auth

Paddy 2015-05-17 Parent:581c60f8dd23 Child:8ecb60d29b0d

auth/profile.go

Add login verification to Config. Keep track of how we're going to verify logins using the Config struct.

paddy@27	1 package auth
paddy@27	2
paddy@27	3 import (
paddy@99	4 "encoding/json"
paddy@38	5 "errors"
paddy@149	6 "log"
paddy@99	7 "net/http"
paddy@99	8 "regexp"
paddy@99	9 "strings"
paddy@27	10 "time"
paddy@27	11
paddy@107	12 "code.secondbit.org/uuid.hg"
paddy@105	13 "github.com/gorilla/mux"
paddy@27	14 )
paddy@27	15
paddy@48	16 const (
paddy@57	17 // MinPassphraseLength is the minimum length, in bytes, of a passphrase, exclusive.
paddy@48	18 MinPassphraseLength = 6
paddy@57	19 // MaxPassphraseLength is the maximum length, in bytes, of a passphrase, exclusive.
paddy@48	20 MaxPassphraseLength = 64
paddy@69	21 // CurPassphraseScheme is the current passphrase scheme. Incrememnt it when we use a different passphrase scheme
paddy@69	22 CurPassphraseScheme = 1
paddy@99	23 // MaxNameLength is the maximum length, in bytes, of a name, exclusive.
paddy@99	24 MaxNameLength = 64
paddy@99	25 // MaxEmailLength is the maximum length, in bytes, of an email address, exclusive.
paddy@99	26 MaxEmailLength = 64
paddy@48	27 )
paddy@48	28
paddy@38	29 var (
paddy@57	30 // ErrNoProfileStore is returned when a Context tries to act on a profileStore without setting one first.
paddy@57	31 ErrNoProfileStore = errors.New("no profileStore was specified for the Context")
paddy@57	32 // ErrProfileAlreadyExists is returned when a Profile is added to a profileStore, but another Profile with
paddy@57	33 // the same ID already exists in the profileStore.
paddy@57	34 ErrProfileAlreadyExists = errors.New("profile already exists in profileStore")
paddy@57	35 // ErrProfileNotFound is returned when a Profile is requested but not found in the profileStore.
paddy@57	36 ErrProfileNotFound = errors.New("profile not found in profileStore")
paddy@57	37 // ErrLoginAlreadyExists is returned when a Login is added to a profileStore, but another Login with the same
paddy@57	38 // Type and Value already exists in the profileStore.
paddy@57	39 ErrLoginAlreadyExists = errors.New("login already exists in profileStore")
paddy@57	40 // ErrLoginNotFound is returned when a Login is requested but not found in the profileStore.
paddy@57	41 ErrLoginNotFound = errors.New("login not found in profileStore")
paddy@48	42
paddy@57	43 // ErrMissingPassphrase is returned when a ProfileChange is validated but does not contain a
paddy@57	44 // Passphrase, and requires one.
paddy@57	45 ErrMissingPassphrase = errors.New("missing passphrase")
paddy@57	46 // ErrMissingPassphraseReset is returned when a ProfileChange is validated but does not contain
paddy@57	47 // a PassphraseReset, and requires one.
paddy@57	48 ErrMissingPassphraseReset = errors.New("missing passphrase reset")
paddy@57	49 // ErrMissingPassphraseResetCreated is returned when a ProfileChange is validated but does not
paddy@57	50 // contain a PassphraseResetCreated, and requires one.
paddy@48	51 ErrMissingPassphraseResetCreated = errors.New("missing passphrase reset created timestamp")
paddy@57	52 // ErrPassphraseTooShort is returned when a ProfileChange is validated and contains a Passphrase,
paddy@57	53 // but the Passphrase is shorter than MinPassphraseLength.
paddy@57	54 ErrPassphraseTooShort = errors.New("passphrase too short")
paddy@57	55 // ErrPassphraseTooLong is returned when a ProfileChange is validated and contains a Passphrase,
paddy@57	56 // but the Passphrase is longer than MaxPassphraseLength.
paddy@57	57 ErrPassphraseTooLong = errors.New("passphrase too long")
paddy@99	58
paddy@99	59 // ErrProfileCompromised is returned when a user tries to log in with a profile that is suspected
paddy@99	60 // of being compromised.
paddy@99	61 ErrProfileCompromised = errors.New("profile compromised")
paddy@99	62 // ErrProfileLocked is returned when a user tries to log in with a profile that is locked for a certain
paddy@99	63 // duration, to prevent brute force attacks.
paddy@99	64 ErrProfileLocked = errors.New("profile locked")
paddy@38	65 )
paddy@38	66
paddy@57	67 // Profile represents a single user of the service,
paddy@158	68 // including their authentication information.
