wip: auth still broken

2022-12-20 19:31:46 -05:00 · 2022-12-20 19:31:46 -05:00 · f119f7086f
commit f119f7086f
parent 95d72d2912
4 changed files with 44 additions and 5 deletions
--- a/pkg/auth/session.go
+++ b/pkg/auth/session.go
@ -276,10 +276,26 @@ func (r *RefreshToken) AccessToken(req *http.Request) (string, error) {
 }

 func (a *authenticator) ValidateAccessToken(token AccessToken) *RefreshToken {
-	panic("not implemented")
+	claims := &jwt.StandardClaims{}
+	tok, err := jwt.ParseWithClaims(string(token), claims, func(jt *jwt.Token) (interface{}, error) {
+		iss := jt.Claims.(*jwt.StandardClaims).Issuer
+		rt := a.store.GetRefreshToken(RefreshTokenID(iss))
+		if rt == nil {
+			return nil, fmt.Errorf("bad token")
+		}
+
+		return rt.JWTKey, nil
+	})
+
+	if err != nil {
 		return nil
 	}

+	
+	iss := tok.Claims.(*jwt.StandardClaims).Issuer
+	return a.store.GetRefreshToken(RefreshTokenID(iss))
+}
+
 func (a *authenticator) verifyAndGetCredential(tr *TokenRequest) *Credentials {
 	cred, success := a.authCodes.get(tr)
 	if !success {
--- a/pkg/auth/store.go
+++ b/pkg/auth/store.go
@ -21,6 +21,7 @@ type AuthStore interface {
 	GetCredential(provider.ProviderUser) *Credentials
 	PutRefreshToken(*RefreshToken) (*RefreshToken, error)
 	GetRefreshTokenByToken(token RefreshTokenToken) *RefreshToken
+	GetRefreshToken(RefreshTokenID) *RefreshToken
 }

 type authStore struct {
@ -94,6 +95,22 @@ func (as *authStore) GetRefreshTokenByToken(token RefreshTokenToken) *RefreshTok
 	return found
 }

+func (as *authStore) GetRefreshToken(tid RefreshTokenID) *RefreshToken {
+	var found *RefreshToken
+
+	for _, u := range as.Users {
+		for _, rt := range u.RefreshTokens {
+			if subtle.ConstantTimeCompare([]byte(tid), []byte(rt.ID)) == 1 {
+				found = rt
+				found.User = u
+			}
+		}
+
+	}
+
+	return found
+}
+
 func (as *authStore) newCredential(p provider.ProviderUser) *Credentials {
 	// XXX: probably broken
 	prov := p.Provider()
--- a/pkg/server/websocket.go
+++ b/pkg/server/websocket.go
@ -21,7 +21,7 @@ func (s *Server) wsHandler(c echo.Context) error {

 	defer conn.Close()

-	log.Debug().Str("remote", c.Request().RemoteAddr).Msg("WS")
+	_ = log.Debug

 	return wsapi.NewSession(s, c, conn).Go()
 }
--- a/pkg/wsapi/auth.go
+++ b/pkg/wsapi/auth.go
@ -47,8 +47,14 @@ func (ap *authPhase) sendAuthOK() error {
 	}{Type: "auth_ok", Version: ap.Blas().Version()})
 }

+func (ap *authPhase) sendAuthInvalid() error {
+	return ap.WriteJSON(struct {
+		Type    string `json:"type"`
+		Message string `json:"message"`
+	}{Type: "auth_ok", Message: "invalid auth"})
+}
+
 func (ap *authPhase) handleMsg(r io.Reader) error {
-	log.Debug().Interface("ap", ap).Msg("auth handlemsg")
 	var authMsg authMsg
 	err := json.NewDecoder(r).Decode(&authMsg)
 	if err != nil {
@ -63,5 +69,5 @@ func (ap *authPhase) handleMsg(r io.Reader) error {

 	log.Error().Str("remote", ap.ec.Request().RemoteAddr).Msg("websocket auth failed")

-	return auth.ErrInvalidAuth
+	return ap.sendAuthInvalid()
 }