absmach · dborovcanin · Dec 1, 2023 · Nov 27, 2023 · Nov 29, 2023 · Nov 30, 2023
diff --git a/auth/api/grpc/endpoint_test.go b/auth/api/grpc/endpoint_test.go
@@ -36,6 +36,7 @@ const (
 	memberRelation  = "member"
 	loginDuration   = 30 * time.Minute
 	refreshDuration = 24 * time.Hour
+	invalidDuration = 7 * 24 * time.Hour
 )
 
 var svc auth.Service
@@ -48,7 +49,7 @@ func newService() auth.Service {
 
 	t := jwt.New([]byte(secret))
 
-	return auth.New(krepo, drepo, idProvider, t, prepo, loginDuration, refreshDuration)
+	return auth.New(krepo, drepo, idProvider, t, prepo, loginDuration, refreshDuration, invalidDuration)
 }
 
 func startGRPCServer(svc auth.Service, port int) {

diff --git a/auth/api/http/keys/endpoint_test.go b/auth/api/http/keys/endpoint_test.go
@@ -31,6 +31,7 @@ const (
 	email           = "[email protected]"
 	loginDuration   = 30 * time.Minute
 	refreshDuration = 24 * time.Hour
+	invalidDuration = 7 * 24 * time.Hour
 )
 
 type issueRequest struct {
@@ -71,7 +72,7 @@ func newService() auth.Service {
 
 	t := jwt.New([]byte(secret))
 
-	return auth.New(krepo, drepo, idProvider, t, prepo, loginDuration, refreshDuration)
+	return auth.New(krepo, drepo, idProvider, t, prepo, loginDuration, refreshDuration, invalidDuration)
 }
 
 func newServer(svc auth.Service) *httptest.Server {

diff --git a/auth/service.go b/auth/service.go
@@ -16,10 +16,7 @@ import (
 	svcerr "github.com/absmach/magistrala/pkg/errors/service"
 )
 
-const (
-	recoveryDuration   = 5 * time.Minute
-	invitationDuration = 24 * time.Hour
-)
+const recoveryDuration = 5 * time.Minute
 
 var (
 	errRollbackPolicy     = errors.New("failed to rollback policy")
@@ -90,25 +87,27 @@ type Service interface {
 var _ Service = (*service)(nil)
 
 type service struct {
-	keys            KeyRepository
-	domains         DomainsRepository
-	idProvider      magistrala.IDProvider
-	agent           PolicyAgent
-	tokenizer       Tokenizer
-	loginDuration   time.Duration
-	refreshDuration time.Duration
+	keys               KeyRepository
+	domains            DomainsRepository
+	idProvider         magistrala.IDProvider
+	agent              PolicyAgent
+	tokenizer          Tokenizer
+	loginDuration      time.Duration
+	refreshDuration    time.Duration
+	invitationDuration time.Duration
 }
 
 // New instantiates the auth service implementation.
-func New(keys KeyRepository, domains DomainsRepository, idp magistrala.IDProvider, tokenizer Tokenizer, policyAgent PolicyAgent, loginDuration, refreshDuration time.Duration) Service {
+func New(keys KeyRepository, domains DomainsRepository, idp magistrala.IDProvider, tokenizer Tokenizer, policyAgent PolicyAgent, loginDuration, refreshDuration, invitationDuration time.Duration) Service {
 	return &service{
-		tokenizer:       tokenizer,
-		domains:         domains,
-		keys:            keys,
-		idProvider:      idp,
-		agent:           policyAgent,
-		loginDuration:   loginDuration,
-		refreshDuration: refreshDuration,
+		tokenizer:          tokenizer,
+		domains:            domains,
+		keys:               keys,
+		idProvider:         idp,
+		agent:              policyAgent,
+		loginDuration:      loginDuration,
+		refreshDuration:    refreshDuration,
+		invitationDuration: invitationDuration,
 	}
 }
 
@@ -122,7 +121,7 @@ func (svc service) Issue(ctx context.Context, token string, key Key) (Token, err
 	case RecoveryKey:
 		return svc.tmpKey(recoveryDuration, key)
 	case InvitationKey:
-		return svc.tmpKey(invitationDuration, key)
+		return svc.invitationKey(ctx, key)
 	default:
 		return svc.accessKey(ctx, key)
 	}
@@ -333,6 +332,24 @@ func (svc service) accessKey(ctx context.Context, key Key) (Token, error) {
 	return Token{AccessToken: access, RefreshToken: refresh}, nil
 }
 
+func (svc service) invitationKey(ctx context.Context, key Key) (Token, error) {
+	var err error
+	key.Type = InvitationKey
+	key.ExpiresAt = time.Now().Add(svc.invitationDuration)
+
+	key.Subject, err = svc.checkUserDomain(ctx, key)
+	if err != nil {
+		return Token{}, err
+	}
+
+	access, err := svc.tokenizer.Issue(key)
+	if err != nil {
+		return Token{}, errors.Wrap(errIssueTmp, err)
+	}
+
+	return Token{AccessToken: access}, nil
+}
+
 func (svc service) refreshKey(ctx context.Context, token string, key Key) (Token, error) {
 	k, err := svc.tokenizer.Parse(token)
 	if err != nil {

diff --git a/auth/service_test.go b/auth/service_test.go
@@ -31,6 +31,7 @@ const (
 	authoritiesObj  = "authorities"
 	loginDuration   = 30 * time.Minute
 	refreshDuration = 24 * time.Hour
+	invalidDuration = 7 * 24 * time.Hour
 )
 
 var (
@@ -55,7 +56,7 @@ func newService() (auth.Service, *mocks.Keys, string) {
 	}
 	token, _ := t.Issue(key)
 
