nihonium/nyanimedb
1
0
Fork 1
Code Issues 11 Pull requests Releases Packages 3 Activity Actions
nyanimedb/modules/auth/handlers/handlers.go
nihonium 69eacd7240
All checks were successful
Build and Deploy Go App / build (push) Successful in 5m51s
Details
Build and Deploy Go App / deploy (push) Successful in 40s
Details
feat: logout
2025-12-06 07:01:38 +03:00

315 lines
9.6 KiB
Go
Raw Blame History

package handlers
import (
"context"
"crypto/rand"
"encoding/base64"
"fmt"
"net/http"
auth "nyanimedb/auth"
sqlc "nyanimedb/sql"
"strconv"
"time"
"github.com/alexedwards/argon2id"
"github.com/gin-gonic/gin"
"github.com/golang-jwt/jwt/v5"
log "github.com/sirupsen/logrus"
)
type Server struct {
db *sqlc.Queries
JwtPrivateKey string
}
func NewServer(db *sqlc.Queries, JwtPrivatekey string) Server {
return Server{db: db, JwtPrivateKey: JwtPrivatekey}
}
func parseInt64(s string) (int32, error) {
i, err := strconv.ParseInt(s, 10, 64)
return int32(i), err
}
func HashPassword(password string) (string, error) {
params := &argon2id.Params{
Memory: 64 * 1024,
Iterations: 3,
Parallelism: 2,
SaltLength: 16,
KeyLength: 32,
}
return argon2id.CreateHash(password, params)
}
func CheckPassword(password, hash string) (bool, error) {
return argon2id.ComparePasswordAndHash(password, hash)
}
func (s *Server) generateImpersonationToken(userID string, impersonatedBy string) (string, error) {
now := time.Now()
claims := auth.TokenClaims{
ImpID: &impersonatedBy,
Type: "access",
RegisteredClaims: jwt.RegisteredClaims{
Subject: userID,
IssuedAt: jwt.NewNumericDate(now),
ExpiresAt: jwt.NewNumericDate(now.Add(15 * time.Minute)),
ID: generateJTI(),
},
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
return token.SignedString([]byte(s.JwtPrivateKey))
}
func (s *Server) generateTokens(userID string) (accessToken string, refreshToken string, csrfToken string, err error) {
now := time.Now()
// Access token (15 мин)
accessClaims := auth.TokenClaims{
Type: "access",
RegisteredClaims: jwt.RegisteredClaims{
Subject: userID,
IssuedAt: jwt.NewNumericDate(now),
ExpiresAt: jwt.NewNumericDate(now.Add(15 * time.Minute)),
ID: generateJTI(),
},
}
at := jwt.NewWithClaims(jwt.SigningMethodHS256, accessClaims)
accessToken, err = at.SignedString([]byte(s.JwtPrivateKey))
if err != nil {
return "", "", "", err
}
// Refresh token (7 дней)
refreshClaims := auth.TokenClaims{
Type: "refresh",
RegisteredClaims: jwt.RegisteredClaims{
Subject: userID,
IssuedAt: jwt.NewNumericDate(now),
ExpiresAt: jwt.NewNumericDate(now.Add(7 * 24 * time.Hour)),
ID: generateJTI(),
},
}
rt := jwt.NewWithClaims(jwt.SigningMethodHS256, refreshClaims)
refreshToken, err = rt.SignedString([]byte(s.JwtPrivateKey))
if err != nil {
return "", "", "", err
}
// CSRF token
csrfBytes := make([]byte, 32)
_, err = rand.Read(csrfBytes)
if err != nil {
return "", "", "", err
}
csrfToken = base64.RawURLEncoding.EncodeToString(csrfBytes)
return accessToken, refreshToken, csrfToken, nil
}
func (s Server) PostSignUp(ctx context.Context, req auth.PostSignUpRequestObject) (auth.PostSignUpResponseObject, error) {
passhash, err := HashPassword(req.Body.Pass)
if err != nil {
log.Errorf("failed to hash password: %v", err)
// TODO: return 500
}
user_id, err := s.db.CreateNewUser(context.Background(), sqlc.CreateNewUserParams{