paddy@27	69 type Profile struct {
paddy@105	70 ID uuid.ID `json:"id,omitempty"`
paddy@105	71 Name string `json:"name,omitempty"`
paddy@105	72 Passphrase string `json:"-"`
paddy@105	73 Iterations int `json:"-"`
paddy@105	74 Salt string `json:"-"`
paddy@105	75 PassphraseScheme int `json:"-"`
paddy@105	76 Compromised bool `json:"-"`
paddy@105	77 LockedUntil time.Time `json:"-"`
paddy@105	78 PassphraseReset string `json:"-"`
paddy@105	79 PassphraseResetCreated time.Time `json:"-"`
paddy@105	80 Created time.Time `json:"created,omitempty"`
paddy@105	81 LastSeen time.Time `json:"last_seen,omitempty"`
paddy@38	82 }
paddy@38	83
paddy@57	84 // ApplyChange applies the properties of the passed ProfileChange
paddy@57	85 // to the Profile it is called on.
paddy@38	86 func (p *Profile) ApplyChange(change ProfileChange) {
paddy@38	87 if change.Name != nil {
paddy@38	88 p.Name = *change.Name
paddy@38	89 }
paddy@38	90 if change.Passphrase != nil {
paddy@38	91 p.Passphrase = *change.Passphrase
paddy@38	92 }
paddy@38	93 if change.Iterations != nil {
paddy@38	94 p.Iterations = *change.Iterations
paddy@38	95 }
paddy@38	96 if change.Salt != nil {
paddy@38	97 p.Salt = *change.Salt
paddy@38	98 }
paddy@38	99 if change.PassphraseScheme != nil {
paddy@38	100 p.PassphraseScheme = *change.PassphraseScheme
paddy@38	101 }
paddy@38	102 if change.Compromised != nil {
paddy@38	103 p.Compromised = *change.Compromised
paddy@38	104 }
paddy@38	105 if change.LockedUntil != nil {
paddy@38	106 p.LockedUntil = *change.LockedUntil
paddy@38	107 }
paddy@38	108 if change.PassphraseReset != nil {
paddy@38	109 p.PassphraseReset = *change.PassphraseReset
paddy@38	110 }
paddy@38	111 if change.PassphraseResetCreated != nil {
paddy@38	112 p.PassphraseResetCreated = *change.PassphraseResetCreated
paddy@38	113 }
paddy@38	114 if change.LastSeen != nil {
paddy@38	115 p.LastSeen = *change.LastSeen
paddy@38	116 }
paddy@38	117 }
paddy@38	118
paddy@57	119 // ApplyBulkChange applies the properties of the passed BulkProfileChange
paddy@57	120 // to the Profile it is called on.
paddy@44	121 func (p *Profile) ApplyBulkChange(change BulkProfileChange) {
paddy@44	122 if change.Compromised != nil {
paddy@44	123 p.Compromised = *change.Compromised
paddy@44	124 }
paddy@44	125 }
paddy@44	126
paddy@57	127 // ProfileChange represents a single atomic change to a Profile's mutable data.
paddy@38	128 type ProfileChange struct {
paddy@38	129 Name *string
paddy@38	130 Passphrase *string
paddy@69	131 Iterations *int
paddy@38	132 Salt *string
paddy@38	133 PassphraseScheme *int
paddy@38	134 Compromised *bool
paddy@38	135 LockedUntil *time.Time
paddy@38	136 PassphraseReset *string
paddy@38	137 PassphraseResetCreated *time.Time
paddy@38	138 LastSeen *time.Time
paddy@38	139 }
paddy@38	140
paddy@149	141 func (c ProfileChange) Empty() bool {
paddy@161	142 return (c.Name == nil && c.Passphrase == nil && c.Iterations == nil && c.Salt == nil && c.PassphraseScheme == nil && c.Compromised == nil && c.LockedUntil == nil && c.PassphraseReset == nil && c.PassphraseResetCreated == nil && c.LastSeen == nil)
paddy@149	143 }
paddy@149	144
paddy@57	145 // Validate checks the ProfileChange it is called on
paddy@57	146 // and asserts its internal validity, or lack thereof.
paddy@57	147 // A descriptive error will be returned in the case of
paddy@57	148 // an invalid change.
paddy@38	149 func (c ProfileChange) Validate() error {
paddy@149	150 if c.Empty() {
paddy@48	151 return ErrEmptyChange
paddy@48	152 }
paddy@48	153 if c.PassphraseScheme != nil && c.Passphrase == nil {
paddy@48	154 return ErrMissingPassphrase
paddy@48	155 }
paddy@48	156 if c.PassphraseReset != nil && c.PassphraseResetCreated == nil {
paddy@48	157 return ErrMissingPassphraseResetCreated
paddy@48	158 }
paddy@48	159 if c.PassphraseReset == nil && c.PassphraseResetCreated != nil {
paddy@48	160 return ErrMissingPassphraseReset
paddy@48	161 }
paddy@48	162 if c.Salt != nil && c.Passphrase == nil {
paddy@48	163 return ErrMissingPassphrase
paddy@48	164 }
paddy@48	165 if c.Iterations != nil && c.Passphrase == nil {
paddy@48	166 return ErrMissingPassphrase
paddy@48	167 }
paddy@38	168 return nil
paddy@27	169 }
paddy@27	170
paddy@57	171 // BulkProfileChange represents a single atomic change to many Profiles' mutable data.
