blasphem/pkg/auth/session.go

package auth

import (
	"encoding/json"
	"fmt"
	"net/http"
	"time"

	"github.com/golang-jwt/jwt"
	"github.com/labstack/echo/v4"
	"github.com/rs/zerolog/log"

	"dynatron.me/x/blasphem/internal/common"
	"dynatron.me/x/blasphem/internal/generate"
	"dynatron.me/x/blasphem/pkg/auth/provider"
)

type authCodeStore struct {
	s        map[authCodeTuple]flowResult
	lastCull time.Time
}

type authCodeTuple struct {
	ClientID ClientID
	Code     AuthCode
}

func (t *authCodeTuple) IsValid() bool {
	// TODO: more validation than this
	return t.Code != ""
}

type flowResult struct {
	Time time.Time
	Cred *Credentials
}

// OAuth 4.2.1 spec recommends 10 minutes
const authCodeExpire = 10 * time.Minute

func (f *flowResult) IsValid(now time.Time) bool {
	if now.After(f.Time.Add(authCodeExpire)) {
		return false
	}

	return true
}

func (ss *authCodeStore) init() {
	ss.s = make(map[authCodeTuple]flowResult)
}

const cullInterval = 5 * time.Minute

func (ss *authCodeStore) cull() {
	if now := time.Now(); now.Sub(ss.lastCull) > cullInterval {
		for k, v := range ss.s {
			if !v.IsValid(now) {
				delete(ss.s, k)
			}
		}
	}
}

func (ss *authCodeStore) put(clientID ClientID, cred *Credentials) string {
	ss.cull()
	code := generate.UUID()
	ss.s[authCodeTuple{clientID, AuthCode(code)}] = flowResult{Time: time.Now(), Cred: cred}

	return code
}

func (ss *authCodeStore) get(tr *TokenRequest) (*Credentials, bool) {
	key := authCodeTuple{tr.ClientID, tr.Code}
	if t, hasCode := ss.s[key]; hasCode {
		defer delete(ss.s, key)
		if t.IsValid(time.Now()) {
			return t.Cred, true
		}
	}

	return nil, false
}

type Credentials struct {
	ID               CredID           `json:"id"`
	UserID           UserID           `json:"user_id"`
	AuthProviderType string           `json:"auth_provider_type"`
	AuthProviderID   *string          `json:"auth_provider_id"`
	DataRaw          *json.RawMessage `json:"data,omitempty"`

	User provider.ProviderUser `json:"-"`
}

func (cred *Credentials) MarshalJSON() ([]byte, error) {
	type CredAlias Credentials // alias so ø method set and we don't recurse
	nCd := (*CredAlias)(cred)

	if cred.User != nil {
		providerData := cred.User.UserData()
		if providerData != nil {
			b, err := json.Marshal(providerData)
			if err != nil {
				return nil, err
			}

			dr := json.RawMessage(b)
			nCd.DataRaw = &dr
		}
	}

	return json.Marshal(nCd)
}

type (
	TokenType         string
	RefreshTokenID    string
	RefreshTokenToken string
)

func (rti RefreshTokenID) String() string { return string(rti) }

func (rti RefreshTokenToken) IsValid() bool { return rti != "" }

const (
	TokenTypeSystem    TokenType = "system"
	TokenTypeNormal    TokenType = "normal"
	TokenTypeLongLived TokenType = "long_lived_access_token"
	TokenTypeNone      TokenType = ""
)

func (tt TokenType) IsValid() bool {
	switch tt {
	case TokenTypeSystem, TokenTypeNormal, TokenTypeLongLived:
		return true
	}

	return false
}

type RefreshToken struct {
	ID                    RefreshTokenID      `json:"id"`
	UserID                UserID              `json:"user_id"`
	ClientID              *ClientID           `json:"client_id"`
	ClientName            *string             `json:"client_name"`
	ClientIcon            *string             `json:"client_icon"`
	TokenType             TokenType           `json:"token_type"`
	CreatedAt             *common.PyTimestamp `json:"created_at"`
	AccessTokenExpiration json.Number         `json:"access_token_expiration"`
	Token                 RefreshTokenToken   `json:"token"`
	JWTKey                string              `json:"jwt_key"`
	LastUsedAt            *common.PyTimestamp `json:"last_used_at"`
	LastUsedIP            *string             `json:"last_used_ip"`
	CredentialID          *CredID             `json:"credential_id"`
	Version               *string             `json:"version"`

