nidus-sync/auth.go

package main

import (
	"context"
	"errors"
	"fmt"
	"log/slog"
	"net/http"
	"strconv"

	"github.com/Gleipnir-Technology/nidus-sync/enums"
	"github.com/Gleipnir-Technology/nidus-sync/models"
	"github.com/Gleipnir-Technology/nidus-sync/sql"
	"github.com/aarondl/opt/omit"
	"golang.org/x/crypto/bcrypt"
)

type NoCredentialsError struct{}

func (e NoCredentialsError) Error() string { return "No credentials were present in the request" }

type InvalidCredentials struct{}

func (e InvalidCredentials) Error() string { return "No username with that password exists" }

type InvalidUsername struct{}

func (e InvalidUsername) Error() string { return "That username doesn't exist" }

func addUserSession(r *http.Request, user *models.User) {
	id := strconv.Itoa(int(user.ID))
	sessionManager.Put(r.Context(), "user_id", id)
	sessionManager.Put(r.Context(), "username", user.Username)
	slog.Info("Created new user session",
		slog.String("username", user.Username),
		slog.String("user_id", id))
}

func getAuthenticatedUser(r *http.Request) (*models.User, error) {
	//user_id := sessionManager.GetInt(r.Context(), "user_id")
	user_id_str := sessionManager.GetString(r.Context(), "user_id")
	if user_id_str != "" {
		user_id, err := strconv.Atoi(user_id_str)
		if err != nil {
			return nil, fmt.Errorf("Failed to convert user_id to int: %v", err)
		}
		username := sessionManager.GetString(r.Context(), "username")
		slog.Info("Current session info",
			slog.Int("user_id", user_id),
			slog.String("username", username))
		if user_id > 0 && username != "" {
			return models.FindUser(r.Context(), PGInstance.BobDB, int32(user_id))
		}
	}
	// If we can't get the user from the session try to get from auth headers
	username, password, ok := r.BasicAuth()
	if !ok {
		return nil, &NoCredentialsError{}
	}
	user, err := validateUser(r.Context(), username, password)
	if err != nil {
		return nil, err
	}
	addUserSession(r, user)
	return user, nil
}

func hashPassword(password string) (string, error) {
	bytes, err := bcrypt.GenerateFromPassword([]byte(password), 14)
	return string(bytes), err
}

func signinUser(r *http.Request, username string, password string) (*models.User, error) {
	user, err := validateUser(r.Context(), username, password)
	if err != nil {
		return nil, err
	}
	if user == nil {
		return nil, errors.New("No matching user")
	}
	addUserSession(r, user)
	return user, nil
}

func signupUser(username string, name string, password string) (*models.User, error) {
	passwordHash, err := hashPassword(password)
	if err != nil {
		return nil, fmt.Errorf("Cannot signup user: %v", err)
	}
	setter := models.UserSetter{
		DisplayName:      omit.From(name),
		PasswordHash:     omit.From(passwordHash),
		PasswordHashType: omit.From(enums.HashtypeBcrypt14),
		Username:         omit.From(username),
	}
	u, err := models.Users.Insert(&setter).One(context.TODO(), PGInstance.BobDB)
	if err != nil {
		return nil, fmt.Errorf("Failed to create user: %v", err)
	}
	slog.Info("Created user",
		slog.Int("ID", int(u.ID)),
		slog.String("username", u.Username))

	return u, nil
}

func validatePassword(password, hash string) bool {
	err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
	return err == nil
}

func validateUser(ctx context.Context, username string, password string) (*models.User, error) {
	passwordHash, err := hashPassword(password)
	if err != nil {
		return nil, fmt.Errorf("Failed to hash password: %v", err)
	}
	slog.Info("Validating user",
		slog.String("username", username),
		slog.String("password", password),
		slog.String("hash", passwordHash))
	result, err := sql.UserByUsername(username).All(ctx, PGInstance.BobDB)
	if err != nil {
		return nil, fmt.Errorf("Failed to query for user: %v", err)
	}
	switch len(result) {
	case 0:
		return nil, InvalidUsername{}
	case 1:
		row := result[0]
		if !validatePassword(password, row.PasswordHash) {
			return nil, InvalidCredentials{}
		}
		user := models.User{
			ID:                        row.ID,
			ArcgisAccessToken:         row.ArcgisAccessToken,
			ArcgisLicense:             row.ArcgisLicense,
			ArcgisRefreshToken:        row.ArcgisRefreshToken,
			ArcgisRefreshTokenExpires: row.ArcgisRefreshTokenExpires,
			ArcgisRole:                row.ArcgisRole,
			DisplayName:               row.DisplayName,
			Email:                     row.Email,
			OrganizationID:            row.OrganizationID,
			Username:                  row.Username,
		}
		return &user, nil
	default:
		return nil, errors.New("More than one matching row, this should be impossible.")

	}
}
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`package main`

			`import (`
			`"context"`
			`"errors"`
			`"fmt"`
			`"log/slog"`
			`"net/http"`
			`"strconv"`

			`"github.com/Gleipnir-Technology/nidus-sync/enums"`
			`"github.com/Gleipnir-Technology/nidus-sync/models"`
			`"github.com/Gleipnir-Technology/nidus-sync/sql"`
Format all source files. 2025-11-06 22:31:51 +00:00			`"github.com/aarondl/opt/omit"`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`"golang.org/x/crypto/bcrypt"`
			`)`

			`type NoCredentialsError struct{}`
Format all source files. 2025-11-06 22:31:51 +00:00
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`func (e NoCredentialsError) Error() string { return "No credentials were present in the request" }`

			`type InvalidCredentials struct{}`
Format all source files. 2025-11-06 22:31:51 +00:00
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`func (e InvalidCredentials) Error() string { return "No username with that password exists" }`

