fix: cleanup PR

supabase · Mar 6, 2024 · f665e51 · f665e51
1 parent ea0c72c
commit f665e51
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 3 deletions.
diff --git a/internal/api/external.go b/internal/api/external.go
@@ -223,6 +223,9 @@ func (a *API) internalExternalProviderCallback(w http.ResponseWriter, r *http.Re
 			flowState.ProviderAccessToken = providerAccessToken
 			flowState.ProviderRefreshToken = providerRefreshToken
 			flowState.UserID = &(user.ID)
+			issueTime := time.Now()
+			flowState.IssuedAt = &issueTime
+
 			terr = tx.Update(flowState)
 		} else {
 			token, terr = a.issueRefreshToken(ctx, tx, user, models.OAuth, grantParams)

diff --git a/internal/api/pkce.go b/internal/api/pkce.go
@@ -40,11 +40,15 @@ func addFlowPrefixToToken(token string, flowType models.FlowType) string {
 
 func issueAuthCode(tx *storage.Connection, user *models.User, authenticationMethod models.AuthenticationMethod) (string, error) {
 	flowState, err := models.FindFlowStateByUserID(tx, user.ID.String(), authenticationMethod)
-	if models.IsNotFoundError(err) {
+	if err != nil && models.IsNotFoundError(err) {
 		return "", badRequestError("No valid flow state found for user.")
 	} else if err != nil {
 		return "", err
 	}
+	if err := flowState.RecordIssuedTime(tx); err != nil {
+		return "", err
+	}
+
 	return flowState.AuthCode, nil
 }
 

diff --git a/internal/api/token.go b/internal/api/token.go
@@ -246,8 +246,7 @@ func (a *API) PKCE(ctx context.Context, w http.ResponseWriter, r *http.Request)
 	} else if err != nil {
 		return err
 	}
-	// We exempt Magic Links from the requirement and fallback to
-	if flowState.AuthenticationMethod != models.MagicLink.String() && flowState.IsExpired(a.config.External.FlowStateExpiryDuration) {
+	if flowState.IsExpired(a.config.External.FlowStateExpiryDuration) {
 		return forbiddenError("invalid flow state, flow state has expired")
 	}
 

diff --git a/internal/api/verify.go b/internal/api/verify.go
@@ -181,11 +181,13 @@ func (a *API) verifyGet(w http.ResponseWriter, r *http.Request, params *VerifyPa
 		if terr := tx.Reload(user); err != nil {
 			return terr
 		}
+
 		if isImplicitFlow(flowType) {
 			token, terr = a.issueRefreshToken(ctx, tx, user, models.OTP, grantParams)
 			if terr != nil {
 				return terr
 			}
+
 			if terr = a.setCookieTokens(config, token, false, w); terr != nil {
 				return internalServerError("Failed to set JWT cookie. %s", terr)
 			}

diff --git a/internal/models/flow_state.go b/internal/models/flow_state.go
@@ -28,6 +28,7 @@ type FlowState struct {
 	ProviderType         string     `json:"provider_type" db:"provider_type"`
 	ProviderAccessToken  string     `json:"provider_access_token" db:"provider_access_token"`
 	ProviderRefreshToken string     `json:"provider_refresh_token" db:"provider_refresh_token"`
+	IssuedAt             *time.Time `json:"issued_at" db:"issued_at"`
 	CreatedAt            time.Time  `json:"created_at" db:"created_at"`
 	UpdatedAt            time.Time  `json:"updated_at" db:"updated_at"`
 }
@@ -152,5 +153,17 @@ func (f *FlowState) VerifyPKCE(codeVerifier string) error {
 }
 
 func (f *FlowState) IsExpired(expiryDuration time.Duration) bool {
+	if f.AuthenticationMethod == MagicLink.String() {
+		return time.Now().After(f.IssuedAt.Add(expiryDuration))
+	}
 	return time.Now().After(f.CreatedAt.Add(expiryDuration))
 }
+
+func (f *FlowState) RecordIssuedTime(tx *storage.Connection) error {
+	issueTime := time.Now()
+	f.IssuedAt = &issueTime
+	if err := tx.Update(f); err != nil {
+		return err
+	}
+	return nil
+}
diff --git a/migrations/20240221100230_add_issued_at_to_flow_state.up.sql b/migrations/20240221100230_add_issued_at_to_flow_state.up.sql
@@ -0,0 +1 @@
+alter table {{ index .Options "Namespace" }}.flow_state add column if not exists issued_at timestamptz null;