Merge branch 'master' into feat/get-path-should-append-existing-query-strings

Author: dogukanakkaya

README.md

@@ -597,11 +597,11 @@ Email subject to use for email changed notification. Defaults to `Your email add
 
 `GOTRUE_MAILER_SUBJECTS_MFA_FACTOR_ENROLLED_NOTIFICATION` - `string`
 
-Email subject to use for MFA factor enrolled notification. Defaults to `MFA factor enrolled`.
+Email subject to use for MFA factor enrolled notification. Defaults to `A new MFA factor has been enrolled`.
 
 `GOTRUE_MAILER_SUBJECTS_MFA_FACTOR_UNENROLLED_NOTIFICATION` - `string`
 
-Email subject to use for MFA factor unenrolled notification. Defaults to `MFA factor unenrolled`.
+Email subject to use for MFA factor unenrolled notification. Defaults to `An MFA factor has been unenrolled`.
 
 `MAILER_TEMPLATES_INVITE` - `string`
 

example.env

@@ -40,8 +40,8 @@ GOTRUE_MAILER_SUBJECTS_EMAIL_CHANGED_NOTIFICATION="Your email address has been c
 GOTRUE_MAILER_SUBJECTS_PHONE_CHANGED_NOTIFICATION="Your phone number has been changed"
 GOTRUE_MAILER_SUBJECTS_IDENTITY_LINKED_NOTIFICATION="A new identity has been linked"
 GOTRUE_MAILER_SUBJECTS_IDENTITY_UNLINKED_NOTIFICATION="An identity has been unlinked"
-GOTRUE_MAILER_SUBJECTS_MFA_FACTOR_ENROLLED_NOTIFICATION="MFA factor enrolled"
-GOTRUE_MAILER_SUBJECTS_MFA_FACTOR_UNENROLLED_NOTIFICATION="MFA factor unenrolled"
+GOTRUE_MAILER_SUBJECTS_MFA_FACTOR_ENROLLED_NOTIFICATION="A new MFA factor has been enrolled"
+GOTRUE_MAILER_SUBJECTS_MFA_FACTOR_UNENROLLED_NOTIFICATION="An MFA factor has been unenrolled"
 GOTRUE_MAILER_SECURE_EMAIL_CHANGE_ENABLED="true"
 
 # Custom mailer template config

internal/api/api.go

@@ -174,7 +174,8 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 	}
 
 	r.Get("/health", api.HealthCheck)
-	r.Get("/.well-known/jwks.json", api.Jwks)
+	r.Get("/.well-known/jwks.json", api.WellKnownJwks)
+	r.Get("/.well-known/openid-configuration", api.WellKnownOpenID)
 
 	if globalConfig.OAuthServer.Enabled {
 		r.Get("/.well-known/oauth-authorization-server", api.oauthServer.OAuthServerMetadata)

internal/api/jwks.go

@@ -11,7 +11,7 @@ type JwksResponse struct {
 	Keys []jwk.Key `json:"keys"`
 }
 
-func (a *API) Jwks(w http.ResponseWriter, r *http.Request) error {
+func (a *API) WellKnownJwks(w http.ResponseWriter, r *http.Request) error {
 	config := a.config
 	resp := JwksResponse{
 		Keys: []jwk.Key{},
@@ -28,3 +28,19 @@ func (a *API) Jwks(w http.ResponseWriter, r *http.Request) error {
 	w.Header().Set("Cache-Control", "public, max-age=600")
 	return sendJSON(w, http.StatusOK, resp)
 }
+
+type OpenIDConfigurationResponse struct {
+	Issuer  string `json:"issuer"`
+	JWKSURL string `json:"jwks_uri"`
+}
+
+func (a *API) WellKnownOpenID(w http.ResponseWriter, r *http.Request) error {
+	config := a.config
+
+	w.Header().Set("Cache-Control", "public, max-age=600")
+
+	return sendJSON(w, http.StatusOK, OpenIDConfigurationResponse{
+		Issuer:  config.JWT.Issuer,
+		JWKSURL: config.JWT.Issuer + "/.well-known/jwks.json",
+	})
+}

internal/api/oauthserver/handlers.go

@@ -437,7 +437,7 @@ func (s *Server) handleAuthorizationCodeGrant(ctx context.Context, w http.Respon
 
