package auth import ( "encoding/json" "fmt" "net/http" "strconv" "strings" "time" "github.com/labstack/echo/v4" "dynatron.me/x/blasphem/internal/generate" "dynatron.me/x/blasphem/pkg/auth/provider" ) /* { "id": "18912b07b66e48558a44c058bf90f1d4", "user_id": "1bd642b0ed9f410280f622d1d358102b", "client_id": "https://oauth-redirect.googleusercontent.com/", "client_name": null, "client_icon": null, "token_type": "normal", "created_at": "2021-12-13T04:34:47.169033+00:00", "access_token_expiration": 1800.0, "token": "f93f87557ca616508c675f05b85921d07fdf764efc34c74a81daeebd71ab899a6e8cd5dec94d0ae36499ff281f2efcf715c763ad73eabadd2f586b827057043d", "jwt_key": "f4507c01fe19b1d99c4b628cadc8208f7838dbdda0a9a051fd029cefdf6f619b0728d6b0a4d3d96ee68614b035054952faa14c48ae36bd212e28d602864f6d1c", "last_used_at": "2021-12-13T04:34:47.169738+00:00", "last_used_ip": "108.177.68.93", "credential_id": "5daeb186d2a943328cbb984f135974cb", "version": "2021.12.0" }, */ type ( TokenType string TokenTimestamp time.Time RefreshTokenID string ExpSeconds float64 ) func (f ExpSeconds) MarshalJSON() ([]byte, error) { if float64(f) == float64(int(f)) { return []byte(strconv.FormatFloat(float64(f), 'f', 1, 32)), nil } return []byte(strconv.FormatFloat(float64(f), 'f', -1, 32)), nil } const PytTimeFormat = "2006-01-02T15:04:05.999999-07:00" func (t *TokenTimestamp) MarshalJSON() ([]byte, error) { rv := fmt.Sprintf("%q", time.Time(*t).Format(PytTimeFormat)) return []byte(rv), nil } func (t *TokenTimestamp) UnmarshalJSON(b []byte) error { s := strings.Trim(string(b), `"`) tm, err := time.Parse(PytTimeFormat, s) *t = TokenTimestamp(tm) return err } type RefreshToken struct { ID RefreshTokenID `json:"id"` UserID UserID `json:"user_id"` ClientID *ClientID `json:"client_id"` ClientName *string `json:"client_name"` ClientIcon *string `json:"client_icon"` TokenType TokenType `json:"token_type"` CreatedAt *TokenTimestamp `json:"created_at"` AccessTokenExpiration ExpSeconds `json:"access_token_expiration"` Token string `json:"token"` JWTKey string `json:"jwt_key"` LastUsedAt *TokenTimestamp `json:"last_used_at"` LastUsedIP *string `json:"last_used_ip"` CredentialID *CredID `json:"credential_id"` Version *string `json:"version"` } type AccessSessionStore struct { s map[AccessTokenID]*AccessToken lastCull time.Time } type AccessTokenID string func (t *AccessTokenID) IsValid() bool { // TODO: more validation than this return *t != "" } type AccessToken struct { // TODO: jwt bro ID AccessTokenID Ctime time.Time Expires time.Time Addr string user provider.ProviderUser `json:"-"` } func (ss *AccessSessionStore) init() { ss.s = make(map[AccessTokenID]*AccessToken) } const cullInterval = 5 * time.Minute func (ss *AccessSessionStore) cull() { if now := time.Now(); now.Sub(ss.lastCull) > cullInterval { for k, v := range ss.s { if now.After(v.Expires) { delete(ss.s, k) } } } } func (ss *AccessSessionStore) register(t *AccessToken) { ss.cull() ss.s[t.ID] = t } func (ss *AccessSessionStore) verify(tr *TokenRequest, r *http.Request) (provider.ProviderUser, bool) { if t, hasToken := ss.s[tr.Code]; hasToken { // TODO: JWT if t.Expires.After(time.Now()) { return t.user, true } else { delete(ss.s, t.ID) } } return nil, false } type Credential struct { ID CredID `json:"id"` UserID UserID `json:"user_id"` AuthProviderType string `json:"auth_provider_type"` AuthProviderID *string `json:"auth_provider_id"` DataRaw *json.RawMessage `json:"data,omitempty"` user provider.ProviderUser `json:"-"` } func (cred *Credential) MarshalJSON() ([]byte, error) { type CredAlias Credential // alias so ΓΈ method set and we don't recurse nCd := (*CredAlias)(cred) if cred.user != nil { providerData := cred.user.UserData() if providerData != nil { b, err := json.Marshal(providerData) if err != nil { return nil, err } dr := json.RawMessage(b) nCd.DataRaw = &dr } } return json.Marshal(nCd) } func (a *Authenticator) verifyAndGetCredential(tr *TokenRequest, r *http.Request) *Credential { user, success := a.sessions.verify(tr, r) if !success { return nil } cred := &Credential{ user: user, } return cred } const defaultExpiration = 15 * time.Minute func (a *Authenticator) NewAccessToken(r *http.Request, user provider.ProviderUser, f *Flow) AccessTokenID { id := AccessTokenID(generate.UUID()) now := time.Now() t := &AccessToken{ ID: id, Ctime: now, Expires: now.Add(defaultExpiration), Addr: r.RemoteAddr, user: user, } a.sessions.register(t) return id } type GrantType string const ( GTAuthorizationCode GrantType = "authorization_code" GTRefreshToken GrantType = "refresh_token" ) type ClientID string func (c *ClientID) IsValid() bool { // TODO: || !indieauth.VerifyClientID(rq.ClientID)? return *c != "" } type TokenRequest struct { ClientID ClientID `form:"client_id"` Code AccessTokenID `form:"code"` GrantType GrantType `form:"grant_type"` } func (a *Authenticator) TokenHandler(c echo.Context) error { rq := new(TokenRequest) err := c.Bind(rq) if err != nil { return err } switch rq.GrantType { case GTAuthorizationCode: if !rq.ClientID.IsValid() { return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid client ID"}) } if !rq.Code.IsValid() { return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid code"}) } if cred := a.verifyAndGetCredential(rq, c.Request()); cred != nil { // TODO: success user, err := a.getOrCreateUser(cred) if err != nil { return c.JSON(http.StatusUnauthorized, AuthError{Error: "access_denied", Description: err.Error()}) } if err := user.allowedToAuth(); err != nil { return c.JSON(http.StatusUnauthorized, AuthError{Error: "access_denied", Description: err.Error()}) } return c.String(http.StatusOK, "token good I guess") } case GTRefreshToken: return c.String(http.StatusNotImplemented, "not implemented") } return c.String(http.StatusUnauthorized, "token bad I guess") }