chore: clear access token when user not found

feb700f3 · Steven · 5334fdf1 · feb700f3
Commit feb700f3 authored Dec 19, 2023 by Steven
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 0 deletions

auth_service.go api/v2/auth_service.go +18 -0

No files found.
--- a/api/v2/auth_service.go
+++ b/api/v2/auth_service.go
@@ -2,10 +2,15 @@ package v2

 import (
 	"context"
+	"fmt"

+	"github.com/pkg/errors"
+	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/status"

+	"github.com/usememos/memos/api/auth"
 	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
 )

@@ -15,9 +20,22 @@ func (s *APIV2Service) GetAuthStatus(ctx context.Context, _ *apiv2pb.GetAuthStat
 		return nil, status.Errorf(codes.Unauthenticated, "failed to get current user: %v", err)
 	}
 	if user == nil {
+		// Set the cookie header to expire access token.
+		if err := clearAccessTokenCookie(ctx); err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to set grpc header")
+		}
 		return nil, status.Errorf(codes.Unauthenticated, "user not found")
 	}
 	return &apiv2pb.GetAuthStatusResponse{
 		User: convertUserFromStore(user),
 	}, nil
 }
+
+func clearAccessTokenCookie(ctx context.Context) error {
+	if err := grpc.SetHeader(ctx, metadata.New(map[string]string{
+		"Set-Cookie": fmt.Sprintf("%s=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; SameSite=Strict", auth.AccessTokenCookieName),
+	})); err != nil {
+		return errors.Wrap(err, "failed to set grpc header")
+	}
+	return nil
+}