Passhash: passhash,
Nickname: req.Body.Nickname,
})
if err != nil {
log.Errorf("failed to create user %s: %v", req.Body.Nickname, err)
// TODO: check err and retyrn 400/500
}
return auth.PostSignUp200JSONResponse{
UserId: user_id,
}, nil
}
func (s Server) PostSignIn(ctx context.Context, req auth.PostSignInRequestObject) (auth.PostSignInResponseObject, error) {
ginCtx, ok := ctx.Value(gin.ContextKey).(*gin.Context)
if !ok {
log.Print("failed to get gin context")
// TODO: change to 500
return auth.PostSignIn200JSONResponse{}, fmt.Errorf("failed to get gin.Context from context.Context")
}
user, err := s.db.GetUserByNickname(context.Background(), req.Body.Nickname)
if err != nil {
log.Errorf("failed to get user by nickname %s: %v", req.Body.Nickname, err)
// TODO: return 400/500
}
ok, err = CheckPassword(req.Body.Pass, user.Passhash)
if err != nil {
log.Errorf("failed to check password for user %s: %v", req.Body.Nickname, err)
// TODO: return 500
}
if !ok {
return auth.PostSignIn401Response{}, nil
}
accessToken, refreshToken, csrfToken, err := s.generateTokens(fmt.Sprintf("%d", user.ID))
if err != nil {
log.Errorf("failed to generate tokens for user %s: %v", req.Body.Nickname, err)
// TODO: return 500
}
// TODO: check cookie settings carefully
ginCtx.SetSameSite(http.SameSiteStrictMode)
ginCtx.SetCookie("access_token", accessToken, 900, "/api", "", false, true)
ginCtx.SetCookie("refresh_token", refreshToken, 1209600, "/auth", "", false, true)
ginCtx.SetCookie("xsrf_token", csrfToken, 1209600, "/", "", false, false)
result := auth.PostSignIn200JSONResponse{
UserId: user.ID,
UserName: user.Nickname,
}
return result, nil
}
func (s Server) GetImpersonationToken(ctx context.Context, req auth.GetImpersonationTokenRequestObject) (auth.GetImpersonationTokenResponseObject, error) {
ginCtx, ok := ctx.Value(gin.ContextKey).(*gin.Context)
if !ok {
log.Print("failed to get gin context")
// TODO: change to 500
return auth.GetImpersonationToken200JSONResponse{}, fmt.Errorf("failed to get gin.Context from context.Context")
}
token, err := ExtractBearerToken(ginCtx.Request.Header.Get("Authorization"))
if err != nil {
// TODO: return 500
log.Errorf("failed to extract bearer token: %v", err)
return auth.GetImpersonationToken401Response{}, err
}
log.Printf("got auth token: %s", token)
ext_service, err := s.db.GetExternalServiceByToken(context.Background(), &token)
if err != nil {
log.Errorf("failed to get external service by token: %v", err)
return auth.GetImpersonationToken401Response{}, err
// TODO: check err and retyrn 400/500
}
var user_id string = ""
if req.Body.ExternalId != nil {
user, err := s.db.GetUserByExternalServiceId(context.Background(), sqlc.GetUserByExternalServiceIdParams{
ExternalID: fmt.Sprintf("%d", *req.Body.ExternalId),
ServiceID: ext_service.ID,
})
if err != nil {
log.Errorf("failed to get user by external user id: %v", err)
return auth.GetImpersonationToken401Response{}, err
// TODO: check err and retyrn 400/500
}
user_id = fmt.Sprintf("%d", user.ID)
}
if req.Body.UserId != nil {
// TODO: check user existence
if user_id != "" && user_id != fmt.Sprintf("%d", *req.Body.UserId) {
log.Error("user_id and external_d are incorrect")
// TODO: 405
return auth.GetImpersonationToken401Response{}, nil
