blasphem/pkg/auth/session.go

package auth

import (
	"encoding/json"
	"net/http"
	"time"

	"github.com/labstack/echo/v4"

	"dynatron.me/x/blasphem/pkg/auth/provider"
)

type SessionStore struct {
	s        map[TokenID]*Token
	lastCull time.Time
}

type TokenID string

func (t *TokenID) IsValid() bool {
	// TODO: more validation than this
	return *t != ""
}

type Token struct { // TODO: jwt bro
	ID      TokenID
	Ctime   time.Time
	Expires time.Time
	Addr    string

	user provider.ProviderUser `json:"-"`
}

func (ss *SessionStore) init() {
	ss.s = make(map[TokenID]*Token)
}

const cullInterval = 5 * time.Minute

func (ss *SessionStore) cull() {
	if now := time.Now(); now.Sub(ss.lastCull) > cullInterval {
		for k, v := range ss.s {
			if now.After(v.Expires) {
				delete(ss.s, k)
			}
		}
	}
}

func (ss *SessionStore) register(t *Token) {
	ss.cull()
	ss.s[t.ID] = t
}

func (ss *SessionStore) verify(tr *TokenRequest, r *http.Request) (provider.ProviderUser, bool) {
	if t, hasToken := ss.s[tr.Code]; hasToken {
		// TODO: JWT
		if t.Expires.After(time.Now()) {
			return t.user, true
		} else {
			delete(ss.s, t.ID)
		}
	}

	return nil, false
}

type Credential struct {
	ID               CredID          `json:"id"`
	UserID           UserID          `json:"user_id"`
	AuthProviderType string          `json:"auth_provider_type"`
	AuthProviderID   *string         `json:"auth_provider_id"`
	DataRaw          json.RawMessage `json:"data,omitempty"`
	user             provider.ProviderUser
}

func (cred *Credential) MarshalJSON() ([]byte, error) {
	rm := map[string]interface{}{
		"id":                 cred.ID,
		"user_id":            cred.UserID,
		"auth_provider_type": cred.user.ProviderType(),
		"auth_provider_id":   cred.user.ProviderID(),
	}

	providerData := cred.user.ProviderUserData()
	if providerData != nil {
		rm["data"] = providerData
	}

	return json.Marshal(rm)
}

func (ss *SessionStore) verifyAndGetCredential(tr *TokenRequest, r *http.Request) *Credential {
	user, success := ss.verify(tr, r)
	if !success {
		return nil
	}

	return &Credential{user: user}
}

const defaultExpiration = 2 * time.Hour

func (a *Authenticator) NewToken(r *http.Request, user provider.ProviderUser, f *Flow) TokenID {
	id := TokenID(genUUID())
	now := time.Now()

	t := &Token{
		ID:      id,
		Ctime:   now,
		Expires: now.Add(defaultExpiration),
		Addr:    r.RemoteAddr,

		user: user,
	}

	a.sessions.register(t)

	return id
}

type GrantType string

const (
	GTAuthorizationCode GrantType = "authorization_code"
	GTRefreshToken      GrantType = "refresh_token"
)

type ClientID string

func (c *ClientID) IsValid() bool {
	// TODO: || !indieauth.VerifyClientID(rq.ClientID)?
	return *c != ""
}

type TokenRequest struct {
	ClientID  ClientID  `form:"client_id"`
	Code      TokenID   `form:"code"`
	GrantType GrantType `form:"grant_type"`
}

func (a *Authenticator) TokenHandler(c echo.Context) error {
	rq := new(TokenRequest)
	err := c.Bind(rq)
	if err != nil {
		return err
	}

	switch rq.GrantType {
	case GTAuthorizationCode:
		if !rq.ClientID.IsValid() {
			return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid client ID"})
		}

		if !rq.Code.IsValid() {
			return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid code"})
		}

		if cred := a.sessions.verifyAndGetCredential(rq, c.Request()); cred != nil {
			// TODO: success
			user, err := a.getOrCreateUser(cred)
			if err != nil {
				return c.JSON(http.StatusUnauthorized, AuthError{Error: "access_denied", Description: "bad user"})
			}

			if err := user.allowedToAuth(); err != nil {
				return c.JSON(http.StatusUnauthorized, AuthError{Error: "access_denied", Description: err.Error()})
			}
			return c.String(http.StatusOK, "token good I guess")
		}
	case GTRefreshToken:
		return c.String(http.StatusNotImplemented, "not implemented")
	}

	return c.String(http.StatusUnauthorized, "token bad I guess")
}
Sessions 2022-10-26 19:13:50 -04:00			`package auth`

