Merge branch 'dev' of ssh://meowgit.nekoea.red:22222/nihonium/nyanimedb into dev

auth/auth.gen.go

@@ -13,6 +13,23 @@ import (
 	strictgin "github.com/oapi-codegen/runtime/strictmiddleware/gin"
 )
 
+const (
+	BearerAuthScopes = "bearerAuth.Scopes"
+)
+
+// GetImpersonationTokenJSONBody defines parameters for GetImpersonationToken.
+type GetImpersonationTokenJSONBody struct {
+	ExternalId *int64 `json:"external_id,omitempty"`
+	UserId     *int64 `json:"user_id,omitempty"`
+	union      json.RawMessage
+}
+
+// GetImpersonationTokenJSONBody0 defines parameters for GetImpersonationToken.
+type GetImpersonationTokenJSONBody0 = interface{}
+
+// GetImpersonationTokenJSONBody1 defines parameters for GetImpersonationToken.
+type GetImpersonationTokenJSONBody1 = interface{}
+
 // PostSignInJSONBody defines parameters for PostSignIn.
 type PostSignInJSONBody struct {
 	Nickname string `json:"nickname"`
@@ -25,6 +42,9 @@ type PostSignUpJSONBody struct {
 	Pass     string `json:"pass"`
 }
 
+// GetImpersonationTokenJSONRequestBody defines body for GetImpersonationToken for application/json ContentType.
+type GetImpersonationTokenJSONRequestBody GetImpersonationTokenJSONBody
+
 // PostSignInJSONRequestBody defines body for PostSignIn for application/json ContentType.
 type PostSignInJSONRequestBody PostSignInJSONBody
 
@@ -33,6 +53,9 @@ type PostSignUpJSONRequestBody PostSignUpJSONBody
 
 // ServerInterface represents all server handlers.
 type ServerInterface interface {
+	// Get service impersontaion token
+	// (POST /get-impersonation-token)
+	GetImpersonationToken(c *gin.Context)
 	// Sign in a user and return JWT
 	// (POST /sign-in)
 	PostSignIn(c *gin.Context)
@@ -50,6 +73,21 @@ type ServerInterfaceWrapper struct {
 
 type MiddlewareFunc func(c *gin.Context)
 
+// GetImpersonationToken operation middleware
+func (siw *ServerInterfaceWrapper) GetImpersonationToken(c *gin.Context) {
+
+	c.Set(BearerAuthScopes, []string{})
+
+	for _, middleware := range siw.HandlerMiddlewares {
+		middleware(c)
+		if c.IsAborted() {
+			return
+		}
+	}
+
+	siw.Handler.GetImpersonationToken(c)
+}
+
 // PostSignIn operation middleware
 func (siw *ServerInterfaceWrapper) PostSignIn(c *gin.Context) {
 
@@ -103,10 +141,41 @@ func RegisterHandlersWithOptions(router gin.IRouter, si ServerInterface, options
 		ErrorHandler:       errorHandler,
 	}
 
+	router.POST(options.BaseURL+"/get-impersonation-token", wrapper.GetImpersonationToken)
 	router.POST(options.BaseURL+"/sign-in", wrapper.PostSignIn)
 	router.POST(options.BaseURL+"/sign-up", wrapper.PostSignUp)
 }
 
+type UnauthorizedErrorResponse struct {
+}
+
+type GetImpersonationTokenRequestObject struct {
+	Body *GetImpersonationTokenJSONRequestBody
+}
+
+type GetImpersonationTokenResponseObject interface {
+	VisitGetImpersonationTokenResponse(w http.ResponseWriter) error
+}
+
+type GetImpersonationToken200JSONResponse struct {
+	// AccessToken JWT access token
+	AccessToken string `json:"access_token"`
+}
+
+func (response GetImpersonationToken200JSONResponse) VisitGetImpersonationTokenResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(200)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type GetImpersonationToken401Response = UnauthorizedErrorResponse
+
+func (response GetImpersonationToken401Response) VisitGetImpersonationTokenResponse(w http.ResponseWriter) error {
+	w.WriteHeader(401)
+	return nil
+}
+
 type PostSignInRequestObject struct {
 	Body *PostSignInJSONRequestBody
 }
@@ -127,15 +196,11 @@ func (response PostSignIn200JSONResponse) VisitPostSignInResponse(w http.Respons
 	return json.NewEncoder(w).Encode(response)
 }
 