paddy@57	172 // It is a subset of a ProfileChange, as it doesn't make sense to mutate some of the
paddy@57	173 // ProfileChange values across many Profiles all at once.
paddy@44	174 type BulkProfileChange struct {
paddy@44	175 Compromised *bool
paddy@44	176 }
paddy@44	177
paddy@149	178 func (b BulkProfileChange) Empty() bool {
paddy@149	179 return b.Compromised == nil
paddy@149	180 }
paddy@149	181
paddy@57	182 // Validate checks the BulkProfileChange it is called on
paddy@57	183 // and asserts its internal validity, or lack thereof.
paddy@57	184 // A descriptive error will be returned in the case of an
paddy@57	185 // invalid change.
paddy@44	186 func (b BulkProfileChange) Validate() error {
paddy@149	187 if b.Empty() {
paddy@48	188 return ErrEmptyChange
paddy@48	189 }
paddy@44	190 return nil
paddy@44	191 }
paddy@44	192
paddy@57	193 // Login represents a single human-friendly identifier for
paddy@57	194 // a given Profile that can be used to log into that Profile.
paddy@57	195 // Each Profile may only have one Login for each Type.
paddy@27	196 type Login struct {
paddy@105	197 Type string `json:"type,omitempty"`
paddy@105	198 Value string `json:"value,omitempty"`
paddy@105	199 ProfileID uuid.ID `json:"profile_id,omitempty"`
paddy@105	200 Created time.Time `json:"created,omitempty"`
paddy@105	201 LastUsed time.Time `json:"last_used,omitempty"`
paddy@27	202 }
paddy@27	203
paddy@99	204 type newProfileRequest struct {
paddy@99	205 Email string `json:"email"`
paddy@99	206 Passphrase string `json:"passphrase"`
paddy@99	207 Name string `json:"name"`
paddy@99	208 }
paddy@99	209
paddy@99	210 func validateNewProfileRequest(req *newProfileRequest) []requestError {
paddy@99	211 errors := []requestError{}
paddy@99	212 req.Name = strings.TrimSpace(req.Name)
paddy@99	213 req.Email = strings.TrimSpace(req.Email)
paddy@99	214 if len(req.Passphrase) < MinPassphraseLength {
paddy@99	215 errors = append(errors, requestError{
paddy@99	216 Slug: requestErrInsufficient,
paddy@99	217 Field: "/passphrase",
paddy@99	218 })
paddy@99	219 }
paddy@99	220 if len(req.Passphrase) > MaxPassphraseLength {
paddy@99	221 errors = append(errors, requestError{
paddy@99	222 Slug: requestErrOverflow,
paddy@99	223 Field: "/passphrase",
paddy@99	224 })
paddy@99	225 }
paddy@99	226 if len(req.Name) > MaxNameLength {
paddy@99	227 errors = append(errors, requestError{
paddy@99	228 Slug: requestErrOverflow,
paddy@99	229 Field: "/name",
paddy@99	230 })
paddy@99	231 }
paddy@99	232 if req.Email == "" {
paddy@99	233 errors = append(errors, requestError{
paddy@99	234 Slug: requestErrMissing,
paddy@99	235 Field: "/email",
paddy@99	236 })
paddy@99	237 }
paddy@99	238 if len(req.Email) > MaxEmailLength {
paddy@99	239 errors = append(errors, requestError{
paddy@99	240 Slug: requestErrOverflow,
paddy@99	241 Field: "/email",
paddy@99	242 })
paddy@99	243 }
paddy@99	244 re := regexp.MustCompile(".+@.+\\..+")
paddy@99	245 if !re.Match([]byte(req.Email)) {
paddy@99	246 errors = append(errors, requestError{
paddy@105	247 Slug: requestErrInvalidFormat,
paddy@99	248 Field: "/email",
paddy@99	249 })
paddy@99	250 }
paddy@99	251 return errors
paddy@99	252 }
paddy@99	253
paddy@57	254 type profileStore interface {
paddy@57	255 getProfileByID(id uuid.ID) (Profile, error)
paddy@69	256 getProfileByLogin(value string) (Profile, error)
paddy@57	257 saveProfile(profile Profile) error
paddy@57	258 updateProfile(id uuid.ID, change ProfileChange) error
paddy@57	259 updateProfiles(ids []uuid.ID, change BulkProfileChange) error
paddy@161	260 deleteProfile(id uuid.ID) error
paddy@44	261
paddy@57	262 addLogin(login Login) error
paddy@69	263 removeLogin(value string, profile uuid.ID) error
paddy@160	264 removeLoginsByProfile(profile uuid.ID) error
paddy@69	265 recordLoginUse(value string, when time.Time) error
paddy@57	266 listLogins(profile uuid.ID, num, offset int) ([]Login, error)