 		// Issue the refresh token and access token
 		var terr error
-		tokenResponse, terr = tokenService.IssueRefreshToken(r, tx, user, authMethod, grantParams)
+		tokenResponse, terr = tokenService.IssueRefreshToken(r, w.Header(), tx, user, authMethod, grantParams)
 		if terr != nil {
 			return terr
 		}
@@ -488,7 +488,7 @@ func (s *Server) handleRefreshTokenGrant(ctx context.Context, w http.ResponseWri
 	}
 
 	db := s.db.WithContext(ctx)
-	tokenResponse, err := tokenService.RefreshTokenGrant(ctx, db, r, tokens.RefreshTokenGrantParams{
+	tokenResponse, err := tokenService.RefreshTokenGrant(ctx, db, r, w.Header(), tokens.RefreshTokenGrantParams{
 		RefreshToken: params.RefreshToken,
 		ClientID:     clientID,
 	})

internal/api/token.go

@@ -190,7 +190,7 @@ func (a *API) ResourceOwnerPasswordGrant(ctx context.Context, w http.ResponseWri
 		}); terr != nil {
 			return terr
 		}
-		token, terr = a.tokenService.IssueRefreshToken(r, tx, user, models.PasswordGrant, grantParams)
+		token, terr = a.tokenService.IssueRefreshToken(r, w.Header(), tx, user, models.PasswordGrant, grantParams)
 		if terr != nil {
 			return terr
 		}
@@ -260,7 +260,7 @@ func (a *API) PKCE(ctx context.Context, w http.ResponseWriter, r *http.Request)
 		}); terr != nil {
 			return terr
 		}
-		token, terr = a.tokenService.IssueRefreshToken(r, tx, user, authMethod, grantParams)
+		token, terr = a.tokenService.IssueRefreshToken(r, w.Header(), tx, user, authMethod, grantParams)
 		if terr != nil {
 			// error type is already handled in issueRefreshToken
 			return terr
@@ -295,7 +295,7 @@ func (a *API) generateAccessToken(r *http.Request, tx *storage.Connection, user
 }
 
 func (a *API) issueRefreshToken(r *http.Request, conn *storage.Connection, user *models.User, authenticationMethod models.AuthenticationMethod, grantParams models.GrantParams) (*tokens.AccessTokenResponse, error) {
-	return a.tokenService.IssueRefreshToken(r, conn, user, authenticationMethod, grantParams)
+	return a.tokenService.IssueRefreshToken(r, make(http.Header), conn, user, authenticationMethod, grantParams)
 }
 
 func (a *API) updateMFASessionAndClaims(r *http.Request, tx *storage.Connection, user *models.User, authenticationMethod models.AuthenticationMethod, grantParams models.GrantParams) (*tokens.AccessTokenResponse, error) {

internal/api/token_refresh.go

@@ -3,7 +3,10 @@ package api
 import (
 	"context"
 	"net/http"
+	"regexp"
 
+	"github.com/supabase/auth/internal/api/apierrors"
+	"github.com/supabase/auth/internal/crypto"
 	"github.com/supabase/auth/internal/tokens"
 )
 
@@ -12,15 +15,42 @@ type RefreshTokenGrantParams struct {
 	RefreshToken string `json:"refresh_token"`
 }
 
+var legacyRefreshTokenPattern = regexp.MustCompile("^[a-z0-9]{12}$")
+
+func (p *RefreshTokenGrantParams) Validate() error {
+	if len(p.RefreshToken) < 12 {
+		return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "Refresh token is not valid")
+	}
+
+	if len(p.RefreshToken) == 12 {
+		if !legacyRefreshTokenPattern.MatchString(p.RefreshToken) {
+			return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "Refresh token is not valid")
+		}
+
+		return nil
+	}
+
+	_, err := crypto.ParseRefreshToken(p.RefreshToken)
+	if err != nil {
+		return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "Refresh token is not valid").WithInternalError(err)
+	}
+
+	return nil
+}
+
 // RefreshTokenGrant implements the refresh_token grant type flow
 func (a *API) RefreshTokenGrant(ctx context.Context, w http.ResponseWriter, r *http.Request) error {
 	params := &RefreshTokenGrantParams{}
 	if err := retrieveRequestParams(r, params); err != nil {
 		return err
 	}
 
