ory · aeneasr · Jul 10, 2024 · Jul 10, 2024
@@ -31,10 +31,8 @@ type HMACSHAStrategyConfigurator interface {
 
 func NewOAuth2HMACStrategy(config HMACSHAStrategyConfigurator) *oauth2.HMACSHAStrategy {
 	return &oauth2.HMACSHAStrategy{
-		BaseHMACSHAStrategy: &oauth2.BaseHMACSHAStrategy{
-			Enigma: &hmac.HMACStrategy{Config: config},
-			Config: config,
-		},
+		Enigma: &hmac.HMACStrategy{Config: config},
+		Config: config,
 	}
 }
 

@@ -5,6 +5,8 @@ package oauth2
 
 import (
 	"context"
+	"fmt"
+	"strings"
 	"time"
 
 	"github.com/ory/x/errorsx"
@@ -13,39 +15,55 @@ import (
 	enigma "github.com/ory/fosite/token/hmac"
 )
 
-var _ CoreStrategy = (*BaseHMACSHAStrategy)(nil)
-
-type BaseHMACSHAStrategy struct {
+type HMACSHAStrategy struct {
 	Enigma *enigma.HMACStrategy
 	Config interface {
 		fosite.AccessTokenLifespanProvider
 		fosite.RefreshTokenLifespanProvider
 		fosite.AuthorizeCodeLifespanProvider
 	}
+	prefix *string
 }
 
-func (h *BaseHMACSHAStrategy) AccessTokenSignature(_ context.Context, token string) string {
+func (h *HMACSHAStrategy) AccessTokenSignature(ctx context.Context, token string) string {
 	return h.Enigma.Signature(token)
 }
-
-func (h *BaseHMACSHAStrategy) RefreshTokenSignature(_ context.Context, token string) string {
+func (h *HMACSHAStrategy) RefreshTokenSignature(ctx context.Context, token string) string {
 	return h.Enigma.Signature(token)
 }
-
-func (h *BaseHMACSHAStrategy) AuthorizeCodeSignature(_ context.Context, token string) string {
+func (h *HMACSHAStrategy) AuthorizeCodeSignature(ctx context.Context, token string) string {
 	return h.Enigma.Signature(token)
 }
 
-func (h *BaseHMACSHAStrategy) GenerateAccessToken(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) {
+func (h *HMACSHAStrategy) getPrefix(part string) string {
+	if h.prefix == nil {
+		prefix := "ory_%s_"
+		h.prefix = &prefix
+	} else if len(*h.prefix) == 0 {
+		return ""
+	}
+
+	return fmt.Sprintf(*h.prefix, part)
+}
+
+func (h *HMACSHAStrategy) trimPrefix(token, part string) string {
+	return strings.TrimPrefix(token, h.getPrefix(part))
+}
+
+func (h *HMACSHAStrategy) setPrefix(token, part string) string {
+	return h.getPrefix(part) + token
+}
+
+func (h *HMACSHAStrategy) GenerateAccessToken(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) {
 	token, sig, err := h.Enigma.Generate(ctx)
 	if err != nil {
 		return "", "", err
 	}
 
-	return token, sig, nil
+	return h.setPrefix(token, "at"), sig, nil
 }
 
-func (h *BaseHMACSHAStrategy) ValidateAccessToken(ctx context.Context, r fosite.Requester, token string) (err error) {
+func (h *HMACSHAStrategy) ValidateAccessToken(ctx context.Context, r fosite.Requester, token string) (err error) {
 	var exp = r.GetSession().GetExpiresAt(fosite.AccessToken)
 	if exp.IsZero() && r.GetRequestedAt().Add(h.Config.GetAccessTokenLifespan(ctx)).Before(time.Now().UTC()) {
 		return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Access token expired at '%s'.", r.GetRequestedAt().Add(h.Config.GetAccessTokenLifespan(ctx))))
@@ -55,42 +73,42 @@ func (h *BaseHMACSHAStrategy) ValidateAccessToken(ctx context.Context, r fosite.
 		return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Access token expired at '%s'.", exp))
 	}
 
-	return h.Enigma.Validate(ctx, token)
+	return h.Enigma.Validate(ctx, h.trimPrefix(token, "at"))
 }
 
-func (h *BaseHMACSHAStrategy) GenerateRefreshToken(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) {
+func (h *HMACSHAStrategy) GenerateRefreshToken(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) {
 	token, sig, err := h.Enigma.Generate(ctx)
 	if err != nil {
 		return "", "", err
 	}
 
-	return token, sig, nil
+	return h.setPrefix(token, "rt"), sig, nil
 }
 
-func (h *BaseHMACSHAStrategy) ValidateRefreshToken(ctx context.Context, r fosite.Requester, token string) (err error) {
+func (h *HMACSHAStrategy) ValidateRefreshToken(ctx context.Context, r fosite.Requester, token string) (err error) {
 	var exp = r.GetSession().GetExpiresAt(fosite.RefreshToken)
 	if exp.IsZero() {
 		// Unlimited lifetime
-		return h.Enigma.Validate(ctx, token)
+		return h.Enigma.Validate(ctx, h.trimPrefix(token, "rt"))
 	}
 
 	if !exp.IsZero() && exp.Before(time.Now().UTC()) {
 		return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Refresh token expired at '%s'.", exp))
 	}
 