paddy@38	267 }
paddy@27	268
paddy@57	269 func (m *memstore) getProfileByID(id uuid.ID) (Profile, error) {
paddy@38	270 m.profileLock.RLock()
paddy@38	271 defer m.profileLock.RUnlock()
paddy@38	272 p, ok := m.profiles[id.String()]
paddy@38	273 if !ok {
paddy@38	274 return Profile{}, ErrProfileNotFound
paddy@38	275 }
paddy@38	276 return p, nil
paddy@27	277 }
paddy@38	278
paddy@69	279 func (m *memstore) getProfileByLogin(value string) (Profile, error) {
paddy@44	280 m.loginLock.RLock()
paddy@44	281 defer m.loginLock.RUnlock()
paddy@69	282 login, ok := m.logins[value]
paddy@44	283 if !ok {
paddy@44	284 return Profile{}, ErrLoginNotFound
paddy@44	285 }
paddy@44	286 m.profileLock.RLock()
paddy@44	287 defer m.profileLock.RUnlock()
paddy@44	288 profile, ok := m.profiles[login.ProfileID.String()]
paddy@44	289 if !ok {
paddy@44	290 return Profile{}, ErrProfileNotFound
paddy@44	291 }
paddy@44	292 return profile, nil
paddy@38	293 }
paddy@38	294
paddy@57	295 func (m *memstore) saveProfile(profile Profile) error {
paddy@38	296 m.profileLock.Lock()
paddy@38	297 defer m.profileLock.Unlock()
paddy@38	298 _, ok := m.profiles[profile.ID.String()]
paddy@38	299 if ok {
paddy@38	300 return ErrProfileAlreadyExists
paddy@38	301 }
paddy@38	302 m.profiles[profile.ID.String()] = profile
paddy@38	303 return nil
paddy@38	304 }
paddy@38	305
paddy@57	306 func (m *memstore) updateProfile(id uuid.ID, change ProfileChange) error {
paddy@38	307 m.profileLock.Lock()
paddy@38	308 defer m.profileLock.Unlock()
paddy@38	309 p, ok := m.profiles[id.String()]
paddy@38	310 if !ok {
paddy@38	311 return ErrProfileNotFound
paddy@38	312 }
paddy@38	313 p.ApplyChange(change)
paddy@38	314 m.profiles[id.String()] = p
paddy@38	315 return nil
paddy@38	316 }
paddy@38	317
paddy@57	318 func (m *memstore) updateProfiles(ids []uuid.ID, change BulkProfileChange) error {
paddy@44	319 m.profileLock.Lock()
paddy@44	320 defer m.profileLock.Unlock()
paddy@44	321 for id, profile := range m.profiles {
paddy@44	322 for _, i := range ids {
paddy@44	323 if id == i.String() {
paddy@44	324 profile.ApplyBulkChange(change)
paddy@44	325 m.profiles[id] = profile
paddy@44	326 break
paddy@44	327 }
paddy@44	328 }
paddy@44	329 }
paddy@44	330 return nil
paddy@44	331 }
paddy@44	332
paddy@161	333 func (m *memstore) deleteProfile(id uuid.ID) error {
paddy@161	334 m.profileLock.Lock()
paddy@161	335 defer m.profileLock.Unlock()
paddy@161	336 if _, ok := m.profiles[id.String()]; !ok {
paddy@161	337 return ErrProfileNotFound
paddy@161	338 }
paddy@161	339 delete(m.profiles, id.String())
paddy@161	340 return nil
paddy@161	341 }
paddy@161	342
paddy@57	343 func (m *memstore) addLogin(login Login) error {
paddy@44	344 m.loginLock.Lock()
paddy@44	345 defer m.loginLock.Unlock()
paddy@69	346 _, ok := m.logins[login.Value]
paddy@44	347 if ok {
paddy@44	348 return ErrLoginAlreadyExists
paddy@44	349 }
paddy@69	350 m.logins[login.Value] = login
paddy@69	351 m.profileLoginLookup[login.ProfileID.String()] = append(m.profileLoginLookup[login.ProfileID.String()], login.Value)
paddy@44	352 return nil
paddy@44	353 }
paddy@44	354
paddy@69	355 func (m *memstore) removeLogin(value string, profile uuid.ID) error {
paddy@44	356 m.loginLock.Lock()
paddy@44	357 defer m.loginLock.Unlock()
paddy@69	358 l, ok := m.logins[value]
paddy@44	359 if !ok {
paddy@44	360 return ErrLoginNotFound
paddy@44	361 }
paddy@44	362 if !l.ProfileID.Equal(profile) {
paddy@44	363 return ErrLoginNotFound
paddy@44	364 }
paddy@69	365 delete(m.logins, value)
paddy@44	366 pos := -1
paddy@44	367 for p, id := range m.profileLoginLookup[profile.String()] {
paddy@69	368 if id == value {
paddy@44	369 pos = p
paddy@44	370 break
paddy@44	371 }
paddy@44	372 }
paddy@44	373 if pos >= 0 {
paddy@44	374 m.profileLoginLookup[profile.String()] = append(m.profileLoginLookup[profile.String()][:pos], m.profileLoginLookup[profile.String()][pos+1:]...)