			`type InvalidUsername struct{}`
Format all source files. 2025-11-06 22:31:51 +00:00
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`func (e InvalidUsername) Error() string { return "That username doesn't exist" }`

			`func addUserSession(r http.Request, user models.User) {`
			`id := strconv.Itoa(int(user.ID))`
			`sessionManager.Put(r.Context(), "user_id", id)`
			`sessionManager.Put(r.Context(), "username", user.Username)`
			`slog.Info("Created new user session",`
			`slog.String("username", user.Username),`
			`slog.String("user_id", id))`
			`}`

			`func getAuthenticatedUser(r http.Request) (models.User, error) {`
			`//user_id := sessionManager.GetInt(r.Context(), "user_id")`
			`user_id_str := sessionManager.GetString(r.Context(), "user_id")`
Retroactively fix some SQL schema problems I originally wasn't going to do passwords, but after struggling with webauthn I decided I'd just go for it. It simplifies the code a lot if I assert that I always have a password, displayname, etc. 2025-11-05 17:36:32 +00:00			`if user_id_str != "" {`
			`user_id, err := strconv.Atoi(user_id_str)`
			`if err != nil {`
			`return nil, fmt.Errorf("Failed to convert user_id to int: %v", err)`
			`}`
			`username := sessionManager.GetString(r.Context(), "username")`
			`slog.Info("Current session info",`
			`slog.Int("user_id", user_id),`
			`slog.String("username", username))`
			`if user_id > 0 && username != "" {`
			`return models.FindUser(r.Context(), PGInstance.BobDB, int32(user_id))`
			`}`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`}`
			`// If we can't get the user from the session try to get from auth headers`
			`username, password, ok := r.BasicAuth()`
			`if !ok {`
			`return nil, &NoCredentialsError{}`
			`}`
			`user, err := validateUser(r.Context(), username, password)`
			`if err != nil {`
			`return nil, err`
			`}`
			`addUserSession(r, user)`
			`return user, nil`
			`}`

			`func hashPassword(password string) (string, error) {`
			`bytes, err := bcrypt.GenerateFromPassword([]byte(password), 14)`
			`return string(bytes), err`
			`}`

			`func signinUser(r http.Request, username string, password string) (models.User, error) {`
			`user, err := validateUser(r.Context(), username, password)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if user == nil {`
			`return nil, errors.New("No matching user")`
			`}`
			`addUserSession(r, user)`
			`return user, nil`
			`}`

			`func signupUser(username string, name string, password string) (*models.User, error) {`
			`passwordHash, err := hashPassword(password)`
			`if err != nil {`
			`return nil, fmt.Errorf("Cannot signup user: %v", err)`
			`}`
			`setter := models.UserSetter{`
Format all source files. 2025-11-06 22:31:51 +00:00			`DisplayName: omit.From(name),`
			`PasswordHash: omit.From(passwordHash),`
Retroactively fix some SQL schema problems I originally wasn't going to do passwords, but after struggling with webauthn I decided I'd just go for it. It simplifies the code a lot if I assert that I always have a password, displayname, etc. 2025-11-05 17:36:32 +00:00			`PasswordHashType: omit.From(enums.HashtypeBcrypt14),`
Format all source files. 2025-11-06 22:31:51 +00:00			`Username: omit.From(username),`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`}`
			`u, err := models.Users.Insert(&setter).One(context.TODO(), PGInstance.BobDB)`
			`if err != nil {`
			`return nil, fmt.Errorf("Failed to create user: %v", err)`
			`}`
			`slog.Info("Created user",`
			`slog.Int("ID", int(u.ID)),`
			`slog.String("username", u.Username))`

			`return u, nil`
			`}`

			`func validatePassword(password, hash string) bool {`
			`err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))`
			`return err == nil`
			`}`

			`func validateUser(ctx context.Context, username string, password string) (*models.User, error) {`
			`passwordHash, err := hashPassword(password)`
			`if err != nil {`
			`return nil, fmt.Errorf("Failed to hash password: %v", err)`
			`}`
			`slog.Info("Validating user",`
			`slog.String("username", username),`
			`slog.String("password", password),`
			`slog.String("hash", passwordHash))`
			`result, err := sql.UserByUsername(username).All(ctx, PGInstance.BobDB)`
			`if err != nil {`
			`return nil, fmt.Errorf("Failed to query for user: %v", err)`
			`}`
			`switch len(result) {`
Format all source files. 2025-11-06 22:31:51 +00:00			`case 0:`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`return nil, InvalidUsername{}`
			`case 1:`
			`row := result[0]`
Retroactively fix some SQL schema problems I originally wasn't going to do passwords, but after struggling with webauthn I decided I'd just go for it. It simplifies the code a lot if I assert that I always have a password, displayname, etc. 2025-11-05 17:36:32 +00:00			`if !validatePassword(password, row.PasswordHash) {`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`return nil, InvalidCredentials{}`
			`}`
			`user := models.User{`
Format all source files. 2025-11-06 22:31:51 +00:00			`ID: row.ID,`
			`ArcgisAccessToken: row.ArcgisAccessToken,`
			`ArcgisLicense: row.ArcgisLicense,`
			`ArcgisRefreshToken: row.ArcgisRefreshToken,`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`ArcgisRefreshTokenExpires: row.ArcgisRefreshTokenExpires,`
Format all source files. 2025-11-06 22:31:51 +00:00			`ArcgisRole: row.ArcgisRole,`
			`DisplayName: row.DisplayName,`
			`Email: row.Email,`
			`OrganizationID: row.OrganizationID,`
			`Username: row.Username,`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`}`
			`return &user, nil`
			`default:`
			`return nil, errors.New("More than one matching row, this should be impossible.")`

			`}`
			`}`