imagini/internal/auth/auth.go

package auth

import (
	"errors"

    "github.com/google/uuid"
    "golang.org/x/crypto/bcrypt"
	log "github.com/sirupsen/logrus"
	"gorm.io/gorm"
	"reichard.io/imagini/internal/db"
	"reichard.io/imagini/internal/config"
	"reichard.io/imagini/internal/models"
	"reichard.io/imagini/internal/session"

	"encoding/json"
	"fmt"
	"time"

	"github.com/lestrrat-go/jwx/jwa"
	"github.com/lestrrat-go/jwx/jwt"
)

type AuthManager struct {
    DB      *db.DBManager
    Config  *config.Config
    Session *session.SessionManager
}

func NewMgr(db *db.DBManager, c *config.Config) *AuthManager {
    session := session.NewMgr()
    return &AuthManager{
        DB: db,
        Config: c,
        Session: session,
    }
}

func (auth *AuthManager) AuthenticateUser(creds models.APICredentials) bool {
    // By Username
    foundUser, err := auth.DB.User(models.User{Username: creds.User})
    if errors.Is(err, gorm.ErrRecordNotFound) {
        foundUser, err = auth.DB.User(models.User{Email: creds.User})
    }

    // Error Checking
    if errors.Is(err, gorm.ErrRecordNotFound) {
        log.Warn("[auth] User not found: ", creds.User)
        return false
    } else if err != nil {
        log.Error(err)
        return false
    }

    log.Info("[auth] Authenticating user: ", foundUser.Username)

    // Determine Type
    switch foundUser.AuthType {
    case "Local":
        return authenticateLocalUser(foundUser, creds.Password)
    case "LDAP":
        return authenticateLDAPUser(foundUser, creds.Password)
    default:
        return false
    }
}

func (auth *AuthManager) ValidateJWTToken(userJWT string) bool {
    byteUserJWT := []byte(userJWT)

    serverToken, err := jwt.ParseBytes(byteUserJWT, jwt.WithVerify(jwa.HS256, auth.Config.JWTSecret))
    if err != nil {
        fmt.Println("failed to parse payload: ", err)
    }

    uid, ok := serverToken.Get("uid");
    if !ok {
        fmt.Println("failed to acquire uid")
    }

    userID := fmt.Sprintf("%v", uid)
    userKey := auth.Session.Get(userID)

    userToken, err := jwt.ParseBytes(byteUserJWT, jwt.WithVerify(jwa.HS256, userKey))
    if err != nil {
        fmt.Println("failed to parse payload: ", err)
    }
    _ = userToken

    // TODO:
    //  - Get User ID from UNVALIDATED token
    //  - Lookup user key, concat with server key
    //  - Validate with concatted user & server key
    //      validatedToken, err := jwt.ParseBytes(byteUserJWT, jwt.WithVerify(jwa.HS256, concatKey))
    //      if err != nil {
    //          fmt.Printf("failed to parse payload: %s\n", err)
    //      }

    // userToken := auth.Session.Get(userID)
    // log.Info("[auth] DEBUG: ", userToken)

    return false
}

func (auth *AuthManager) RevokeRefreshToken() {

}

func (auth *AuthManager) ValidateRefreshToken(refreshToken, deviceID string) bool {
    // Acquire Device
    deviceUUID, err := uuid.Parse(deviceID)
    device := models.Device{Base: models.Base{UUID: deviceUUID}}
    foundDevice, err := auth.DB.Device(device)

    // Validate Expiration
    expTime, err := time.Parse(time.RFC3339, foundDevice.RefreshExp)
    if expTime.Before(time.Now()) {
        return false
    }

    // Validate Token
    bRefreshToken :=[]byte(refreshToken)
    err = bcrypt.CompareHashAndPassword([]byte(foundDevice.RefreshToken), bRefreshToken)
    if err == nil {
        log.Info("[auth] Refresh Token validation succeeded: ", foundDevice.UUID)
        return true
    }
    log.Warn("[auth] Refresh Token validation failed: ", foundDevice.UUID)
    return false
}

func (auth *AuthManager) UpdateRefreshToken(deviceID string) error {
    // TODO:
    //  - Remove Refresh token from Session AND DB
    //  - Call CreateRefreshToken
    return nil
}

func (auth *AuthManager) CreateRefreshToken(deviceID string) (string, error) {
    // TODO:
    //  - Create regular bcrypt password
    //  - Create Expiration (Depends on Device Type)
    //  - Store in DB: DeviceID, ValidUntil

    generatedToken := uuid.New().String()
    hashedRefreshToken, err := bcrypt.GenerateFromPassword([]byte(generatedToken), bcrypt.DefaultCost)
    if err != nil {
        log.Error(err)
        return "", err
    }
    _ = string(hashedRefreshToken)