paddy@44	375 }
paddy@44	376 return nil
paddy@44	377 }
paddy@44	378
paddy@160	379 func (m *memstore) removeLoginsByProfile(profile uuid.ID) error {
paddy@160	380 m.loginLock.Lock()
paddy@160	381 defer m.loginLock.Unlock()
paddy@160	382 logins, ok := m.profileLoginLookup[profile.String()]
paddy@160	383 if !ok {
paddy@160	384 return ErrProfileNotFound
paddy@160	385 }
paddy@160	386 delete(m.profileLoginLookup, profile.String())
paddy@160	387 for _, login := range logins {
paddy@160	388 delete(m.logins, login)
paddy@160	389 }
paddy@160	390 return nil
paddy@160	391 }
paddy@160	392
paddy@69	393 func (m *memstore) recordLoginUse(value string, when time.Time) error {
paddy@44	394 m.loginLock.Lock()
paddy@44	395 defer m.loginLock.Unlock()
paddy@69	396 l, ok := m.logins[value]
paddy@44	397 if !ok {
paddy@44	398 return ErrLoginNotFound
paddy@44	399 }
paddy@44	400 l.LastUsed = when
paddy@69	401 m.logins[value] = l
paddy@44	402 return nil
paddy@44	403 }
paddy@44	404
paddy@57	405 func (m *memstore) listLogins(profile uuid.ID, num, offset int) ([]Login, error) {
paddy@44	406 m.loginLock.RLock()
paddy@44	407 defer m.loginLock.RUnlock()
paddy@44	408 ids, ok := m.profileLoginLookup[profile.String()]
paddy@44	409 if !ok {
paddy@44	410 return []Login{}, nil
paddy@44	411 }
paddy@44	412 if len(ids) > num+offset {
paddy@44	413 ids = ids[offset : num+offset]
paddy@44	414 } else if len(ids) > offset {
paddy@44	415 ids = ids[offset:]
paddy@44	416 } else {
paddy@44	417 return []Login{}, nil
paddy@44	418 }
paddy@44	419 logins := []Login{}
paddy@44	420 for _, id := range ids {
paddy@44	421 login, ok := m.logins[id]
paddy@44	422 if !ok {
paddy@44	423 continue
paddy@44	424 }
paddy@44	425 logins = append(logins, login)
paddy@44	426 }
paddy@44	427 return logins, nil
paddy@44	428 }
paddy@99	429
paddy@160	430 func cleanUpAfterProfileDeletion(profile uuid.ID, context Context) {
paddy@160	431 err := context.RemoveLoginsByProfile(profile)
paddy@160	432 if err != nil {
paddy@160	433 log.Printf("Error removing logins from profile %s: %+v\n", profile, err)
paddy@160	434 }
paddy@162	435 err = context.TerminateSessionsByProfile(profile)
paddy@162	436 if err != nil {
paddy@162	437 log.Printf("Error terminating sessions associated with profile %s: %+v\n", profile, err)
paddy@162	438 }
paddy@162	439 err = context.RevokeTokensByProfileID(profile)
paddy@162	440 if err != nil {
paddy@162	441 log.Printf("Error revoking tokens associated with profile %s: %+v\n", profile, err)
paddy@162	442 }
paddy@163	443 err = context.DeleteAuthorizationCodesByProfileID(profile)
paddy@163	444 if err != nil {
paddy@163	445 log.Printf("Error deleting authorization codes associated with profile %s: %+v\n", profile, err)
paddy@163	446 }
paddy@164	447 clients, err := context.ListClientsByOwner(profile, -1, 0)
paddy@164	448 if err != nil {
paddy@164	449 log.Printf("Error listing clients by profile %s: %+v\n", profile, err)
paddy@164	450 }
paddy@164	451 err = context.DeleteClientsByOwner(profile)
paddy@164	452 if err != nil {
paddy@164	453 log.Printf("Error deleting clients by profile %s: %+v\n", profile, err)
paddy@164	454 }
paddy@164	455 for _, client := range clients {
paddy@164	456 cleanUpAfterClientDeletion(client.ID, context)
paddy@164	457 }
paddy@160	458 }
paddy@160	459
paddy@105	460 // RegisterProfileHandlers adds handlers to the passed router to handle the profile endpoints, like registration and user retrieval.
paddy@105	461 func RegisterProfileHandlers(r *mux.Router, context Context) {
paddy@165	462 r.Handle("/profiles", wrap(context, CreateProfileHandler)).Methods("POST", "OPTIONS")
paddy@166	463 r.Handle("/profiles/{id}", wrap(context, GetProfileHandler)).Methods("GET", "OPTIONS")
paddy@165	464 r.Handle("/profiles/{id}", wrap(context, UpdateProfileHandler)).Methods("PATCH", "OPTIONS")
paddy@165	465 r.Handle("/profiles/{id}", wrap(context, DeleteProfileHandler)).Methods("DELETE", "OPTIONS")
paddy@128	466 // BUG(paddy): We need to implement a handler that will add a login to a profile.
