auth
auth/token.go
Stub out sessions. Stop using the Login type when getting profile by Login, removing Logins, or recording Login use. The Login value has to be unique, anyways, and we don't actually know the Login type when getting a profile by Login. That's sort of the point. Create the concept of Sessions and a sessionStore type to manage our authentication sessions with the server. As per OWASP, we're basically just going to use a transparent, SHA256-generated random string as an ID, and store it client-side and server-side and just pass it back and forth. Add the ProfileID to the Grant type, because we need to remember who granted access. That's sort of important. Set a defaultGrantExpiration constant to an hour, so we have that one constant when creating new Grants. Create a helper that pulls the session ID out of an auth cookie, checks it against the sessionStore, and returns the Session if it's valid. Create a helper that pulls the username and password out of a basic auth header. Create a helper that authenticates a user's login and passphrase, checking them against the profileStore securely. Stub out how the cookie checking is going to work for getting grant approval. Fix the stored Grant RedirectURI to be the passed in redirect URI, not the RedirectURI that we ultimately redirect to. This is in accordance with the spec. Store the profile ID from our session in the created Grant. Stub out a GetTokenHandler that will allow users to exchange a Grant for a Token. Set a constant for the current passphrase scheme, which we will increment for each revision to the passphrase scheme, for backwards compatibility. Change the Profile iterations property to an int, not an int64, to match the code.secondbit.org/pass library (which is matching the PBKDF2 library).
| paddy@28 | 1 package auth |
| paddy@28 | 2 |
| paddy@28 | 3 import ( |
| paddy@28 | 4 "errors" |
| paddy@28 | 5 "time" |
| paddy@28 | 6 |
| paddy@45 | 7 "code.secondbit.org/uuid" |
| paddy@28 | 8 ) |
| paddy@28 | 9 |
| paddy@69 | 10 const ( |
| paddy@69 | 11 defaultTokenExpiration = 3600 // one hour |
| paddy@69 | 12 ) |
| paddy@69 | 13 |
| paddy@28 | 14 var ( |
| paddy@57 | 15 // ErrNoTokenStore is returned when a Context tries to act on a tokenStore without setting one first. |
| paddy@57 | 16 ErrNoTokenStore = errors.New("no tokenStore was specified for the Context") |
| paddy@57 | 17 // ErrTokenNotFound is returned when a Token is requested but not found in a tokenStore. |
| paddy@57 | 18 ErrTokenNotFound = errors.New("token not found in tokenStore") |
| paddy@57 | 19 // ErrTokenAlreadyExists is returned when a Token is added to a tokenStore, but another Token with |
| paddy@57 | 20 // the same AccessToken property already exists in the tokenStore. |
| paddy@57 | 21 ErrTokenAlreadyExists = errors.New("token already exists in tokenStore") |
| paddy@28 | 22 ) |
| paddy@28 | 23 |
| paddy@57 | 24 // Token represents an access and/or refresh token that the Client can use to access user data |
| paddy@57 | 25 // or obtain a new access token. |
| paddy@28 | 26 type Token struct { |
| paddy@28 | 27 AccessToken string |
| paddy@28 | 28 RefreshToken string |
| paddy@28 | 29 Created time.Time |
| paddy@28 | 30 ExpiresIn int32 |
| paddy@28 | 31 TokenType string |
| paddy@28 | 32 Scope string |
| paddy@28 | 33 ProfileID uuid.ID |
| paddy@28 | 34 } |
| paddy@28 | 35 |
| paddy@57 | 36 type tokenStore interface { |
| paddy@57 | 37 getToken(token string, refresh bool) (Token, error) |
| paddy@57 | 38 saveToken(token Token) error |
| paddy@57 | 39 removeToken(token string) error |
