wip: auth still broken

This commit is contained in:
Daniel Ponte 2022-12-20 19:31:46 -05:00
parent 95d72d2912
commit f119f7086f
4 changed files with 44 additions and 5 deletions


@ -276,10 +276,26 @@ func (r *RefreshToken) AccessToken(req *http.Request) (string, error) {
} }
func (a *authenticator) ValidateAccessToken(token AccessToken) *RefreshToken { func (a *authenticator) ValidateAccessToken(token AccessToken) *RefreshToken {
panic("not implemented") claims := &jwt.StandardClaims{}
tok, err := jwt.ParseWithClaims(string(token), claims, func(jt *jwt.Token) (interface{}, error) {
iss := jt.Claims.(*jwt.StandardClaims).Issuer
rt := a.store.GetRefreshToken(RefreshTokenID(iss))
if rt == nil {
return nil, fmt.Errorf("bad token")
}
return rt.JWTKey, nil
})
if err != nil {
return nil return nil
} }
iss := tok.Claims.(*jwt.StandardClaims).Issuer
return a.store.GetRefreshToken(RefreshTokenID(iss))
}
func (a *authenticator) verifyAndGetCredential(tr *TokenRequest) *Credentials { func (a *authenticator) verifyAndGetCredential(tr *TokenRequest) *Credentials {
cred, success := a.authCodes.get(tr) cred, success := a.authCodes.get(tr)
if !success { if !success {
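Review bot: The keyfunc passed to jwt.ParseWithClaims in ValidateAccessToken picks the verification key from the token's own `iss` claim but never inspects `jt.Method`, so the token decides which algorithm the library verifies it with; if `rt.JWTKey` is an HMAC secret (its type is not visible here) pin the method before handing the key back: `if _, ok := jt.Method.(*jwt.SigningMethodHMAC); !ok { return nil, fmt.Errorf("unexpected signing method %v", jt.Header["alg"]) }`. The store is also queried twice for the same ID, once inside the keyfunc and again after parsing; capturing `rt` from the callback and returning it after the error check avoids the second lookup and any chance of the two lookups disagreeing. Carrying a per-token ID in `iss` is unusual (`jti` is the standard claim for that), but that is a design choice rather than a defect. verifyAndGetCredential's body continues past the end of the hunk.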


@ -21,6 +21,7 @@ type AuthStore interface {
GetCredential(provider.ProviderUser) *Credentials GetCredential(provider.ProviderUser) *Credentials
PutRefreshToken(*RefreshToken) (*RefreshToken, error) PutRefreshToken(*RefreshToken) (*RefreshToken, error)
GetRefreshTokenByToken(token RefreshTokenToken) *RefreshToken GetRefreshTokenByToken(token RefreshTokenToken) *RefreshToken
GetRefreshToken(RefreshTokenID) *RefreshToken
} }
type authStore struct { type authStore struct {
@ -94,6 +95,22 @@ func (as *authStore) GetRefreshTokenByToken(token RefreshTokenToken) *RefreshTok
return found return found
} }
func (as *authStore) GetRefreshToken(tid RefreshTokenID) *RefreshToken {
var found *RefreshToken
for _, u := range as.Users {
for _, rt := range u.RefreshTokens {
if subtle.ConstantTimeCompare([]byte(tid), []byte(rt.ID)) == 1 {
found = rt
found.User = u
}
}
}
return found
}
func (as *authStore) newCredential(p provider.ProviderUser) *Credentials { func (as *authStore) newCredential(p provider.ProviderUser) *Credentials {
// XXX: probably broken // XXX: probably broken
prov := p.Provider() prov := p.Provider()
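Review bot: GetRefreshToken in the second hunk keeps scanning after a match instead of returning, so with duplicate IDs the last token wins and every lookup walks all tokens of all users; `rt.User = u` followed by `return rt` inside the `if` gives first-match semantics and a shorter path. That assignment also writes into the stored *RefreshToken rather than a copy, which is fine if the store is only touched from one goroutine but otherwise needs whatever lock the store uses (cannot tell from here). The exported method has no doc comment; `// GetRefreshToken returns the stored refresh token with ID tid, with User set, or nil if none matches.` The interface addition in the first hunk is consistent with the existing GetRefreshTokenByToken signature.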


@ -21,7 +21,7 @@ func (s *Server) wsHandler(c echo.Context) error {
defer conn.Close() defer conn.Close()
log.Debug().Str("remote", c.Request().RemoteAddr).Msg("WS") _ = log.Debug
return wsapi.NewSession(s, c, conn).Go() return wsapi.NewSession(s, c, conn).Go()
} }
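Review bot: `_ = log.Debug` in wsHandler exists only to keep the `log` import compiling after the debug line was removed; either drop the import (goimports does that) or restore `log.Debug().Str("remote", c.Request().RemoteAddr).Msg("WS")`, which is already at debug level and records which peer opened the socket, useful when tracing the auth problems this WIP commit mentions. A blank assignment to a function value is the kind of leftover that should not reach the main branch.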


@ -47,8 +47,14 @@ func (ap *authPhase) sendAuthOK() error {
}{Type: "auth_ok", Version: ap.Blas().Version()}) }{Type: "auth_ok", Version: ap.Blas().Version()})
} }
func (ap *authPhase) sendAuthInvalid() error {
return ap.WriteJSON(struct {
Type string `json:"type"`
Message string `json:"message"`
}{Type: "auth_ok", Message: "invalid auth"})
}
func (ap *authPhase) handleMsg(r io.Reader) error { func (ap *authPhase) handleMsg(r io.Reader) error {
log.Debug().Interface("ap", ap).Msg("auth handlemsg")
var authMsg authMsg var authMsg authMsg
err := json.NewDecoder(r).Decode(&authMsg) err := json.NewDecoder(r).Decode(&authMsg)
if err != nil { if err != nil {
@ -63,5 +69,5 @@ func (ap *authPhase) handleMsg(r io.Reader) error {
log.Error().Str("remote", ap.ec.Request().RemoteAddr).Msg("websocket auth failed") log.Error().Str("remote", ap.ec.Request().RemoteAddr).Msg("websocket auth failed")
return auth.ErrInvalidAuth return ap.sendAuthInvalid()
} }
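Review bot: sendAuthInvalid writes `Type: "auth_ok"` alongside the message "invalid auth", so a client that switches on `type` will treat a rejected login as success; it needs its own type value, e.g. `Type: "auth_invalid"` (a constructed name, match whatever the client protocol defines). In the second hunk `return ap.sendAuthInvalid()` replaces `return auth.ErrInvalidAuth`, so handleMsg now returns nil whenever the rejection frame is written successfully and the caller can no longer tell that the auth phase failed; unless that is handled past the hunk, write the frame and still return the error: `if err := ap.sendAuthInvalid(); err != nil { return err }` then `return auth.ErrInvalidAuth`. The new `log.Debug().Interface("ap", ap)` line serializes the whole authPhase value; if it carries the connection or credential material (not visible here) that is more than a debug line should emit. handleMsg's body continues beyond both hunks.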