2024-07-29 00:21:07 -04:00
|
|
|
package auth
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"net/http"
|
|
|
|
"time"
|
|
|
|
|
2024-07-29 00:47:58 -04:00
|
|
|
"golang.org/x/crypto/bcrypt"
|
|
|
|
|
2024-07-29 00:21:07 -04:00
|
|
|
"dynatron.me/x/stillbox/pkg/gordio/database"
|
|
|
|
|
|
|
|
"github.com/go-chi/chi/v5"
|
|
|
|
"github.com/go-chi/jwtauth/v5"
|
|
|
|
"github.com/go-chi/render"
|
|
|
|
"github.com/rs/zerolog/log"
|
|
|
|
)
|
|
|
|
|
2024-07-29 00:58:32 -04:00
|
|
|
type jwtAuth interface {
|
|
|
|
// Authenticated returns whether the request is authenticated. It also returns the claims.
|
|
|
|
Authenticated(r *http.Request) (claims, bool)
|
|
|
|
|
|
|
|
// Login attempts to return a JWT for the provided user and password.
|
|
|
|
Login(ctx context.Context, username, password string) (token string, err error)
|
|
|
|
|
|
|
|
// InstallVerifyMiddleware installs the JWT verifier middleware to the provided chi Router.
|
|
|
|
InstallVerifyMiddleware(r chi.Router)
|
|
|
|
|
|
|
|
// InstallAuthMiddleware installs the JWT authenticator middleware to the provided chi Router.
|
|
|
|
InstallAuthMiddleware(r chi.Router)
|
|
|
|
|
|
|
|
// InstallRoutes installs the auth route to the provided chi Router.
|
|
|
|
InstallRoutes(r chi.Router)
|
|
|
|
}
|
|
|
|
|
2024-07-29 00:21:07 -04:00
|
|
|
type claims map[string]interface{}
|
|
|
|
|
2024-07-29 00:58:32 -04:00
|
|
|
func (a *authenticator) Authenticated(r *http.Request) (claims, bool) {
|
2024-07-29 00:21:07 -04:00
|
|
|
// TODO: check IP against ACL, or conf.Public, and against map of routes
|
|
|
|
tok, cl, err := jwtauth.FromContext(r.Context())
|
|
|
|
return cl, err != nil && tok != nil
|
|
|
|
}
|
|
|
|
|
2024-07-29 00:58:32 -04:00
|
|
|
func (a *authenticator) InstallVerifyMiddleware(r chi.Router) {
|
2024-07-29 00:21:07 -04:00
|
|
|
r.Use(jwtauth.Verifier(a.jwt))
|
|
|
|
}
|
|
|
|
|
2024-07-29 00:58:32 -04:00
|
|
|
func (a *authenticator) InstallAuthMiddleware(r chi.Router) {
|
2024-07-29 00:21:07 -04:00
|
|
|
r.Use(jwtauth.Authenticator(a.jwt))
|
|
|
|
}
|
|
|
|
|
2024-07-29 00:58:32 -04:00
|
|
|
func (a *authenticator) Login(ctx context.Context, username, password string) (token string, err error) {
|
2024-07-29 00:21:07 -04:00
|
|
|
q := database.New(database.FromCtx(ctx))
|
|
|
|
users, err := q.GetUsers(ctx)
|
|
|
|
if err != nil {
|
|
|
|
log.Error().Err(err).Msg("getUsers failed")
|
|
|
|
return "", ErrLoginFailed
|
|
|
|
}
|
|
|
|
|
|
|
|
var found *database.User
|
|
|
|
|
|
|
|
for _, u := range users {
|
|
|
|
if u.Username == username {
|
|
|
|
found = &u
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if found == nil {
|
|
|
|
_ = bcrypt.CompareHashAndPassword([]byte("lol@timing"), []byte(password))
|
|
|
|
return "", ErrLoginFailed
|
|
|
|
} else {
|
|
|
|
err = bcrypt.CompareHashAndPassword([]byte(found.Password), []byte(password))
|
|
|
|
if err != nil {
|
|
|
|
return "", ErrLoginFailed
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2024-07-29 00:47:58 -04:00
|
|
|
return a.newToken(found.ID), nil
|
2024-07-29 00:21:07 -04:00
|
|
|
}
|
|
|
|
|
2024-07-29 00:58:32 -04:00
|
|
|
func (a *authenticator) newToken(uid int32) string {
|
2024-07-29 00:21:07 -04:00
|
|
|
claims := claims{
|
|
|
|
"user_id": uid,
|
|
|
|
}
|
|
|
|
jwtauth.SetExpiryIn(claims, time.Hour*24*30) // one month
|
|
|
|
_, tokenString, err := a.jwt.Encode(claims)
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
return tokenString
|
|
|
|
}
|
|
|
|
|
2024-07-29 00:58:32 -04:00
|
|
|
func (a *authenticator) InstallRoutes(r chi.Router) {
|
2024-07-29 00:21:07 -04:00
|
|
|
r.Post("/auth", a.routeAuth)
|
|
|
|
}
|
|
|
|
|
2024-07-29 00:58:32 -04:00
|
|
|
func (a *authenticator) routeAuth(w http.ResponseWriter, r *http.Request) {
|
2024-07-29 00:21:07 -04:00
|
|
|
err := r.ParseForm()
|
|
|
|
if err != nil {
|
|
|
|
http.Error(w, err.Error(), http.StatusBadRequest)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
username, password := r.PostFormValue("username"), r.PostFormValue("password")
|
|
|
|
if username == "" || password == "" {
|
|
|
|
http.Error(w, "blank credentials", http.StatusBadRequest)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
tok, err := a.Login(r.Context(), username, password)
|
|
|
|
if err != nil {
|
|
|
|
http.Error(w, err.Error(), http.StatusUnauthorized)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
http.SetCookie(w, &http.Cookie{
|
|
|
|
Name: "jwt",
|
|
|
|
Value: tok,
|
|
|
|
HttpOnly: true,
|
|
|
|
Secure: true,
|
|
|
|
Domain: a.domain,
|
|
|
|
})
|
|
|
|
|
|
|
|
jr := struct {
|
|
|
|
JWT string `json:"jwt"`
|
|
|
|
}{
|
|
|
|
JWT: tok,
|
|
|
|
}
|
|
|
|
|
|
|
|
render.JSON(w, r, &jr)
|
|
|
|
}
|