blasphem/pkg/auth/flow.go

package auth

import (
	"fmt"
	"net/http"
	"strings"

	"github.com/jinzhu/copier"
	"github.com/labstack/echo/v4"

	"dynatron.me/x/blasphem/internal/common"
	"dynatron.me/x/blasphem/pkg/auth/provider"
	"dynatron.me/x/blasphem/pkg/flow"
)

type AuthFlowManager struct {
	*flow.FlowManager
}

type LoginFlow struct {
	flow.FlowHandler

	prov provider.AuthProvider
	ClientID common.ClientID
	FlowContext
}

type FlowContext struct {
	IPAddr         string
	CredentialOnly bool
	RedirectURI    string
}

type LoginFlowRequest struct {
	ClientID    common.ClientID `json:"client_id"`
	Handler     []*string       `json:"handler"`
	RedirectURI string          `json:"redirect_uri"`
	Type        *string         `json:"type"`

	ip string `json:"-"`
}

func (r *LoginFlowRequest) FlowContext() FlowContext {
	return FlowContext{
		IPAddr:         r.ip,
		RedirectURI:    r.RedirectURI,
		CredentialOnly: r.Type != nil && *r.Type == "link_user",
	}
}

func NewAuthFlowManager() *AuthFlowManager {
	return &AuthFlowManager{FlowManager: flow.NewFlowManager()}
}

func (afm *AuthFlowManager) NewLoginFlow(req *LoginFlowRequest, prov provider.AuthProvider) *LoginFlow {
	lf := &LoginFlow{
		FlowHandler: flow.NewFlowHandlerBase(prov.ProviderType()),
		ClientID:    req.ClientID,
		FlowContext: req.FlowContext(),
		prov: prov,
	}

	afm.Register(lf)

	return lf
}

func (a *authenticator) NewFlow(r *LoginFlowRequest) *flow.Result {
	var prov provider.AuthProvider

	for _, h := range r.Handler {
		if h == nil {
			break
		}

		prov = a.Provider(*h)
		if prov != nil {
			break
		}
	}

	if prov == nil {
		return nil
	}

	lf := a.flows.NewLoginFlow(r, prov)

	return lf.ShowForm(lf.WithSchema(prov), lf.WithStep(flow.StepInit))
}

func (f *LoginFlow) redirect(c echo.Context) {
	c.Request().Header.Set("Location", f.RedirectURI)
}

func (f *LoginFlow) progress(a *authenticator, c echo.Context) error {
	switch f.Step() {
	case flow.StepInit:
		rm := make(map[string]interface{})

		err := c.Bind(&rm)
		if err != nil {
			return c.String(http.StatusBadRequest, err.Error())
		}

		err = f.prov.FlowSchema().CheckRequired(rm)
		if err != nil {
			return c.JSON(http.StatusBadRequest, f.ShowForm(f.WithErrors([]string{err.Error()})))
		}

		user, clientID, err := a.Check(f, c.Request(), rm)
		switch err {
		case nil:
			creds := a.store.GetCredential(user)
			if creds == nil {
				return fmt.Errorf("flow progress: no such credential for %v", user.UserData())
			}

			finishedFlow := flow.Result{}
			a.flows.Remove(f)
			copier.Copy(&finishedFlow, f)
			finishedFlow.Type = flow.TypeCreateEntry
			finishedFlow.Title = common.AppNamePtr()
			finishedFlow.Version = common.IntPtr(1)
			finishedFlow.Result = a.NewAuthCode(ClientID(clientID), creds)

			f.redirect(c)

			return c.JSON(http.StatusCreated, &finishedFlow)
		case ErrInvalidHandler:
			return c.String(http.StatusNotFound, err.Error())
		case ErrInvalidAuth:
			fallthrough
		default:
			return c.JSON(http.StatusOK, f.ShowForm(f.WithErrors(map[string]interface{}{
				"base": "invalid_auth",
			})))
		}
	default:
		return c.JSON(http.StatusOK, f.ShowForm(f.WithErrors(map[string]interface{}{
			"base": "unknown_flow_step",
		})))

