auth

Paddy 2015-04-11 Parent:cf6c1f05eb21 Child:6f473576c6ae

auth/session_postgres.go

Start to support deleting profiles through the API. Create a removeLoginsByProfile method on the profileStore, to allow an easy way to bulk-delete logins associated with a Profile after the Profile has been deleted. Create postgres and memstore implementations of the removeLoginsByProfile method. Create a cleanUpAfterProfileDeletion helper method that will clean up the child objects of a Profile (its Sessions, Tokens, Clients, etc.). The intended usage is to call this in a goroutine after a Profile has been deleted, to try and get things back in order. Detect when the UpdateProfileHandler API is used to set the Deleted flag of a Profile to true, and clean up after the Profile when that's the case. Add a DeleteProfileHandler API endpoint that is a shortcut to setting the Deleted flag of a Profile to true and cleaning up after the Profile. The problem with our approach thus far is that some of it is reversible and some is not. If a Profile is maliciously/accidentally deleted, it's simple enough to use the API as a superuser to restore the Profile. But doing that will not (and cannot) restore the Logins associated with that Profile, for example. While it would be nice to add a Deleted flag to our Logins that we could simply toggle, that would wreak havoc with our database constraints and ensuring uniqueness of Login values. I still don't have a solution for this, outside the superuser manually restoring a Login for the Profile, after which the user can authenticate themselves and add more Logins as desired. But there has to be a better way. I suppose since the passphrase is being stored with the Profile and not the Login, we could offer an endpoint that would automate this, but... well, that would be tricky. It would require the user remembering their Profile ID, and let's be honest, nobody's going to remember a UUID. Maybe such an endpoint would help from a customer service standpoint: we identify their Profile manually, then send them to /profiles/ID/restorelogin or something, and that lets them add a Login back to the Profile. I'll figure it out later. For now, we know we at least have enough information to identify a user is who they say they are and resolve the situation manually.