+	if err := params.Validate(); err != nil {
+		return err
+	}
+
 	db := a.db.WithContext(ctx)
-	tokenResponse, err := a.tokenService.RefreshTokenGrant(ctx, db, r, tokens.RefreshTokenGrantParams{
+	tokenResponse, err := a.tokenService.RefreshTokenGrant(ctx, db, r, w.Header(), tokens.RefreshTokenGrantParams{
 		RefreshToken: params.RefreshToken,
 	})
 	if err != nil {

internal/api/token_test.go

@@ -19,6 +19,7 @@ import (
 	"github.com/stretchr/testify/suite"
 	"github.com/supabase/auth/internal/api/apierrors"
 	"github.com/supabase/auth/internal/conf"
+	"github.com/supabase/auth/internal/crypto"
 	"github.com/supabase/auth/internal/models"
 )
 
@@ -435,9 +436,11 @@ func (ts *TokenTestSuite) TestRefreshTokenReuseRevocation() {
 
 	// ensure that the 4 refresh tokens are setup correctly
 	for i, refreshToken := range refreshTokens {
-		_, token, _, err := models.FindUserWithRefreshToken(ts.API.db, refreshToken, false)
+		_, anyToken, _, err := models.FindUserWithRefreshToken(ts.API.db, ts.Config.Security.DBEncryption, refreshToken, false)
 		require.NoError(ts.T(), err)
 
+		token := anyToken.(*models.RefreshToken)
+
 		if i == len(refreshTokens)-1 {
 			require.False(ts.T(), token.Revoked)
 		} else {
@@ -470,9 +473,10 @@ func (ts *TokenTestSuite) TestRefreshTokenReuseRevocation() {
 
 	// ensure that the refresh tokens are marked as revoked in the database
 	for _, refreshToken := range refreshTokens {
-		_, token, _, err := models.FindUserWithRefreshToken(ts.API.db, refreshToken, false)
+		_, anyToken, _, err := models.FindUserWithRefreshToken(ts.API.db, ts.Config.Security.DBEncryption, refreshToken, false)
 		require.NoError(ts.T(), err)
 
+		token := anyToken.(*models.RefreshToken)
 		require.True(ts.T(), token.Revoked)
 	}
 
@@ -887,3 +891,26 @@ $$;`
 		})
 	}
 }
+
+func TestRefreshTokenGrantParamsValidate(t *testing.T) {
+	examples := []string{
+		"",
+		"01234567890",
+		"AAAAAAAAAAAA",
+		"------------",
+		"0000000000000",
+	}
+
+	p := &RefreshTokenGrantParams{}
+
+	for _, example := range examples {
+		p.RefreshToken = example
+		require.Error(t, p.Validate())
+	}
+
+	p.RefreshToken = "0123456abcde"
+	require.NoError(t, p.Validate())
+
+	p.RefreshToken = (&crypto.RefreshToken{}).Encode(make([]byte, 32))
+	require.NoError(t, p.Validate())
+}

internal/conf/configuration.go

@@ -723,8 +723,10 @@ func (c *DatabaseEncryptionConfiguration) Validate() error {
 
 type SecurityConfiguration struct {
 	Captcha                               CaptchaConfiguration `json:"captcha"`
+	RefreshTokenAlgorithmVersion          int                  `json:"refresh_token_algorithm_version" split_words:"true"`
 	RefreshTokenRotationEnabled           bool                 `json:"refresh_token_rotation_enabled" split_words:"true" default:"true"`
 	RefreshTokenReuseInterval             int                  `json:"refresh_token_reuse_interval" split_words:"true"`
+	RefreshTokenAllowReuse                bool                 `json:"refresh_token_allow_reuse" split_words:"true"`
 	UpdatePasswordRequireReauthentication bool                 `json:"update_password_require_reauthentication" split_words:"true"`
 	ManualLinkingEnabled                  bool                 `json:"manual_linking_enabled" split_words:"true" default:"false"`
 

internal/crypto/crypto.go

@@ -29,6 +29,7 @@ func GenerateOtp(digits int) string {
 
 	return otp
 }
+
 func GenerateTokenHash(emailOrPhone, otp string) string {
 	return fmt.Sprintf("%x", sha256.Sum224([]byte(emailOrPhone+otp)))
 }