	}
}

func (a *authenticator) LoginFlowDeleteHandler(c echo.Context) error {
	a.Lock()
	defer a.Unlock()

	flowID := flow.FlowID(c.Param("flow_id"))

	if flowID == "" {
		return c.String(http.StatusBadRequest, "empty flow ID")
	}

	a.flows.Delete(flowID)

	return c.String(http.StatusOK, "deleted")
}

func setJSON(c echo.Context) {
	if c.Request().Method == http.MethodPost && strings.HasPrefix(c.Request().Header.Get(echo.HeaderContentType), "text/plain") {
		// hack around the content-type, Context.JSON refuses to work otherwise
		c.Request().Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
	}
}

func (a *authenticator) BeginLoginFlowHandler(c echo.Context) error {
	a.Lock()
	defer a.Unlock()

	setJSON(c)

	var flowReq LoginFlowRequest
	err := c.Bind(&flowReq)
	if err != nil {
		return c.String(http.StatusBadRequest, err.Error())
	}

	flowReq.ip = c.Request().RemoteAddr

	resp := a.NewFlow(&flowReq)

	if resp == nil {
		return c.String(http.StatusBadRequest, "no such handler")
	}

	return c.JSON(http.StatusOK, resp)
}

func (a *authenticator) LoginFlowHandler(c echo.Context) error {
	a.Lock()
	defer a.Unlock()

	setJSON(c)

	flowID := c.Param("flow_id")

	flow := a.flows.Get(flow.FlowID(flowID))
	if flow == nil {
		return c.String(http.StatusNotFound, "no such flow")
	}

	return flow.(*LoginFlow).progress(a, c)
}
WIP auth flow 2022-09-30 23:54:21 -04:00			`package auth`

			`import (`
Improve flows in preparation for MFA 2022-12-27 15:09:20 -05:00			`"fmt"`
WIP auth flow 2022-09-30 23:54:21 -04:00			`"net/http"`
			`"strings"`

Login flow success 2022-10-26 18:27:24 -04:00			`"github.com/jinzhu/copier"`
WIP auth flow 2022-09-30 23:54:21 -04:00			`"github.com/labstack/echo/v4"`
Login flow success 2022-10-26 18:27:24 -04:00
			`"dynatron.me/x/blasphem/internal/common"`
WIP: providers and user storage 2022-11-12 15:56:17 -05:00			`"dynatron.me/x/blasphem/pkg/auth/provider"`
Flow split begin 2022-11-20 08:49:24 -05:00			`"dynatron.me/x/blasphem/pkg/flow"`
WIP auth flow 2022-09-30 23:54:21 -04:00			`)`

Flow split begin 2022-11-20 08:49:24 -05:00			`type AuthFlowManager struct {`
			`*flow.FlowManager`
WIP auth flow 2022-09-30 23:54:21 -04:00			`}`

Flow split begin 2022-11-20 08:49:24 -05:00			`type LoginFlow struct {`
Some renaming 2022-11-20 13:42:10 -05:00			`flow.FlowHandler`
Some renaming 2022-11-20 12:51:26 -05:00
Improve flows in preparation for MFA 2022-12-27 15:09:20 -05:00			`prov provider.AuthProvider`
Some renaming 2022-11-20 12:51:26 -05:00			`ClientID common.ClientID`
			`FlowContext`
			`}`

			`type FlowContext struct {`
			`IPAddr string`
			`CredentialOnly bool`
			`RedirectURI string`
			`}`

			`type LoginFlowRequest struct {`
			ClientID common.ClientID `json:"client_id"`
			Handler []*string `json:"handler"`
			RedirectURI string `json:"redirect_uri"`
			Type *string `json:"type"`

			ip string `json:"-"`
			`}`

			`func (r *LoginFlowRequest) FlowContext() FlowContext {`
			`return FlowContext{`
			`IPAddr: r.ip,`
			`RedirectURI: r.RedirectURI,`
			`CredentialOnly: r.Type != nil && *r.Type == "link_user",`
			`}`
WIP auth flow 2022-09-30 23:54:21 -04:00			`}`

Flow split begin 2022-11-20 08:49:24 -05:00			`func NewAuthFlowManager() *AuthFlowManager {`
			`return &AuthFlowManager{FlowManager: flow.NewFlowManager()}`
Improve routing 2022-10-25 21:18:50 -04:00			`}`

Some renaming 2022-11-20 12:51:26 -05:00			`func (afm AuthFlowManager) NewLoginFlow(req LoginFlowRequest, prov provider.AuthProvider) *LoginFlow {`
Flow split begin 2022-11-20 08:49:24 -05:00			`lf := &LoginFlow{`
Improve flows in preparation for MFA 2022-12-27 15:09:20 -05:00			`FlowHandler: flow.NewFlowHandlerBase(prov.ProviderType()),`
Some renaming 2022-11-20 13:42:10 -05:00			`ClientID: req.ClientID,`
			`FlowContext: req.FlowContext(),`
Improve flows in preparation for MFA 2022-12-27 15:09:20 -05:00			`prov: prov,`
WIP auth flow 2022-09-30 23:54:21 -04:00			`}`

Flow split begin 2022-11-20 08:49:24 -05:00			`afm.Register(lf)`
WIP auth flow 2022-09-30 23:54:21 -04:00
Flow split begin 2022-11-20 08:49:24 -05:00			`return lf`
WIP auth flow 2022-09-30 23:54:21 -04:00			`}`