Download raw file

View source Diff to previous Annotate

paddy@154	1 package auth
paddy@154	2
paddy@154	3 import (
paddy@154	4 "time"
paddy@154	5
paddy@154	6 "code.secondbit.org/uuid.hg"
paddy@154	7
paddy@154	8 "github.com/lib/pq"
paddy@154	9 "github.com/secondbit/pan"
paddy@154	10 )
paddy@154	11
paddy@154	12 func (s Session) GetSQLTableName() string {
paddy@154	13 return "sessions"
paddy@154	14 }
paddy@154	15
paddy@154	16 func (p postgres) createSessionSQL(session Session) pan.Query {
paddy@154	17 fields, values := pan.GetFields(session)
paddy@154	18 query := pan.New(pan.POSTGRES, "INSERT INTO "+pan.GetTableName(session))
paddy@154	19 query.Include("(" + pan.QueryList(fields) + ")")
paddy@154	20 query.Include("VALUES")
paddy@154	21 query.Include("("+pan.VariableList(len(values))+")", values...)
paddy@154	22 return query.FlushExpressions(" ")
paddy@154	23 }
paddy@154	24
paddy@154	25 func (p *postgres) createSession(session Session) error {
paddy@154	26 query := p.createSessionSQL(session)
paddy@154	27 _, err := p.db.Exec(query.String(), query.Args...)
paddy@154	28 if e, ok := err.(*pq.Error); ok && e.Constraint == "sessions_pkey" {
paddy@154	29 err = ErrSessionAlreadyExists
paddy@154	30 }
paddy@154	31 return err
paddy@154	32 }
paddy@154	33
paddy@154	34 func (p postgres) getSessionSQL(id string) pan.Query {
paddy@154	35 var session Session
paddy@154	36 fields, _ := pan.GetFields(session)
paddy@154	37 query := pan.New(pan.POSTGRES, "SELECT "+pan.QueryList(fields)+" FROM "+pan.GetTableName(session))
paddy@154	38 query.IncludeWhere()
paddy@154	39 query.Include(pan.GetUnquotedColumn(session, "ID")+" = ?", id)
paddy@154	40 return query.FlushExpressions(" ")
paddy@154	41 }
paddy@154	42
paddy@154	43 func (p *postgres) getSession(id string) (Session, error) {
paddy@154	44 query := p.getSessionSQL(id)
paddy@154	45 rows, err := p.db.Query(query.String(), query.Args...)
paddy@154	46 if err != nil {
paddy@154	47 return Session{}, err
paddy@154	48 }
paddy@154	49 var session Session
paddy@154	50 var found bool
paddy@154	51 for rows.Next() {
paddy@154	52 err := pan.Unmarshal(rows, &session)
paddy@154	53 if err != nil {
paddy@154	54 return session, err
paddy@154	55 }
paddy@154	56 found = true
paddy@154	57 }
paddy@154	58 if err = rows.Err(); err != nil {
paddy@154	59 return session, err
paddy@154	60 }
paddy@154	61 if !found {
paddy@154	62 return session, ErrSessionNotFound
paddy@154	63 }
paddy@154	64 return session, nil
paddy@154	65 }
paddy@154	66
paddy@159	67 func (p postgres) terminateSessionSQL(id string) pan.Query {
paddy@159	68 var session Session
paddy@159	69 query := pan.New(pan.POSTGRES, "UPDATE "+pan.GetTableName(session)+" SET")
paddy@159	70 query.Include(pan.GetUnquotedColumn(session, "Active")+" = ?", false)
paddy@159	71 query.IncludeWhere()
paddy@159	72 query.Include(pan.GetUnquotedColumn(session, "ID")+" = ?", id)
paddy@159	73 return query.FlushExpressions(" ")
paddy@159	74 }
paddy@159	75
paddy@159	76 func (p *postgres) terminateSession(id string) error {
paddy@159	77 query := p.terminateSessionSQL(id)
paddy@159	78 res, err := p.db.Exec(query.String(), query.Args...)
paddy@159	79 if err != nil {
paddy@159	80 return err
paddy@159	81 }
paddy@159	82 rows, err := res.RowsAffected()
paddy@159	83 if err != nil {
paddy@159	84 return err
paddy@159	85 }
paddy@159	86 if rows < 1 {
paddy@159	87 return ErrSessionNotFound
paddy@159	88 }
paddy@159	89 return nil
paddy@159	90 }
paddy@159	91
paddy@154	92 func (p postgres) removeSessionSQL(id string) pan.Query {
paddy@154	93 var session Session
paddy@154	94 query := pan.New(pan.POSTGRES, "DELETE FROM "+pan.GetTableName(session))
paddy@154	95 query.IncludeWhere()
paddy@154	96 query.Include(pan.GetUnquotedColumn(session, "ID")+" = ?", id)
paddy@154	97 return query.FlushExpressions(" ")
paddy@154	98 }
paddy@154	99
paddy@154	100 func (p *postgres) removeSession(id string) error {
paddy@154	101 query := p.removeSessionSQL(id)
paddy@154	102 res, err := p.db.Exec(query.String(), query.Args...)
paddy@154	103 if err != nil {
paddy@154	104 return err
paddy@154	105 }
paddy@154	106 rows, err := res.RowsAffected()
paddy@154	107 if err != nil {
paddy@154	108 return err
paddy@154	109 }
paddy@154	110 if rows < 1 {
paddy@154	111 return ErrSessionNotFound
paddy@154	112 }
paddy@154	113 return nil
paddy@154	114 }
paddy@154	115
paddy@154	116 func (p postgres) listSessionsSQL(profile uuid.ID, before time.Time, num int64) pan.Query {
paddy@154	117 var session Session
paddy@154	118 fields, _ := pan.GetFields(session)
paddy@154	119 query := pan.New(pan.POSTGRES, "SELECT "+pan.QueryList(fields)+" FROM "+pan.GetTableName(session))
paddy@154	120 query.IncludeWhere()
paddy@154	121 query.Include(pan.GetUnquotedColumn(session, "ProfileID")+" = ?", profile)
paddy@154	122 if !before.IsZero() {
paddy@154	123 query.Include(pan.GetUnquotedColumn(session, "Created")+" < ?", before)
paddy@154	124 }
paddy@154	125 query.FlushExpressions(" AND ")
paddy@154	126 if num > 0 {
paddy@154	127 query.IncludeLimit(num)
paddy@154	128 }
paddy@154	129 return query.FlushExpressions(" ")
paddy@154	130 }
paddy@154	131
paddy@154	132 func (p *postgres) listSessions(profile uuid.ID, before time.Time, num int64) ([]Session, error) {
paddy@154	133 query := p.listSessionsSQL(profile, before, num)
paddy@154	134 rows, err := p.db.Query(query.String(), query.Args...)
paddy@154	135 if err != nil {
paddy@154	136 return []Session{}, err
paddy@154	137 }
paddy@154	138 var sessions []Session
paddy@154	139 for rows.Next() {
paddy@154	140 var session Session
paddy@154	141 err := pan.Unmarshal(rows, &session)
paddy@154	142 if err != nil {
paddy@154	143 return sessions, err
paddy@154	144 }
paddy@154	145 sessions = append(sessions, session)
paddy@154	146 }
paddy@154	147 if err = rows.Err(); err != nil {
paddy@154	148 return sessions, err
paddy@154	149 }
paddy@154	150 return sessions, nil
paddy@154	151 }