blasphem/pkg/auth/session.go

package auth

import (
	"errors"
	"net/http"
	"time"

	"github.com/labstack/echo/v4"
)

type SessionStore struct {
	s        map[TokenID]*Token
	lastCull time.Time
}

type TokenID string

func (t *TokenID) IsValid() bool {
	// TODO: more validation than this
	return *t != ""
}

type Token struct { // TODO: jwt bro
	ID      TokenID
	Ctime   time.Time
	Expires time.Time
	Addr    string

	user ProviderUser `json:"-"`
}

func (ss *SessionStore) init() {
	ss.s = make(map[TokenID]*Token)
}

const cullInterval = 5 * time.Minute

func (ss *SessionStore) cull() {
	if now := time.Now(); now.Sub(ss.lastCull) > cullInterval {
		for k, v := range ss.s {
			if now.After(v.Expires) {
				delete(ss.s, k)
			}
		}
	}
}

func (ss *SessionStore) register(t *Token) {
	ss.cull()
	ss.s[t.ID] = t
}

func (ss *SessionStore) verify(tr *TokenRequest, r *http.Request) (ProviderUser, bool) {
	if t, hasToken := ss.s[tr.Code]; hasToken {
		// TODO: JWT
		if t.Expires.After(time.Now()) {
			return t.user, true
		} else {
			delete(ss.s, t.ID)
		}
	}

	return nil, false
}

type Credential struct {
	user ProviderUser
}

func (ss *SessionStore) verifyAndGetCredential(tr *TokenRequest, r *http.Request) *Credential {
	user, success := ss.verify(tr, r)
	if !success {
		return nil
	}

	return &Credential{user: user}
}

type User struct {
	Username string
	Active bool
}

func (u *User) allowedToAuth() error {
	if !u.Active {
		return errors.New("user disabled")
	}

	return nil
}

func (a *Authenticator) getOrCreateUser(c *Credential) (*User, error) {
	panic("not implemented")
	return &User{}, nil
}

const defaultExpiration = 2 * time.Hour

func (a *Authenticator) NewToken(r *http.Request, user ProviderUser, f *Flow) TokenID {
	id := TokenID(genUUID())

	t := &Token{
		ID:      id,
		Ctime:   time.Now(),
		Expires: time.Now().Add(defaultExpiration),
		Addr:    r.RemoteAddr,

		user: user,
	}

	a.sessions.register(t)

	return id
}

type GrantType string

const (
	GTAuthorizationCode GrantType = "authorization_code"
	GTRefreshToken GrantType = "refresh_token"
)

type ClientID string

func (c *ClientID) IsValid() bool {
	// TODO: || !indieauth.VerifyClientID(rq.ClientID)?
	return *c != ""
}

type TokenRequest struct {
	ClientID  ClientID  `query:"client_id"`
	Code      TokenID `query:"code"`
	GrantType GrantType  `query:"grant_type"`
}

func (a *Authenticator) TokenHandler(c echo.Context) error {
	rq := new(TokenRequest)
	err := c.Bind(rq)
	if err != nil {
		return err
	}

	if *rq == (TokenRequest{}) {
		panic("it didn't bind")
	}

	switch rq.GrantType {
	case GTAuthorizationCode:
		if !rq.ClientID.IsValid() {
			return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid client ID"})
		}

		if !rq.Code.IsValid() {
			return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid code"})
		}

		if cred := a.sessions.verifyAndGetCredential(rq, c.Request()); cred != nil {
			// TODO: success
			user, err := a.getOrCreateUser(cred)
			if err != nil {
				return c.JSON(http.StatusUnauthorized, AuthError{Error: "access_denied", Description: "bad user"})
			}

			if err := user.allowedToAuth(); err != nil  {
				return c.JSON(http.StatusUnauthorized, AuthError{Error: "access_denied", Description: err.Error()})
			}
			return c.String(http.StatusOK, "token good I guess")
		}
	case GTRefreshToken:
		return c.String(http.StatusNotImplemented, "not implemented")
	}

	return c.String(http.StatusUnauthorized, "token bad I guess")
}
Sessions 2022-10-26 19:13:50 -04:00			`package auth`

			`import (`
WIP: binding issues 2022-11-11 18:02:52 -05:00			`"errors"`
Sessions 2022-10-26 19:13:50 -04:00			`"net/http"`
			`"time"`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00
			`"github.com/labstack/echo/v4"`
Sessions 2022-10-26 19:13:50 -04:00			`)`

			`type SessionStore struct {`
			`s map[TokenID]*Token`
			`lastCull time.Time`
			`}`

			`type TokenID string`

WIP: binding issues 2022-11-11 18:02:52 -05:00			`func (t *TokenID) IsValid() bool {`
			`// TODO: more validation than this`
			`return *t != ""`
			`}`

Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`type Token struct { // TODO: jwt bro`
Sessions 2022-10-26 19:13:50 -04:00			`ID TokenID`
			`Ctime time.Time`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`Expires time.Time`
Sessions 2022-10-26 19:13:50 -04:00			`Addr string`
WIP: binding issues 2022-11-11 18:02:52 -05:00
			user ProviderUser `json:"-"`
Sessions 2022-10-26 19:13:50 -04:00			`}`