-type PostSignIn401JSONResponse struct {
+type PostSignIn401Response = UnauthorizedErrorResponse
-	Error *string `json:"error,omitempty"`
-}
 
-func (response PostSignIn401JSONResponse) VisitPostSignInResponse(w http.ResponseWriter) error {
+func (response PostSignIn401Response) VisitPostSignInResponse(w http.ResponseWriter) error {
-	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(401)
-
+	return nil
-	return json.NewEncoder(w).Encode(response)
 }
 
 type PostSignUpRequestObject struct {
@@ -159,6 +224,9 @@ func (response PostSignUp200JSONResponse) VisitPostSignUpResponse(w http.Respons
 
 // StrictServerInterface represents all server handlers.
 type StrictServerInterface interface {
+	// Get service impersontaion token
+	// (POST /get-impersonation-token)
+	GetImpersonationToken(ctx context.Context, request GetImpersonationTokenRequestObject) (GetImpersonationTokenResponseObject, error)
 	// Sign in a user and return JWT
 	// (POST /sign-in)
 	PostSignIn(ctx context.Context, request PostSignInRequestObject) (PostSignInResponseObject, error)
@@ -179,6 +247,39 @@ type strictHandler struct {
 	middlewares []StrictMiddlewareFunc
 }
 
+// GetImpersonationToken operation middleware
+func (sh *strictHandler) GetImpersonationToken(ctx *gin.Context) {
+	var request GetImpersonationTokenRequestObject
+
+	var body GetImpersonationTokenJSONRequestBody
+	if err := ctx.ShouldBindJSON(&body); err != nil {
+		ctx.Status(http.StatusBadRequest)
+		ctx.Error(err)
+		return
+	}
+	request.Body = &body
+
+	handler := func(ctx *gin.Context, request interface{}) (interface{}, error) {
+		return sh.ssi.GetImpersonationToken(ctx, request.(GetImpersonationTokenRequestObject))
+	}
+	for _, middleware := range sh.middlewares {
+		handler = middleware(handler, "GetImpersonationToken")
+	}
+
+	response, err := handler(ctx, request)
+
+	if err != nil {
+		ctx.Error(err)
+		ctx.Status(http.StatusInternalServerError)
+	} else if validResponse, ok := response.(GetImpersonationTokenResponseObject); ok {
+		if err := validResponse.VisitGetImpersonationTokenResponse(ctx.Writer); err != nil {
+			ctx.Error(err)
+		}
+	} else if response != nil {
+		ctx.Error(fmt.Errorf("unexpected response type: %T", response))
+	}
+}
+
 // PostSignIn operation middleware
 func (sh *strictHandler) PostSignIn(ctx *gin.Context) {
 	var request PostSignInRequestObject

