summaryrefslogtreecommitdiff
path: root/auth
diff options
context:
space:
mode:
Diffstat (limited to 'auth')
-rw-r--r--auth/auth.go76
-rw-r--r--auth/jwt.go73
-rw-r--r--auth/jwt_middleware.go65
-rw-r--r--auth/password_middleware.go73
4 files changed, 240 insertions, 47 deletions
diff --git a/auth/auth.go b/auth/auth.go
index 7d88787..7bf251f 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -19,68 +19,50 @@ package auth
import (
"github.com/gin-gonic/gin"
- "context"
- "go.mongodb.org/mongo-driver/bson"
"go.mongodb.org/mongo-driver/mongo"
"github.com/MikunoNaka/OpenBills-server/database"
"github.com/MikunoNaka/OpenBills-server/user"
"net/http"
"log"
- "golang.org/x/crypto/bcrypt"
)
var db *mongo.Collection = database.DB.Collection("Users")
-func checkPassword() gin.HandlerFunc {
- return func(ctx *gin.Context) {
- var u user.User
- ctx.BindJSON(&u)
-
- filter := bson.M{
- "$or": []bson.M{
- // u.UserName in this case can be either username or email
- {"Email": u.UserName},
- {"UserName": u.UserName},
- },
- }
+func Routes(route *gin.Engine) {
+ r := route.Group("/auth")
+ {
+ r.POST("/login", checkPassword(), func(ctx *gin.Context) {
+ user := ctx.MustGet("user").(user.User)
- // check if the user exists in DB
- var user user.User
- err := db.FindOne(context.TODO(), filter).Decode(&user)
- if err != nil {
- if err == mongo.ErrNoDocuments {
- ctx.JSON(http.StatusNotFound, gin.H{"error": "user does not exist"})
- } else {
- log.Printf("Error while reading user from DB to check password: %v", err.Error())
- ctx.JSON(http.StatusInternalServerError, gin.H{"error": "internal server error"})
+ accessToken, err := newAccessToken(user.Id.Hex())
+ if err != nil {
+ log.Printf("Error while generating new access token: %v", err)
+ ctx.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": "Internal Server Error (cannot login)"})
}
- ctx.Abort()
- }
- // compare hash and password
- err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(u.Password))
- if err != nil {
- if err == bcrypt.ErrMismatchedHashAndPassword {
- ctx.JSON(http.StatusUnauthorized, gin.H{"error": "incorrect password"})
- } else {
- log.Printf("Error while checking password: %v", err.Error())
- ctx.JSON(http.StatusInternalServerError, gin.H{"error": "internal server error"})
+ refreshToken, expiresAt, err := newRefreshToken(user.Id.Hex())
+ if err != nil {
+ log.Printf("Error while generating new refresh token: %v", err)
+ ctx.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": "Internal Server Error (cannot login)"})
}
- ctx.Abort()
- }
- // everything's fine!
- ctx.Set("user", user)
- ctx.Next()
- }
-}
+ ctx.SetCookie("refreshToken", refreshToken, int(expiresAt), "", "", true, true)
+ ctx.JSON(http.StatusOK, gin.H{"accessToken": accessToken})
+ })
-func Routes(route *gin.Engine) {
- r := route.Group("/auth")
- {
- r.POST("/login", checkPassword(), func(ctx *gin.Context) {
- user := ctx.MustGet("user").(user.User)
- ctx.JSON(http.StatusOK, user)
+ r.POST("/refresh", verifyRefreshToken(), func (ctx *gin.Context) {
+ userId := ctx.MustGet("userId")
+ if userId != "" {
+ accessToken, err := newAccessToken(userId.(string))
+ if err != nil {
+ log.Printf("Error while generating new access token: %v", err)
+ ctx.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": "Internal Server Error (cannot refresh session)"})
+ } else {
+ ctx.JSON(http.StatusOK, gin.H{"accessToken": accessToken})
+ }
+ } else {
+ ctx.JSON(http.StatusBadRequest, gin.H{"message": "invalid user info"})
+ }
})
}
}
diff --git a/auth/jwt.go b/auth/jwt.go
new file mode 100644
index 0000000..2d2ea8e
--- /dev/null
+++ b/auth/jwt.go
@@ -0,0 +1,73 @@
+/* OpenBills-server - Server for libre billing software OpenBills-web
+ * Copyright (C) 2022 Vidhu Kant Sharma <vidhukant@vidhukant.xyz>
+
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package auth
+
+import (
+ "github.com/golang-jwt/jwt/v4"
+ "github.com/MikunoNaka/OpenBills-server/util"
+ "time"
+)
+
+var accessSecret []byte
+var refreshSecret []byte
+func init() {
+ conf := util.GetConfig().Crypto
+ accessSecret = []byte(conf.AccessTokenSecret)
+ refreshSecret = []byte(conf.RefreshTokenSecret)
+}
+
+func newAccessToken(userId string) (string, error) {
+ claims := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.StandardClaims {
+ Issuer: userId,
+ ExpiresAt: time.Now().Add(time.Second * 15).Unix(),
+ })
+
+ token, err := claims.SignedString(accessSecret)
+ if err != nil {
+ return "", err
+ }
+
+ return token, nil
+}
+
+/*
+ * the refresh token has a long lifespan and is stored in
+ * the database in case it needs to be revoked.
