253 lines
6.5 KiB
Go
253 lines
6.5 KiB
Go
package auth
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"net/http"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/labstack/echo/v4"
|
|
|
|
"dynatron.me/x/blasphem/internal/generate"
|
|
"dynatron.me/x/blasphem/pkg/auth/provider"
|
|
)
|
|
|
|
/*
|
|
{
|
|
"id": "18912b07b66e48558a44c058bf90f1d4",
|
|
"user_id": "1bd642b0ed9f410280f622d1d358102b",
|
|
"client_id": "https://oauth-redirect.googleusercontent.com/",
|
|
"client_name": null,
|
|
"client_icon": null,
|
|
"token_type": "normal",
|
|
"created_at": "2021-12-13T04:34:47.169033+00:00",
|
|
"access_token_expiration": 1800.0,
|
|
"token": "f93f87557ca616508c675f05b85921d07fdf764efc34c74a81daeebd71ab899a6e8cd5dec94d0ae36499ff281f2efcf715c763ad73eabadd2f586b827057043d",
|
|
"jwt_key": "f4507c01fe19b1d99c4b628cadc8208f7838dbdda0a9a051fd029cefdf6f619b0728d6b0a4d3d96ee68614b035054952faa14c48ae36bd212e28d602864f6d1c",
|
|
"last_used_at": "2021-12-13T04:34:47.169738+00:00",
|
|
"last_used_ip": "108.177.68.93",
|
|
"credential_id": "5daeb186d2a943328cbb984f135974cb",
|
|
"version": "2021.12.0"
|
|
},
|
|
*/
|
|
|
|
type (
|
|
TokenType string
|
|
TokenTimestamp time.Time
|
|
RefreshTokenID string
|
|
ExpSeconds float64
|
|
)
|
|
|
|
func (f ExpSeconds) MarshalJSON() ([]byte, error) {
|
|
if float64(f) == float64(int(f)) {
|
|
return []byte(strconv.FormatFloat(float64(f), 'f', 1, 32)), nil
|
|
}
|
|
return []byte(strconv.FormatFloat(float64(f), 'f', -1, 32)), nil
|
|
}
|
|
|
|
const PytTimeFormat = "2006-01-02T15:04:05.999999-07:00"
|
|
|
|
func (t *TokenTimestamp) MarshalJSON() ([]byte, error) {
|
|
rv := fmt.Sprintf("%q", time.Time(*t).Format(PytTimeFormat))
|
|
return []byte(rv), nil
|
|
}
|
|
|
|
func (t *TokenTimestamp) UnmarshalJSON(b []byte) error {
|
|
s := strings.Trim(string(b), `"`)
|
|
tm, err := time.Parse(PytTimeFormat, s)
|
|
*t = TokenTimestamp(tm)
|
|
|
|
return err
|
|
}
|
|
|
|
type RefreshToken struct {
|
|
ID RefreshTokenID `json:"id"`
|
|
UserID UserID `json:"user_id"`
|
|
ClientID *ClientID `json:"client_id"`
|
|
ClientName *string `json:"client_name"`
|
|
ClientIcon *string `json:"client_icon"`
|
|
TokenType TokenType `json:"token_type"`
|
|
CreatedAt *TokenTimestamp `json:"created_at"`
|
|
AccessTokenExpiration ExpSeconds `json:"access_token_expiration"`
|
|
Token string `json:"token"`
|
|
JWTKey string `json:"jwt_key"`
|
|
LastUsedAt *TokenTimestamp `json:"last_used_at"`
|
|
LastUsedIP *string `json:"last_used_ip"`
|
|
CredentialID *CredID `json:"credential_id"`
|
|
Version *string `json:"version"`
|
|
}
|
|
|
|
type AccessSessionStore struct {
|
|
s map[AccessTokenID]*AccessToken
|
|
lastCull time.Time
|
|
}
|
|
|
|
type AccessTokenID string
|
|
|
|
func (t *AccessTokenID) IsValid() bool {
|
|
// TODO: more validation than this
|
|
return *t != ""
|
|
}
|
|
|
|
type AccessToken struct { // TODO: jwt bro
|
|
ID AccessTokenID
|
|
Ctime time.Time
|
|
Expires time.Time
|
|
Addr string
|
|
|
|
user provider.ProviderUser `json:"-"`
|
|
}
|
|
|
|
func (ss *AccessSessionStore) init() {
|
|
ss.s = make(map[AccessTokenID]*AccessToken)
|
|
}
|
|
|
|
const cullInterval = 5 * time.Minute
|
|
|
|
func (ss *AccessSessionStore) cull() {
|
|
if now := time.Now(); now.Sub(ss.lastCull) > cullInterval {
|
|
for k, v := range ss.s {
|
|
if now.After(v.Expires) {
|
|
delete(ss.s, k)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
func (ss *AccessSessionStore) register(t *AccessToken) {