auth/openapi-auth.yaml

@@ -10,6 +10,7 @@ paths:
   /sign-up:
     post:
       summary: Sign up a new user
+      operationId: postSignUp
       tags: [Auth]
       requestBody:
         required: true
@@ -41,6 +42,7 @@ paths:
   /sign-in:
     post:
       summary: Sign in a user and return JWT
+      operationId: postSignIn
       tags: [Auth]
       requestBody:
         required: true
@@ -73,88 +75,52 @@ paths:
                   user_name:
                     type: string
         "401":
-          description: Access denied due to invalid credentials
+          $ref: '#/components/responses/UnauthorizedError'
+
+  /get-impersonation-token:
+    post:
+      summary: Get service impersontaion token
+      operationId: getImpersonationToken
+      tags: [Auth]
+      security:
+        - bearerAuth: []
+      requestBody:
+        required: true
         content:
           application/json:
             schema:
               type: object
               properties:
-                  error:
+                user_id:
+                  type: integer
+                  format: int64
+                external_id:
+                  type: integer
+                  format: int64
+              oneOf:
+                - required: ["user_id"]
+                - required: ["external_id"]
+      responses:
+        "200":
+          description: Generated impersonation access token
+          content:
+            application/json:
+              schema:
+                type: object
+                required:
+                  - access_token
+                properties:
+                  access_token:
                     type: string
-                    example: "Access denied"
+                    description: JWT access token
-  # /auth/verify-token:
+        "401":
-  #   post:
+          $ref: '#/components/responses/UnauthorizedError'
-  #     summary: Verify JWT validity
+
-  #     tags: [Auth]
+components:
-  #     requestBody:
+  securitySchemes:
-  #       required: true
+    bearerAuth:
-  #       content:
+      type: http
-  #         application/json:
+      scheme: bearer
-  #           schema:
+  responses:
-  #             type: object
+    UnauthorizedError:
-  #             required: [token]
+      description: Access token is missing or invalid
-  #             properties:
-  #               token:
-  #                 type: string
-  #                 description: JWT token to validate
-  #     responses:
-  #       "200":
-  #         description: Token validation result
-  #         content:
-  #           application/json:
-  #             schema:
-  #               type: object
-  #               properties:
-  #                 valid:
-  #                   type: boolean
-  #                   description: True if token is valid
-  #                 user_id:
-  #                   type: string
-  #                   nullable: true
-  #                   description: User ID extracted from token if valid
-  #                 error:
-  #                   type: string
-  #                   nullable: true
-  #                   description: Error message if token is invalid
-  # /auth/refresh-token:
-  #   post:
-  #     summary: Refresh JWT using a refresh token
-  #     tags: [Auth]
-  #     requestBody:
-  #       required: true
-  #       content:
-  #         application/json:
-  #           schema:
-  #             type: object
-  #             required: [refresh_token]
-  #             properties:
-  #               refresh_token:
-  #                 type: string
-  #                 description: JWT refresh token obtained from sign-in
-  #     responses:
-  #       "200":
-  #         description: New access (and optionally refresh) token
-  #         content:
-  #           application/json:
-  #             schema:
-  #               type: object
-  #               properties:
-  #                 valid:
-  #                   type: boolean
-  #                   description: True if refresh token was valid
-  #                 user_id:
-  #                   type: string
-  #                   nullable: true
-  #                   description: User ID extracted from refresh token
-  #                 access_token:
-  #                   type: string
-  #                   description: New access token
-  #                   nullable: true
-  #                 refresh_token:
-  #                   type: string
-  #                   description: New refresh token (optional)
-  #                   nullable: true
-  #                 error:
-  #                   type: string
-  #                   nullable: true
-  #                   description: Error message if refresh token is invalid

modules/auth/handlers/handlers.go

@@ -47,10 +47,28 @@ func CheckPassword(password, hash string) (bool, error) {
 	return argon2id.ComparePasswordAndHash(password, hash)
 }
 
+func (s Server) generateImpersonationToken(userID string, impersonated_by string) (accessToken string, err error) {
+	accessClaims := jwt.MapClaims{
+		"user_id": userID,
+		"exp":     time.Now().Add(15 * time.Minute).Unix(),
+		"imp_id":  impersonated_by,
+	}
+
+	at := jwt.NewWithClaims(jwt.SigningMethodHS256, accessClaims)
+
+	accessToken, err = at.SignedString([]byte(s.JwtPrivateKey))
+	if err != nil {
+		return "", err
+	}
+
+	return accessToken, nil
+}
+
 func (s Server) generateTokens(userID string) (accessToken string, refreshToken string, csrfToken string, err error) {
 	accessClaims := jwt.MapClaims{
 		"user_id": userID,
 		"exp":     time.Now().Add(15 * time.Minute).Unix(),
+		//TODO: add created_at
 	}
 	at := jwt.NewWithClaims(jwt.SigningMethodHS256, accessClaims)
 	accessToken, err = at.SignedString([]byte(s.JwtPrivateKey))
@@ -119,10 +137,7 @@ func (s Server) PostSignIn(ctx context.Context, req auth.PostSignInRequestObject
 		// TODO: return 500
 	}
 	if !ok {
-		err_msg := "invalid credentials"
+		return auth.PostSignIn401Response{}, nil
-		return auth.PostSignIn401JSONResponse{
-			Error: &err_msg,
-		}, nil
 	}
 
 	accessToken, refreshToken, csrfToken, err := s.generateTokens(req.Body.Nickname)
@@ -144,47 +159,64 @@ func (s Server) PostSignIn(ctx context.Context, req auth.PostSignInRequestObject
 	return result, nil
 }
 