-	return auth.New(krepo, drepo, idProvider, t, prepo, loginDuration, refreshDuration), krepo, token
+	return auth.New(krepo, drepo, idProvider, t, prepo, loginDuration, refreshDuration, invalidDuration), krepo, token
 }
 
 func TestIssue(t *testing.T) {

diff --git a/cmd/auth/main.go b/cmd/auth/main.go
@@ -54,17 +54,18 @@ const (
 )
 
 type config struct {
-	LogLevel          string        `env:"MG_AUTH_LOG_LEVEL"               envDefault:"info"`
-	SecretKey         string        `env:"MG_AUTH_SECRET_KEY"              envDefault:"secret"`
-	JaegerURL         url.URL       `env:"MG_JAEGER_URL"                   envDefault:"http://jaeger:14268/api/traces"`
-	SendTelemetry     bool          `env:"MG_SEND_TELEMETRY"               envDefault:"true"`
-	InstanceID        string        `env:"MG_AUTH_ADAPTER_INSTANCE_ID"     envDefault:""`
-	AccessDuration    time.Duration `env:"MG_AUTH_ACCESS_TOKEN_DURATION"   envDefault:"1h"`
-	RefreshDuration   time.Duration `env:"MG_AUTH_REFRESH_TOKEN_DURATION"  envDefault:"24h"`
-	SpicedbHost       string        `env:"MG_SPICEDB_HOST"                 envDefault:"localhost"`
-	SpicedbPort       string        `env:"MG_SPICEDB_PORT"                 envDefault:"50051"`
-	SpicedbSchemaFile string        `env:"MG_SPICEDB_SCHEMA_FILE"          envDefault:"./docker/spicedb/schema.zed"`
-	TraceRatio        float64       `env:"MG_JAEGER_TRACE_RATIO"           envDefault:"1.0"`
+	LogLevel           string        `env:"MG_AUTH_LOG_LEVEL"               envDefault:"info"`
+	SecretKey          string        `env:"MG_AUTH_SECRET_KEY"              envDefault:"secret"`
+	JaegerURL          url.URL       `env:"MG_JAEGER_URL"                   envDefault:"http://jaeger:14268/api/traces"`
+	SendTelemetry      bool          `env:"MG_SEND_TELEMETRY"               envDefault:"true"`
+	InstanceID         string        `env:"MG_AUTH_ADAPTER_INSTANCE_ID"     envDefault:""`
+	AccessDuration     time.Duration `env:"MG_AUTH_ACCESS_TOKEN_DURATION"   envDefault:"1h"`
+	RefreshDuration    time.Duration `env:"MG_AUTH_REFRESH_TOKEN_DURATION"  envDefault:"24h"`
+	InvitationDuration time.Duration `env:"MG_AUTH_INVITATION_DURATION"     envDefault:"168h"`
+	SpicedbHost        string        `env:"MG_SPICEDB_HOST"                 envDefault:"localhost"`
+	SpicedbPort        string        `env:"MG_SPICEDB_PORT"                 envDefault:"50051"`
+	SpicedbSchemaFile  string        `env:"MG_SPICEDB_SCHEMA_FILE"          envDefault:"./docker/spicedb/schema.zed"`
+	TraceRatio         float64       `env:"MG_JAEGER_TRACE_RATIO"           envDefault:"1.0"`
 }
 
 func main() {
@@ -207,7 +208,7 @@ func newService(db *sqlx.DB, tracer trace.Tracer, cfg config, dbConfig pgclient.
 	idProvider := uuid.New()
 	t := jwt.New([]byte(cfg.SecretKey))
 
-	svc := auth.New(keysRepo, domainsRepo, idProvider, t, pa, cfg.AccessDuration, cfg.RefreshDuration)
+	svc := auth.New(keysRepo, domainsRepo, idProvider, t, pa, cfg.AccessDuration, cfg.RefreshDuration, cfg.InvitationDuration)
 	svc = api.LoggingMiddleware(svc, logger)
 	counter, latency := internal.MakeMetrics("groups", "api")
 	svc = api.MetricsMiddleware(svc, counter, latency)

diff --git a/docker/.env b/docker/.env
@@ -95,6 +95,7 @@ MG_AUTH_DB_SSL_ROOT_CERT=
 MG_AUTH_SECRET_KEY=HyE2D4RUt9nnKG6v8zKEqAp6g6ka8hhZsqUpzgKvnwpXrNVQSH
 MG_AUTH_ACCESS_TOKEN_DURATION="1h"
 MG_AUTH_REFRESH_TOKEN_DURATION="24h"
+MG_AUTH_INVITATION_DURATION="168h"
 MG_AUTH_ADAPTER_INSTANCE_ID=
 
 #### Auth GRPC Client Config

diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
@@ -101,6 +101,7 @@ services:
       MG_SPICEDB_PORT: ${MG_SPICEDB_PORT}
       MG_AUTH_ACCESS_TOKEN_DURATION: ${MG_AUTH_ACCESS_TOKEN_DURATION}
       MG_AUTH_REFRESH_TOKEN_DURATION: ${MG_AUTH_REFRESH_TOKEN_DURATION}
+      MG_AUTH_INVITATION_DURATION: ${MG_AUTH_INVITATION_DURATION}
       MG_AUTH_SECRET_KEY: ${MG_AUTH_SECRET_KEY}
       MG_AUTH_HTTP_HOST: ${MG_AUTH_HTTP_HOST}
       MG_AUTH_HTTP_PORT: ${MG_AUTH_HTTP_PORT}