blasphem/pkg/auth/session.go

235 lines
5.7 KiB
Go
Raw Normal View History

2022-10-26 19:13:50 -04:00
package auth
import (
2022-11-12 15:56:17 -05:00
"encoding/json"
2022-11-13 11:55:10 -05:00
"fmt"
2022-10-26 19:13:50 -04:00
"net/http"
2022-11-13 11:55:10 -05:00
"strconv"
"strings"
2022-10-26 19:13:50 -04:00
"time"
2022-10-26 19:43:51 -04:00
"github.com/labstack/echo/v4"
2022-11-12 15:56:17 -05:00
2022-11-13 11:55:10 -05:00
"dynatron.me/x/blasphem/internal/generate"
2022-11-12 15:56:17 -05:00
"dynatron.me/x/blasphem/pkg/auth/provider"
2022-10-26 19:13:50 -04:00
)
2022-11-13 11:55:10 -05:00
type (
TokenType string
TokenTimestamp time.Time
RefreshTokenID string
2022-11-13 11:59:15 -05:00
ExpireSecs float64
2022-11-13 11:55:10 -05:00
)
2022-11-13 11:59:15 -05:00
func (f ExpireSecs) MarshalJSON() ([]byte, error) {
2022-11-13 11:55:10 -05:00
if float64(f) == float64(int(f)) {
return []byte(strconv.FormatFloat(float64(f), 'f', 1, 32)), nil
}
return []byte(strconv.FormatFloat(float64(f), 'f', -1, 32)), nil
}
const PytTimeFormat = "2006-01-02T15:04:05.999999-07:00"
func (t *TokenTimestamp) MarshalJSON() ([]byte, error) {
rv := fmt.Sprintf("%q", time.Time(*t).Format(PytTimeFormat))
return []byte(rv), nil
}
func (t *TokenTimestamp) UnmarshalJSON(b []byte) error {
s := strings.Trim(string(b), `"`)
tm, err := time.Parse(PytTimeFormat, s)
*t = TokenTimestamp(tm)
return err
}
type RefreshToken struct {
ID RefreshTokenID `json:"id"`
UserID UserID `json:"user_id"`
ClientID *ClientID `json:"client_id"`
ClientName *string `json:"client_name"`
ClientIcon *string `json:"client_icon"`
TokenType TokenType `json:"token_type"`
CreatedAt *TokenTimestamp `json:"created_at"`
2022-11-13 11:59:15 -05:00
AccessTokenExpiration ExpireSecs `json:"access_token_expiration"`
2022-11-13 11:55:10 -05:00
Token string `json:"token"`
JWTKey string `json:"jwt_key"`
LastUsedAt *TokenTimestamp `json:"last_used_at"`
LastUsedIP *string `json:"last_used_ip"`
CredentialID *CredID `json:"credential_id"`
Version *string `json:"version"`
}
type AccessSessionStore struct {
s map[AccessTokenID]*AccessToken
2022-10-26 19:13:50 -04:00
lastCull time.Time
}
2022-11-13 11:55:10 -05:00
type AccessTokenID string
2022-10-26 19:13:50 -04:00
2022-11-13 11:55:10 -05:00
func (t *AccessTokenID) IsValid() bool {
2022-11-11 18:02:52 -05:00
// TODO: more validation than this
return *t != ""
}
2022-11-13 11:55:10 -05:00
type AccessToken struct { // TODO: jwt bro
ID AccessTokenID
2022-10-26 19:13:50 -04:00
Ctime time.Time
2022-10-26 19:43:51 -04:00
Expires time.Time
2022-10-26 19:13:50 -04:00
Addr string
2022-11-11 18:02:52 -05:00
2022-11-12 15:56:17 -05:00
user provider.ProviderUser `json:"-"`
2022-10-26 19:13:50 -04:00
}
2022-11-13 11:55:10 -05:00
func (ss *AccessSessionStore) init() {
ss.s = make(map[AccessTokenID]*AccessToken)
2022-10-26 19:13:50 -04:00
}
const cullInterval = 5 * time.Minute
2022-11-13 11:55:10 -05:00
func (ss *AccessSessionStore) cull() {
2022-10-26 19:13:50 -04:00
if now := time.Now(); now.Sub(ss.lastCull) > cullInterval {
for k, v := range ss.s {
2022-10-26 19:43:51 -04:00
if now.After(v.Expires) {
2022-10-26 19:13:50 -04:00
delete(ss.s, k)
}
}
}
}
2022-11-13 11:55:10 -05:00
func (ss *AccessSessionStore) register(t *AccessToken) {
2022-10-26 19:13:50 -04:00
ss.cull()
ss.s[t.ID] = t
}
2022-11-13 11:55:10 -05:00
func (ss *AccessSessionStore) verify(tr *TokenRequest, r *http.Request) (provider.ProviderUser, bool) {
2022-10-26 19:43:51 -04:00
if t, hasToken := ss.s[tr.Code]; hasToken {
// TODO: JWT
if t.Expires.After(time.Now()) {
2022-11-11 18:02:52 -05:00
return t.user, true
} else {
delete(ss.s, t.ID)
2022-10-26 19:43:51 -04:00
}
}
2022-11-11 18:02:52 -05:00
return nil, false
}
type Credential struct {
2022-11-13 09:05:52 -05:00