	User *User `json:"-"`
}

func (rt *RefreshToken) IsValid() bool {
	return rt.JWTKey != ""
}

func (rt *RefreshToken) AccessExpiration() (exp int64) {
	exp, err := rt.AccessTokenExpiration.Int64()
	if err != nil {
		panic(err)
	}

	return
}

type RefreshOption func(*RefreshToken)

func WithClientID(cid ClientID) RefreshOption {
	return func(rt *RefreshToken) {
		rt.ClientID = &cid
	}
}

func WithClientName(n string) RefreshOption {
	return func(rt *RefreshToken) {
		rt.ClientName = &n
	}
}

func WithClientIcon(n string) RefreshOption {
	return func(rt *RefreshToken) {
		rt.ClientIcon = &n
	}
}

func WithTokenType(t TokenType) RefreshOption {
	return func(rt *RefreshToken) {
		rt.TokenType = t
	}
}

func WithCredential(c *Credentials) RefreshOption {
	return func(rt *RefreshToken) {
		rt.CredentialID = &c.ID
	}
}

const DefaultAccessExpiration = "1800" // json 🤮

func (a *authenticator) NewRefreshToken(user *User, opts ...RefreshOption) (*RefreshToken, error) {
	e := func(es string, arg ...interface{}) (*RefreshToken, error) {
		return nil, fmt.Errorf(es, arg...)
	}

	now := common.PyTimestamp(time.Now())

	r := &RefreshToken{
		ID:                    RefreshTokenID(generate.UUID()),
		UserID:                user.ID,
		Token:                 RefreshTokenToken(generate.Hex(64)),
		JWTKey:                generate.Hex(64),
		CreatedAt:             &now,
		AccessTokenExpiration: DefaultAccessExpiration,
		User:                  user,
	}

	for _, opt := range opts {
		opt(r)
	}

	if r.TokenType == TokenTypeNone {
		if user.SystemGenerated {
			r.TokenType = TokenTypeSystem
		} else {
			r.TokenType = TokenTypeNormal
		}
	}

	switch {
	case !r.TokenType.IsValid():
		return e("invalid token type")
	case !user.Active:
		return e("user is not active")
	case user.SystemGenerated && r.ClientID != nil:
		return e("system generated users cannot have refresh tokens connected to a client")
	case !r.TokenType.IsValid():
		return e("invalid token type '%v'", r.TokenType)
	case user.SystemGenerated != (r.TokenType == TokenTypeSystem):
		return e("system generated user can only have system type refresh tokens")
	case r.TokenType == TokenTypeNormal && r.ClientID == nil:
		return e("client is required to generate a refresh token")
	case r.TokenType == TokenTypeLongLived && r.ClientName == nil:
		return e("client name is required for long-lived token")
	}

	if r.TokenType == TokenTypeLongLived {
		for _, lv := range user.RefreshTokens {
			if strPtrEq(lv.ClientName, r.ClientName) && lv.TokenType == TokenTypeLongLived {
				return e("client name '%v' already exists", *r.ClientName)
			}
		}
	}

	return a.store.PutRefreshToken(r)
}

func (r *RefreshToken) AccessToken(req *http.Request) (string, error) {
	now := time.Now()

	pytnow := common.PyTimestamp(now)
	r.LastUsedAt = &pytnow
	r.LastUsedIP = &req.RemoteAddr

	return jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.StandardClaims{
		Issuer:    r.ID.String(),
		IssuedAt:  now.Unix(),
		ExpiresAt: now.Add(time.Duration(r.AccessExpiration()) * time.Second).Unix(),
	}).SignedString([]byte(r.JWTKey))
}

func (a *authenticator) ValidateAccessToken(token AccessToken) *RefreshToken {
	panic("not implemented")
	return nil
}

func (a *authenticator) verifyAndGetCredential(tr *TokenRequest) *Credentials {
	cred, success := a.authCodes.get(tr)
	if !success {
		return nil
	}