			`import (`
WIP: providers and user storage 2022-11-12 15:56:17 -05:00			`"encoding/json"`
Sessions 2022-10-26 19:13:50 -04:00			`"net/http"`
			`"time"`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00
			`"github.com/labstack/echo/v4"`
WIP: providers and user storage 2022-11-12 15:56:17 -05:00
			`"dynatron.me/x/blasphem/pkg/auth/provider"`
Sessions 2022-10-26 19:13:50 -04:00			`)`

			`type SessionStore struct {`
			`s map[TokenID]*Token`
			`lastCull time.Time`
			`}`

			`type TokenID string`

WIP: binding issues 2022-11-11 18:02:52 -05:00			`func (t *TokenID) IsValid() bool {`
			`// TODO: more validation than this`
			`return *t != ""`
			`}`

Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`type Token struct { // TODO: jwt bro`
Sessions 2022-10-26 19:13:50 -04:00			`ID TokenID`
			`Ctime time.Time`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`Expires time.Time`
Sessions 2022-10-26 19:13:50 -04:00			`Addr string`
WIP: binding issues 2022-11-11 18:02:52 -05:00
WIP: providers and user storage 2022-11-12 15:56:17 -05:00			user provider.ProviderUser `json:"-"`
Sessions 2022-10-26 19:13:50 -04:00			`}`

			`func (ss *SessionStore) init() {`
			`ss.s = make(map[TokenID]*Token)`
			`}`

			`const cullInterval = 5 * time.Minute`

			`func (ss *SessionStore) cull() {`
			`if now := time.Now(); now.Sub(ss.lastCull) > cullInterval {`
			`for k, v := range ss.s {`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`if now.After(v.Expires) {`
Sessions 2022-10-26 19:13:50 -04:00			`delete(ss.s, k)`
			`}`
			`}`
			`}`
			`}`

			`func (ss SessionStore) register(t Token) {`
			`ss.cull()`
			`ss.s[t.ID] = t`
			`}`

WIP: providers and user storage 2022-11-12 15:56:17 -05:00			`func (ss SessionStore) verify(tr TokenRequest, r *http.Request) (provider.ProviderUser, bool) {`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`if t, hasToken := ss.s[tr.Code]; hasToken {`
			`// TODO: JWT`
			`if t.Expires.After(time.Now()) {`
WIP: binding issues 2022-11-11 18:02:52 -05:00			`return t.user, true`
			`} else {`
			`delete(ss.s, t.ID)`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`}`
			`}`

WIP: binding issues 2022-11-11 18:02:52 -05:00			`return nil, false`
			`}`

			`type Credential struct {`
gofmt 2022-11-12 17:42:51 -05:00			ID CredID `json:"id"`
			UserID UserID `json:"user_id"`
			AuthProviderType string `json:"auth_provider_type"`
			AuthProviderID *string `json:"auth_provider_id"`
			DataRaw json.RawMessage `json:"data,omitempty"`
			`user provider.ProviderUser`
WIP: providers and user storage 2022-11-12 15:56:17 -05:00			`}`

			`func (cred *Credential) MarshalJSON() ([]byte, error) {`
			`rm := map[string]interface{}{`
gofmt 2022-11-12 17:42:51 -05:00			`"id": cred.ID,`
			`"user_id": cred.UserID,`
WIP: providers and user storage 2022-11-12 15:56:17 -05:00			`"auth_provider_type": cred.user.ProviderType(),`
gofmt 2022-11-12 17:42:51 -05:00			`"auth_provider_id": cred.user.ProviderID(),`
WIP: providers and user storage 2022-11-12 15:56:17 -05:00			`}`

