From f119f7086fc1230a7b21553236a4af7c82bf70a3 Mon Sep 17 00:00:00 2001
From: Daniel Ponte
Date: Tue, 20 Dec 2022 19:31:46 -0500
Subject: [PATCH] wip: auth still broken

---
 pkg/auth/session.go | 20 ++++++++++++++++++--
 pkg/auth/store.go | 17 +++++++++++++++++
 pkg/server/websocket.go | 2 +-
 pkg/wsapi/auth.go | 10 ++++++++--
 4 files changed, 44 insertions(+), 5 deletions(-)

diff --git a/pkg/auth/session.go b/pkg/auth/session.go
index d81e3af..b2e37e3 100644
--- a/pkg/auth/session.go
+++ b/pkg/auth/session.go
@@ -276,8 +276,24 @@ func (r *RefreshToken) AccessToken(req *http.Request) (string, error) {
 }
 
 func (a *authenticator) ValidateAccessToken(token AccessToken) *RefreshToken {
-	panic("not implemented")
-	return nil
+	claims := &jwt.StandardClaims{}
+	tok, err := jwt.ParseWithClaims(string(token), claims, func(jt *jwt.Token) (interface{}, error) {
+		iss := jt.Claims.(*jwt.StandardClaims).Issuer
+		rt := a.store.GetRefreshToken(RefreshTokenID(iss))
+		if rt == nil {
+			return nil, fmt.Errorf("bad token")
+		}
+
+		return rt.JWTKey, nil
+	})
+
+	if err != nil {
+		return nil
+	}
+
+
+	iss := tok.Claims.(*jwt.StandardClaims).Issuer
+	return a.store.GetRefreshToken(RefreshTokenID(iss))
 }
 
 func (a *authenticator) verifyAndGetCredential(tr *TokenRequest) *Credentials {
diff --git a/pkg/auth/store.go b/pkg/auth/store.go
index 86d6eb2..9777e91 100644
--- a/pkg/auth/store.go
+++ b/pkg/auth/store.go
@@ -21,6 +21,7 @@ type AuthStore interface {
 	GetCredential(provider.ProviderUser) *Credentials
 	PutRefreshToken(*RefreshToken) (*RefreshToken, error)
 	GetRefreshTokenByToken(token RefreshTokenToken) *RefreshToken
+	GetRefreshToken(RefreshTokenID) *RefreshToken
 }
 
 type authStore struct {
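Review bot: The key function passed to `jwt.ParseWithClaims` returns `rt.JWTKey` without checking `jt.Method`, so the parser will verify the token with whatever algorithm its own header names as long as the signature checks out against that key; pin it to the method `AccessToken()` signs with, e.g. `if _, ok := jt.Method.(*jwt.SigningMethodHMAC); !ok { return nil, fmt.Errorf("unexpected signing method %v", jt.Header["alg"]) }` (adjust the type if `JWTKey` is not an HMAC secret). The issuer claim is read and used for the store lookup before the signature is verified, which is acceptable for locating the key, but it means nothing else in `claims` may be trusted until `err == nil`; a short comment saying so at `iss := jt.Claims...` would stop a later edit from relying on it earlier. The refresh token is then looked up a second time after parsing even though the key function already found it; capturing that result in a local avoids a second scan of the store. The double blank line before the final `iss :=` will be collapsed by gofmt, and `fmt.Errorf("bad token")` with no verbs is just `errors.New`.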
@@ -94,6 +95,22 @@ func (as *authStore) GetRefreshTokenByToken(token RefreshTokenToken) *RefreshTok
 	return found
 }
 
+func (as *authStore) GetRefreshToken(tid RefreshTokenID) *RefreshToken {
+	var found *RefreshToken
+
+	for _, u := range as.Users {
+		for _, rt := range u.RefreshTokens {
+			if subtle.ConstantTimeCompare([]byte(tid), []byte(rt.ID)) == 1 {
+				found = rt
+				found.User = u
+			}
+		}
+
+	}
+
+	return found
+}
+
 func (as *authStore) newCredential(p provider.ProviderUser) *Credentials {
 	// XXX: probably broken
 	prov := p.Provider()
diff --git a/pkg/server/websocket.go b/pkg/server/websocket.go
index dee373a..3bb05bf 100644
--- a/pkg/server/websocket.go
+++ b/pkg/server/websocket.go
@@ -21,7 +21,7 @@ func (s *Server) wsHandler(c echo.Context) error {
 
 	defer conn.Close()
 
-	log.Debug().Str("remote", c.Request().RemoteAddr).Msg("WS")
+	_ = log.Debug
 
 	return wsapi.NewSession(s, c, conn).Go()
 }
diff --git a/pkg/wsapi/auth.go b/pkg/wsapi/auth.go
index 9695a74..4254ecd 100644
--- a/pkg/wsapi/auth.go
+++ b/pkg/wsapi/auth.go
@@ -47,8 +47,14 @@ func (ap *authPhase) sendAuthOK() error {
 	}{Type: "auth_ok", Version: ap.Blas().Version()})
 }
 
+func (ap *authPhase) sendAuthInvalid() error {
+	return ap.WriteJSON(struct {
+		Type string `json:"type"`
+		Message string `json:"message"`
+	}{Type: "auth_ok", Message: "invalid auth"})
+}
+
 func (ap *authPhase) handleMsg(r io.Reader) error {
-	log.Debug().Interface("ap", ap).Msg("auth handlemsg")
 	var authMsg authMsg
 	err := json.NewDecoder(r).Decode(&authMsg)
 	if err != nil {
@@ -63,5 +69,5 @@ func (ap *authPhase) handleMsg(r io.Reader) error {
 
 	log.Error().Str("remote", ap.ec.Request().RemoteAddr).Msg("websocket auth failed")
 
-	return auth.ErrInvalidAuth
+	return ap.sendAuthInvalid()
 }
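Review bot: `found.User = u` inside the inner loop writes into the token record held in `as.Users`, so a read-only lookup mutates the store; if `as.Users` is ever read from another goroutine (not visible here) that is a data race, and copying the record (`cp := *rt; cp.User = u; found = &cp`) keeps the store untouched. The loop also keeps scanning after a hit rather than returning, so with duplicate IDs the last one silently wins; a `return found` inside the `if` makes the intent explicit and ends the scan early. `subtle.ConstantTimeCompare` on a token ID adds nothing here — the ID already travels in the clear in the JWT's issuer claim, and the function returns 0 immediately on a length mismatch anyway — so a plain `rt.ID == tid` (or a map keyed by ID, since this scans every user per validation) reads more honestly.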
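Review bot: `_ = log.Debug` exists only to keep the `log` import compiling now that the debug line is gone, and it reads as an accident to the next reader. If nothing else in the file uses `log`, drop the import instead of the reference; if the intent is to restore the connection log later, a `// TODO` saying so beats a blank assignment. wsHandler begins before this hunk.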
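Review bot: `sendAuthInvalid` sends `Type: "auth_ok"`, so a client whose credentials were rejected receives the same message type as a successful login with only a `message` field to tell them apart; a client that dispatches on `type` will proceed as if authenticated. Give the rejection its own type, e.g. `}{Type: "auth_invalid", Message: "invalid auth"})` (matching whatever the client protocol defines), and consider a shared named struct for the two replies so the literal cannot drift again.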
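Review bot: Replacing `return auth.ErrInvalidAuth` with `return ap.sendAuthInvalid()` makes handleMsg return nil whenever the rejection message is written successfully, so the caller (outside this hunk) can no longer tell a failed authentication from a successful one; if it advances the session on a nil error, an unauthenticated client gets through. Send the message and still return the sentinel, so only a write failure changes the error the caller sees. handleMsg begins before this hunk.
```go
	log.Error().Str("remote", ap.ec.Request().RemoteAddr).Msg("websocket auth failed")

	if err := ap.sendAuthInvalid(); err != nil {
		return err
	}
	return auth.ErrInvalidAuth
```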