} else {
user_id = fmt.Sprintf("%d", *req.Body.UserId)
}
}
accessToken, err := s.generateImpersonationToken(user_id, fmt.Sprintf("%d", ext_service.ID))
if err != nil {
log.Errorf("failed to generate impersonation token: %v", err)
return auth.GetImpersonationToken401Response{}, err
// TODO: check err and retyrn 400/500
}
return auth.GetImpersonationToken200JSONResponse{AccessToken: accessToken}, nil
}
func (s Server) RefreshTokens(ctx context.Context, req auth.RefreshTokensRequestObject) (auth.RefreshTokensResponseObject, error) {
ginCtx, ok := ctx.Value(gin.ContextKey).(*gin.Context)
if !ok {
log.Print("failed to get gin context")
return auth.RefreshTokens500Response{}, fmt.Errorf("failed to get gin.Context from context.Context")
}
rtCookie, err := ginCtx.Request.Cookie("refresh_token")
if err != nil {
log.Print("failed to get refresh_token cookie")
return auth.RefreshTokens400Response{}, fmt.Errorf("failed to get refresh_token cookie")
}
refreshToken := rtCookie.Value
token, err := jwt.ParseWithClaims(refreshToken, &auth.TokenClaims{}, func(t *jwt.Token) (interface{}, error) {
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("unexpected signing method")
}
return []byte(s.JwtPrivateKey), nil
})
if err != nil || !token.Valid {
log.Print("invalid refresh token")
return auth.RefreshTokens401Response{}, nil
}
claims, ok := token.Claims.(*auth.TokenClaims)
if !ok || claims.Subject == "" {
log.Print("invalid refresh token claims")
return auth.RefreshTokens401Response{}, nil
}
if claims.Type != "refresh" {
log.Errorf("token is not a refresh token")
return auth.RefreshTokens401Response{}, nil
}
accessToken, refreshToken, csrfToken, err := s.generateTokens(claims.Subject)
if err != nil {
log.Errorf("failed to generate tokens for user %s: %v", claims.Subject, err)
return auth.RefreshTokens500Response{}, nil
}
// TODO: check cookie settings carefully
ginCtx.SetSameSite(http.SameSiteStrictMode)
ginCtx.SetCookie("access_token", accessToken, 900, "/api", "", false, true)
ginCtx.SetCookie("refresh_token", refreshToken, 1209600, "/auth", "", false, true)
ginCtx.SetCookie("xsrf_token", csrfToken, 1209600, "/", "", false, false)
return auth.RefreshTokens200Response{}, nil
}
func (s Server) Logout(ctx context.Context, req auth.LogoutRequestObject) (auth.LogoutResponseObject, error) {
// TODO: get current tokens and add them to block list
ginCtx, ok := ctx.Value(gin.ContextKey).(*gin.Context)
if !ok {
log.Print("failed to get gin context")
return auth.Logout500Response{}, fmt.Errorf("failed to get gin.Context from context.Context")
}
// Delete cookies by setting MaxAge negative
ginCtx.SetCookie("access_token", "", -1, "/api", "", true, true)
ginCtx.SetCookie("refresh_token", "", -1, "/auth", "", true, true)
ginCtx.SetCookie("xsrf_token", "", -1, "/", "", false, false)
return auth.Logout200Response{}, nil
}
func ExtractBearerToken(header string) (string, error) {
const prefix = "Bearer "
if len(header) <= len(prefix) || header[:len(prefix)] != prefix {
return "", fmt.Errorf("invalid bearer token format")
}
return header[len(prefix):], nil
}
func generateJTI() string {
b := make([]byte, 16)
_, _ = rand.Read(b)
return base64.RawURLEncoding.EncodeToString(b)
}
Reference in a new issue View git blame Copy permalink