-	return h.Enigma.Validate(ctx, token)
+	return h.Enigma.Validate(ctx, h.trimPrefix(token, "rt"))
 }
 
-func (h *BaseHMACSHAStrategy) GenerateAuthorizeCode(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) {
+func (h *HMACSHAStrategy) GenerateAuthorizeCode(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) {
 	token, sig, err := h.Enigma.Generate(ctx)
 	if err != nil {
 		return "", "", err
 	}
 
-	return token, sig, nil
+	return h.setPrefix(token, "ac"), sig, nil
 }
 
-func (h *BaseHMACSHAStrategy) ValidateAuthorizeCode(ctx context.Context, r fosite.Requester, token string) (err error) {
+func (h *HMACSHAStrategy) ValidateAuthorizeCode(ctx context.Context, r fosite.Requester, token string) (err error) {
 	var exp = r.GetSession().GetExpiresAt(fosite.AuthorizeCode)
 	if exp.IsZero() && r.GetRequestedAt().Add(h.Config.GetAuthorizeCodeLifespan(ctx)).Before(time.Now().UTC()) {
 		return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Authorize code expired at '%s'.", r.GetRequestedAt().Add(h.Config.GetAuthorizeCodeLifespan(ctx))))
@@ -100,5 +118,5 @@ func (h *BaseHMACSHAStrategy) ValidateAuthorizeCode(ctx context.Context, r fosit
 		return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Authorize code expired at '%s'.", exp))
 	}
 
-	return h.Enigma.Validate(ctx, token)
+	return h.Enigma.Validate(ctx, h.trimPrefix(token, "ac"))
 }
@@ -17,12 +17,10 @@ import (
 )
 
 var hmacshaStrategy = HMACSHAStrategy{
-	BaseHMACSHAStrategy: &BaseHMACSHAStrategy{
-		Enigma: &hmac.HMACStrategy{Config: &fosite.Config{GlobalSecret: []byte("foobarfoobarfoobarfoobarfoobarfoobarfoobarfoobar")}},
-		Config: &fosite.Config{
-			AccessTokenLifespan:   time.Hour * 24,
-			AuthorizeCodeLifespan: time.Hour * 24,
-		},
+	Enigma: &hmac.HMACStrategy{Config: &fosite.Config{GlobalSecret: []byte("foobarfoobarfoobarfoobarfoobarfoobarfoobarfoobar")}},
+	Config: &fosite.Config{
+		AccessTokenLifespan:   time.Hour * 24,
+		AuthorizeCodeLifespan: time.Hour * 24,
 	},
 }
 

@@ -27,11 +27,9 @@ import (
 )
 
 var hmacStrategy = &oauth2.HMACSHAStrategy{
-	BaseHMACSHAStrategy: &oauth2.BaseHMACSHAStrategy{
-		Enigma: &hmac.HMACStrategy{
-			Config: &fosite.Config{
-				GlobalSecret: []byte("some-super-cool-secret-that-nobody-knows-nobody-knows"),
-			},
+	Enigma: &hmac.HMACStrategy{
+		Config: &fosite.Config{
+			GlobalSecret: []byte("some-super-cool-secret-that-nobody-knows-nobody-knows"),
 		},
 	},
 }

@@ -38,11 +38,9 @@ func (m *mockCodeStrategy) ValidateAuthorizeCode(ctx context.Context, requester
 func TestPKCEHandleAuthorizeEndpointRequest(t *testing.T) {
 	var config fosite.Config
 	h := &Handler{
-		Storage: storage.NewMemoryStore(),
-		AuthorizeCodeStrategy: &oauth2.HMACSHAStrategy{
-			BaseHMACSHAStrategy: new(oauth2.BaseHMACSHAStrategy),
-		},
-		Config: &config,
+		Storage:               storage.NewMemoryStore(),
+		AuthorizeCodeStrategy: new(oauth2.HMACSHAStrategy),
+		Config:                &config,
 	}
 	w := fosite.NewAuthorizeResponse()
 	r := fosite.NewAuthorizeRequest()

@@ -173,17 +173,15 @@ func newJWTBearerAppClient(ts *httptest.Server) *clients.JWTBearer {
 }
 
 var hmacStrategy = &oauth2.HMACSHAStrategy{
-	BaseHMACSHAStrategy: &oauth2.BaseHMACSHAStrategy{
-		Enigma: &hmac.HMACStrategy{
-			Config: &fosite.Config{
-				GlobalSecret: []byte("some-super-cool-secret-that-nobody-knows"),
-			},
-		},
+	Enigma: &hmac.HMACStrategy{
 		Config: &fosite.Config{
-			AccessTokenLifespan:   accessTokenLifespan,
-			AuthorizeCodeLifespan: authCodeLifespan,
+			GlobalSecret: []byte("some-super-cool-secret-that-nobody-knows"),
 		},
 	},
+	Config: &fosite.Config{
+		AccessTokenLifespan:   accessTokenLifespan,
+		AuthorizeCodeLifespan: authCodeLifespan,
+	},
 }
 
 var defaultRSAKey = gen.MustRSAKey()