added “single login” feature

Author: BonneVoyager

README.md

@@ -82,9 +82,9 @@ func main() {
 
 ```
 
-In order to use basicserver, you need to at least provide `MongoString` and `ServerPort` [configuration options](https://github.com/bonnevoyager/basicserver/blob/master/main.go#L21-L35) to `basicserver.CreateApp(settings)`.
+In order to use basicserver, you need to at least provide `MongoString` and `ServerPort` [configuration options](https://github.com/bonnevoyager/basicserver/blob/master/main.go#L21-L49) to `basicserver.CreateApp(settings)`.
 
-Preconfigured [routes](https://github.com/bonnevoyager/basicserver/blob/master/routes.go#L7-L17) are:
+Preconfigured [routes](https://github.com/bonnevoyager/basicserver/blob/master/routes.go#L7-L20) are:
 
 - [POST /register](https://github.com/bonnevoyager/basicserver/blob/master/register_post.go)
 - [POST /signin](https://github.com/bonnevoyager/basicserver/blob/master/signin_post.go)

keepalive_get.go

@@ -32,10 +32,14 @@ func (app *BasicApp) ServeKeepAliveGet() iris.Handler {
 		uid := ctx.Values().Get("uid").(string)
 
 		expiresAt := time.Now().Add(time.Hour * time.Duration(72)).Unix() // 72 hours
-		token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+		claimsMap := jwt.MapClaims{
 			"uid": uid,
 			"exp": expiresAt,
-		})
+		}
+		token := jwt.NewWithClaims(jwt.SigningMethodHS256, claimsMap)
+		if app.Settings.SingleLogin { // substain single login value
+			claimsMap["sl"] = ctx.Values().Get("sl").(string)
+		}
 		tokenString, err := token.SignedString(app.Settings.Secret)
 		if err != nil {
 			log.Print(err)

main.go

@@ -33,6 +33,7 @@ type SMTPSettings struct {
 //   `LogLevel` - available values are: "disable", "fatal", "error", "warn", "info", "debug"
 //   `MongoString` - URI format described at http://docs.mongodb.org/manual/reference/connection-string/
 //   `Secret` - secret value used by JWT parser
+//   `SingleLogin` - allows to access restricted resources only with fresh token received from signin
 //   `ServerPort` - port on which the server should listen to
 //   `RecoverTemplate` - html content to be sent along with password recovery email
 //   `SMTP` - SMTP configuration to send emails
@@ -41,6 +42,7 @@ type Settings struct {
 	LogLevel        string
 	MongoString     string
 	Secret          []byte
+	SingleLogin     bool
 	ServerPort      string
 	RecoverTemplate string
 	SMTP            SMTPSettings

main_test.go

@@ -1,6 +1,7 @@
 package basicserver
 
 import (
+	"strconv"
 	"testing"
 	"time"
 
@@ -308,3 +309,40 @@ func TestApiFile(t *testing.T) {
 
 	app.Coll.Files.Remove(testUID.Hex() + ":golang.jpg")
 }
+
+func TestSingleLogin(t *testing.T) {
+	e := httptest.New(t, app.Iris)
+
+	app.Settings.SingleLogin = true
+
+	createTestUser()
+
+	timeNow := time.Now()
+	expiresAt := timeNow.Add(time.Minute * time.Duration(1)).Unix()
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+		"uid": testUID.Hex(),
+		"exp": expiresAt,
+		"sl":  strconv.FormatInt(timeNow.Unix(), 10),
+	})
+	tokenString, _ := token.SignedString([]byte(testSecret))
+
+	app.Coll.Users.UpdateId(testUID, bson.M{
+		"$set": bson.M{"last_login_at": timeNow},
+	})
+
+	e.GET("/api/data").
+		WithHeader("Authorization", "Bearer "+tokenString).
+		Expect().Status(httptest.StatusOK)
+
+	app.Coll.Users.UpdateId(testUID, bson.M{
+		"$set": bson.M{"last_login_at": timeNow.Add(time.Minute)},
+	})
+
+	e.GET("/api/data").
