diff options
author | Vidhu Kant Sharma <vidhukant@vidhukant.xyz> | 2023-01-29 20:11:09 +0530 |
---|---|---|
committer | Vidhu Kant Sharma <vidhukant@vidhukant.xyz> | 2023-01-29 20:11:09 +0530 |
commit | ac7aa8c6e95023def1eba7615d8a42ad52271500 (patch) | |
tree | b3477a9d3ae39244a759b19fe42e7d3bccbda38d /auth | |
parent | 0607478f1e4c86619a606af7876a6625e859ee1a (diff) |
checking password before editing/deleting user
Diffstat (limited to 'auth')
-rw-r--r-- | auth/jwt.go | 95 | ||||
-rw-r--r-- | auth/password_middleware.go | 73 | ||||
-rw-r--r-- | auth/refresh_middleware.go | 47 | ||||
-rw-r--r-- | auth/router.go (renamed from auth/auth.go) | 18 |
4 files changed, 7 insertions, 226 deletions
diff --git a/auth/jwt.go b/auth/jwt.go deleted file mode 100644 index 66a4f12..0000000 --- a/auth/jwt.go +++ /dev/null @@ -1,95 +0,0 @@ -/* OpenBills-server - Server for libre billing software OpenBills-web - * Copyright (C) 2022 Vidhu Kant Sharma <vidhukant@vidhukant.xyz> - - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - - * You should have received a copy of the GNU General Public License - * along with this program. If not, see <https://www.gnu.org/licenses/>. - */ - -package auth - -import ( - "github.com/MikunoNaka/OpenBills-server/user" - "github.com/MikunoNaka/OpenBills-server/util" - "github.com/golang-jwt/jwt/v4" - "go.mongodb.org/mongo-driver/bson" - "go.mongodb.org/mongo-driver/bson/primitive" - - "context" - "errors" - "time" -) - -var ( - errUserNotFound error = errors.New("user does not exist") -) - -var accessSecret []byte -var refreshSecret []byte -func init() { - conf := util.GetConfig().Crypto - accessSecret = []byte(conf.AccessTokenSecret) - refreshSecret = []byte(conf.RefreshTokenSecret) -} - -func newAccessToken(userId string) (string, error) { - claims := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.StandardClaims { - Issuer: userId, - ExpiresAt: time.Now().Add(time.Second * 15).Unix(), - }) - - token, err := claims.SignedString(accessSecret) - if err != nil { - return "", err - } - - return token, nil -} - -/* - * the refresh token has a long lifespan and is stored in - * the database in case it needs to be revoked. - * - * this can be stored as an HTTP only cookie and will be used - * when creating a new access token - * - * I'm using a different secret key for refresh tokens - * for enhanced security - */ -func newRefreshToken(userId string) (string, int64, error) { - // convert id from string to ObjectID - id, _ := primitive.ObjectIDFromHex(userId) - - // check if user exists - var u user.User - if err := db.FindOne(context.TODO(), bson.M{"_id": id}).Decode(&u); err != nil { - return "", 0, errUserNotFound - } - - // generate refresh token - expiresAt := time.Now().Add(time.Hour * 12).Unix() - claims := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.StandardClaims { - Issuer: userId, - ExpiresAt: expiresAt, - }) - token, err := claims.SignedString(refreshSecret) - if err != nil { - return "", expiresAt, err - } - - // store refresh token in db with unique session name for ease in identification - sessionName := time.Now().Format("01-02-2006.15:04:05") + "-" + u.UserName - u.Sessions = append(u.Sessions, user.Session{Name: sessionName, Token: token}) - db.UpdateOne(context.TODO(), bson.M{"_id": id}, bson.D{{"$set", u}}) - - return token, expiresAt, nil -} diff --git a/auth/password_middleware.go b/auth/password_middleware.go deleted file mode 100644 index 3fda389..0000000 --- a/auth/password_middleware.go +++ /dev/null @@ -1,73 +0,0 @@ -/* OpenBills-server - Server for libre billing software OpenBills-web - * Copyright (C) 2022 Vidhu Kant Sharma <vidhukant@vidhukant.xyz> - - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - - * You should have received a copy of the GNU General Public License - * along with this program. If not, see <https://www.gnu.org/licenses/>. - */ - -package auth - -import ( - "github.com/gin-gonic/gin" - "net/http" - "log" - "context" - "golang.org/x/crypto/bcrypt" - "github.com/MikunoNaka/OpenBills-server/user" - "go.mongodb.org/mongo-driver/bson" - "go.mongodb.org/mongo-driver/mongo" -) - -func checkPassword() gin.HandlerFunc { - return func(ctx *gin.Context) { - var u user.User - ctx.BindJSON(&u) - - filter := bson.M{ - "$or": []bson.M{ - // u.UserName in this case can be either username or email - {"Email": u.UserName}, - {"UserName": u.UserName}, - }, - } - - // check