paddy@128	467 // BUG(paddy): We need to implement a handler that will remove a login from a profile. What happens to sessions created with that login?
paddy@128	468 // BUG(paddy): We need to implement a handler that will list the logins attached to a profile.
paddy@105	469 }
paddy@105	470
paddy@166	471 // GetProfileHandler is an HTTP handler for retrieving a profile.
paddy@166	472 func GetProfileHandler(w http.ResponseWriter, r *http.Request, context Context) {
paddy@166	473 errors := []requestError{}
paddy@166	474 authz := r.Header.Get("Authorization")
paddy@166	475 if !strings.HasPrefix(authz, "Bearer ") {
paddy@166	476 errors = append(errors, requestError{Slug: requestErrAccessDenied})
paddy@166	477 encode(w, r, http.StatusUnauthorized, response{Errors: errors})
paddy@166	478 return
paddy@166	479 }
paddy@166	480 authz = strings.TrimPrefix(authz, "Bearer ")
paddy@166	481 vars := mux.Vars(r)
paddy@166	482 if vars["id"] == "" {
paddy@166	483 errors = append(errors, requestError{Slug: requestErrMissing, Param: "id"})
paddy@166	484 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@166	485 return
paddy@166	486 }
paddy@166	487 id, err := uuid.Parse(vars["id"])
paddy@166	488 if err != nil {
paddy@166	489 errors = append(errors, requestError{Slug: requestErrInvalidFormat, Param: "id"})
paddy@166	490 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@166	491 return
paddy@166	492 }
paddy@166	493 token, err := context.GetToken(authz, false)
paddy@166	494 if err != nil \|\| token.Revoked {
paddy@166	495 if err == ErrTokenNotFound \|\| token.Revoked {
paddy@166	496 errors = append(errors, requestError{Slug: requestErrAccessDenied})
paddy@166	497 encode(w, r, http.StatusUnauthorized, response{Errors: errors})
paddy@166	498 return
paddy@166	499 } else {
paddy@166	500 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
paddy@166	501 return
paddy@166	502 }
paddy@166	503 }
paddy@166	504 if !id.Equal(token.ProfileID) {
paddy@166	505 errors = append(errors, requestError{Slug: requestErrAccessDenied})
paddy@166	506 encode(w, r, http.StatusForbidden, response{Errors: errors})
paddy@166	507 return
paddy@166	508 }
paddy@166	509 profile, err := context.GetProfileByID(id)
paddy@166	510 if err != nil {
paddy@166	511 if err == ErrProfileNotFound {
paddy@166	512 errors = append(errors, requestError{Slug: requestErrNotFound, Param: "id"})
paddy@166	513 encode(w, r, http.StatusNotFound, response{Errors: errors})
paddy@166	514 return
paddy@166	515 }
paddy@166	516 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
paddy@166	517 return
paddy@166	518 }
paddy@166	519 encode(w, r, http.StatusOK, response{Profiles: []Profile{profile}})
paddy@166	520 return
paddy@166	521 }
paddy@166	522
paddy@99	523 // CreateProfileHandler is an HTTP handler for registering new profiles.
paddy@99	524 func CreateProfileHandler(w http.ResponseWriter, r *http.Request, context Context) {
paddy@99	525 scheme, ok := passphraseSchemes[CurPassphraseScheme]
paddy@99	526 if !ok {
paddy@149	527 log.Printf("Error selecting passphrase scheme #%d\n", CurPassphraseScheme)
paddy@105	528 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
paddy@99	529 return
paddy@99	530 }
paddy@99	531 var req newProfileRequest
paddy@99	532 errors := []requestError{}
paddy@99	533 decoder := json.NewDecoder(r.Body)
paddy@99	534 err := decoder.Decode(&req)
paddy@99	535 if err != nil {
paddy@105	536 encode(w, r, http.StatusBadRequest, invalidFormatResponse)
paddy@99	537 return
paddy@99	538 }
paddy@99	539 errors = append(errors, validateNewProfileRequest(&req)...)