    return "", nil
}

func (auth *AuthManager) CreateJWTAccessToken(user, role, deviceID string) (string, error) {
    // Create New Token
    tm := time.Now()
    t := jwt.New()
    t.Set(`did`, deviceID)                              // Device ID
    t.Set(`role`, role)                                 // User Role (Admin / User)
    t.Set(jwt.SubjectKey, user)                         // User ID
    t.Set(jwt.AudienceKey, `imagini`)                   // App ID
    t.Set(jwt.IssuedAtKey, tm)                          // Issued At
    t.Set(jwt.ExpirationKey, tm.Add(time.Minute * 30))  // 30 Minute Access Key

    // Validate Token Creation
    _, err := json.MarshalIndent(t, "", "  ")
    if err != nil {
        fmt.Printf("failed to generate JSON: %s\n", err)
        return "", err
    }

    // Use Server Key
    byteKey := []byte(auth.Config.JWTSecret)

    // Sign Token
    signed, err := jwt.Sign(t, jwa.HS256, byteKey)
    if err != nil {
        log.Printf("failed to sign token: %s", err)
        return "", err
    }

    // Return Token
    return string(signed), nil
}
DB & Route Organization 2021-01-10 00:44:02 +00:00			`package auth`

			`import (`
(WIP) Refresh & Access 2021-01-18 04:56:56 +00:00			`"errors"`

			`"github.com/google/uuid"`
			`"golang.org/x/crypto/bcrypt"`
			`log "github.com/sirupsen/logrus"`
DB & Route Organization 2021-01-10 00:44:02 +00:00			`"gorm.io/gorm"`
(WIP) Refresh & Access 2021-01-18 04:56:56 +00:00			`"reichard.io/imagini/internal/db"`
			`"reichard.io/imagini/internal/config"`
			`"reichard.io/imagini/internal/models"`
			`"reichard.io/imagini/internal/session"`

			`"encoding/json"`
			`"fmt"`
			`"time"`

			`"github.com/lestrrat-go/jwx/jwa"`
			`"github.com/lestrrat-go/jwx/jwt"`
DB & Route Organization 2021-01-10 00:44:02 +00:00			`)`

Finally Framework 2021-01-16 22:00:17 +00:00			`type AuthManager struct {`
(WIP) Refresh & Access 2021-01-18 04:56:56 +00:00			`DB *db.DBManager`
			`Config *config.Config`
			`Session *session.SessionManager`
Finally Framework 2021-01-16 22:00:17 +00:00			`}`

(WIP) Refresh & Access 2021-01-18 04:56:56 +00:00			`func NewMgr(db db.DBManager, c config.Config) *AuthManager {`
			`session := session.NewMgr()`
Finally Framework 2021-01-16 22:00:17 +00:00			`return &AuthManager{`
			`DB: db,`
(WIP) Refresh & Access 2021-01-18 04:56:56 +00:00			`Config: c,`
			`Session: session,`
Finally Framework 2021-01-16 22:00:17 +00:00			`}`
			`}`

			`func (auth *AuthManager) AuthenticateUser(creds models.APICredentials) bool {`
DB & Route Organization 2021-01-10 00:44:02 +00:00			`// By Username`
Finally Framework 2021-01-16 22:00:17 +00:00			`foundUser, err := auth.DB.User(models.User{Username: creds.User})`
DB & Route Organization 2021-01-10 00:44:02 +00:00			`if errors.Is(err, gorm.ErrRecordNotFound) {`
Finally Framework 2021-01-16 22:00:17 +00:00			`foundUser, err = auth.DB.User(models.User{Email: creds.User})`
DB & Route Organization 2021-01-10 00:44:02 +00:00			`}`

			`// Error Checking`
			`if errors.Is(err, gorm.ErrRecordNotFound) {`
WIP 2021-01-12 04:48:32 +00:00			`log.Warn("[auth] User not found: ", creds.User)`
DB & Route Organization 2021-01-10 00:44:02 +00:00			`return false`
			`} else if err != nil {`
			`log.Error(err)`
			`return false`
			`}`

			`log.Info("[auth] Authenticating user: ", foundUser.Username)`

			`// Determine Type`
			`switch foundUser.AuthType {`
			`case "Local":`
WIP 2021-01-12 04:48:32 +00:00			`return authenticateLocalUser(foundUser, creds.Password)`
DB & Route Organization 2021-01-10 00:44:02 +00:00			`case "LDAP":`
WIP 2021-01-12 04:48:32 +00:00			`return authenticateLDAPUser(foundUser, creds.Password)`
DB & Route Organization 2021-01-10 00:44:02 +00:00			`default:`
			`return false`
			`}`
			`}`
(WIP) Refresh & Access 2021-01-18 04:56:56 +00:00
			`func (auth *AuthManager) ValidateJWTToken(userJWT string) bool {`
			`byteUserJWT := []byte(userJWT)`