			`func (ss *SessionStore) init() {`
			`ss.s = make(map[TokenID]*Token)`
			`}`

			`const cullInterval = 5 * time.Minute`

			`func (ss *SessionStore) cull() {`
			`if now := time.Now(); now.Sub(ss.lastCull) > cullInterval {`
			`for k, v := range ss.s {`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`if now.After(v.Expires) {`
Sessions 2022-10-26 19:13:50 -04:00			`delete(ss.s, k)`
			`}`
			`}`
			`}`
			`}`

			`func (ss SessionStore) register(t Token) {`
			`ss.cull()`
			`ss.s[t.ID] = t`
			`}`

WIP: binding issues 2022-11-11 18:02:52 -05:00			`func (ss SessionStore) verify(tr TokenRequest, r *http.Request) (ProviderUser, bool) {`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`if t, hasToken := ss.s[tr.Code]; hasToken {`
			`// TODO: JWT`
			`if t.Expires.After(time.Now()) {`
WIP: binding issues 2022-11-11 18:02:52 -05:00			`return t.user, true`
			`} else {`
			`delete(ss.s, t.ID)`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`}`
			`}`

WIP: binding issues 2022-11-11 18:02:52 -05:00			`return nil, false`
			`}`

			`type Credential struct {`
			`user ProviderUser`
			`}`

			`func (ss SessionStore) verifyAndGetCredential(tr TokenRequest, r http.Request) Credential {`
			`user, success := ss.verify(tr, r)`
			`if !success {`
			`return nil`
			`}`

			`return &Credential{user: user}`
			`}`

			`type User struct {`
			`Username string`
			`Active bool`
			`}`

			`func (u *User) allowedToAuth() error {`
			`if !u.Active {`
			`return errors.New("user disabled")`
			`}`

			`return nil`
			`}`

			`func (a Authenticator) getOrCreateUser(c Credential) (*User, error) {`
			`panic("not implemented")`
			`return &User{}, nil`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`}`

			`const defaultExpiration = 2 * time.Hour`

WIP: binding issues 2022-11-11 18:02:52 -05:00			`func (a Authenticator) NewToken(r http.Request, user ProviderUser, f *Flow) TokenID {`
Sessions 2022-10-26 19:13:50 -04:00			`id := TokenID(genUUID())`

			`t := &Token{`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`ID: id,`
			`Ctime: time.Now(),`
			`Expires: time.Now().Add(defaultExpiration),`
			`Addr: r.RemoteAddr,`
WIP: binding issues 2022-11-11 18:02:52 -05:00
			`user: user,`
Sessions 2022-10-26 19:13:50 -04:00			`}`

Unexport 2022-10-27 09:51:11 -04:00			`a.sessions.register(t)`
Sessions 2022-10-26 19:13:50 -04:00
			`return id`
			`}`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00
WIP: binding issues 2022-11-11 18:02:52 -05:00			`type GrantType string`

			`const (`
			`GTAuthorizationCode GrantType = "authorization_code"`
			`GTRefreshToken GrantType = "refresh_token"`
			`)`

			`type ClientID string`

			`func (c *ClientID) IsValid() bool {`
			`// TODO: \|\| !indieauth.VerifyClientID(rq.ClientID)?`
			`return *c != ""`
			`}`

Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`type TokenRequest struct {`
WIP: binding issues 2022-11-11 18:02:52 -05:00			ClientID ClientID `query:"client_id"`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			Code TokenID `query:"code"`
WIP: binding issues 2022-11-11 18:02:52 -05:00			GrantType GrantType `query:"grant_type"`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`}`

			`func (a *Authenticator) TokenHandler(c echo.Context) error {`
WIP: binding issues 2022-11-11 18:02:52 -05:00			`rq := new(TokenRequest)`
			`err := c.Bind(rq)`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`if err != nil {`
			`return err`
			`}`

WIP: binding issues 2022-11-11 18:02:52 -05:00			`if *rq == (TokenRequest{}) {`
			`panic("it didn't bind")`
			`}`

			`switch rq.GrantType {`
			`case GTAuthorizationCode:`
			`if !rq.ClientID.IsValid() {`
			`return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid client ID"})`
			`}`

			`if !rq.Code.IsValid() {`
			`return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid code"})`
			`}`

			`if cred := a.sessions.verifyAndGetCredential(rq, c.Request()); cred != nil {`
			`// TODO: success`
			`user, err := a.getOrCreateUser(cred)`
			`if err != nil {`
			`return c.JSON(http.StatusUnauthorized, AuthError{Error: "access_denied", Description: "bad user"})`
			`}`

			`if err := user.allowedToAuth(); err != nil {`
			`return c.JSON(http.StatusUnauthorized, AuthError{Error: "access_denied", Description: err.Error()})`
			`}`
			`return c.String(http.StatusOK, "token good I guess")`
			`}`
			`case GTRefreshToken:`
			`return c.String(http.StatusNotImplemented, "not implemented")`
Sess validate, needs replaced 2022-10-26 19:43:51 -04:00			`}`

			`return c.String(http.StatusUnauthorized, "token bad I guess")`
			`}`