nihonium/nyanimedb
1
0
Fork 1
Code Issues 11 Pull requests Releases Packages 3 Activity Actions

Merge branch 'dev' of ssh://meowgit.nekoea.red:22222/nihonium/nyanimedb into dev
All checks were successful
Build and Deploy Go App / build (push) Successful in 5m55s
Details
Build and Deploy Go App / deploy (push) Successful in 41s
Details

Browse source
This commit is contained in:
Iron_Felix 2025-12-06 05:18:33 +03:00
commit e67c9a77ce
7 changed files with 293 additions and 134 deletions
Download patch file Download diff file Expand all files Collapse all files

122
modules/auth/handlers/handlers.go
View file

@ -47,10 +47,28 @@ func CheckPassword(password, hash string) (bool, error) {
return argon2id.ComparePasswordAndHash(password, hash)
}
func (s Server) generateImpersonationToken(userID string, impersonated_by string) (accessToken string, err error) {
accessClaims := jwt.MapClaims{
"user_id": userID,
"exp": time.Now().Add(15 * time.Minute).Unix(),
"imp_id": impersonated_by,
}
at := jwt.NewWithClaims(jwt.SigningMethodHS256, accessClaims)
accessToken, err = at.SignedString([]byte(s.JwtPrivateKey))
if err != nil {
return "", err
}
return accessToken, nil
}
func (s Server) generateTokens(userID string) (accessToken string, refreshToken string, csrfToken string, err error) {
accessClaims := jwt.MapClaims{
"user_id": userID,
"exp": time.Now().Add(15 * time.Minute).Unix(),
//TODO: add created_at
}
at := jwt.NewWithClaims(jwt.SigningMethodHS256, accessClaims)
accessToken, err = at.SignedString([]byte(s.JwtPrivateKey))
@ -119,10 +137,7 @@ func (s Server) PostSignIn(ctx context.Context, req auth.PostSignInRequestObject
// TODO: return 500
}
if !ok {
err_msg := "invalid credentials"
return auth.PostSignIn401JSONResponse{
Error: &err_msg,
}, nil
return auth.PostSignIn401Response{}, nil
}
accessToken, refreshToken, csrfToken, err := s.generateTokens(req.Body.Nickname)
@ -144,47 +159,64 @@ func (s Server) PostSignIn(ctx context.Context, req auth.PostSignInRequestObject
return result, nil
}
// func (s Server) PostAuthVerifyToken(ctx context.Context, req auth.PostAuthVerifyTokenRequestObject) (auth.PostAuthVerifyTokenResponseObject, error) {
// valid := false
// var userID *string
// var errStr *string
func (s Server) GetImpersonationToken(ctx context.Context, req auth.GetImpersonationTokenRequestObject) (auth.GetImpersonationTokenResponseObject, error) {
ginCtx, ok := ctx.Value(gin.ContextKey).(*gin.Context)
if !ok {
log.Print("failed to get gin context")
// TODO: change to 500
return auth.GetImpersonationToken200JSONResponse{}, fmt.Errorf("failed to get gin.Context from context.Context")
}
// token, err := jwt.Parse(req.Body.Token, func(t *jwt.Token) (interface{}, error) {
// if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
// return nil, fmt.Errorf("unexpected signing method")
// }
// return accessSecret, nil
// })
token, err := ExtractBearerToken(ginCtx.Request.Header.Get("Authorization"))
if err != nil {
// TODO: return 500
log.Errorf("failed to extract bearer token: %v", err)
return auth.GetImpersonationToken401Response{}, err
}
log.Printf("got auth token: %s", token)
// if err != nil {
// e := err.Error()
// errStr = &e
// return auth.PostAuthVerifyToken200JSONResponse{
// Valid: &valid,
// UserId: userID,
// Error: errStr,
// }, nil
// }
ext_service, err := s.db.GetExternalServiceByToken(context.Background(), &token)
if err != nil {
log.Errorf("failed to get external service by token: %v", err)
return auth.GetImpersonationToken401Response{}, err
// TODO: check err and retyrn 400/500
}
// if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
// if uid, ok := claims["user_id"].(string); ok {
// valid = true
// userID = &uid
// } else {
// e := "user_id not found in token"
// errStr = &e
// }
// } else {
// e := "invalid token claims"
// errStr = &e
// }
var user_id string = ""
// return auth.PostAuthVerifyToken200JSONResponse{
// Valid: &valid,
// UserId: userID,
// Error: errStr,
// }, nil
// }
if req.Body.ExternalId != nil {
user, err := s.db.GetUserByExternalServiceId(context.Background(), sqlc.GetUserByExternalServiceIdParams{
ExternalID: fmt.Sprintf("%d", *req.Body.ExternalId),
ServiceID: ext_service.ID,
})
if err != nil {
log.Errorf("failed to get user by external user id: %v", err)
return auth.GetImpersonationToken401Response{}, err
// TODO: check err and retyrn 400/500
}
user_id = fmt.Sprintf("%d", user.ID)
}
if req.Body.UserId != nil {
if user_id != "" && user_id != fmt.Sprintf("%d", *req.Body.UserId) {
log.Error("user_id and external_d are incorrect")
// TODO: 405
return auth.GetImpersonationToken401Response{}, nil
} else {
user_id = fmt.Sprintf("%d", *req.Body.UserId)
}
}
accessToken, err := s.generateImpersonationToken(user_id, fmt.Sprintf("%d", ext_service.ID))
if err != nil {
log.Errorf("failed to generate impersonation token: %v", err)
return auth.GetImpersonationToken401Response{}, err
// TODO: check err and retyrn 400/500
}
return auth.GetImpersonationToken200JSONResponse{AccessToken: accessToken}, nil
}
// func (s Server) PostAuthRefreshToken(ctx context.Context, req auth.PostAuthRefreshTokenRequestObject) (auth.PostAuthRefreshTokenResponseObject, error) {
// valid := false
@ -236,3 +268,11 @@ func (s Server) PostSignIn(ctx context.Context, req auth.PostSignInRequestObject
// Error: errStr,
// }, nil
// }
func ExtractBearerToken(header string) (string, error) {
const prefix = "Bearer "
if len(header) <= len(prefix) || header[:len(prefix)] != prefix {
return "", fmt.Errorf("invalid bearer token format")
}
return header[len(prefix):], nil
}

10
modules/auth/queries.sql
View file

@ -9,3 +9,13 @@ INTO users (passhash, nickname)
VALUES (sqlc.arg(passhash), sqlc.arg(nickname))
RETURNING id;
-- name: GetExternalServiceByToken :one
SELECT *
FROM external_services
WHERE auth_token = sqlc.arg('auth_token');
-- name: GetUserByExternalServiceId :one
SELECT u.*
FROM users u
LEFT JOIN external_ids ei ON eu.user_id = u.id
WHERE ei.external_id = sqlc.arg('external_id') AND ei.service_id = sqlc.arg('service_id');