package auth import ( "encoding/json" "net/http" "time" "github.com/labstack/echo/v4" "dynatron.me/x/blasphem/pkg/auth/provider" ) type SessionStore struct { s map[TokenID]*Token lastCull time.Time } type TokenID string func (t *TokenID) IsValid() bool { // TODO: more validation than this return *t != "" } type Token struct { // TODO: jwt bro ID TokenID Ctime time.Time Expires time.Time Addr string user provider.ProviderUser `json:"-"` } func (ss *SessionStore) init() { ss.s = make(map[TokenID]*Token) } const cullInterval = 5 * time.Minute func (ss *SessionStore) cull() { if now := time.Now(); now.Sub(ss.lastCull) > cullInterval { for k, v := range ss.s { if now.After(v.Expires) { delete(ss.s, k) } } } } func (ss *SessionStore) register(t *Token) { ss.cull() ss.s[t.ID] = t } func (ss *SessionStore) verify(tr *TokenRequest, r *http.Request) (provider.ProviderUser, bool) { if t, hasToken := ss.s[tr.Code]; hasToken { // TODO: JWT if t.Expires.After(time.Now()) { return t.user, true } else { delete(ss.s, t.ID) } } return nil, false } type Credential struct { ID CredID `json:"id"` UserID UserID `json:"user_id"` AuthProviderType string `json:"auth_provider_type"` AuthProviderID *string `json:"auth_provider_id"` DataRaw json.RawMessage `json:"data,omitempty"` user provider.ProviderUser } func (cred *Credential) MarshalJSON() ([]byte, error) { rm := map[string]interface{}{ "id": cred.ID, "user_id": cred.UserID, "auth_provider_type": cred.user.ProviderType(), "auth_provider_id": cred.user.ProviderID(), } providerData := cred.user.ProviderUserData() if providerData != nil { rm["data"] = providerData } return json.Marshal(rm) } func (ss *SessionStore) verifyAndGetCredential(tr *TokenRequest, r *http.Request) *Credential { user, success := ss.verify(tr, r) if !success { return nil } return &Credential{user: user} } const defaultExpiration = 2 * time.Hour func (a *Authenticator) NewToken(r *http.Request, user provider.ProviderUser, f *Flow) TokenID { id := TokenID(genUUID()) now := time.Now() t := &Token{ ID: id, Ctime: now, Expires: now.Add(defaultExpiration), Addr: r.RemoteAddr, user: user, } a.sessions.register(t) return id } type GrantType string const ( GTAuthorizationCode GrantType = "authorization_code" GTRefreshToken GrantType = "refresh_token" ) type ClientID string func (c *ClientID) IsValid() bool { // TODO: || !indieauth.VerifyClientID(rq.ClientID)? return *c != "" } type TokenRequest struct { ClientID ClientID `form:"client_id"` Code TokenID `form:"code"` GrantType GrantType `form:"grant_type"` } func (a *Authenticator) TokenHandler(c echo.Context) error { rq := new(TokenRequest) err := c.Bind(rq) if err != nil { return err } switch rq.GrantType { case GTAuthorizationCode: if !rq.ClientID.IsValid() { return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid client ID"}) } if !rq.Code.IsValid() { return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid code"}) } if cred := a.sessions.verifyAndGetCredential(rq, c.Request()); cred != nil { // TODO: success user, err := a.getOrCreateUser(cred) if err != nil { return c.JSON(http.StatusUnauthorized, AuthError{Error: "access_denied", Description: err.Error()}) } if err := user.allowedToAuth(); err != nil { return c.JSON(http.StatusUnauthorized, AuthError{Error: "access_denied", Description: err.Error()}) } return c.String(http.StatusOK, "token good I guess") } case GTRefreshToken: return c.String(http.StatusNotImplemented, "not implemented") } return c.String(http.StatusUnauthorized, "token bad I guess") }