summaryrefslogtreecommitdiff
path: root/auth
diff options
context:
space:
mode:
authorVidhu Kant Sharma <vidhukant@vidhukant.xyz>2023-01-29 20:11:09 +0530
committerVidhu Kant Sharma <vidhukant@vidhukant.xyz>2023-01-29 20:11:09 +0530
commitac7aa8c6e95023def1eba7615d8a42ad52271500 (patch)
treeb3477a9d3ae39244a759b19fe42e7d3bccbda38d /auth
parent0607478f1e4c86619a606af7876a6625e859ee1a (diff)
checking password before editing/deleting user
Diffstat (limited to 'auth')
-rw-r--r--auth/jwt.go95
-rw-r--r--auth/password_middleware.go73
-rw-r--r--auth/refresh_middleware.go47
-rw-r--r--auth/router.go (renamed from auth/auth.go)18
4 files changed, 7 insertions, 226 deletions
diff --git a/auth/jwt.go b/auth/jwt.go
deleted file mode 100644
index 66a4f12..0000000
--- a/auth/jwt.go
+++ /dev/null
@@ -1,95 +0,0 @@
-/* OpenBills-server - Server for libre billing software OpenBills-web
- * Copyright (C) 2022 Vidhu Kant Sharma <vidhukant@vidhukant.xyz>
-
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
-
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
-
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <https://www.gnu.org/licenses/>.
- */
-
-package auth
-
-import (
- "github.com/MikunoNaka/OpenBills-server/user"
- "github.com/MikunoNaka/OpenBills-server/util"
- "github.com/golang-jwt/jwt/v4"
- "go.mongodb.org/mongo-driver/bson"
- "go.mongodb.org/mongo-driver/bson/primitive"
-
- "context"
- "errors"
- "time"
-)
-
-var (
- errUserNotFound error = errors.New("user does not exist")
-)
-
-var accessSecret []byte
-var refreshSecret []byte
-func init() {
- conf := util.GetConfig().Crypto
- accessSecret = []byte(conf.AccessTokenSecret)
- refreshSecret = []byte(conf.RefreshTokenSecret)
-}
-
-func newAccessToken(userId string) (string, error) {
- claims := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.StandardClaims {
- Issuer: userId,
- ExpiresAt: time.Now().Add(time.Second * 15).Unix(),
- })
-
- token, err := claims.SignedString(accessSecret)
- if err != nil {
- return "", err
- }
-
- return token, nil
-}
-
-/*
- * the refresh token has a long lifespan and is stored in
- * the database in case it needs to be revoked.
- *
- * this can be stored as an HTTP only cookie and will be used
- * when creating a new access token
- *
- * I'm using a different secret key for refresh tokens
- * for enhanced security
- */
-func newRefreshToken(userId string) (string, int64, error) {
- // convert id from string to ObjectID
- id, _ := primitive.ObjectIDFromHex(userId)
-
- // check if user exists
- var u user.User
- if err := db.FindOne(context.TODO(), bson.M{"_id": id}).Decode(&u); err != nil {
- return "", 0, errUserNotFound
- }
-
- // generate refresh token
- expiresAt := time.Now().Add(time.Hour * 12).Unix()
- claims := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.StandardClaims {
- Issuer: userId,
- ExpiresAt: expiresAt,
- })
- token, err := claims.SignedString(refreshSecret)
- if err != nil {
- return "", expiresAt, err
- }
-
- // store refresh token in db with unique session name for ease in identification
- sessionName := time.Now().Format("01-02-2006.15:04:05") + "-" + u.UserName
- u.Sessions = append(u.Sessions, user.Session{Name: sessionName, Token: token})
- db.UpdateOne(context.TODO(), bson.M{"_id": id}, bson.D{{"$set", u}})
-
- return token, expiresAt, nil
-}
diff --git a/auth/password_middleware.go b/auth/password_middleware.go
deleted file mode 100644
index 3fda389..0000000
--- a/auth/password_middleware.go
+++ /dev/null
@@ -1,73 +0,0 @@
-/* OpenBills-server - Server for libre billing software OpenBills-web
- * Copyright (C) 2022 Vidhu Kant Sharma <vidhukant@vidhukant.xyz>
-
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
-
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
-
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <https://www.gnu.org/licenses/>.
