package auth import ( "encoding/json" "net/http" "time" "github.com/labstack/echo/v4" "dynatron.me/x/blasphem/internal/common" "dynatron.me/x/blasphem/internal/generate" "dynatron.me/x/blasphem/pkg/auth/provider" "github.com/rs/zerolog/log" ) type ( TokenType string RefreshTokenID string ) type RefreshToken struct { ID RefreshTokenID `json:"id"` UserID UserID `json:"user_id"` ClientID *ClientID `json:"client_id"` ClientName *string `json:"client_name"` ClientIcon *string `json:"client_icon"` TokenType TokenType `json:"token_type"` CreatedAt *common.PyTimestamp `json:"created_at"` AccessTokenExpiration json.Number `json:"access_token_expiration"` Token string `json:"token"` JWTKey string `json:"jwt_key"` LastUsedAt *common.PyTimestamp `json:"last_used_at"` LastUsedIP *string `json:"last_used_ip"` CredentialID *CredID `json:"credential_id"` Version *string `json:"version"` } func (rt *RefreshToken) IsValid() bool { return rt.JWTKey != "" } type authCodeStore struct { s map[authCodeTuple]flowResult lastCull time.Time } type authCodeTuple struct { ClientID ClientID Code AuthCode } func (t *authCodeTuple) IsValid() bool { // TODO: more validation than this return t.Code != "" } type flowResult struct { Time time.Time Cred *Credentials // TODO: remove this comment below \/ //user provider.ProviderUser `json:"-"` } // OAuth 4.2.1 spec recommends 10 minutes const authCodeExpire = 10 * time.Minute func (f *flowResult) IsValid(now time.Time) bool { if now.After(f.Time.Add(authCodeExpire)) { return false } return true } func (ss *authCodeStore) init() { ss.s = make(map[authCodeTuple]flowResult) } const cullInterval = 5 * time.Minute func (ss *authCodeStore) cull() { if now := time.Now(); now.Sub(ss.lastCull) > cullInterval { for k, v := range ss.s { if !v.IsValid(now) { delete(ss.s, k) } } } } func (ss *authCodeStore) store(clientID ClientID, cred *Credentials) string { log.Info().Msgf("store cred is %+v", cred) ss.cull() code := generate.UUID() ss.s[authCodeTuple{clientID, AuthCode(code)}] = flowResult{Time: time.Now(), Cred: cred} return code } func (ss *authCodeStore) verify(tr *TokenRequest, r *http.Request) (*Credentials, bool) { key := authCodeTuple{tr.ClientID, tr.Code} if t, hasCode := ss.s[key]; hasCode { defer delete(ss.s, key) // TODO: JWT if t.IsValid(time.Now()) { return t.Cred, true } } return nil, false } type Credentials struct { ID CredID `json:"id"` UserID UserID `json:"user_id"` AuthProviderType string `json:"auth_provider_type"` AuthProviderID *string `json:"auth_provider_id"` DataRaw *json.RawMessage `json:"data,omitempty"` user provider.ProviderUser `json:"-"` } func (cred *Credentials) MarshalJSON() ([]byte, error) { type CredAlias Credentials // alias so ΓΈ method set and we don't recurse nCd := (*CredAlias)(cred) if cred.user != nil { providerData := cred.user.UserData() if providerData != nil { b, err := json.Marshal(providerData) if err != nil { return nil, err } dr := json.RawMessage(b) nCd.DataRaw = &dr } } return json.Marshal(nCd) } func (a *Authenticator) verifyAndGetCredential(tr *TokenRequest, r *http.Request) *Credentials { cred, success := a.authCodes.verify(tr, r) if !success { return nil } return cred } const defaultExpiration = 15 * time.Minute func (a *Authenticator) NewAuthCode(clientID ClientID, cred *Credentials) string { return a.authCodes.store(clientID, cred) } type GrantType string const ( GTAuthorizationCode GrantType = "authorization_code" GTRefreshToken GrantType = "refresh_token" ) type ClientID common.ClientID func (c *ClientID) IsValid() bool { // TODO: || !indieauth.VerifyClientID(rq.ClientID)? return *c != "" } type AuthCode string func (ac *AuthCode) IsValid() bool { return *ac != "" } type TokenRequest struct { ClientID ClientID `form:"client_id"` Code AuthCode `form:"code"` GrantType GrantType `form:"grant_type"` } func (a *Authenticator) TokenHandler(c echo.Context) error { rq := new(TokenRequest) err := c.Bind(rq) if err != nil { return err } switch rq.GrantType { case GTAuthorizationCode: if !rq.ClientID.IsValid() { return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid client ID"}) } if !rq.Code.IsValid() { return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid code"}) } if cred := a.verifyAndGetCredential(rq, c.Request()); cred != nil { // TODO: success user, err := a.getOrCreateUser(cred) if err != nil { return c.JSON(http.StatusUnauthorized, AuthError{Error: "access_denied", Description: err.Error()}) } if err := user.allowedToAuth(); err != nil { return c.JSON(http.StatusUnauthorized, AuthError{Error: "access_denied", Description: err.Error()}) } return c.String(http.StatusOK, "token good I guess") } case GTRefreshToken: return c.String(http.StatusNotImplemented, "not implemented") } return c.String(http.StatusUnauthorized, "token bad I guess") }