if the user exists in DB - var user user.User - err := db.FindOne(context.TODO(), filter).Decode(&user) - if err != nil { - if err == mongo.ErrNoDocuments { - ctx.JSON(http.StatusNotFound, gin.H{"error": "user does not exist"}) - } else { - log.Printf("Error while reading user from DB to check password: %v", err.Error()) - ctx.JSON(http.StatusInternalServerError, gin.H{"error": "internal server error"}) - } - ctx.Abort() - } else { - // compare hash and password - err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(u.Password)) - if err != nil { - if err == bcrypt.ErrMismatchedHashAndPassword { - ctx.JSON(http.StatusUnauthorized, gin.H{"error": "incorrect password"}) - } else { - log.Printf("Error while checking password: %v", err.Error()) - ctx.JSON(http.StatusInternalServerError, gin.H{"error": "internal server error"}) - } - ctx.Abort() - } - } - - // everything's fine! - ctx.Set("user", user) - ctx.Next() - } -} diff --git a/auth/refresh_middleware.go b/auth/refresh_middleware.go deleted file mode 100644 index 00f73bf..0000000 --- a/auth/refresh_middleware.go +++ /dev/null @@ -1,47 +0,0 @@ -package auth - -import ( - "github.com/golang-jwt/jwt/v4" - "go.mongodb.org/mongo-driver/bson/primitive" - "go.mongodb.org/mongo-driver/bson" - "github.com/MikunoNaka/OpenBills-server/user" - "github.com/gin-gonic/gin" - "context" - "net/http" -) - -func verifyRefreshToken() gin.HandlerFunc { - return func(ctx *gin.Context) { - refreshToken, err := ctx.Cookie("refreshToken") - if err == nil { - token, err := jwt.ParseWithClaims(refreshToken, &jwt.StandardClaims{}, func(token *jwt.Token) (interface{}, error) { - return []byte(refreshSecret), nil - }) - if err != nil { // invalid token - ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "refresh token expired"}) - } else { // valid token - // convert id from string to ObjectID - id, _ := primitive.ObjectIDFromHex(token.Claims.(*jwt.StandardClaims).Issuer) - - // check if user exists - var u user.User - if err := db.FindOne(context.TODO(), bson.M{"_id": id}).Decode(&u); err != nil { - ctx.AbortWithStatusJSON(http.StatusNotFound, gin.H{"message": "user not found"}) - } else { - // check if this refreshToken is in DB - for _, i := range u.Sessions { - if i.Token == refreshToken { - ctx.Set("user", u) - ctx.Next() - } else { - ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "refresh token expired"}) - } - } - } - } - } else { - // invalid Authorization header - ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "not logged in"}) - } - } -} diff --git a/auth/auth.go b/auth/router.go index 1048f82..9fa03b7 100644 --- a/auth/auth.go +++ b/auth/router.go @@ -18,29 +18,25 @@ package auth import ( - "github.com/gin-gonic/gin" - "go.mongodb.org/mongo-driver/mongo" - "github.com/MikunoNaka/OpenBills-server/database" "github.com/MikunoNaka/OpenBills-server/user" - "net/http" + "github.com/gin-gonic/gin" "log" + "net/http" ) -var db *mongo.Collection = database.DB.Collection("Users") - func Routes(route *gin.Engine) { r := route.Group("/auth") { - r.POST("/login", checkPassword(), func(ctx *gin.Context) { + r.POST("/login", user.checkPassword(), func(ctx *gin.Context) { user := ctx.MustGet("user").(user.User) - accessToken, err := newAccessToken(user.Id.Hex()) + accessToken, err := user.newAccessToken(user.Id.Hex()) if err != nil { log.Printf("Error while generating new access token: %v", err) ctx.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": "Internal Server Error (cannot login)"}) } - refreshToken, expiresAt, err := newRefreshToken(user.Id.Hex()) + refreshToken, expiresAt, err := user.newRefreshToken(user.Id.Hex()) if err != nil { log.Printf("Error while generating new refresh token: %v", err) ctx.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": "Internal Server Error (cannot login)"}) @@ -50,9 +46,9 @@ func Routes(route *gin.Engine) { ctx.JSON(http.StatusOK, gin.H{"accessToken": accessToken}) }) - r.POST("/refresh", verifyRefreshToken(), func (ctx *gin.Context) { + r.POST("/refresh", user.verifyRefreshToken(), func(ctx *gin.Context) { u := ctx.MustGet("user").(user.User) - accessToken, err := newAccessToken(u.Id.Hex()) + accessToken, err := util.newAccessToken(u.Id.Hex()) if err != nil { log.Printf("Error while generating new access token: %v", err) ctx.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": "Internal Server Error (cannot refresh session)"}) |