paddy@99	540 if len(errors) > 0 {
paddy@105	541 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@99	542 return
paddy@99	543 }
paddy@99	544 passphrase, salt, err := scheme.create(req.Passphrase, context.config.iterations)
paddy@99	545 if err != nil {
paddy@149	546 log.Printf("Error creating encoded passphrase: %#+v\n", err)
paddy@105	547 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
paddy@99	548 return
paddy@99	549 }
paddy@99	550 profile := Profile{
paddy@99	551 ID: uuid.NewID(),
paddy@99	552 Name: req.Name,
paddy@99	553 Passphrase: string(passphrase),
paddy@99	554 Iterations: context.config.iterations,
paddy@99	555 Salt: string(salt),
paddy@99	556 PassphraseScheme: CurPassphraseScheme,
paddy@99	557 Created: time.Now(),
paddy@99	558 LastSeen: time.Now(),
paddy@99	559 }
paddy@99	560 err = context.SaveProfile(profile)
paddy@99	561 if err != nil {
paddy@105	562 if err == ErrProfileAlreadyExists {
paddy@105	563 encode(w, r, http.StatusBadRequest, response{Errors: []requestError{{Slug: requestErrConflict, Field: "/id"}}})
paddy@105	564 return
paddy@105	565 }
paddy@149	566 log.Printf("Error saving profile: %#+v\n", err)
paddy@105	567 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
paddy@99	568 return
paddy@99	569 }
paddy@99	570 logins := []Login{}
paddy@99	571 login := Login{
paddy@99	572 Type: "email",
paddy@99	573 Value: req.Email,
paddy@99	574 Created: profile.Created,
paddy@99	575 LastUsed: profile.Created,
paddy@99	576 ProfileID: profile.ID,
paddy@99	577 }
paddy@99	578 err = context.AddLogin(login)
paddy@99	579 if err != nil {
paddy@105	580 if err == ErrLoginAlreadyExists {
paddy@105	581 encode(w, r, http.StatusBadRequest, response{Errors: []requestError{{Slug: requestErrConflict, Field: "/email"}}})
paddy@105	582 return
paddy@105	583 }
paddy@149	584 log.Printf("Error adding login: %#+v\n", err)
paddy@105	585 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
paddy@99	586 return
paddy@99	587 }
paddy@99	588 logins = append(logins, login)
paddy@105	589 resp := response{
paddy@105	590 Logins: logins,
paddy@105	591 Profiles: []Profile{profile},
paddy@105	592 }
paddy@105	593 encode(w, r, http.StatusCreated, resp)
paddy@99	594 // TODO(paddy): should we kick off the email validation flow?
paddy@99	595 }
paddy@145	596
paddy@145	597 func UpdateProfileHandler(w http.ResponseWriter, r *http.Request, context Context) {
paddy@145	598 errors := []requestError{}
paddy@145	599 vars := mux.Vars(r)
paddy@145	600 if vars["id"] == "" {
paddy@145	601 errors = append(errors, requestError{Slug: requestErrMissing, Param: "id"})
paddy@145	602 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@145	603 return
paddy@145	604 }
paddy@145	605 id, err := uuid.Parse(vars["id"])
paddy@145	606 if err != nil {
paddy@145	607 errors = append(errors, requestError{Slug: requestErrAccessDenied})
paddy@145	608 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@145	609 return
paddy@145	610 }
paddy@145	611 username, password, ok := r.BasicAuth()
paddy@145	612 if !ok {
paddy@145	613 errors = append(errors, requestError{Slug: requestErrAccessDenied})
paddy@145	614 encode(w, r, http.StatusUnauthorized, response{Errors: errors})
paddy@145	615 return
paddy@145	616 }
paddy@145	617 profile, err := authenticate(username, password, context)
paddy@145	618 if err != nil {
paddy@145	619 if isAuthError(err) {
paddy@145	620 errors = append(errors, requestError{Slug: requestErrAccessDenied})
paddy@145	621 encode(w, r, http.StatusUnauthorized, response{Errors: errors})
paddy@145	622 } else {
paddy@145	623 errors = append(errors, requestError{Slug: requestErrActOfGod})
paddy@145	624 encode(w, r, http.StatusInternalServerError, response{Errors: errors})
paddy@145	625 }
paddy@145	626 return
paddy@145	627 }
paddy@145	628 if !profile.ID.Equal(id) {
paddy@145	629 errors = append(errors, requestError{Slug: requestErrAccessDenied})
paddy@145	630 encode(w, r, http.StatusForbidden, response{Errors: errors})
paddy@145	631 return
paddy@145	632 }
paddy@145	633 var req ProfileChange
paddy@145	634 decoder := json.NewDecoder(r.Body)
paddy@145	635 err = decoder.Decode(&req)
paddy@145	636 if err != nil {
paddy@149	637 log.Printf("Error decoding request: %#+v\n", err)
paddy@145	638 encode(w, r, http.StatusBadRequest, invalidFormatResponse)
paddy@145	639 return
paddy@145	640 }
paddy@145	641 req.Iterations = nil
paddy@145	642 req.Salt = nil
paddy@145	643 req.PassphraseScheme = nil
paddy@145	644 req.Compromised = nil // BUG(paddy): Need a way for admins to mark accounts as compromised
paddy@145	645 req.LockedUntil = nil
paddy@145	646 req.LastSeen = nil
paddy@145	647 if req.Passphrase != nil {
paddy@145	648 if len(*req.Passphrase) < MinPassphraseLength {