-// func (s Server) PostAuthVerifyToken(ctx context.Context, req auth.PostAuthVerifyTokenRequestObject) (auth.PostAuthVerifyTokenResponseObject, error) {
+func (s Server) GetImpersonationToken(ctx context.Context, req auth.GetImpersonationTokenRequestObject) (auth.GetImpersonationTokenResponseObject, error) {
-// 	valid := false
+	ginCtx, ok := ctx.Value(gin.ContextKey).(*gin.Context)
-// 	var userID *string
+	if !ok {
-// 	var errStr *string
+		log.Print("failed to get gin context")
+		// TODO: change to 500
+		return auth.GetImpersonationToken200JSONResponse{}, fmt.Errorf("failed to get gin.Context from context.Context")
+	}
 
-// 	token, err := jwt.Parse(req.Body.Token, func(t *jwt.Token) (interface{}, error) {
+	token, err := ExtractBearerToken(ginCtx.Request.Header.Get("Authorization"))
-// 		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
+	if err != nil {
-// 			return nil, fmt.Errorf("unexpected signing method")
+		// TODO: return 500
-// 		}
+		log.Errorf("failed to extract bearer token: %v", err)
-// 		return accessSecret, nil
+		return auth.GetImpersonationToken401Response{}, err
-// 	})
+	}
+	log.Printf("got auth token: %s", token)
 
-// 	if err != nil {
+	ext_service, err := s.db.GetExternalServiceByToken(context.Background(), &token)
-// 		e := err.Error()
+	if err != nil {
-// 		errStr = &e
+		log.Errorf("failed to get external service by token: %v", err)
-// 		return auth.PostAuthVerifyToken200JSONResponse{
+		return auth.GetImpersonationToken401Response{}, err
-// 			Valid:  &valid,
+		// TODO: check err and retyrn 400/500
-// 			UserId: userID,
+	}
-// 			Error:  errStr,
-// 		}, nil
-// 	}
 
-// 	if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
+	var user_id string = ""
-// 		if uid, ok := claims["user_id"].(string); ok {
-// 			valid = true
-// 			userID = &uid
-// 		} else {
-// 			e := "user_id not found in token"
-// 			errStr = &e
-// 		}
-// 	} else {
-// 		e := "invalid token claims"
-// 		errStr = &e
-// 	}
 
-// 	return auth.PostAuthVerifyToken200JSONResponse{
+	if req.Body.ExternalId != nil {
-// 		Valid:  &valid,
+		user, err := s.db.GetUserByExternalServiceId(context.Background(), sqlc.GetUserByExternalServiceIdParams{
-// 		UserId: userID,
+			ExternalID: fmt.Sprintf("%d", *req.Body.ExternalId),
-// 		Error:  errStr,
+			ServiceID:  ext_service.ID,
-// 	}, nil
+		})
-// }
+		if err != nil {
+			log.Errorf("failed to get user by external user id: %v", err)
+			return auth.GetImpersonationToken401Response{}, err
+			// TODO: check err and retyrn 400/500
+		}
+
+		user_id = fmt.Sprintf("%d", user.ID)
+	}
+
+	if req.Body.UserId != nil {
+		if user_id != "" && user_id != fmt.Sprintf("%d", *req.Body.UserId) {
+			log.Error("user_id and external_d are incorrect")
+			// TODO: 405
+			return auth.GetImpersonationToken401Response{}, nil
+		} else {
+			user_id = fmt.Sprintf("%d", *req.Body.UserId)
+		}
+	}
+
+	accessToken, err := s.generateImpersonationToken(user_id, fmt.Sprintf("%d", ext_service.ID))
+	if err != nil {
+		log.Errorf("failed to generate impersonation token: %v", err)
+		return auth.GetImpersonationToken401Response{}, err
+		// TODO: check err and retyrn 400/500
+	}
+
+	return auth.GetImpersonationToken200JSONResponse{AccessToken: accessToken}, nil
+}
 
 // func (s Server) PostAuthRefreshToken(ctx context.Context, req auth.PostAuthRefreshTokenRequestObject) (auth.PostAuthRefreshTokenResponseObject, error) {
 // 	valid := false
@@ -236,3 +268,11 @@ func (s Server) PostSignIn(ctx context.Context, req auth.PostSignInRequestObject
 // 		Error:  errStr,
 // 	}, nil
 // }
+
+func ExtractBearerToken(header string) (string, error) {
+	const prefix = "Bearer "
+	if len(header) <= len(prefix) || header[:len(prefix)] != prefix {
+		return "", fmt.Errorf("invalid bearer token format")
+	}
+	return header[len(prefix):], nil
+}

modules/auth/queries.sql

@@ -9,3 +9,13 @@ INTO users (passhash, nickname)
 VALUES (sqlc.arg(passhash), sqlc.arg(nickname))
 RETURNING id;
 