| paddy@57 | 40 getTokensByProfileID(profileID uuid.ID, num, offset int) ([]Token, error) |
| paddy@28 | 41 } |
| paddy@28 | 42 |
| paddy@57 | 43 func (m *memstore) getToken(token string, refresh bool) (Token, error) { |
| paddy@28 | 44 if refresh { |
| paddy@28 | 45 t, err := m.lookupTokenByRefresh(token) |
| paddy@28 | 46 if err != nil { |
| paddy@28 | 47 return Token{}, err |
| paddy@28 | 48 } |
| paddy@28 | 49 token = t |
| paddy@28 | 50 } |
| paddy@28 | 51 m.tokenLock.RLock() |
| paddy@28 | 52 defer m.tokenLock.RUnlock() |
| paddy@28 | 53 result, ok := m.tokens[token] |
| paddy@28 | 54 if !ok { |
| paddy@28 | 55 return Token{}, ErrTokenNotFound |
| paddy@28 | 56 } |
| paddy@28 | 57 return result, nil |
| paddy@28 | 58 } |
| paddy@28 | 59 |
| paddy@57 | 60 func (m *memstore) saveToken(token Token) error { |
| paddy@28 | 61 m.tokenLock.Lock() |
| paddy@28 | 62 defer m.tokenLock.Unlock() |
| paddy@28 | 63 _, ok := m.tokens[token.AccessToken] |
| paddy@28 | 64 if ok { |
| paddy@28 | 65 return ErrTokenAlreadyExists |
| paddy@28 | 66 } |
| paddy@28 | 67 m.tokens[token.AccessToken] = token |
| paddy@28 | 68 if token.RefreshToken != "" { |
| paddy@28 | 69 m.refreshTokenLookup[token.RefreshToken] = token.AccessToken |
| paddy@28 | 70 } |
| paddy@28 | 71 if _, ok = m.profileTokenLookup[token.ProfileID.String()]; ok { |
| paddy@28 | 72 m.profileTokenLookup[token.ProfileID.String()] = append(m.profileTokenLookup[token.ProfileID.String()], token.AccessToken) |
| paddy@28 | 73 } else { |
| paddy@28 | 74 m.profileTokenLookup[token.ProfileID.String()] = []string{token.AccessToken} |
| paddy@28 | 75 } |
| paddy@28 | 76 return nil |
| paddy@28 | 77 } |
| paddy@28 | 78 |
| paddy@57 | 79 func (m *memstore) removeToken(token string) error { |
| paddy@28 | 80 m.tokenLock.Lock() |
| paddy@28 | 81 defer m.tokenLock.Unlock() |
| paddy@28 | 82 t, ok := m.tokens[token] |
| paddy@28 | 83 if !ok { |
| paddy@28 | 84 return ErrTokenNotFound |
| paddy@28 | 85 } |
| paddy@28 | 86 delete(m.tokens, token) |
| paddy@28 | 87 if t.RefreshToken != "" { |
| paddy@28 | 88 delete(m.refreshTokenLookup, t.RefreshToken) |
| paddy@28 | 89 } |
| paddy@28 | 90 pos := -1 |
| paddy@28 | 91 for p, item := range m.profileTokenLookup[t.ProfileID.String()] { |
| paddy@28 | 92 if item == token { |
| paddy@28 | 93 pos = p |
| paddy@28 | 94 break |
| paddy@28 | 95 } |
| paddy@28 | 96 } |
| paddy@28 | 97 if pos >= 0 { |
| paddy@28 | 98 m.profileTokenLookup[t.ProfileID.String()] = append(m.profileTokenLookup[t.ProfileID.String()][:pos], m.profileTokenLookup[t.ProfileID.String()][pos+1:]...) |
| paddy@28 | 99 } |
| paddy@28 | 100 return nil |
| paddy@28 | 101 } |
| paddy@28 | 102 |
| paddy@57 | 103 func (m *memstore) getTokensByProfileID(profileID uuid.ID, num, offset int) ([]Token, error) { |
| paddy@28 | 104 ids, err := m.lookupTokensByProfileID(profileID.String()) |
| paddy@28 | 105 if err != nil { |
| paddy@28 | 106 return []Token{}, err |
| paddy@28 | 107 } |
| paddy@28 | 108 if len(ids) > num+offset { |
| paddy@28 | 109 ids = ids[offset : num+offset] |
| paddy@28 | 110 } else if len(ids) > offset { |
| paddy@28 | 111 ids = ids[offset:] |
| paddy@28 | 112 } else { |
| paddy@28 | 113 return []Token{}, nil |
| paddy@28 | 114 } |
| paddy@28 | 115 tokens := []Token{} |
| paddy@28 | 116 for _, id := range ids { |
| paddy@57 | 117 token, err := m.getToken(id, false) |
| paddy@28 | 118 if err != nil { |
| paddy@28 | 119 return []Token{}, err |
| paddy@28 | 120 } |
| paddy@28 | 121 tokens = append(tokens, token) |
| paddy@28 | 122 } |
| paddy@28 | 123 return tokens, nil |
| paddy@28 | 124 } |