			`serverToken, err := jwt.ParseBytes(byteUserJWT, jwt.WithVerify(jwa.HS256, auth.Config.JWTSecret))`
			`if err != nil {`
			`fmt.Println("failed to parse payload: ", err)`
			`}`

			`uid, ok := serverToken.Get("uid");`
			`if !ok {`
			`fmt.Println("failed to acquire uid")`
			`}`

			`userID := fmt.Sprintf("%v", uid)`
			`userKey := auth.Session.Get(userID)`

			`userToken, err := jwt.ParseBytes(byteUserJWT, jwt.WithVerify(jwa.HS256, userKey))`
			`if err != nil {`
			`fmt.Println("failed to parse payload: ", err)`
			`}`
			`_ = userToken`

			`// TODO:`
			`// - Get User ID from UNVALIDATED token`
			`// - Lookup user key, concat with server key`
			`// - Validate with concatted user & server key`
			`// validatedToken, err := jwt.ParseBytes(byteUserJWT, jwt.WithVerify(jwa.HS256, concatKey))`
			`// if err != nil {`
			`// fmt.Printf("failed to parse payload: %s\n", err)`
			`// }`

			`// userToken := auth.Session.Get(userID)`
			`// log.Info("[auth] DEBUG: ", userToken)`

			`return false`
			`}`

			`func (auth *AuthManager) RevokeRefreshToken() {`

			`}`

			`func (auth *AuthManager) ValidateRefreshToken(refreshToken, deviceID string) bool {`
			`// Acquire Device`
			`deviceUUID, err := uuid.Parse(deviceID)`
			`device := models.Device{Base: models.Base{UUID: deviceUUID}}`
			`foundDevice, err := auth.DB.Device(device)`

			`// Validate Expiration`
			`expTime, err := time.Parse(time.RFC3339, foundDevice.RefreshExp)`
			`if expTime.Before(time.Now()) {`
			`return false`
			`}`

			`// Validate Token`
			`bRefreshToken :=[]byte(refreshToken)`
			`err = bcrypt.CompareHashAndPassword([]byte(foundDevice.RefreshToken), bRefreshToken)`
			`if err == nil {`
			`log.Info("[auth] Refresh Token validation succeeded: ", foundDevice.UUID)`
			`return true`
			`}`
			`log.Warn("[auth] Refresh Token validation failed: ", foundDevice.UUID)`
			`return false`
			`}`

			`func (auth *AuthManager) UpdateRefreshToken(deviceID string) error {`
			`// TODO:`
			`// - Remove Refresh token from Session AND DB`
			`// - Call CreateRefreshToken`
			`return nil`
			`}`

			`func (auth *AuthManager) CreateRefreshToken(deviceID string) (string, error) {`
			`// TODO:`
			`// - Create regular bcrypt password`
			`// - Create Expiration (Depends on Device Type)`
			`// - Store in DB: DeviceID, ValidUntil`

			`generatedToken := uuid.New().String()`
			`hashedRefreshToken, err := bcrypt.GenerateFromPassword([]byte(generatedToken), bcrypt.DefaultCost)`
			`if err != nil {`
			`log.Error(err)`
			`return "", err`
			`}`
			`_ = string(hashedRefreshToken)`

			`return "", nil`
			`}`

			`func (auth *AuthManager) CreateJWTAccessToken(user, role, deviceID string) (string, error) {`
			`// Create New Token`
			`tm := time.Now()`
			`t := jwt.New()`
			t.Set(`did`, deviceID) // Device ID
			t.Set(`role`, role) // User Role (Admin / User)
			`t.Set(jwt.SubjectKey, user) // User ID`
			t.Set(jwt.AudienceKey, `imagini`) // App ID
			`t.Set(jwt.IssuedAtKey, tm) // Issued At`
			`t.Set(jwt.ExpirationKey, tm.Add(time.Minute * 30)) // 30 Minute Access Key`

			`// Validate Token Creation`
			`_, err := json.MarshalIndent(t, "", " ")`
			`if err != nil {`
			`fmt.Printf("failed to generate JSON: %s\n", err)`
			`return "", err`
			`}`

			`// Use Server Key`
			`byteKey := []byte(auth.Config.JWTSecret)`

			`// Sign Token`
			`signed, err := jwt.Sign(t, jwa.HS256, byteKey)`
			`if err != nil {`
			`log.Printf("failed to sign token: %s", err)`
			`return "", err`
			`}`

			`// Return Token`
			`return string(signed), nil`
			`}`