	return cred
}

const defaultExpiration = 15 * time.Minute

func (a *authenticator) NewAuthCode(clientID ClientID, cred *Credentials) string {
	return a.authCodes.put(clientID, cred)
}

type GrantType string

const (
	GrantAuthCode     GrantType = "authorization_code"
	GrantRefreshToken GrantType = "refresh_token"
)

type ClientID common.ClientID

func (c *ClientID) IsValid() bool {
	// TODO: || !indieauth.VerifyClientID(rq.ClientID)?
	return *c != ""
}

type AuthCode string

func (ac *AuthCode) IsValid() bool {
	return *ac != ""
}

type TokenRequest struct {
	ClientID     ClientID          `form:"client_id"`
	Code         AuthCode          `form:"code"`
	GrantType    GrantType         `form:"grant_type"`
	RefreshToken RefreshTokenToken `form:"refresh_token"`
}

const AuthFailed = "authentication failure"

func (a *authenticator) TokenHandler(c echo.Context) error {
	a.Lock()
	defer a.Unlock()

	rq := new(TokenRequest)
	err := c.Bind(rq)
	if err != nil {
		return err
	}

	switch rq.GrantType {
	case GrantAuthCode:
		if !rq.ClientID.IsValid() {
			return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid client ID"})
		}

		if !rq.Code.IsValid() {
			return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid code"})
		}

		cred := a.verifyAndGetCredential(rq)
		if cred == nil {
			return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid code"})
		}

		user, err := a.getOrCreateUser(cred)
		if err != nil {
			log.Error().Err(err).Msg("getOrCreateUser")
			return c.JSON(http.StatusForbidden, AuthError{Error: "access_denied", Description: AuthFailed})
		}

		if err := user.allowedToAuth(c.Request()); err != nil {
			log.Error().Err(err).Msg("allowedToAuth")
			return c.JSON(http.StatusForbidden, AuthError{Error: "access_denied", Description: AuthFailed})
		}

		rt, err := a.NewRefreshToken(user, WithClientID(rq.ClientID), WithCredential(cred))
		if err != nil {
			log.Error().Err(err).Msg("NewRefreshToken")
			return c.JSON(http.StatusForbidden, AuthError{Error: "access_denied", Description: AuthFailed})
		}

		at, err := rt.AccessToken(c.Request())
		if err != nil {
			log.Error().Err(err).Msg("AccessToken")
			return c.JSON(http.StatusForbidden, AuthError{Error: "access_denied", Description: AuthFailed})
		}

		return common.NoCache(c).JSON(http.StatusOK, &struct {
			AccessToken    string            `json:"access_token"`
			TokenType      string            `json:"token_type"`
			RefreshToken   RefreshTokenToken `json:"refresh_token"`
			ExpiresIn      int64             `json:"expires_in"`
			HAAuthProvider string            `json:"ha_auth_provider"`
		}{
			AccessToken:    at,
			TokenType:      "Bearer",
			RefreshToken:   rt.Token,
			ExpiresIn:      rt.AccessExpiration(),
			HAAuthProvider: cred.AuthProviderType,
		})
	case GrantRefreshToken:
		log.Debug().Interface("request", c.Request()).Interface("tokenRequest", rq).Msg("grant_type=refresh_token")

		if !rq.ClientID.IsValid() {
			return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid client ID"})
		}

		if !rq.RefreshToken.IsValid() {
			return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request"})
		}

		rt := a.store.GetRefreshTokenByToken(rq.RefreshToken)
		if rt == nil {
			return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_grant"})
		}

		if rt.ClientID == nil || *rt.ClientID != rq.ClientID {
			return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request"})
		}

		if err := rt.User.allowedToAuth(c.Request()); err != nil {
			return c.JSON(http.StatusForbidden, AuthError{Error: "access_denied", Description: err.Error()})
		}

		at, err := rt.AccessToken(c.Request())
		if err != nil {
			return c.JSON(http.StatusForbidden, AuthError{Error: "access_denied", Description: err.Error()})
		}

		return common.NoCache(c).JSON(http.StatusOK, &struct {
			AccessToken string `json:"access_token"`
			TokenType   string `json:"token_type"`
			ExpiresIn   int64  `json:"expires_in"`
		}{
			AccessToken: at,
			TokenType:   "Bearer",
			ExpiresIn:   rt.AccessExpiration(),
		})
	}