+		WithHeader("Authorization", "Bearer "+tokenString).
+		Expect().Status(httptest.StatusConflict)
+
+	removeTestUser()
+
+	app.Settings.SingleLogin = false
+}

require_auth.go

@@ -2,6 +2,7 @@ package basicserver
 
 import (
 	"errors"
+	"strconv"
 	"strings"
 
 	jwt "github.com/dgrijalva/jwt-go"
@@ -18,6 +19,8 @@ import (
 // In case of invalid/expired token, this returns status code `401` and `text/plain`
 // error message as a response.
 //
+// In case of single login enabled and locked token provided, this returns status code `409`.
+//
 func (app *BasicApp) RequireAuth() iris.Handler {
 	return func(ctx iris.Context) {
 		authHeader := ctx.GetHeader("Authorization")
@@ -55,10 +58,19 @@ func (app *BasicApp) RequireAuth() iris.Handler {
 				app.HandleError(err, ctx, iris.StatusInternalServerError)
 			}
 			return
+		} else if app.Settings.SingleLogin && // handle single login
+			strconv.FormatInt(user.LastLoginAt.Unix(), 10) != token.Claims.(jwt.MapClaims)["sl"] {
+			err := errors.New("Token Locked")
+			app.HandleError(err, ctx, iris.StatusConflict)
+			return
 		}
 
 		// pass on the "uid"
 		ctx.Values().Set("uid", uid)
+		if app.Settings.SingleLogin {
+			sl := token.Claims.(jwt.MapClaims)["sl"]
+			ctx.Values().Set("sl", sl)
+		}
 		ctx.Next()
 	}
 }

signin_post.go

@@ -2,6 +2,7 @@ package basicserver
 
 import (
 	"log"
+	"strconv"
 	"time"
 
 	jwt "github.com/dgrijalva/jwt-go"
@@ -72,18 +73,27 @@ func (app *BasicApp) ServeSigninPost() iris.Handler {
 			return
 		}
 
-		expiresAt := time.Now().Add(time.Hour * time.Duration(72)).Unix() // 72 hours
-		token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+		timeNow := time.Now()
+		expiresAt := timeNow.Add(time.Hour * time.Duration(72)).Unix() // 72 hours
+		claimsMap := jwt.MapClaims{
 			"uid": user.ID.Hex(),
 			"exp": expiresAt,
-		})
+		}
+		if app.Settings.SingleLogin { // single login value
+			claimsMap["sl"] = strconv.FormatInt(timeNow.Unix(), 10)
+		}
+		token := jwt.NewWithClaims(jwt.SigningMethodHS256, claimsMap)
 		tokenString, err := token.SignedString(app.Settings.Secret)
 		if err != nil {
 			log.Print(err)
 			app.HandleError(err, ctx, iris.StatusInternalServerError)
 			return
 		}
 
+		app.Coll.Users.UpdateId(user.ID, bson.M{
+			"$set": bson.M{"last_login_at": timeNow},
+		})
+
 		ctx.JSON(iris.Map{
 			"expires": expiresAt,
 			"token":   tokenString,

state.go

@@ -4,8 +4,8 @@ import "github.com/globalsign/mgo/bson"
 
 // State is an user's state data entity:
 //
-//    `ID` is user uid
-//    `Data` is user data
+//    `ID` user uid
+//    `Data` user data
 //
 type State struct {
 	ID   bson.ObjectId `bson:"_id" json:"id"`

user.go

@@ -2,21 +2,25 @@ package basicserver
 
 import (
 	"math/rand"
+	"time"
 
 	"github.com/globalsign/mgo/bson"
 )
 
 // User is an user data entity:
 //
-//    `ID` is user uid
+//    `ID` user uid
 //    `Email` user email
 //    `Password` encrypted password
+//    `RecoveryCode` optional recovery code for password reset
+//    `LastLoginAt` time at which last login happened
 //
 type User struct {
 	ID           bson.ObjectId `bson:"_id" json:"id"`
 	Email        string        `bson:"email"`
 	Password     string        `bson:"password"`
 	RecoveryCode string        `bson:"recovery_code"`
+	LastLoginAt  time.Time     `bson:"last_login_at"`
 }
 
 var codeLetters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")