|
|
ss.cull()
|
|
ss.s[t.ID] = t
|
|
}
|
|
|
|
func (ss *AccessSessionStore) verify(tr *TokenRequest, r *http.Request) (provider.ProviderUser, bool) {
|
|
if t, hasToken := ss.s[tr.Code]; hasToken {
|
|
// TODO: JWT
|
|
if t.Expires.After(time.Now()) {
|
|
return t.user, true
|
|
} else {
|
|
delete(ss.s, t.ID)
|
|
}
|
|
}
|
|
|
|
return nil, false
|
|
}
|
|
|
|
type Credential struct {
|
|
ID CredID `json:"id"`
|
|
UserID UserID `json:"user_id"`
|
|
AuthProviderType string `json:"auth_provider_type"`
|
|
AuthProviderID *string `json:"auth_provider_id"`
|
|
DataRaw *json.RawMessage `json:"data,omitempty"`
|
|
user provider.ProviderUser `json:"-"`
|
|
}
|
|
|
|
func (cred *Credential) MarshalJSON() ([]byte, error) {
|
|
type CredAlias Credential // alias so ø method set and we don't recurse
|
|
nCd := (*CredAlias)(cred)
|
|
|
|
if cred.user != nil {
|
|
providerData := cred.user.UserData()
|
|
if providerData != nil {
|
|
b, err := json.Marshal(providerData)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
dr := json.RawMessage(b)
|
|
nCd.DataRaw = &dr
|
|
}
|
|
}
|
|
|
|
return json.Marshal(nCd)
|
|
}
|
|
|
|
func (a *Authenticator) verifyAndGetCredential(tr *TokenRequest, r *http.Request) *Credential {
|
|
user, success := a.sessions.verify(tr, r)
|
|
if !success {
|
|
return nil
|
|
}
|
|
|
|
cred := &Credential{
|
|
user: user,
|
|
}
|
|
|
|
return cred
|
|
}
|
|
|
|
const defaultExpiration = 15 * time.Minute
|
|
|
|
func (a *Authenticator) NewAccessToken(r *http.Request, user provider.ProviderUser, f *Flow) AccessTokenID {
|
|
id := AccessTokenID(generate.UUID())
|
|
now := time.Now()
|
|
|
|
t := &AccessToken{
|
|
ID: id,
|
|
Ctime: now,
|
|
Expires: now.Add(defaultExpiration),
|
|
Addr: r.RemoteAddr,
|
|
|
|
user: user,
|
|
}
|
|
|
|
a.sessions.register(t)
|
|
|
|
return id
|
|
}
|
|
|
|
type GrantType string
|
|
|
|
const (
|
|
GTAuthorizationCode GrantType = "authorization_code"
|
|
GTRefreshToken GrantType = "refresh_token"
|
|
)
|
|
|
|
type ClientID string
|
|
|
|
func (c *ClientID) IsValid() bool {
|
|
// TODO: || !indieauth.VerifyClientID(rq.ClientID)?
|
|
return *c != ""
|
|
}
|
|
|
|
type TokenRequest struct {
|
|
ClientID ClientID `form:"client_id"`
|
|
Code AccessTokenID `form:"code"`
|
|
GrantType GrantType `form:"grant_type"`
|
|
}
|
|
|
|
func (a *Authenticator) TokenHandler(c echo.Context) error {
|
|
rq := new(TokenRequest)
|
|
err := c.Bind(rq)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
switch rq.GrantType {
|
|
case GTAuthorizationCode:
|
|
if !rq.ClientID.IsValid() {
|
|
return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid client ID"})
|
|
}
|
|
|
|
if !rq.Code.IsValid() {
|
|
return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid code"})
|
|
}
|
|
|
|
if cred := a.verifyAndGetCredential(rq, c.Request()); cred != nil {
|
|
// TODO: success
|
|
user, err := a.getOrCreateUser(cred)
|
|
if err != nil {
|
|
return c.JSON(http.StatusUnauthorized, AuthError{Error: "access_denied", Description: err.Error()})
|
|
}
|
|
|
|
if err := user.allowedToAuth(); err != nil {
|
|
return c.JSON(http.StatusUnauthorized, AuthError{Error: "access_denied", Description: err.Error()})
|
|
}
|
|
return c.String(http.StatusOK, "token good I guess")
|
|
}
|
|
case GTRefreshToken:
|
|
return c.String(http.StatusNotImplemented, "not implemented")
|
|
}
|
|
|
|
return c.String(http.StatusUnauthorized, "token bad I guess")
|
|
}
|