadvancer@users.noreply.github.com>
Co-authored-by: brennanli <brennanli@tencent.com>

config/config.yaml

@@ -134,8 +134,8 @@ multiloginpolicy:
 tokenpolicy:
   accessSecret: "open_im_server"
   # Token effective time seconds as a unit
-  #Seven days   7*24*60*60
-  accessExpire: 604800
+  #Seven days
+  accessExpire: 7
 
 messagecallback:
   callbackSwitch: false

src/utils/jwt_token.go

@@ -19,24 +19,18 @@ var (
 type Claims struct {
 	UID      string
 	Platform string //login platform
-	jwt.StandardClaims
+	jwt.RegisteredClaims
 }
 
 func BuildClaims(uid, platform string, ttl int64) Claims {
-	now := time.Now().Unix()
-	//if ttl=-1 Permanent token
-	expiresAt := int64(-1)
-	if ttl != -1 {
-		expiresAt = now + ttl
-	}
-
+	now := time.Now()
 	return Claims{
 		UID:      uid,
 		Platform: platform,
-		StandardClaims: jwt.StandardClaims{
-			ExpiresAt: expiresAt, //Expiration time
-			IssuedAt:  now,       //Issuing time
-			NotBefore: now,       //Begin Effective time
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(now.Add(time.Duration(ttl*24) * time.Hour)), //Expiration time
+			IssuedAt:  jwt.NewNumericDate(now),                                        //Issuing time
+			NotBefore: jwt.NewNumericDate(now),                                        //Begin Effective time
 		}}
 }
 
@@ -45,7 +39,7 @@ func CreateToken(userID string, platform int32) (string, int64, error) {
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 	tokenString, err := token.SignedString([]byte(config.Config.TokenPolicy.AccessSecret))
 
-	return tokenString, claims.ExpiresAt, err
+	return tokenString, claims.ExpiresAt.Time.Unix(), err
 }
 
 func secret() jwt.Keyfunc {
@@ -105,7 +99,7 @@ func ParseToken(tokensString string) (claims *Claims, err error) {
 
 		exists = existsInterface.(int64)
 		if exists == 1 {
-			res, err := MakeTheTokenInvalid(*claims, platform)
+			res, err := MakeTheTokenInvalid(claims, platform)
 			if err != nil {
 				return nil, err
 			}
@@ -118,7 +112,7 @@ func ParseToken(tokensString string) (claims *Claims, err error) {
 	// or  PC/Mobile validate success
 	// final check
 	if exists == 1 {
-		res, err := MakeTheTokenInvalid(*claims, Platform2class[claims.Platform])
+		res, err := MakeTheTokenInvalid(claims, Platform2class[claims.Platform])
 		if err != nil {
 			return nil, err
 		}
@@ -129,7 +123,7 @@ func ParseToken(tokensString string) (claims *Claims, err error) {
 	return claims, nil
 }
 
-func MakeTheTokenInvalid(currentClaims Claims, platformClass string) (bool, error) {
+func MakeTheTokenInvalid(currentClaims *Claims, platformClass string) (bool, error) {
 	storedRedisTokenInterface, err := db.DB.GetPlatformToken(currentClaims.UID, platformClass)
 	if err != nil {
 		return false, err
@@ -139,7 +133,7 @@ func MakeTheTokenInvalid(currentClaims Claims, platformClass string) (bool, erro
 		return false, err
 	}
 	//if issue time less than redis token then make this token invalid
-	if currentClaims.IssuedAt < storedRedisPlatformClaims.IssuedAt {
+	if currentClaims.IssuedAt.Time.Unix() < storedRedisPlatformClaims.IssuedAt.Time.Unix() {
 		return true, TokenInvalid
 	}
 	return false, nil

src/utils/jwt_token_test.go

@@ -17,18 +17,18 @@ func Test_BuildClaims(t *testing.T) {
 
 	assert.Equal(t, claim.UID, uid, "uid should equal")
 	assert.Equal(t, claim.Platform, platform, "platform should equal")
-	assert.Equal(t, claim.StandardClaims.ExpiresAt, int64(-1), "StandardClaims.ExpiresAt should be equal")
+	assert.Equal(t, claim.RegisteredClaims.ExpiresAt, int64(-1), "StandardClaims.ExpiresAt should be equal")
 	// time difference within 1s
-	assert.Equal(t, claim.StandardClaims.IssuedAt, now, "StandardClaims.IssuedAt should be equal")
-	assert.Equal(t, claim.StandardClaims.NotBefore, now, "StandardClaims.NotBefore should be equal")
+	assert.Equal(t, claim.RegisteredClaims.IssuedAt, now, "StandardClaims.IssuedAt should be equal")
+	assert.Equal(t, claim.RegisteredClaims.NotBefore, now, "StandardClaims.NotBefore should be equal")
 
 	ttl = int64(60)
 	now = time.Now().Unix()
 	claim = BuildClaims(uid, platform, ttl)
 	// time difference within 1s
-	assert.Equal(t, claim.StandardClaims.ExpiresAt, int64(60)+now, "StandardClaims.ExpiresAt should be equal")
-	assert.Equal(t, claim.StandardClaims.IssuedAt, now, "StandardClaims.IssuedAt should be equal")
-	assert.Equal(t, claim.StandardClaims.NotBefore, now, "StandardClaims.NotBefore should be equal")
+	assert.Equal(t, claim.RegisteredClaims.ExpiresAt, int64(60)+now, "StandardClaims.ExpiresAt should be equal")
+	assert.Equal(t, claim.RegisteredClaims.IssuedAt, now, "StandardClaims.IssuedAt should be equal")
+	assert.Equal(t, claim.RegisteredClaims.NotBefore, now, "StandardClaims.NotBefore should be equal")
 }
 
 func Test_CreateToken(t *testing.T) {