228 lines
7 KiB
Go
228 lines
7 KiB
Go
package auth
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"net/http"
|
|
"strconv"
|
|
"strings"
|
|
|
|
"github.com/Gleipnir-Technology/nidus-sync/platform"
|
|
"github.com/rs/zerolog/log"
|
|
"golang.org/x/crypto/bcrypt"
|
|
)
|
|
|
|
type InactiveUser struct{}
|
|
|
|
func (e InactiveUser) Error() string { return "That user is not active" }
|
|
|
|
type InvalidCredentials struct{}
|
|
|
|
func (e InvalidCredentials) Error() string { return "No username with that password exists" }
|
|
|
|
type InvalidUsername struct{}
|
|
|
|
func (e InvalidUsername) Error() string { return "That username doesn't exist" }
|
|
|
|
type NoCredentialsError struct{}
|
|
|
|
func (e NoCredentialsError) Error() string { return "No credentials were present in the request" }
|
|
|
|
type AuthenticatedHandler func(http.ResponseWriter, *http.Request, platform.User)
|
|
type EnsureAuth struct {
|
|
handler AuthenticatedHandler
|
|
}
|
|
|
|
func AddUserSession(ctx context.Context, user *platform.User) {
|
|
id_str := strconv.Itoa(int(user.ID))
|
|
sessionManager.Put(ctx, "user_id", id_str)
|
|
sessionManager.Put(ctx, "username", user.Username)
|
|
log.Debug().Str("id", id_str).Str("username", user.Username).Msg("added user session")
|
|
}
|
|
func ImpersonateEnd(ctx context.Context) {
|
|
sessionManager.Put(ctx, "impersonated_user_id", "")
|
|
}
|
|
func ImpersonateUser(ctx context.Context, target_user_id int) {
|
|
target_user_id_str := strconv.Itoa(int(target_user_id))
|
|
sessionManager.Put(ctx, "impersonated_user_id", target_user_id_str)
|
|
}
|
|
func ImpersonatedUser(ctx context.Context) *int32 {
|
|
i_str := sessionManager.GetString(ctx, "impersonated_user_id")
|
|
if i_str == "" {
|
|
return nil
|
|
}
|
|
i, err := strconv.Atoi(i_str)
|
|
if err != nil {
|
|
log.Error().Err(err).Str("impersonated_user_id", i_str).Msg("failed to parse impersonated_user_id")
|
|
return nil
|
|
}
|
|
result := int32(i)
|
|
return &result
|
|
}
|
|
func ImpersonatorID(ctx context.Context) *int32 {
|
|
user_id_str := sessionManager.GetString(ctx, "user_id")
|
|
user_id, err := strconv.Atoi(user_id_str)
|
|
if err != nil {
|
|
log.Error().Err(err).Str("user_id", user_id_str).Msg("failed to parse user_id")
|
|
return nil
|
|
}
|
|
result := int32(user_id)
|
|
return &result
|
|
|
|
}
|
|
func GetAuthenticatedUser(r *http.Request) (*platform.User, error) {
|
|
ctx := r.Context()
|
|
user_id_str := sessionManager.GetString(ctx, "user_id")
|
|
impersonated_user_id_str := sessionManager.GetString(ctx, "impersonated_user_id")
|
|
if impersonated_user_id_str != "" {
|
|
user_id_str = impersonated_user_id_str
|
|
}
|
|
if user_id_str != "" {
|
|
user_id, err := strconv.Atoi(user_id_str)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("Failed to convert user_id to int: %w", err)
|
|
}
|
|
username := sessionManager.GetString(ctx, "username")
|
|
if user_id > 0 && username != "" {
|
|
user, err := platform.UserByID(ctx, int32(user_id))
|
|
if err != nil {
|
|
return nil, fmt.Errorf("user by ID: %w", err)
|
|
}
|
|
if !user.IsActive {
|
|
return nil, fmt.Errorf("user is inactive")
|
|
}
|
|
return user, nil
|
|
}
|
|
}
|
|
// If we can't get the user from the session try to get from auth headers
|
|
username, password, ok := r.BasicAuth()
|
|
if !ok {
|
|
return nil, &NoCredentialsError{}
|
|
}
|
|
user, err := validateUser(ctx, username, password)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
AddUserSession(ctx, user)
|
|
return user, nil
|
|
}
|
|
|
|
func NewEnsureAuth(handlerToWrap AuthenticatedHandler) *EnsureAuth {
|
|
return &EnsureAuth{handlerToWrap}
|
|
}
|
|
|
|
func (ea *EnsureAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
// If this is an API request respond with a more machine-readable error state
|
|
accept := r.Header.Get("Accept")
|
|
/*
|
|
offers := []string{"application/json", "text/html"}
|
|
|
|
content_type := NegotiateContent(accept, offers)