+-- name: GetExternalServiceByToken :one
+SELECT *
+FROM external_services
+WHERE auth_token = sqlc.arg('auth_token');
+
+-- name: GetUserByExternalServiceId :one
+SELECT u.*
+FROM users u
+LEFT JOIN external_ids ei ON eu.user_id = u.id
+WHERE ei.external_id = sqlc.arg('external_id') AND ei.service_id = sqlc.arg('service_id');

sql/migrations/000001_init.up.sql

@@ -33,8 +33,6 @@ CREATE TABLE users (
     last_login          timestamptz
 );
 
-
-
 CREATE TABLE studios (
     id                  bigint              GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
     studio_name         text                NOT NULL UNIQUE,
@@ -108,12 +106,13 @@ CREATE TABLE signals (
 
 CREATE TABLE external_services (
     id                  bigint              GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
-    name                text                UNIQUE NOT NULL
+    name                text                UNIQUE NOT NULL,
+    auth_token          text
 );
 
 CREATE TABLE external_ids (
     user_id             bigint              NOT NULL REFERENCES users (id),
-    service_id          bigint              REFERENCES external_services (id),
+    service_id          bigint              NOT NULL REFERENCES external_services (id),
     external_id         text                NOT NULL
 );
 

sql/models.go

@@ -188,13 +188,14 @@ func (ns NullUsertitleStatusT) Value() (driver.Value, error) {
 
 type ExternalID struct {
 	UserID     int64  `json:"user_id"`
-	ServiceID  *int64 `json:"service_id"`
+	ServiceID  int64  `json:"service_id"`
 	ExternalID string `json:"external_id"`
 }
 
 type ExternalService struct {
 	ID        int64   `json:"id"`
 	Name      string  `json:"name"`
+	AuthToken *string `json:"auth_token"`
 }
 
 type Image struct {

sql/queries.sql.go

@@ -76,6 +76,19 @@ func (q *Queries) DeleteUserTitle(ctx context.Context, arg DeleteUserTitleParams
 	return i, err
 }
 
+const getExternalServiceByToken = `-- name: GetExternalServiceByToken :one
+SELECT id, name, auth_token
+FROM external_services
+WHERE auth_token = $1
+`
+
+func (q *Queries) GetExternalServiceByToken(ctx context.Context, authToken *string) (ExternalService, error) {
+	row := q.db.QueryRow(ctx, getExternalServiceByToken, authToken)
+	var i ExternalService
+	err := row.Scan(&i.ID, &i.Name, &i.AuthToken)
+	return i, err
+}
+
 const getImageByID = `-- name: GetImageByID :one
 SELECT id, storage_type, image_path
 FROM images
@@ -240,6 +253,35 @@ func (q *Queries) GetTitleTags(ctx context.Context, titleID int64) ([]json.RawMe
 	return items, nil
 }
 
+const getUserByExternalServiceId = `-- name: GetUserByExternalServiceId :one
+SELECT u.id, u.avatar_id, u.passhash, u.mail, u.nickname, u.disp_name, u.user_desc, u.creation_date, u.last_login
+FROM users u
+LEFT JOIN external_ids ei ON eu.user_id = u.id
+WHERE ei.external_id = $1 AND ei.service_id = $2
+`
+
+type GetUserByExternalServiceIdParams struct {
+	ExternalID string `json:"external_id"`
+	ServiceID  int64  `json:"service_id"`
+}
+
+func (q *Queries) GetUserByExternalServiceId(ctx context.Context, arg GetUserByExternalServiceIdParams) (User, error) {
+	row := q.db.QueryRow(ctx, getUserByExternalServiceId, arg.ExternalID, arg.ServiceID)
+	var i User
+	err := row.Scan(
+		&i.ID,
+		&i.AvatarID,
+		&i.Passhash,
+		&i.Mail,
+		&i.Nickname,
+		&i.DispName,
+		&i.UserDesc,
+		&i.CreationDate,
+		&i.LastLogin,
+	)
+	return i, err
+}
+
 const getUserByID = `-- name: GetUserByID :one
 SELECT 
     t.id                as id,