[server][breaking] Change api_key schema streamline expiration and validity

server/internal/auth/api_key.go

@@ -11,7 +11,7 @@ import (
 )
 
 func VerifyAPIKey(db db.Handler, apiKey string) (user core.User, err error) {
-	const q = `SELECT k.expires, u.id, u.email, u.name, u.permissions, u.home FROM api_keys k JOIN users u ON k.user_id = u.id WHERE k.id = $1; `
+	const q = `SELECT k.expires, u.id, u.email, u.name, u.permissions, u.home FROM api_keys k JOIN users u ON k.user_id = u.id WHERE k.key = $1; `
 	row := db.QueryRow(q, apiKey)
 
 	var expires pgtype.Timestamp
@@ -27,10 +27,15 @@ func VerifyAPIKey(db db.Handler, apiKey string) (user core.User, err error) {
 }
 
 func insertAPIKey(db db.TxHandler, userID int32) (string, error) {
-	const q = `INSERT INTO api_keys(id, expires, user_id) VALUES ($1::TEXT, NOW() + $2::INTERVAL, $3::INT)`
+	const q = `INSERT INTO api_keys(key, expires, user_id) VALUES (@key::TEXT, @expires::TIMESTAMPTZ, @user_id::INT)`
 
 	token := generateSecureKey(apiKeyLength)
-	if _, err := db.Exec(q, token, apiKeyValidity, userID); err != nil {
+	args := pgx.NamedArgs{
+		"token":   generateSecureKey(apiKeyLength),
+		"expires": time.Now().Add(apiKeyValidity),
+		"user_id": userID,
+	}
+	if _, err := db.Exec(q, args); err != nil {
 		return "", err
 	} else {
 		return token, nil

server/internal/auth/auth.go

@@ -13,7 +13,6 @@ import (
 	"codeberg.org/shroff/phylum/server/internal/auth/ldap"
 	"codeberg.org/shroff/phylum/server/internal/auth/openid"
 	"codeberg.org/shroff/phylum/server/internal/core"
-	"github.com/jackc/pgx/v5/pgtype"
 	"github.com/rs/zerolog"
 )
 
@@ -25,12 +24,8 @@ const apiKeyLength = 15
 const resetTokenLength = 15
 const loginTokenLength = 15
 
-const resetTokenDuration = 10 * time.Minute
-
-var apiKeyValidity = pgtype.Interval{
-	Days:  30,
-	Valid: true,
-}
+const apiKeyValidity = 30 * 24 * time.Hour
+const tokenValidity = 10 * time.Minute
 
 var ErrCredentialsInvalid = core.NewError(http.StatusUnauthorized, "credentials_invalid", "invalid credentials")
 

server/internal/auth/openid.go

@@ -27,7 +27,7 @@ func OpenIDStart(db db.Handler, providerName, redirectURI string, clientType Ope
 		token := generateSecureKey(loginTokenLength)
 		args := pgx.NamedArgs{
 			"token":            token,
-			"expires":          time.Now().Add(resetTokenDuration),
+			"expires":          time.Now().Add(tokenValidity),
 			"oidc_provider":    providerName,
 			"oidc_client_type": clientType,
 		}

server/internal/auth/password_reset.go

@@ -8,7 +8,6 @@ import (
 	"codeberg.org/shroff/phylum/server/internal/core"
 	"codeberg.org/shroff/phylum/server/internal/db"
 	"github.com/jackc/pgx/v5"
-	"github.com/jackc/pgx/v5/pgtype"
 )
 
 func CreateResetToken(db db.TxHandler, email string) (core.User, string, error) {
@@ -54,17 +53,16 @@ func ResetUserPassword(db db.TxHandler, email, resetToken, password string) (cor
 	args := pgx.NamedArgs{
 		"user_id": user.ID,
 		"token":   resetToken,
-		"expires": time.Now().Add(resetTokenDuration),
 	}
 	row := db.QueryRow(q, args)
-	var expires pgtype.Timestamp
+	var expires time.Time
 	if err := row.Scan(&expires); err != nil {
 		if errors.Is(err, pgx.ErrNoRows) {
 			err = ErrCredentialsInvalid
 		}
 		return core.User{}, "", err
 	}
-	if time.Now().After(expires.Time) {
+	if time.Now().After(expires) {
 		return core.User{}, "", ErrCredentialsInvalid
 	}
 
@@ -91,7 +89,7 @@ ON CONFLICT(user_id) DO UPDATE SET token = @token::TEXT, expires = @expires::TIM
 	args := pgx.NamedArgs{
 		"user_id": userID,
 		"token":   token,
-		"expires": time.Now().Add(resetTokenDuration),
+		"expires": time.Now().Add(tokenValidity),
 	}
 	if _, err := db.Exec(q, args); err != nil {
 		return "", err

server/internal/db/migrations/004_api_keys.sql

@@ -1,5 +1,5 @@
 CREATE TABLE api_keys(
-    id          TEXT        NOT NULL PRIMARY KEY,
+    key         TEXT        NOT NULL PRIMARY KEY,
     created     TIMESTAMPTZ NOT NULL DEFAULT CURRENT_TIMESTAMP,
     expires     TIMESTAMPTZ NOT NULL,
     user_id     INT         NOT NULL REFERENCES users(id) ON UPDATE CASCADE ON DELETE CASCADE