wip 1

2026-03-15 19:19:48 -04:00
parent 0704b5d650
commit c84bc2522e
12 changed files with 1384 additions and 17 deletions
--- a/api/v1/auth.go
+++ b/api/v1/auth.go
@@ -0,0 +1,179 @@
+package v1
+
+import (
+	"context"
+	"crypto/md5"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"time"
+
+	argon2 "github.com/alexedwards/argon2id"
+	"github.com/gorilla/sessions"
+	log "github.com/sirupsen/logrus"
+)
+
+// authData represents session authentication data
+type authData struct {
+	UserName string
+	IsAdmin  bool
+	AuthHash string
+}
+
+// withAuth wraps a handler with session authentication
+func (s *Server) withAuth(handler http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		auth, ok := s.getSession(r)
+		if !ok {
+			writeJSONError(w, http.StatusUnauthorized, "Unauthorized")
+			return
+		}
+		ctx := context.WithValue(r.Context(), "auth", auth)
+		handler(w, r.WithContext(ctx))
+	}
+}
+
+// getSession retrieves auth data from the session cookie
+func (s *Server) getSession(r *http.Request) (auth authData, ok bool) {
+	// Get session from cookie store
+	store := sessions.NewCookieStore([]byte(s.cfg.CookieAuthKey))
+	if s.cfg.CookieEncKey != "" {
+		if len(s.cfg.CookieEncKey) == 16 || len(s.cfg.CookieEncKey) == 32 {
+			store = sessions.NewCookieStore([]byte(s.cfg.CookieAuthKey), []byte(s.cfg.CookieEncKey))
+		} else {
+			log.Error("invalid cookie encryption key (must be 16 or 32 bytes)")
+			return authData{}, false
+		}
+	}
+
+	session, err := store.Get(r, "token")
+	if err != nil {
+		return authData{}, false
+	}
+
+	// Get session values
+	authorizedUser := session.Values["authorizedUser"]
+	isAdmin := session.Values["isAdmin"]
+	expiresAt := session.Values["expiresAt"]
+	authHash := session.Values["authHash"]
+
+	if authorizedUser == nil || isAdmin == nil || expiresAt == nil || authHash == nil {
+		return authData{}, false
+	}
+
+	auth = authData{
+		UserName: authorizedUser.(string),
+		IsAdmin:  isAdmin.(bool),
+		AuthHash: authHash.(string),
+	}
+
+	// Validate auth hash
+	ctx := r.Context()
+	correctAuthHash, err := s.getUserAuthHash(ctx, auth.UserName)
+	if err != nil || correctAuthHash != auth.AuthHash {
+		return authData{}, false
+	}
+
+	return auth, true
+}
+
+// getUserAuthHash retrieves the user's auth hash from DB or cache
+func (s *Server) getUserAuthHash(ctx context.Context, username string) (string, error) {
+	user, err := s.db.Queries.GetUser(ctx, username)
+	if err != nil {
+		return "", err
+	}
+	return *user.AuthHash, nil
+}
+
+// apiLogin handles POST /api/v1/auth/login
+func (s *Server) apiLogin(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		writeJSONError(w, http.StatusMethodNotAllowed, "Method not allowed")
+		return
+	}
+
+	var req LoginRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeJSONError(w, http.StatusBadRequest, "Invalid JSON")
+		return
+	}
+
+	if req.Username == "" || req.Password == "" {
+		writeJSONError(w, http.StatusBadRequest, "Invalid credentials")
+		return
+	}
+
+	// MD5 - KOSync compatibility
+	password := fmt.Sprintf("%x", md5.Sum([]byte(req.Password)))
+
+	// Verify credentials
+	user, err := s.db.Queries.GetUser(r.Context(), req.Username)
+	if err != nil {
+		writeJSONError(w, http.StatusUnauthorized, "Invalid credentials")
+		return
+	}
+
+	if match, err := argon2.ComparePasswordAndHash(password, *user.Pass); err != nil || !match {
+		writeJSONError(w, http.StatusUnauthorized, "Invalid credentials")
+		return
+	}
+
+	// Create session
+	store := sessions.NewCookieStore([]byte(s.cfg.CookieAuthKey))
+	if s.cfg.CookieEncKey != "" {
+		if len(s.cfg.CookieEncKey) == 16 || len(s.cfg.CookieEncKey) == 32 {
+			store = sessions.NewCookieStore([]byte(s.cfg.CookieAuthKey), []byte(s.cfg.CookieEncKey))
+		}
+	}
+
+	session, _ := store.Get(r, "token")
+	session.Values["authorizedUser"] = user.ID
+	session.Values["isAdmin"] = user.Admin
+	session.Values["expiresAt"] = time.Now().Unix() + (60 * 60 * 24 * 7)
+	session.Values["authHash"] = *user.AuthHash
+
+	if err := session.Save(r, w); err != nil {
+		writeJSONError(w, http.StatusInternalServerError, "Failed to create session")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, LoginResponse{
+		Username: user.ID,
+		IsAdmin:  user.Admin,
+	})
+}
+
+// apiLogout handles POST /api/v1/auth/logout
+func (s *Server) apiLogout(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		writeJSONError(w, http.StatusMethodNotAllowed, "Method not allowed")
+		return
+	}
+
+	store := sessions.NewCookieStore([]byte(s.cfg.CookieAuthKey))
+	session, _ := store.Get(r, "token")
+	session.Values = make(map[any]any)
+
+	if err := session.Save(r, w); err != nil {
+		writeJSONError(w, http.StatusInternalServerError, "Failed to logout")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]string{"status": "logged out"})
+}
+
+// apiGetMe handles GET /api/v1/auth/me
+func (s *Server) apiGetMe(w http.ResponseWriter, r *http.Request) {
+	auth, ok := r.Context().Value("auth").(authData)
+	if !ok {
+		writeJSONError(w, http.StatusUnauthorized, "Unauthorized")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, UserData{
+		Username: auth.UserName,
+		IsAdmin:  auth.IsAdmin,
+	})
+}
+