ID CredID `json:"id"`
UserID UserID `json:"user_id"`
AuthProviderType string `json:"auth_provider_type"`
AuthProviderID *string `json:"auth_provider_id"`
DataRaw *json.RawMessage `json:"data,omitempty"`
2022-11-13 09:05:09 -05:00
user provider.ProviderUser `json:"-"`
2022-11-12 15:56:17 -05:00
}
func (cred *Credential) MarshalJSON() ([]byte, error) {
2022-11-13 11:55:10 -05:00
type CredAlias Credential // alias so ø method set and we don't recurse
2022-11-13 09:05:09 -05:00
nCd := (*CredAlias)(cred)
2022-11-12 15:56:17 -05:00
2022-11-13 11:55:10 -05:00
if cred.user != nil {
providerData := cred.user.UserData()
if providerData != nil {
b, err := json.Marshal(providerData)
if err != nil {
return nil, err
}
2022-11-13 09:05:09 -05:00
2022-11-13 11:55:10 -05:00
dr := json.RawMessage(b)
nCd.DataRaw = &dr
}
2022-11-12 15:56:17 -05:00
}
2022-11-13 09:05:09 -05:00
return json.Marshal(nCd)
2022-11-11 18:02:52 -05:00
}
2022-11-13 09:05:09 -05:00
func (a *Authenticator) verifyAndGetCredential(tr *TokenRequest, r *http.Request) *Credential {
user, success := a.sessions.verify(tr, r)
2022-11-11 18:02:52 -05:00
if !success {
return nil
}
2022-11-13 09:05:09 -05:00
cred := &Credential{
user: user,
}
return cred
2022-11-11 18:02:52 -05:00
}
2022-11-13 11:55:10 -05:00
const defaultExpiration = 15 * time.Minute
2022-10-26 19:43:51 -04:00
2022-11-13 11:55:10 -05:00
func (a *Authenticator) NewAccessToken(r *http.Request, user provider.ProviderUser, f *Flow) AccessTokenID {
id := AccessTokenID(generate.UUID())
2022-11-12 17:42:36 -05:00
now := time.Now()
2022-10-26 19:13:50 -04:00
2022-11-13 11:55:10 -05:00
t := &AccessToken{
2022-10-26 19:43:51 -04:00
ID: id,
2022-11-12 17:42:36 -05:00
Ctime: now,
Expires: now.Add(defaultExpiration),
2022-10-26 19:43:51 -04:00
Addr: r.RemoteAddr,
2022-11-11 18:02:52 -05:00
user: user,
2022-10-26 19:13:50 -04:00
}
2022-10-27 09:51:11 -04:00
a.sessions.register(t)
2022-10-26 19:13:50 -04:00
return id
}
2022-10-26 19:43:51 -04:00
2022-11-11 18:02:52 -05:00
type GrantType string
const (
GTAuthorizationCode GrantType = "authorization_code"
2022-11-12 17:42:51 -05:00
GTRefreshToken GrantType = "refresh_token"
2022-11-11 18:02:52 -05:00
)
type ClientID string
func (c *ClientID) IsValid() bool {
// TODO: || !indieauth.VerifyClientID(rq.ClientID)?
return *c != ""
}
2022-10-26 19:43:51 -04:00
type TokenRequest struct {
2022-11-13 11:55:10 -05:00
ClientID ClientID `form:"client_id"`
Code AccessTokenID `form:"code"`
GrantType GrantType `form:"grant_type"`
2022-10-26 19:43:51 -04:00
}
func (a *Authenticator) TokenHandler(c echo.Context) error {
2022-11-11 18:02:52 -05:00
rq := new(TokenRequest)
err := c.Bind(rq)
2022-10-26 19:43:51 -04:00
if err != nil {
return err
}
2022-11-11 18:02:52 -05:00
switch rq.GrantType {
case GTAuthorizationCode:
if !rq.ClientID.IsValid() {
return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid client ID"})
}
if !rq.Code.IsValid() {
return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid code"})
}
2022-11-13 09:05:09 -05:00
if cred := a.verifyAndGetCredential(rq, c.Request()); cred != nil {
2022-11-11 18:02:52 -05:00
// TODO: success
user, err := a.getOrCreateUser(cred)
if err != nil {
2022-11-12 17:58:24 -05:00
return c.JSON(http.StatusUnauthorized, AuthError{Error: "access_denied", Description: err.Error()})
2022-11-11 18:02:52 -05:00
}
2022-11-12 17:42:51 -05:00
if err := user.allowedToAuth(); err != nil {
2022-11-11 18:02:52 -05:00
return c.JSON(http.StatusUnauthorized, AuthError{Error: "access_denied", Description: err.Error()})
}
return c.String(http.StatusOK, "token good I guess")
}
case GTRefreshToken:
return c.String(http.StatusNotImplemented, "not implemented")
2022-10-26 19:43:51 -04:00
}
return c.String(http.StatusUnauthorized, "token bad I guess")
}