Fix F-03: make token renewal atomic
- db/accounts.go: add RenewToken(oldJTI, reason, newJTI, accountID, issuedAt, expiresAt) which wraps RevokeToken + TrackToken in a single BEGIN/COMMIT transaction; if either step fails the whole tx rolls back, so the user is never left with neither old nor new token valid - server.go (handleRenewToken): replace separate RevokeToken + TrackToken calls with single RenewToken call; failure now returns 500 instead of silently losing revocation - grpcserver/auth.go (RenewToken): same replacement - db/db_test.go: TestRenewTokenAtomic verifies old token is revoked with correct reason, new token is tracked and not revoked, and a second renewal on the already-revoked old token returns an error - AUDIT.md: mark F-03 as fixed Security: without atomicity a crash/error between revoke and track could leave the old token active alongside the new one (two live tokens) or revoke the old token without tracking the new one (user locked out). The transaction ensures exactly one of the two tokens is valid at all times.
This commit is contained in:
@@ -559,6 +559,56 @@ func (db *DB) RevokeToken(jti, reason string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// RenewToken atomically revokes the old token and tracks the new one in a
|
||||
// single SQLite transaction.
|
||||
//
|
||||
// Security: the two operations must be atomic so that a failure between them
|
||||
// cannot leave the user with neither a valid old token nor a new one. With
|
||||
// MaxOpenConns(1) and SQLite's serialised write path, BEGIN IMMEDIATE acquires
|
||||
// the write lock immediately and prevents any other writer from interleaving.
|
||||
func (db *DB) RenewToken(oldJTI, reason, newJTI string, accountID int64, issuedAt, expiresAt time.Time) error {
|
||||
tx, err := db.sql.Begin()
|
||||
if err != nil {
|
||||
return fmt.Errorf("db: renew token begin tx: %w", err)
|
||||
}
|
||||
defer func() { _ = tx.Rollback() }()
|
||||
|
||||
n := now()
|
||||
|
||||
// Revoke the old token.
|
||||
result, err := tx.Exec(`
|
||||
UPDATE token_revocation
|
||||
SET revoked_at = ?, revoke_reason = ?
|
||||
WHERE jti = ? AND revoked_at IS NULL
|
||||
`, n, nullString(reason), oldJTI)
|
||||
if err != nil {
|
||||
return fmt.Errorf("db: renew token revoke old %q: %w", oldJTI, err)
|
||||
}
|
||||
rows, err := result.RowsAffected()
|
||||
if err != nil {
|
||||
return fmt.Errorf("db: renew token revoke rows affected: %w", err)
|
||||
}
|
||||
if rows == 0 {
|
||||
return fmt.Errorf("db: renew token: old token %q not found or already revoked", oldJTI)
|
||||
}
|
||||
|
||||
// Track the new token.
|
||||
_, err = tx.Exec(`
|
||||
INSERT INTO token_revocation (jti, account_id, issued_at, expires_at)
|
||||
VALUES (?, ?, ?, ?)
|
||||
`, newJTI, accountID,
|
||||
issuedAt.UTC().Format(time.RFC3339),
|
||||
expiresAt.UTC().Format(time.RFC3339))
|
||||
if err != nil {
|
||||
return fmt.Errorf("db: renew token track new %q: %w", newJTI, err)
|
||||
}
|
||||
|
||||
if err := tx.Commit(); err != nil {
|
||||
return fmt.Errorf("db: renew token commit: %w", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// RevokeAllUserTokens revokes all non-expired, non-revoked tokens for an account.
|
||||
func (db *DB) RevokeAllUserTokens(accountID int64, reason string) error {
|
||||
n := now()
|
||||
|
||||
Reference in New Issue
Block a user