paddy@145	649 errors = append(errors, requestError{Slug: requestErrInsufficient, Field: "/passphrase"})
paddy@145	650 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@145	651 return
paddy@145	652 }
paddy@145	653 if len(*req.Passphrase) > MaxPassphraseLength {
paddy@145	654 errors = append(errors, requestError{Slug: requestErrOverflow, Field: "/passphrase"})
paddy@145	655 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@145	656 return
paddy@145	657 }
paddy@145	658 iterations := context.config.iterations
paddy@145	659 scheme, ok := passphraseSchemes[CurPassphraseScheme]
paddy@145	660 if !ok {
paddy@145	661 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
paddy@145	662 return
paddy@145	663 }
paddy@145	664 curScheme := CurPassphraseScheme
paddy@145	665 req.PassphraseScheme = &curScheme
paddy@145	666 passphrase, salt, err := scheme.create(*req.Passphrase, iterations)
paddy@145	667 if err != nil {
paddy@145	668 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
paddy@145	669 return
paddy@145	670 }
paddy@145	671 req.Passphrase = &passphrase
paddy@145	672 req.Salt = &salt
paddy@145	673 req.Iterations = &iterations
paddy@145	674 }
paddy@145	675 if req.PassphraseReset != nil {
paddy@145	676 now := time.Now()
paddy@145	677 req.PassphraseResetCreated = &now
paddy@145	678 }
paddy@145	679 err = req.Validate()
paddy@145	680 if err != nil {
paddy@145	681 var status int
paddy@145	682 var resp response
paddy@145	683 switch err {
paddy@145	684 case ErrEmptyChange:
paddy@145	685 resp.Profiles = []Profile{profile}
paddy@145	686 status = http.StatusOK
paddy@145	687 default:
paddy@145	688 errors = append(errors, requestError{Slug: requestErrActOfGod})
paddy@145	689 resp.Errors = errors
paddy@145	690 status = http.StatusInternalServerError
paddy@145	691 }
paddy@145	692 encode(w, r, status, resp)
paddy@145	693 return
paddy@145	694 }
paddy@145	695 err = context.UpdateProfile(id, req)
paddy@145	696 if err != nil {
paddy@145	697 if err == ErrProfileNotFound {
paddy@145	698 errors = append(errors, requestError{Slug: requestErrNotFound})
paddy@145	699 encode(w, r, http.StatusNotFound, response{Errors: errors})
paddy@145	700 return
paddy@145	701 }
paddy@145	702 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
paddy@145	703 return
paddy@145	704 }
paddy@145	705 profile.ApplyChange(req)
paddy@145	706 encode(w, r, http.StatusOK, response{Profiles: []Profile{profile}})
paddy@145	707 return
paddy@145	708 }
paddy@160	709
paddy@160	710 func DeleteProfileHandler(w http.ResponseWriter, r *http.Request, context Context) {
paddy@160	711 errors := []requestError{}
paddy@160	712 vars := mux.Vars(r)
paddy@160	713 if vars["id"] == "" {
paddy@160	714 errors = append(errors, requestError{Slug: requestErrMissing, Param: "id"})
paddy@160	715 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@160	716 return
paddy@160	717 }
paddy@160	718 id, err := uuid.Parse(vars["id"])
paddy@160	719 if err != nil {
paddy@160	720 errors = append(errors, requestError{Slug: requestErrAccessDenied})
paddy@160	721 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@160	722 return
paddy@160	723 }
paddy@160	724 username, password, ok := r.BasicAuth()
paddy@160	725 if !ok {
paddy@160	726 errors = append(errors, requestError{Slug: requestErrAccessDenied})
paddy@160	727 encode(w, r, http.StatusUnauthorized, response{Errors: errors})
paddy@160	728 return
paddy@160	729 }
paddy@160	730 profile, err := authenticate(username, password, context)
paddy@160	731 if err != nil {
paddy@160	732 if isAuthError(err) {
paddy@160	733 errors = append(errors, requestError{Slug: requestErrAccessDenied})
paddy@160	734 encode(w, r, http.StatusUnauthorized, response{Errors: errors})
paddy@160	735 } else {
paddy@160	736 errors = append(errors, requestError{Slug: requestErrActOfGod})
paddy@160	737 encode(w, r, http.StatusInternalServerError, response{Errors: errors})
paddy@160	738 }
paddy@160	739 return
paddy@160	740 }
paddy@160	741 if !profile.ID.Equal(id) {
paddy@160	742 errors = append(errors, requestError{Slug: requestErrAccessDenied})
paddy@160	743 encode(w, r, http.StatusForbidden, response{Errors: errors})
paddy@160	744 return
paddy@160	745 }
paddy@161	746 err = context.DeleteProfile(id)
paddy@160	747 if err != nil {
paddy@160	748 if err == ErrProfileNotFound {
paddy@160	749 errors = append(errors, requestError{Slug: requestErrNotFound})
paddy@160	750 encode(w, r, http.StatusNotFound, response{Errors: errors})
paddy@160	751 return
paddy@160	752 }
paddy@160	753 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
paddy@160	754 return
paddy@160	755 }
paddy@160	756 encode(w, r, http.StatusOK, response{Profiles: []Profile{profile}})
paddy@160	757 go cleanUpAfterProfileDeletion(profile.ID, context)
paddy@160	758 }