From a6737e7f233c43c8222faabca991d8c666837c05 Mon Sep 17 00:00:00 2001
From: Vidhu Kant Sharma <vidhukant@vidhukant.xyz>
Date: Sun, 4 Dec 2022 18:04:57 +0530
Subject: added (untested) auth mechanism

---
 auth/auth.go                | 76 +++++++++++++++++----------------------------
 auth/jwt.go                 | 73 +++++++++++++++++++++++++++++++++++++++++++
 auth/jwt_middleware.go      | 65 ++++++++++++++++++++++++++++++++++++++
 auth/password_middleware.go | 73 +++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 240 insertions(+), 47 deletions(-)
 create mode 100644 auth/jwt.go
 create mode 100644 auth/jwt_middleware.go
 create mode 100644 auth/password_middleware.go

(limited to 'auth')

diff --git a/auth/auth.go b/auth/auth.go
index 7d88787..7bf251f 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -19,68 +19,50 @@ package auth
 
 import (
 	"github.com/gin-gonic/gin"
-	"context"
-	"go.mongodb.org/mongo-driver/bson"
 	"go.mongodb.org/mongo-driver/mongo"
 	"github.com/MikunoNaka/OpenBills-server/database"
 	"github.com/MikunoNaka/OpenBills-server/user"
 	"net/http"
 	"log"
-    "golang.org/x/crypto/bcrypt"
 )
 
 var db *mongo.Collection = database.DB.Collection("Users")
 
-func checkPassword() gin.HandlerFunc {
-	return func(ctx *gin.Context) {
-		var u user.User
-	    ctx.BindJSON(&u)
-
-		filter := bson.M{
-			"$or": []bson.M{
-			    // u.UserName in this case can be either username or email
-				{"Email": u.UserName},
-				{"UserName": u.UserName},
-			},
-		}
+func Routes(route *gin.Engine) {
+	r := route.Group("/auth")
+	{
+		r.POST("/login", checkPassword(), func(ctx *gin.Context) {
+			user := ctx.MustGet("user").(user.User)
 
-		// check if the user exists in DB
-		var user user.User
-		err := db.FindOne(context.TODO(), filter).Decode(&user)
-		if err != nil {
-			if err == mongo.ErrNoDocuments {
-				ctx.JSON(http.StatusNotFound, gin.H{"error": "user does not exist"})
-			} else {
-				log.Printf("Error while reading user from DB to check password: %v", err.Error())
-				ctx.JSON(http.StatusInternalServerError, gin.H{"error": "internal server error"})
+			accessToken, err := newAccessToken(user.Id.Hex())
+			if err != nil {
+				log.Printf("Error while generating new access token: %v", err)
+				ctx.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": "Internal Server Error (cannot login)"})
 			}
-			ctx.Abort()
-		}
 
-		// compare hash and password
-		err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(u.Password))
-		if err != nil {
-			if err == bcrypt.ErrMismatchedHashAndPassword {
-			    ctx.JSON(http.StatusUnauthorized, gin.H{"error": "incorrect password"})
-			} else {
-				log.Printf("Error while checking password: %v", err.Error())
-				ctx.JSON(http.StatusInternalServerError, gin.H{"error": "internal server error"})
+			refreshToken, expiresAt, err := newRefreshToken(user.Id.Hex())
+			if err != nil {
+				log.Printf("Error while generating new refresh token: %v", err)
+				ctx.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": "Internal Server Error (cannot login)"})
 			}
-			ctx.Abort()
-		}
 
-		// everything's fine!
-		ctx.Set("user", user)
-		ctx.Next()
-	}
-}
+			ctx.SetCookie("refreshToken", refreshToken, int(expiresAt), "", "", true, true)
+			ctx.JSON(http.StatusOK, gin.H{"accessToken": accessToken})
+		})
 