+ *
+ * this can be stored as an HTTP only cookie and will be used
+ * when creating a new access token
+ *
+ * I'm using a different secret key for refresh tokens
+ * for enhanced security
+ */
+func newRefreshToken(userId string) (string, int64, error) {
+ // TODO: store in DB
+ expiresAt := time.Now().Add(time.Hour * 12).Unix()
+
+ claims := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.StandardClaims {
+ Issuer: userId,
+ ExpiresAt: expiresAt,
+ })
+
+ token, err := claims.SignedString(refreshSecret)
+ if err != nil {
+ return "", expiresAt, err
+ }
+
+ return token, expiresAt, nil
+}
diff --git a/auth/jwt_middleware.go b/auth/jwt_middleware.go
new file mode 100644
index 0000000..22d1fd7
--- /dev/null
+++ b/auth/jwt_middleware.go
@@ -0,0 +1,65 @@
+/* OpenBills-server - Server for libre billing software OpenBills-web
+ * Copyright (C) 2022 Vidhu Kant Sharma <vidhukant@vidhukant.xyz>
+
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package auth
+
+import (
+ "net/http"
+ "github.com/golang-jwt/jwt/v4"
+ "github.com/gin-gonic/gin"
+)
+
+func Authorize() gin.HandlerFunc {
+ return func(ctx *gin.Context) {
+ tokenHeader := ctx.Request.Header["Authorization"]
+ if tokenHeader != nil {
+ token, err := jwt.ParseWithClaims(tokenHeader[0], &jwt.StandardClaims{}, func(token *jwt.Token) (interface{}, error) {
+ return []byte(accessSecret), nil
+ })
+ if err != nil {
+ ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "access token expired"})
+ } else {
+ ctx.Set("userId", token.Claims.(*jwt.StandardClaims).Issuer)
+ ctx.Next()
+ }
+ } else {
+ // invalid Authorization header
+ ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "not logged in"})
+ }
+
+ }
+}
+
+func verifyRefreshToken() gin.HandlerFunc {
+ return func(ctx *gin.Context) {
+ refreshToken, err := ctx.Cookie("refreshToken")
+ if err == nil {
+ token, err := jwt.ParseWithClaims(refreshToken, &jwt.StandardClaims{}, func(token *jwt.Token) (interface{}, error) {
+ return []byte(refreshSecret), nil
+ })
+ if err != nil {
+ ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "refresh token expired"})
+ } else {
+ ctx.Set("userId", token.Claims.(*jwt.StandardClaims).Issuer)
+ ctx.Next()
+ }
+ } else {
+ // invalid Authorization header
+ ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "not logged in"})
+ }
+ }
+}
diff --git a/auth/password_middleware.go b/auth/password_middleware.go
new file mode 100644
index 0000000..3fda389
--- /dev/null
+++ b/auth/password_middleware.go
@@ -0,0 +1,73 @@
+/* OpenBills-server - Server for libre billing software OpenBills-web
+ * Copyright (C) 2022 Vidhu Kant Sharma <vidhukant@vidhukant.xyz>
+
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package auth
+
+import (
+ "github.com/gin-gonic/gin"
+ "net/http"
+ "log"
+ "context"
+ "golang.org/x/crypto/bcrypt"
+ "github.com/MikunoNaka/OpenBills-server/user"
+ "go.mongodb.org/mongo-driver/bson"
+ "go.mongodb.org/mongo-driver/mongo"
+)
+
+func checkPassword() gin.HandlerFunc {
+ return func(ctx *gin.Context) {
+ var u user.User
+ ctx.BindJSON(&u)
+
+ filter := bson.M{
+ "$or": []bson.M{
+ // u.UserName in this case can be either username or email
+ {"Email": u.UserName},
+ {"UserName": u.UserName},
+ },
+ }
+
+ // check if the user exists in DB
+ var user user.User
+ err := db.FindOne(context.TODO(), filter).Decode(&user)
+ if err != nil {
+ if err == mongo.ErrNoDocuments {
+ ctx.JSON(http.StatusNotFound, gin.H{"error": "user does not exist"})
+ } else {
+ log.Printf("Error while reading user from DB to check password: %v", err.Error())
+ ctx.JSON(http.StatusInternalServerError, gin.H{"error": "internal server error"})
+ }
+ ctx.Abort()
+ } else {
+ // compare hash and password
+ err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(u.Password))
+ if err != nil {
+ if err == bcrypt.ErrMismatchedHashAndPassword {
+ ctx.JSON(http.StatusUnauthorized, gin.H{"error": "incorrect password"})
+ } else {
+ log.Printf("Error while checking password: %v", err.Error())
+ ctx.JSON(http.StatusInternalServerError, gin.H{"error": "internal server error"})
+ }
+ ctx.Abort()
+ }
+ }
+
+ // everything's fine!
+ ctx.Set("user", user)
+ ctx.Next()
+ }
+}