	return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request"})
}

type AccessToken string
Sessions 2022-10-26 19:13:50 -04:00			`package auth`

			`import (`
WIP: providers and user storage 2022-11-12 15:56:17 -05:00			`"encoding/json"`
JWT working 2022-12-19 02:42:01 -05:00			`"fmt"`
Sessions 2022-10-26 19:13:50 -04:00			`"net/http"`
			`"time"`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00
JWT working 2022-12-19 02:42:01 -05:00			`"github.com/golang-jwt/jwt"`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`"github.com/labstack/echo/v4"`
JWT working 2022-12-19 02:42:01 -05:00			`"github.com/rs/zerolog/log"`
WIP: providers and user storage 2022-11-12 15:56:17 -05:00
move common types 2022-11-13 12:03:58 -05:00			`"dynatron.me/x/blasphem/internal/common"`
refresh token 2022-11-13 11:55:10 -05:00			`"dynatron.me/x/blasphem/internal/generate"`
WIP: providers and user storage 2022-11-12 15:56:17 -05:00			`"dynatron.me/x/blasphem/pkg/auth/provider"`
Sessions 2022-10-26 19:13:50 -04:00			`)`

pre-model 2022-12-18 09:55:08 -05:00			`type authCodeStore struct {`
			`s map[authCodeTuple]flowResult`
Sessions 2022-10-26 19:13:50 -04:00			`lastCull time.Time`
			`}`

pre-model 2022-12-18 09:55:08 -05:00			`type authCodeTuple struct {`
			`ClientID ClientID`
prejwt 2022-12-18 21:26:34 -05:00			`Code AuthCode`
pre-model 2022-12-18 09:55:08 -05:00			`}`
Sessions 2022-10-26 19:13:50 -04:00
pre-model 2022-12-18 09:55:08 -05:00			`func (t *authCodeTuple) IsValid() bool {`
WIP: binding issues 2022-11-11 18:02:52 -05:00			`// TODO: more validation than this`
pre-model 2022-12-18 09:55:08 -05:00			`return t.Code != ""`
			`}`

			`type flowResult struct {`
			`Time time.Time`
			`Cred *Credentials`
WIP: binding issues 2022-11-11 18:02:52 -05:00			`}`

pre-model 2022-12-18 09:55:08 -05:00			`// OAuth 4.2.1 spec recommends 10 minutes`
			`const authCodeExpire = 10 * time.Minute`
WIP: binding issues 2022-11-11 18:02:52 -05:00
pre-model 2022-12-18 09:55:08 -05:00			`func (f *flowResult) IsValid(now time.Time) bool {`
			`if now.After(f.Time.Add(authCodeExpire)) {`
			`return false`
			`}`

			`return true`
Sessions 2022-10-26 19:13:50 -04:00			`}`

pre-model 2022-12-18 09:55:08 -05:00			`func (ss *authCodeStore) init() {`
			`ss.s = make(map[authCodeTuple]flowResult)`
Sessions 2022-10-26 19:13:50 -04:00			`}`

			`const cullInterval = 5 * time.Minute`

pre-model 2022-12-18 09:55:08 -05:00			`func (ss *authCodeStore) cull() {`
Sessions 2022-10-26 19:13:50 -04:00			`if now := time.Now(); now.Sub(ss.lastCull) > cullInterval {`
			`for k, v := range ss.s {`
pre-model 2022-12-18 09:55:08 -05:00			`if !v.IsValid(now) {`
Sessions 2022-10-26 19:13:50 -04:00			`delete(ss.s, k)`
			`}`
			`}`
			`}`
			`}`

refresh token 2022-12-19 13:09:01 -05:00			`func (ss authCodeStore) put(clientID ClientID, cred Credentials) string {`
Sessions 2022-10-26 19:13:50 -04:00			`ss.cull()`
pre-model 2022-12-18 09:55:08 -05:00			`code := generate.UUID()`
			`ss.s[authCodeTuple{clientID, AuthCode(code)}] = flowResult{Time: time.Now(), Cred: cred}`