|
|
*/
|
|
user, err := GetAuthenticatedUser(r)
|
|
if err != nil || user == nil {
|
|
var msg []byte
|
|
// Don't send authentication headers for browsers because it forces the authentication popup
|
|
requested_with := r.Header.Get("X-Requested-With")
|
|
//log.Debug().Str("x-requested-with", requested_with).Send()
|
|
if !(strings.HasPrefix(requested_with, "nidus-web") || accept == "text/event-stream") {
|
|
w.Header().Set("WWW-Authenticate", `Basic realm="Nidus Sync"`)
|
|
// Separate return codes for different authentication failures
|
|
if _, ok := err.(*NoCredentialsError); ok {
|
|
log.Info().Msg("No credentials present and no session")
|
|
w.Header().Set("WWW-Authenticate-Error", "no-credentials")
|
|
msg = []byte("Please provide credentials.\n")
|
|
} else if _, ok := err.(*platform.NoUserError); ok {
|
|
w.Header().Set("WWW-Authenticate-Error", "invalid-credentials")
|
|
msg = []byte("Invalid credentials provided.\n")
|
|
} else if _, ok := err.(*InvalidCredentials); ok {
|
|
w.Header().Set("WWW-Authenticate-Error", "invalid-credentials")
|
|
msg = []byte("Invalid credentials provided.\n")
|
|
}
|
|
}
|
|
|
|
w.WriteHeader(401)
|
|
w.Write(msg)
|
|
return
|
|
}
|
|
ea.handler(w, r, *user)
|
|
}
|
|
func SigninUser(r *http.Request, username string, password string) (*platform.User, error) {
|
|
user, err := validateUser(r.Context(), username, password)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if user == nil {
|
|
return nil, errors.New("No matching user")
|
|
}
|
|
AddUserSession(r.Context(), user)
|
|
return user, nil
|
|
}
|
|
|
|
func SignoutUser(r *http.Request, user platform.User) {
|
|
sessionManager.Put(r.Context(), "user_id", "")
|
|
sessionManager.Put(r.Context(), "username", "")
|
|
sessionManager.Destroy(r.Context())
|
|
log.Info().Str("username", user.Username).Int("user_id", (user.ID)).Msg("Ended user session")
|
|
}
|
|
|
|
func SignupUser(ctx context.Context, username string, name string, password string) (*platform.User, error) {
|
|
password_hash, err := HashPassword(password)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("Cannot signup user, failed to create hashed password: %w", err)
|
|
}
|
|
u, err := platform.CreateUser(ctx, username, name, password_hash)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("create user: %s", err)
|
|
}
|
|
return u, nil
|
|
}
|
|
|
|
func HashPassword(password string) (string, error) {
|
|
bytes, err := bcrypt.GenerateFromPassword([]byte(password), 14)
|
|
return string(bytes), err
|
|
}
|
|
|
|
func redact(s string) string {
|
|
if len(s) <= 4 {
|
|
return s
|
|
}
|
|
|
|
first_two := s[:2]
|
|
last_two := s[len(s)-2:]
|
|
middle_length := len(s) - 4
|
|
|
|
return first_two + strings.Repeat("*", middle_length) + last_two
|
|
}
|
|
|
|
func validatePassword(password, hash string) bool {
|
|
err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
|
|
if err != nil {
|
|
log.Debug().Err(err).Str("password", password).Str("hash", hash).Msg("!validate password")
|
|
}
|
|
return err == nil
|
|
}
|
|
|
|
func validateUser(ctx context.Context, username string, password string) (*platform.User, error) {
|
|
passwordHash, err := HashPassword(password)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("Failed to hash password: %w", err)
|
|
}
|
|
user, err := platform.UserByUsername(ctx, username)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("Failed to query for user: %w", err)
|
|
}
|
|
if user == nil {
|
|
log.Info().Str("username", username).Str("password", redact(password)).Msg("Invalid username")
|
|
return nil, InvalidUsername{}
|
|
}
|
|
if !user.IsActive {
|
|
return nil, InactiveUser{}
|
|
}
|
|
if !validatePassword(password, user.PasswordHash) {
|
|
log.Info().Str("username", username).Str("password", redact(password)).Str("hash", passwordHash).Msg("Invalid password for user")
|
|
return nil, InvalidCredentials{}
|
|
}
|
|
return user, nil
|
|
}
|