-func Routes(route *gin.Engine) {
-	r := route.Group("/auth")
-	{
-		r.POST("/login", checkPassword(), func(ctx *gin.Context) {
-			user := ctx.MustGet("user").(user.User)
-			ctx.JSON(http.StatusOK, user)
+		r.POST("/refresh", verifyRefreshToken(), func (ctx *gin.Context) {
+			userId := ctx.MustGet("userId")
+			if userId != "" {
+			    accessToken, err := newAccessToken(userId.(string))
+			    if err != nil {
+			    	log.Printf("Error while generating new access token: %v", err)
+			    	ctx.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": "Internal Server Error (cannot refresh session)"})
+			    } else {
+					ctx.JSON(http.StatusOK, gin.H{"accessToken": accessToken})
+				}
+			} else {
+				ctx.JSON(http.StatusBadRequest, gin.H{"message": "invalid user info"})
+			}
 		})
 	}
 }
diff --git a/auth/jwt.go b/auth/jwt.go
new file mode 100644
index 0000000..2d2ea8e
--- /dev/null
+++ b/auth/jwt.go
@@ -0,0 +1,73 @@
+/* OpenBills-server - Server for libre billing software OpenBills-web
+ * Copyright (C) 2022  Vidhu Kant Sharma <vidhukant@vidhukant.xyz>
+
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package auth
+
+import (
+	"github.com/golang-jwt/jwt/v4"
+	"github.com/MikunoNaka/OpenBills-server/util"
+	"time"
+)
+
+var accessSecret []byte
+var refreshSecret []byte
+func init() {
+	conf := util.GetConfig().Crypto
+	accessSecret = []byte(conf.AccessTokenSecret)
+	refreshSecret = []byte(conf.RefreshTokenSecret)
+}
+
+func newAccessToken(userId string) (string, error) {
+	claims := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.StandardClaims {
+	    Issuer: userId,
+		ExpiresAt: time.Now().Add(time.Second * 15).Unix(),
+	})
+
+	token, err := claims.SignedString(accessSecret)
+	if err != nil {
+		return "", err
+	}
+
+	return token, nil
+}
+
+/*
+ * the refresh token has a long lifespan and is stored in
+ * the database in case it needs to be revoked.
+ *
+ * this can be stored as an HTTP only cookie and will be used
+ * when creating a new access token
+ *
+ * I'm using a different secret key for refresh tokens
+ * for enhanced security
+ */
+func newRefreshToken(userId string) (string, int64, error) {
+	// TODO: store in DB
+	expiresAt := time.Now().Add(time.Hour * 12).Unix()
+
+	claims := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.StandardClaims {
+	    Issuer: userId,
+		ExpiresAt: expiresAt,
+	})
+
+	token, err := claims.SignedString(refreshSecret)
+	if err != nil {
+		return "", expiresAt, err
+	}
+
+	return token, expiresAt, nil
+}
diff --git a/auth/jwt_middleware.go b/auth/jwt_middleware.go
new file mode 100644
index 0000000..22d1fd7
--- /dev/null
+++ b/auth/jwt_middleware.go
@@ -0,0 +1,65 @@
+/* OpenBills-server - Server for libre billing software OpenBills-web
+ * Copyright (C) 2022  Vidhu Kant Sharma <vidhukant@vidhukant.xyz>
+
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package auth
+
+import (
+	"net/http"
+	"github.com/golang-jwt/jwt/v4"
+	"github.com/gin-gonic/gin"
+)
+
+func Authorize() gin.HandlerFunc {
+	return func(ctx *gin.Context) {
+		tokenHeader := ctx.Request.Header["Authorization"]
+		if tokenHeader != nil {
+			token, err := jwt.ParseWithClaims(tokenHeader[0], &jwt.StandardClaims{}, func(token *jwt.Token) (interface{}, error) {
+				return []byte(accessSecret), nil
+			})
+			if err != nil {
+				ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "access token expired"})
+			} else {
+			    ctx.Set("userId", token.Claims.(*jwt.StandardClaims).Issuer)
+			    ctx.Next()
+			}
+		} else {
+		    // invalid Authorization header
+	        ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "not logged in"})
+		}
+
+	}
+}
+
+func verifyRefreshToken() gin.HandlerFunc {
+	return func(ctx *gin.Context) {
+		refreshToken, err := ctx.Cookie("refreshToken")
+		if err == nil {
+			token, err := jwt.ParseWithClaims(refreshToken, &jwt.StandardClaims{}, func(token *jwt.Token) (interface{}, error) {
+				return []byte(refreshSecret), nil
+			})
+			if err != nil {
+				ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "refresh token expired"})
+			} else {
+			    ctx.Set("userId", token.Claims.(*jwt.StandardClaims).Issuer)
+			    ctx.Next()
+			}
+		} else {
+		    // invalid Authorization header
+	        ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "not logged in"})
+		}
+	}
+}
diff --git a/auth/password_middleware.go b/auth/password_middleware.go
new file mode 100644
index 0000000..3fda389
--- /dev/null
+++ b/auth/password_middleware.go
@@ -0,0 +1,73 @@
+/* OpenBills-server - Server for libre billing software OpenBills-web
+ * Copyright (C) 2022  Vidhu Kant Sharma <vidhukant@vidhukant.xyz>
+
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package auth
+
+import (
+	"github.com/gin-gonic/gin"
+	"net/http"
+	"log"
+	"context"
+	"golang.org/x/crypto/bcrypt"
+	"github.com/MikunoNaka/OpenBills-server/user"
+	"go.mongodb.org/mongo-driver/bson"
+	"go.mongodb.org/mongo-driver/mongo"
+)
+
+func checkPassword() gin.HandlerFunc {
+	return func(ctx *gin.Context) {
+		var u user.User
+	    ctx.BindJSON(&u)
+
+		filter := bson.M{
+			"$or": []bson.M{
+			    // u.UserName in this case can be either username or email
+				{"Email": u.UserName},
+				{"UserName": u.UserName},
+			},
+		}
+
+		// check if the user exists in DB
+		var user user.User
+		err := db.FindOne(context.TODO(), filter).Decode(&user)
+		if err != nil {
+			if err == mongo.ErrNoDocuments {
+				ctx.JSON(http.StatusNotFound, gin.H{"error": "user does not exist"})
+			} else {
+				log.Printf("Error while reading user from DB to check password: %v", err.Error())
+				ctx.JSON(http.StatusInternalServerError, gin.H{"error": "internal server error"})
+			}
+			ctx.Abort()
+		} else {
+		  // compare hash and password
+		  err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(u.Password))
+		  if err != nil {
+		  	if err == bcrypt.ErrMismatchedHashAndPassword {
+		  	    ctx.JSON(http.StatusUnauthorized, gin.H{"error": "incorrect password"})
+		  	} else {
+		  		log.Printf("Error while checking password: %v", err.Error())
+		  		ctx.JSON(http.StatusInternalServerError, gin.H{"error": "internal server error"})
+		  	}
+		  	ctx.Abort()
+		  }
+		}
+
+		// everything's fine!
+		ctx.Set("user", user)
+		ctx.Next()
+	}
+}
-- 
cgit v1.2.3