fixed fatal bug after access token expires

hwsauth/logout.go

@@ -33,14 +33,18 @@ func (auth *Authenticator[T, TX]) Logout(tx TX, w http.ResponseWriter, r *http.R
 	if err != nil {
 		return errors.Wrap(err, "auth.getTokens")
 	}
+	if aT != nil {
 		err = aT.Revoke(jwt.DBTransaction(tx))
 		if err != nil {
 			return errors.Wrap(err, "aT.Revoke")
 		}
+	}
+	if rT != nil {
 		err = rT.Revoke(jwt.DBTransaction(tx))
 		if err != nil {
 			return errors.Wrap(err, "rT.Revoke")
 		}
+	}
 	cookies.DeleteCookie(w, "access", "/")
 	cookies.DeleteCookie(w, "refresh", "/")
 	return nil

hwsauth/middleware.go

@@ -16,12 +16,20 @@ import (
 //
 // Example:
 //
-//	server.AddMiddleware(auth.Authenticate())
-func (auth *Authenticator[T, TX]) Authenticate() hws.Middleware {
-	return auth.server.NewMiddleware(auth.authenticate())
+//	server.AddMiddleware(auth.Authenticate(nil))
+//
+// If extraCheck is provided, it will run just before the user is added to the context,
+// and the return will determine if the user will be added, or the request passed on
+// without the user.
+func (auth *Authenticator[T, TX]) Authenticate(
+	extraCheck func(ctx context.Context, model T, tx TX, w http.ResponseWriter, r *http.Request) (bool, *hws.HWSError),
+) hws.Middleware {
+	return auth.server.NewMiddleware(auth.authenticate(extraCheck))
 }
 
-func (auth *Authenticator[T, TX]) authenticate() hws.MiddlewareFunc {
+func (auth *Authenticator[T, TX]) authenticate(
+	extraCheck func(ctx context.Context, model T, tx TX, w http.ResponseWriter, r *http.Request) (bool, *hws.HWSError),
+) hws.MiddlewareFunc {
 	return func(w http.ResponseWriter, r *http.Request) (*http.Request, *hws.HWSError) {
 		if globTest(r.URL.Path, auth.ignoredPaths) {
 			return r, nil
@@ -66,6 +74,14 @@ func (auth *Authenticator[T, TX]) authenticate() hws.MiddlewareFunc {
 				Msg("Failed to authenticate user")
 			return r, nil
 		}
+		var check bool
+		if extraCheck != nil {
+			var err *hws.HWSError
+			check, err = extraCheck(ctx, model.model, txTyped, w, r)
+			if err != nil {
+				return nil, err
+			}
+		}
 		err = tx.Commit()
 		if err != nil {
 			return nil, &hws.HWSError{
@@ -76,8 +92,11 @@ func (auth *Authenticator[T, TX]) authenticate() hws.MiddlewareFunc {
 		}
 		authContext := setAuthenticatedModel(r.Context(), model)
 		newReq := r.WithContext(authContext)
+		if extraCheck == nil || check {
 			return newReq, nil
 		}
+		return r, nil
+	}
 }
 
 func globTest(testPath string, globs []glob.Glob) bool {

hwsauth/reauthenticate.go

@@ -34,7 +34,7 @@ func (auth *Authenticator[T, TX]) RefreshAuthTokens(tx TX, w http.ResponseWriter
 	rememberMe := map[string]bool{
 		"session": false,
 		"exp":     true,
-	}[aT.TTL]
+	}[rT.TTL]
 	// issue new tokens for the user
 	err = jwt.SetTokenCookies(w, r, auth.tokenGenerator, rT.SUB, true, rememberMe, auth.SSL)
 	if err != nil {
@@ -55,14 +55,21 @@ func (auth *Authenticator[T, TX]) getTokens(
 ) (*jwt.AccessToken, *jwt.RefreshToken, error) {
 	// get the existing tokens from the cookies
 	atStr, rtStr := jwt.GetTokenCookies(r)
-	aT, err := auth.tokenGenerator.ValidateAccess(jwt.DBTransaction(tx), atStr)
+	var aT *jwt.AccessToken
+	var rT *jwt.RefreshToken
+	var err error
+	if atStr != "" {
+		aT, err = auth.tokenGenerator.ValidateAccess(jwt.DBTransaction(tx), atStr)
 		if err != nil {
 			return nil, nil, errors.Wrap(err, "tokenGenerator.ValidateAccess")
 		}
-	rT, err := auth.tokenGenerator.ValidateRefresh(jwt.DBTransaction(tx), rtStr)
+	}
+	if rtStr != "" {
+		rT, err = auth.tokenGenerator.ValidateRefresh(jwt.DBTransaction(tx), rtStr)
 		if err != nil {
 			return nil, nil, errors.Wrap(err, "tokenGenerator.ValidateRefresh")
 		}
+	}
 	return aT, rT, nil
 }
 
@@ -72,13 +79,17 @@ func revokeTokenPair(
 	aT *jwt.AccessToken,
 	rT *jwt.RefreshToken,
 ) error {
+	if aT != nil {
 		err := aT.Revoke(tx)
 		if err != nil {
 			return errors.Wrap(err, "aT.Revoke")
 		}
-	err = rT.Revoke(tx)
+	}
+	if rT != nil {
+		err := rT.Revoke(tx)
 		if err != nil {
 			return errors.Wrap(err, "rT.Revoke")
 		}
+	}
 	return nil
 }