			`return code`
Sessions 2022-10-26 19:13:50 -04:00			`}`

refresh token 2022-12-19 13:09:01 -05:00			`func (ss authCodeStore) get(tr TokenRequest) (*Credentials, bool) {`
pre-model 2022-12-18 09:55:08 -05:00			`key := authCodeTuple{tr.ClientID, tr.Code}`
			`if t, hasCode := ss.s[key]; hasCode {`
			`defer delete(ss.s, key)`
			`if t.IsValid(time.Now()) {`
			`return t.Cred, true`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`}`
			`}`

WIP: binding issues 2022-11-11 18:02:52 -05:00			`return nil, false`
			`}`

pre-model 2022-12-18 09:55:08 -05:00			`type Credentials struct {`
prejwt 2022-12-18 21:26:34 -05:00			ID CredID `json:"id"`
			UserID UserID `json:"user_id"`
			AuthProviderType string `json:"auth_provider_type"`
			AuthProviderID *string `json:"auth_provider_id"`
			DataRaw *json.RawMessage `json:"data,omitempty"`

			User provider.ProviderUser `json:"-"`
WIP: providers and user storage 2022-11-12 15:56:17 -05:00			`}`

pre-model 2022-12-18 09:55:08 -05:00			`func (cred *Credentials) MarshalJSON() ([]byte, error) {`
			`type CredAlias Credentials // alias so ø method set and we don't recurse`
WIP: panics on shutdown 2022-11-13 09:05:09 -05:00			`nCd := (*CredAlias)(cred)`
WIP: providers and user storage 2022-11-12 15:56:17 -05:00
prejwt 2022-12-18 21:26:34 -05:00			`if cred.User != nil {`
			`providerData := cred.User.UserData()`
refresh token 2022-11-13 11:55:10 -05:00			`if providerData != nil {`
			`b, err := json.Marshal(providerData)`
			`if err != nil {`
			`return nil, err`
			`}`
WIP: panics on shutdown 2022-11-13 09:05:09 -05:00
refresh token 2022-11-13 11:55:10 -05:00			`dr := json.RawMessage(b)`
			`nCd.DataRaw = &dr`
			`}`
WIP: providers and user storage 2022-11-12 15:56:17 -05:00			`}`

WIP: panics on shutdown 2022-11-13 09:05:09 -05:00			`return json.Marshal(nCd)`
WIP: binding issues 2022-11-11 18:02:52 -05:00			`}`

JWT working 2022-12-19 02:42:01 -05:00			`type (`
refresh token 2022-12-19 13:09:01 -05:00			`TokenType string`
			`RefreshTokenID string`
			`RefreshTokenToken string`
JWT working 2022-12-19 02:42:01 -05:00			`)`

refresh token 2022-12-19 13:09:01 -05:00			`func (rti RefreshTokenID) String() string { return string(rti) }`

			`func (rti RefreshTokenToken) IsValid() bool { return rti != "" }`

JWT working 2022-12-19 02:42:01 -05:00			`const (`
			`TokenTypeSystem TokenType = "system"`
			`TokenTypeNormal TokenType = "normal"`
			`TokenTypeLongLived TokenType = "long_lived_access_token"`
			`TokenTypeNone TokenType = ""`
			`)`

			`func (tt TokenType) IsValid() bool {`
			`switch tt {`
			`case TokenTypeSystem, TokenTypeNormal, TokenTypeLongLived:`
			`return true`
			`}`

			`return false`
			`}`

			`type RefreshToken struct {`
			ID RefreshTokenID `json:"id"`
			UserID UserID `json:"user_id"`
			ClientID *ClientID `json:"client_id"`
			ClientName *string `json:"client_name"`
			ClientIcon *string `json:"client_icon"`
			TokenType TokenType `json:"token_type"`
			CreatedAt *common.PyTimestamp `json:"created_at"`
			AccessTokenExpiration json.Number `json:"access_token_expiration"`
refresh token 2022-12-19 13:09:01 -05:00			Token RefreshTokenToken `json:"token"`
JWT working 2022-12-19 02:42:01 -05:00			JWTKey string `json:"jwt_key"`
			LastUsedAt *common.PyTimestamp `json:"last_used_at"`
			LastUsedIP *string `json:"last_used_ip"`
			CredentialID *CredID `json:"credential_id"`
			Version *string `json:"version"`
WIP: websocket 2022-12-19 19:24:01 -05:00
			User *User `json:"-"`
JWT working 2022-12-19 02:42:01 -05:00			`}`