			`providerData := cred.user.ProviderUserData()`
			`if providerData != nil {`
			`rm["data"] = providerData`
			`}`

			`return json.Marshal(rm)`
WIP: binding issues 2022-11-11 18:02:52 -05:00			`}`

			`func (ss SessionStore) verifyAndGetCredential(tr TokenRequest, r http.Request) Credential {`
			`user, success := ss.verify(tr, r)`
			`if !success {`
			`return nil`
			`}`

			`return &Credential{user: user}`
			`}`

Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`const defaultExpiration = 2 * time.Hour`

WIP: providers and user storage 2022-11-12 15:56:17 -05:00			`func (a Authenticator) NewToken(r http.Request, user provider.ProviderUser, f *Flow) TokenID {`
Sessions 2022-10-26 19:13:50 -04:00			`id := TokenID(genUUID())`
fix now 2022-11-12 17:42:36 -05:00			`now := time.Now()`
Sessions 2022-10-26 19:13:50 -04:00
			`t := &Token{`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`ID: id,`
fix now 2022-11-12 17:42:36 -05:00			`Ctime: now,`
			`Expires: now.Add(defaultExpiration),`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`Addr: r.RemoteAddr,`
WIP: binding issues 2022-11-11 18:02:52 -05:00
			`user: user,`
Sessions 2022-10-26 19:13:50 -04:00			`}`

Unexport 2022-10-27 09:51:11 -04:00			`a.sessions.register(t)`
Sessions 2022-10-26 19:13:50 -04:00
			`return id`
			`}`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00
WIP: binding issues 2022-11-11 18:02:52 -05:00			`type GrantType string`

			`const (`
			`GTAuthorizationCode GrantType = "authorization_code"`
gofmt 2022-11-12 17:42:51 -05:00			`GTRefreshToken GrantType = "refresh_token"`
WIP: binding issues 2022-11-11 18:02:52 -05:00			`)`

			`type ClientID string`

			`func (c *ClientID) IsValid() bool {`
			`// TODO: \|\| !indieauth.VerifyClientID(rq.ClientID)?`
			`return *c != ""`
			`}`

Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`type TokenRequest struct {`
fix binding 2022-11-12 12:45:25 -05:00			ClientID ClientID `form:"client_id"`
gofmt 2022-11-12 17:42:51 -05:00			Code TokenID `form:"code"`
			GrantType GrantType `form:"grant_type"`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`}`

			`func (a *Authenticator) TokenHandler(c echo.Context) error {`
WIP: binding issues 2022-11-11 18:02:52 -05:00			`rq := new(TokenRequest)`
			`err := c.Bind(rq)`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`if err != nil {`
			`return err`
			`}`

WIP: binding issues 2022-11-11 18:02:52 -05:00			`switch rq.GrantType {`
			`case GTAuthorizationCode:`
			`if !rq.ClientID.IsValid() {`
			`return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid client ID"})`
			`}`

			`if !rq.Code.IsValid() {`
			`return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid code"})`
			`}`

			`if cred := a.sessions.verifyAndGetCredential(rq, c.Request()); cred != nil {`
			`// TODO: success`
			`user, err := a.getOrCreateUser(cred)`
			`if err != nil {`
			`return c.JSON(http.StatusUnauthorized, AuthError{Error: "access_denied", Description: "bad user"})`
			`}`

gofmt 2022-11-12 17:42:51 -05:00			`if err := user.allowedToAuth(); err != nil {`
WIP: binding issues 2022-11-11 18:02:52 -05:00			`return c.JSON(http.StatusUnauthorized, AuthError{Error: "access_denied", Description: err.Error()})`
			`}`
			`return c.String(http.StatusOK, "token good I guess")`
			`}`
			`case GTRefreshToken:`
			`return c.String(http.StatusNotImplemented, "not implemented")`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`}`

			`return c.String(http.StatusUnauthorized, "token bad I guess")`
			`}`