- */
-
-package auth
-
-import (
- "github.com/gin-gonic/gin"
- "net/http"
- "log"
- "context"
- "golang.org/x/crypto/bcrypt"
- "github.com/MikunoNaka/OpenBills-server/user"
- "go.mongodb.org/mongo-driver/bson"
- "go.mongodb.org/mongo-driver/mongo"
-)
-
-func checkPassword() gin.HandlerFunc {
- return func(ctx *gin.Context) {
- var u user.User
- ctx.BindJSON(&u)
-
- filter := bson.M{
- "$or": []bson.M{
- // u.UserName in this case can be either username or email
- {"Email": u.UserName},
- {"UserName": u.UserName},
- },
- }
-
- // check if the user exists in DB
- var user user.User
- err := db.FindOne(context.TODO(), filter).Decode(&user)
- if err != nil {
- if err == mongo.ErrNoDocuments {
- ctx.JSON(http.StatusNotFound, gin.H{"error": "user does not exist"})
- } else {
- log.Printf("Error while reading user from DB to check password: %v", err.Error())
- ctx.JSON(http.StatusInternalServerError, gin.H{"error": "internal server error"})
- }
- ctx.Abort()
- } else {
- // compare hash and password
- err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(u.Password))
- if err != nil {
- if err == bcrypt.ErrMismatchedHashAndPassword {
- ctx.JSON(http.StatusUnauthorized, gin.H{"error": "incorrect password"})
- } else {
- log.Printf("Error while checking password: %v", err.Error())
- ctx.JSON(http.StatusInternalServerError, gin.H{"error": "internal server error"})
- }
- ctx.Abort()
- }
- }
-
- // everything's fine!
- ctx.Set("user", user)
- ctx.Next()
- }
-}
diff --git a/auth/refresh_middleware.go b/auth/refresh_middleware.go
deleted file mode 100644
index 00f73bf..0000000
--- a/auth/refresh_middleware.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package auth
-
-import (
- "github.com/golang-jwt/jwt/v4"
- "go.mongodb.org/mongo-driver/bson/primitive"
- "go.mongodb.org/mongo-driver/bson"
- "github.com/MikunoNaka/OpenBills-server/user"
- "github.com/gin-gonic/gin"
- "context"
- "net/http"
-)
-
-func verifyRefreshToken() gin.HandlerFunc {
- return func(ctx *gin.Context) {
- refreshToken, err := ctx.Cookie("refreshToken")
- if err == nil {
- token, err := jwt.ParseWithClaims(refreshToken, &jwt.StandardClaims{}, func(token *jwt.Token) (interface{}, error) {
- return []byte(refreshSecret), nil
- })
- if err != nil { // invalid token
- ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "refresh token expired"})
- } else { // valid token
- // convert id from string to ObjectID
- id, _ := primitive.ObjectIDFromHex(token.Claims.(*jwt.StandardClaims).Issuer)
-
- // check if user exists
- var u user.User
- if err := db.FindOne(context.TODO(), bson.M{"_id": id}).Decode(&u); err != nil {
- ctx.AbortWithStatusJSON(http.StatusNotFound, gin.H{"message": "user not found"})
- } else {
- // check if this refreshToken is in DB
- for _, i := range u.Sessions {
- if i.Token == refreshToken {
- ctx.Set("user", u)
- ctx.Next()
- } else {
- ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "refresh token expired"})
- }
- }
- }
- }
- } else {
- // invalid Authorization header
- ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "not logged in"})
- }
- }
-}
diff --git a/auth/auth.go b/auth/router.go
index 1048f82..9fa03b7 100644
--- a/auth/auth.go
+++ b/auth/router.go
@@ -18,29 +18,25 @@
package auth
import (
- "github.com/gin-gonic/gin"
- "go.mongodb.org/mongo-driver/mongo"
- "github.com/MikunoNaka/OpenBills-server/database"
"github.com/MikunoNaka/OpenBills-server/user"
- "net/http"
+ "github.com/gin-gonic/gin"
"log"
+ "net/http"
)
-var db *mongo.Collection = database.DB.Collection("Users")
-
func Routes(route *gin.Engine) {
r := route.Group("/auth")
{
- r.POST("/login", checkPassword(), func(ctx *gin.Context) {
+ r.POST("/login", user.checkPassword(), func(ctx *gin.Context) {
user := ctx.MustGet("user").(user.User)
- accessToken, err := newAccessToken(user.Id.Hex())
+ accessToken, err := user.newAccessToken(user.Id.Hex())
if err != nil {
log.Printf("Error while generating new access token: %v", err)
ctx.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": "Internal Server Error (cannot login)"})
}
- refreshToken, expiresAt, err := newRefreshToken(user.Id.Hex())
+ refreshToken, expiresAt, err := user.newRefreshToken(user.Id.Hex())
if err != nil {
log.Printf("Error while generating new refresh token: %v", err)
ctx.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": "Internal Server Error (cannot login)"})
@@ -50,9 +46,9 @@ func Routes(route *gin.Engine) {
ctx.JSON(http.StatusOK, gin.H{"accessToken": accessToken})
})
- r.POST("/refresh", verifyRefreshToken(), func (ctx *gin.Context) {
+ r.POST("/refresh", user.verifyRefreshToken(), func(ctx *gin.Context) {
u := ctx.MustGet("user").(user.User)
- accessToken, err := newAccessToken(u.Id.Hex())
+ accessToken, err := util.newAccessToken(u.Id.Hex())
if err != nil {
log.Printf("Error while generating new access token: %v", err)
ctx.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": "Internal Server Error (cannot refresh session)"})