			`func (rt *RefreshToken) IsValid() bool {`
			`return rt.JWTKey != ""`
			`}`

refresh token 2022-12-19 13:09:01 -05:00			`func (rt *RefreshToken) AccessExpiration() (exp int64) {`
			`exp, err := rt.AccessTokenExpiration.Int64()`
			`if err != nil {`
			`panic(err)`
			`}`

			`return`
			`}`

JWT working 2022-12-19 02:42:01 -05:00			`type RefreshOption func(*RefreshToken)`

			`func WithClientID(cid ClientID) RefreshOption {`
			`return func(rt *RefreshToken) {`
			`rt.ClientID = &cid`
			`}`
			`}`

			`func WithClientName(n string) RefreshOption {`
			`return func(rt *RefreshToken) {`
			`rt.ClientName = &n`
			`}`
			`}`

			`func WithClientIcon(n string) RefreshOption {`
			`return func(rt *RefreshToken) {`
			`rt.ClientIcon = &n`
			`}`
			`}`

			`func WithTokenType(t TokenType) RefreshOption {`
			`return func(rt *RefreshToken) {`
			`rt.TokenType = t`
			`}`
			`}`

			`func WithCredential(c *Credentials) RefreshOption {`
			`return func(rt *RefreshToken) {`
			`rt.CredentialID = &c.ID`
			`}`
			`}`

WIP: websocket 2022-12-19 19:24:01 -05:00			`const DefaultAccessExpiration = "1800" // json 🤮`
JWT working 2022-12-19 02:42:01 -05:00
WIP: websocket 2022-12-19 19:24:01 -05:00			`func (a authenticator) NewRefreshToken(user User, opts ...RefreshOption) (*RefreshToken, error) {`
refresh token 2022-12-19 13:09:01 -05:00			`e := func(es string, arg ...interface{}) (*RefreshToken, error) {`
			`return nil, fmt.Errorf(es, arg...)`
JWT working 2022-12-19 02:42:01 -05:00			`}`

			`now := common.PyTimestamp(time.Now())`

			`r := &RefreshToken{`
			`ID: RefreshTokenID(generate.UUID()),`
			`UserID: user.ID,`
refresh token 2022-12-19 13:09:01 -05:00			`Token: RefreshTokenToken(generate.Hex(64)),`
JWT working 2022-12-19 02:42:01 -05:00			`JWTKey: generate.Hex(64),`
			`CreatedAt: &now,`
			`AccessTokenExpiration: DefaultAccessExpiration,`
compiles 2022-12-20 13:16:30 -05:00			`User: user,`
JWT working 2022-12-19 02:42:01 -05:00			`}`

			`for _, opt := range opts {`
			`opt(r)`
			`}`

			`if r.TokenType == TokenTypeNone {`
			`if user.SystemGenerated {`
			`r.TokenType = TokenTypeSystem`
			`} else {`
			`r.TokenType = TokenTypeNormal`
			`}`
			`}`

			`switch {`
			`case !r.TokenType.IsValid():`
			`return e("invalid token type")`
			`case !user.Active:`
			`return e("user is not active")`
			`case user.SystemGenerated && r.ClientID != nil:`
			`return e("system generated users cannot have refresh tokens connected to a client")`
			`case !r.TokenType.IsValid():`
			`return e("invalid token type '%v'", r.TokenType)`
			`case user.SystemGenerated != (r.TokenType == TokenTypeSystem):`
			`return e("system generated user can only have system type refresh tokens")`
			`case r.TokenType == TokenTypeNormal && r.ClientID == nil:`
			`return e("client is required to generate a refresh token")`
			`case r.TokenType == TokenTypeLongLived && r.ClientName == nil:`
			`return e("client name is required for long-lived token")`
			`}`

			`if r.TokenType == TokenTypeLongLived {`
			`for _, lv := range user.RefreshTokens {`
			`if strPtrEq(lv.ClientName, r.ClientName) && lv.TokenType == TokenTypeLongLived {`
			`return e("client name '%v' already exists", *r.ClientName)`
			`}`
			`}`
			`}`