WIP: websocket 2022-12-19 19:24:01 -05:00			`func (a authenticator) NewFlow(r LoginFlowRequest) *flow.Result {`
Flow split begin 2022-11-20 08:49:24 -05:00			`var prov provider.AuthProvider`
WIP: Login "works" 2022-10-25 00:16:29 -04:00
			`for _, h := range r.Handler {`
			`if h == nil {`
			`break`
			`}`

Some renaming 2022-11-20 12:51:26 -05:00			`prov = a.Provider(*h)`
Flow split begin 2022-11-20 08:49:24 -05:00			`if prov != nil {`
WIP: Login "works" 2022-10-25 00:16:29 -04:00			`break`
			`}`
			`}`

Flow split begin 2022-11-20 08:49:24 -05:00			`if prov == nil {`
WIP: Login "works" 2022-10-25 00:16:29 -04:00			`return nil`
			`}`

Improve flows in preparation for MFA 2022-12-27 15:09:20 -05:00			`lf := a.flows.NewLoginFlow(r, prov)`
WIP auth flow 2022-09-30 23:54:21 -04:00
Improve flows in preparation for MFA 2022-12-27 15:09:20 -05:00			`return lf.ShowForm(lf.WithSchema(prov), lf.WithStep(flow.StepInit))`
WIP auth flow 2022-09-30 23:54:21 -04:00			`}`

Flow split begin 2022-11-20 08:49:24 -05:00			`func (f *LoginFlow) redirect(c echo.Context) {`
			`c.Request().Header.Set("Location", f.RedirectURI)`
Login flow success 2022-10-26 18:27:24 -04:00			`}`

WIP: websocket 2022-12-19 19:24:01 -05:00			`func (f LoginFlow) progress(a authenticator, c echo.Context) error {`
Flow split begin 2022-11-20 08:49:24 -05:00			`switch f.Step() {`
			`case flow.StepInit:`
WIP: Login "works" 2022-10-25 00:16:29 -04:00			`rm := make(map[string]interface{})`
WIP auth flow 2022-09-30 23:54:21 -04:00
			`err := c.Bind(&rm)`
			`if err != nil {`
			`return c.String(http.StatusBadRequest, err.Error())`
			`}`

Improve flows in preparation for MFA 2022-12-27 15:09:20 -05:00			`err = f.prov.FlowSchema().CheckRequired(rm)`
Flow split begin 2022-11-20 08:49:24 -05:00			`if err != nil {`
Improve flows in preparation for MFA 2022-12-27 15:09:20 -05:00			`return c.JSON(http.StatusBadRequest, f.ShowForm(f.WithErrors([]string{err.Error()})))`
WIP auth flow 2022-09-30 23:54:21 -04:00			`}`
Flow split begin 2022-11-20 08:49:24 -05:00
pre-model 2022-12-18 09:55:08 -05:00			`user, clientID, err := a.Check(f, c.Request(), rm)`
WIP: Login "works" 2022-10-25 00:16:29 -04:00			`switch err {`
			`case nil:`
JWT working 2022-12-19 02:42:01 -05:00			`creds := a.store.GetCredential(user)`
Improve flows in preparation for MFA 2022-12-27 15:09:20 -05:00			`if creds == nil {`
			`return fmt.Errorf("flow progress: no such credential for %v", user.UserData())`
			`}`

Some renaming 2022-11-20 12:51:26 -05:00			`finishedFlow := flow.Result{}`
Unexport 2022-10-27 09:51:11 -04:00			`a.flows.Remove(f)`
Login flow success 2022-10-26 18:27:24 -04:00			`copier.Copy(&finishedFlow, f)`
Flow split begin 2022-11-20 08:49:24 -05:00			`finishedFlow.Type = flow.TypeCreateEntry`
			`finishedFlow.Title = common.AppNamePtr()`
			`finishedFlow.Version = common.IntPtr(1)`
pre-model 2022-12-18 09:55:08 -05:00			`finishedFlow.Result = a.NewAuthCode(ClientID(clientID), creds)`
Login flow success 2022-10-26 18:27:24 -04:00
			`f.redirect(c)`