			`return a.store.PutRefreshToken(r)`
			`}`

			`func (r RefreshToken) AccessToken(req http.Request) (string, error) {`
			`now := time.Now()`

			`pytnow := common.PyTimestamp(now)`
			`r.LastUsedAt = &pytnow`
			`r.LastUsedIP = &req.RemoteAddr`

refresh token 2022-12-19 13:09:01 -05:00			`return jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.StandardClaims{`
			`Issuer: r.ID.String(),`
			`IssuedAt: now.Unix(),`
			`ExpiresAt: now.Add(time.Duration(r.AccessExpiration()) * time.Second).Unix(),`
JWT working 2022-12-19 02:42:01 -05:00			`}).SignedString([]byte(r.JWTKey))`
			`}`

compiles 2022-12-20 13:16:30 -05:00			`func (a authenticator) ValidateAccessToken(token AccessToken) RefreshToken {`
			`panic("not implemented")`
			`return nil`
			`}`

WIP: websocket 2022-12-19 19:24:01 -05:00			`func (a authenticator) verifyAndGetCredential(tr TokenRequest) *Credentials {`
refresh token 2022-12-19 13:09:01 -05:00			`cred, success := a.authCodes.get(tr)`
WIP: binding issues 2022-11-11 18:02:52 -05:00			`if !success {`
			`return nil`
			`}`

WIP: panics on shutdown 2022-11-13 09:05:09 -05:00			`return cred`
WIP: binding issues 2022-11-11 18:02:52 -05:00			`}`

refresh token 2022-11-13 11:55:10 -05:00			`const defaultExpiration = 15 * time.Minute`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00
WIP: websocket 2022-12-19 19:24:01 -05:00			`func (a authenticator) NewAuthCode(clientID ClientID, cred Credentials) string {`
refresh token 2022-12-19 13:09:01 -05:00			`return a.authCodes.put(clientID, cred)`
Sessions 2022-10-26 19:13:50 -04:00			`}`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00
WIP: binding issues 2022-11-11 18:02:52 -05:00			`type GrantType string`

			`const (`
refresh token 2022-12-19 13:09:01 -05:00			`GrantAuthCode GrantType = "authorization_code"`
			`GrantRefreshToken GrantType = "refresh_token"`
WIP: binding issues 2022-11-11 18:02:52 -05:00			`)`

Flow split begin 2022-11-20 08:49:24 -05:00			`type ClientID common.ClientID`
WIP: binding issues 2022-11-11 18:02:52 -05:00
			`func (c *ClientID) IsValid() bool {`
			`// TODO: \|\| !indieauth.VerifyClientID(rq.ClientID)?`
			`return *c != ""`
			`}`

pre-model 2022-12-18 09:55:08 -05:00			`type AuthCode string`
prejwt 2022-12-18 21:26:34 -05:00
pre-model 2022-12-18 09:55:08 -05:00			`func (ac *AuthCode) IsValid() bool {`
			`return *ac != ""`
			`}`

Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`type TokenRequest struct {`
refresh token 2022-12-19 13:09:01 -05:00			ClientID ClientID `form:"client_id"`
			Code AuthCode `form:"code"`
			GrantType GrantType `form:"grant_type"`
			RefreshToken RefreshTokenToken `form:"refresh_token"`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`}`

JWT working 2022-12-19 02:42:01 -05:00			`const AuthFailed = "authentication failure"`

WIP: websocket 2022-12-19 19:24:01 -05:00			`func (a *authenticator) TokenHandler(c echo.Context) error {`
refresh token 2022-12-19 13:09:01 -05:00			`a.Lock()`
			`defer a.Unlock()`

WIP: binding issues 2022-11-11 18:02:52 -05:00			`rq := new(TokenRequest)`
			`err := c.Bind(rq)`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`if err != nil {`
			`return err`
			`}`

WIP: binding issues 2022-11-11 18:02:52 -05:00			`switch rq.GrantType {`
refresh token 2022-12-19 13:09:01 -05:00			`case GrantAuthCode:`
WIP: binding issues 2022-11-11 18:02:52 -05:00			`if !rq.ClientID.IsValid() {`
			`return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid client ID"})`
			`}`

			`if !rq.Code.IsValid() {`
			`return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid code"})`
			`}`

refresh token 2022-12-19 13:09:01 -05:00			`cred := a.verifyAndGetCredential(rq)`
			`if cred == nil {`
			`return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid code"})`
			`}`
WIP: binding issues 2022-11-11 18:02:52 -05:00
refresh token 2022-12-19 13:09:01 -05:00			`user, err := a.getOrCreateUser(cred)`
			`if err != nil {`
			`log.Error().Err(err).Msg("getOrCreateUser")`
			`return c.JSON(http.StatusForbidden, AuthError{Error: "access_denied", Description: AuthFailed})`
			`}`
JWT working 2022-12-19 02:42:01 -05:00
refresh token 2022-12-19 13:09:01 -05:00			`if err := user.allowedToAuth(c.Request()); err != nil {`
			`log.Error().Err(err).Msg("allowedToAuth")`
			`return c.JSON(http.StatusForbidden, AuthError{Error: "access_denied", Description: AuthFailed})`
			`}`
JWT working 2022-12-19 02:42:01 -05:00
refresh token 2022-12-19 13:09:01 -05:00			`rt, err := a.NewRefreshToken(user, WithClientID(rq.ClientID), WithCredential(cred))`
			`if err != nil {`
			`log.Error().Err(err).Msg("NewRefreshToken")`
			`return c.JSON(http.StatusForbidden, AuthError{Error: "access_denied", Description: AuthFailed})`
			`}`
JWT working 2022-12-19 02:42:01 -05:00
refresh token 2022-12-19 13:09:01 -05:00			`at, err := rt.AccessToken(c.Request())`
			`if err != nil {`
			`log.Error().Err(err).Msg("AccessToken")`
			`return c.JSON(http.StatusForbidden, AuthError{Error: "access_denied", Description: AuthFailed})`
			`}`

			`return common.NoCache(c).JSON(http.StatusOK, &struct {`
			AccessToken string `json:"access_token"`
			TokenType string `json:"token_type"`
			RefreshToken RefreshTokenToken `json:"refresh_token"`
			ExpiresIn int64 `json:"expires_in"`
			HAAuthProvider string `json:"ha_auth_provider"`
			`}{`
			`AccessToken: at,`
			`TokenType: "Bearer",`
			`RefreshToken: rt.Token,`
			`ExpiresIn: rt.AccessExpiration(),`
			`HAAuthProvider: cred.AuthProviderType,`
			`})`
			`case GrantRefreshToken:`
			`log.Debug().Interface("request", c.Request()).Interface("tokenRequest", rq).Msg("grant_type=refresh_token")`

			`if !rq.ClientID.IsValid() {`
			`return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid client ID"})`
			`}`

			`if !rq.RefreshToken.IsValid() {`
			`return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request"})`
			`}`

			`rt := a.store.GetRefreshTokenByToken(rq.RefreshToken)`
			`if rt == nil {`
			`return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_grant"})`
			`}`

			`if rt.ClientID == nil \|\| *rt.ClientID != rq.ClientID {`
			`return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request"})`
			`}`
JWT working 2022-12-19 02:42:01 -05:00
WIP: websocket 2022-12-19 19:24:01 -05:00			`if err := rt.User.allowedToAuth(c.Request()); err != nil {`
refresh token 2022-12-19 13:09:01 -05:00			`return c.JSON(http.StatusForbidden, AuthError{Error: "access_denied", Description: err.Error()})`
			`}`

			`at, err := rt.AccessToken(c.Request())`
			`if err != nil {`
			`return c.JSON(http.StatusForbidden, AuthError{Error: "access_denied", Description: err.Error()})`
			`}`

			`return common.NoCache(c).JSON(http.StatusOK, &struct {`
			AccessToken string `json:"access_token"`
			TokenType string `json:"token_type"`
			ExpiresIn int64 `json:"expires_in"`
			`}{`
			`AccessToken: at,`
			`TokenType: "Bearer",`
			`ExpiresIn: rt.AccessExpiration(),`
			`})`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`}`

refresh token 2022-12-19 13:09:01 -05:00			`return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request"})`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`}`
WIP: websocket 2022-12-19 19:24:01 -05:00
			`type AccessToken string`