			`return c.JSON(http.StatusCreated, &finishedFlow)`
WIP: Login "works" 2022-10-25 00:16:29 -04:00			`case ErrInvalidHandler:`
			`return c.String(http.StatusNotFound, err.Error())`
			`case ErrInvalidAuth:`
			`fallthrough`
			`default:`
Improve flows in preparation for MFA 2022-12-27 15:09:20 -05:00			`return c.JSON(http.StatusOK, f.ShowForm(f.WithErrors(map[string]interface{}{`
WIP: Login "works" 2022-10-25 00:16:29 -04:00			`"base": "invalid_auth",`
Improve flows in preparation for MFA 2022-12-27 15:09:20 -05:00			`})))`
WIP: Login "works" 2022-10-25 00:16:29 -04:00			`}`
WIP auth flow 2022-09-30 23:54:21 -04:00			`default:`
Improve flows in preparation for MFA 2022-12-27 15:09:20 -05:00			`return c.JSON(http.StatusOK, f.ShowForm(f.WithErrors(map[string]interface{}{`
Some renaming 2022-11-20 12:51:26 -05:00			`"base": "unknown_flow_step",`
Improve flows in preparation for MFA 2022-12-27 15:09:20 -05:00			`})))`
Some renaming 2022-11-20 12:51:26 -05:00
WIP auth flow 2022-09-30 23:54:21 -04:00			`}`
			`}`

WIP: websocket 2022-12-19 19:24:01 -05:00			`func (a *authenticator) LoginFlowDeleteHandler(c echo.Context) error {`
refresh token 2022-12-19 13:09:01 -05:00			`a.Lock()`
			`defer a.Unlock()`

Flow split begin 2022-11-20 08:49:24 -05:00			`flowID := flow.FlowID(c.Param("flow_id"))`
WIP 2022-10-02 08:52:48 -04:00
			`if flowID == "" {`
			`return c.String(http.StatusBadRequest, "empty flow ID")`
			`}`

Flow split begin 2022-11-20 08:49:24 -05:00			`a.flows.Delete(flowID)`
WIP 2022-10-02 08:52:48 -04:00
			`return c.String(http.StatusOK, "deleted")`
			`}`

Improve routing 2022-10-25 21:18:50 -04:00			`func setJSON(c echo.Context) {`
WIP auth flow 2022-09-30 23:54:21 -04:00			`if c.Request().Method == http.MethodPost && strings.HasPrefix(c.Request().Header.Get(echo.HeaderContentType), "text/plain") {`
			`// hack around the content-type, Context.JSON refuses to work otherwise`
WIP: Login "works" 2022-10-25 00:16:29 -04:00			`c.Request().Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)`
WIP auth flow 2022-09-30 23:54:21 -04:00			`}`
Improve routing 2022-10-25 21:18:50 -04:00			`}`
WIP auth flow 2022-09-30 23:54:21 -04:00
WIP: websocket 2022-12-19 19:24:01 -05:00			`func (a *authenticator) BeginLoginFlowHandler(c echo.Context) error {`
refresh token 2022-12-19 13:09:01 -05:00			`a.Lock()`
			`defer a.Unlock()`

Improve routing 2022-10-25 21:18:50 -04:00			`setJSON(c)`
WIP auth flow 2022-09-30 23:54:21 -04:00
Some renaming 2022-11-20 12:51:26 -05:00			`var flowReq LoginFlowRequest`
Improve routing 2022-10-25 21:18:50 -04:00			`err := c.Bind(&flowReq)`
			`if err != nil {`
			`return c.String(http.StatusBadRequest, err.Error())`
			`}`
WIP auth flow 2022-09-30 23:54:21 -04:00
Some renaming 2022-11-20 12:51:26 -05:00			`flowReq.ip = c.Request().RemoteAddr`

Improve routing 2022-10-25 21:18:50 -04:00			`resp := a.NewFlow(&flowReq)`
WIP auth flow 2022-09-30 23:54:21 -04:00
Improve routing 2022-10-25 21:18:50 -04:00			`if resp == nil {`
			`return c.String(http.StatusBadRequest, "no such handler")`
			`}`
WIP: Login "works" 2022-10-25 00:16:29 -04:00
Improve routing 2022-10-25 21:18:50 -04:00			`return c.JSON(http.StatusOK, resp)`
			`}`

WIP: websocket 2022-12-19 19:24:01 -05:00			`func (a *authenticator) LoginFlowHandler(c echo.Context) error {`
refresh token 2022-12-19 13:09:01 -05:00			`a.Lock()`
			`defer a.Unlock()`

Improve routing 2022-10-25 21:18:50 -04:00			`setJSON(c)`

			`flowID := c.Param("flow_id")`
WIP auth flow 2022-09-30 23:54:21 -04:00
Flow split begin 2022-11-20 08:49:24 -05:00			`flow := a.flows.Get(flow.FlowID(flowID))`
Improve routing 2022-10-25 21:18:50 -04:00			`if flow == nil {`
			`return c.String(http.StatusNotFound, "no such flow")`
WIP auth flow 2022-09-30 23:54:21 -04:00			`}`
Improve routing 2022-10-25 21:18:50 -04:00
Flow split begin 2022-11-20 08:49:24 -05:00			`return flow.(*LoginFlow).progress(a, c)`
Improve routing 2022-10-25 21:18:50 -04:00			`}`