auth
auth/profile.go
Implement UpdateProfileHandler. Implement a handler that will allow users to update their Profiles through the API.
| paddy@27 | 1 package auth |
| paddy@27 | 2 |
| paddy@27 | 3 import ( |
| paddy@99 | 4 "encoding/json" |
| paddy@38 | 5 "errors" |
| paddy@99 | 6 "net/http" |
| paddy@99 | 7 "regexp" |
| paddy@99 | 8 "strings" |
| paddy@27 | 9 "time" |
| paddy@27 | 10 |
| paddy@107 | 11 "code.secondbit.org/uuid.hg" |
| paddy@99 | 12 "github.com/extemporalgenome/slug" |
| paddy@105 | 13 "github.com/gorilla/mux" |
| paddy@27 | 14 ) |
| paddy@27 | 15 |
| paddy@48 | 16 const ( |
| paddy@57 | 17 // MinPassphraseLength is the minimum length, in bytes, of a passphrase, exclusive. |
| paddy@48 | 18 MinPassphraseLength = 6 |
| paddy@57 | 19 // MaxPassphraseLength is the maximum length, in bytes, of a passphrase, exclusive. |
| paddy@48 | 20 MaxPassphraseLength = 64 |
| paddy@69 | 21 // CurPassphraseScheme is the current passphrase scheme. Incrememnt it when we use a different passphrase scheme |
| paddy@69 | 22 CurPassphraseScheme = 1 |
| paddy@99 | 23 // MaxNameLength is the maximum length, in bytes, of a name, exclusive. |
| paddy@99 | 24 MaxNameLength = 64 |
| paddy@99 | 25 // MaxUsernameLength is the maximum length, in bytes, of a username, exclusive. |
| paddy@99 | 26 MaxUsernameLength = 16 |
| paddy@99 | 27 // MaxEmailLength is the maximum length, in bytes, of an email address, exclusive. |
| paddy@99 | 28 MaxEmailLength = 64 |
| paddy@48 | 29 ) |
| paddy@48 | 30 |
| paddy@38 | 31 var ( |
| paddy@57 | 32 // ErrNoProfileStore is returned when a Context tries to act on a profileStore without setting one first. |
| paddy@57 | 33 ErrNoProfileStore = errors.New("no profileStore was specified for the Context") |
| paddy@57 | 34 // ErrProfileAlreadyExists is returned when a Profile is added to a profileStore, but another Profile with |
| paddy@57 | 35 // the same ID already exists in the profileStore. |
| paddy@57 | 36 ErrProfileAlreadyExists = errors.New("profile already exists in profileStore") |
| paddy@57 | 37 // ErrProfileNotFound is returned when a Profile is requested but not found in the profileStore. |
| paddy@57 | 38 ErrProfileNotFound = errors.New("profile not found in profileStore") |
| paddy@57 | 39 // ErrLoginAlreadyExists is returned when a Login is added to a profileStore, but another Login with the same |
| paddy@57 | 40 // Type and Value already exists in the profileStore. |
| paddy@57 | 41 ErrLoginAlreadyExists = errors.New("login already exists in profileStore") |
| paddy@57 | 42 // ErrLoginNotFound is returned when a Login is requested but not found in the profileStore. |
| paddy@57 | 43 ErrLoginNotFound = errors.New("login not found in profileStore") |
| paddy@48 | 44 |
| paddy@57 | 45 // ErrMissingPassphrase is returned when a ProfileChange is validated but does not contain a |
| paddy@57 | 46 // Passphrase, and requires one. |
| paddy@57 | 47 ErrMissingPassphrase = errors.New("missing passphrase") |
| paddy@57 | 48 // ErrMissingPassphraseReset is returned when a ProfileChange is validated but does not contain |
| paddy@57 | 49 // a PassphraseReset, and requires one. |
| paddy@57 | 50 ErrMissingPassphraseReset = errors.New("missing passphrase reset") |
| paddy@57 | 51 // ErrMissingPassphraseResetCreated is returned when a ProfileChange is validated but does not |
| paddy@57 | 52 // contain a PassphraseResetCreated, and requires one. |
| paddy@48 | 53 ErrMissingPassphraseResetCreated = errors.New("missing passphrase reset created timestamp") |
| paddy@57 | 54 // ErrPassphraseTooShort is returned when a ProfileChange is validated and contains a Passphrase, |
| paddy@57 | 55 // but the Passphrase is shorter than MinPassphraseLength. |
| paddy@57 | 56 ErrPassphraseTooShort = errors.New("passphrase too short") |
| paddy@57 | 57 // ErrPassphraseTooLong is returned when a ProfileChange is validated and contains a Passphrase, |
| paddy@57 | 58 // but the Passphrase is longer than MaxPassphraseLength. |
| paddy@57 | 59 ErrPassphraseTooLong = errors.New("passphrase too long") |
| paddy@99 | 60 |
| paddy@99 | 61 // ErrProfileCompromised is returned when a user tries to log in with a profile that is suspected |
| paddy@99 | 62 // of being compromised. |
| paddy@99 | 63 ErrProfileCompromised = errors.New("profile compromised") |
| paddy@99 | 64 // ErrProfileLocked is returned when a user tries to log in with a profile that is locked for a certain |
| paddy@99 | 65 // duration, to prevent brute force attacks. |
| paddy@99 | 66 ErrProfileLocked = errors.New("profile locked") |
| paddy@38 | 67 ) |
| paddy@38 | 68 |
| paddy@57 | 69 // Profile represents a single user of the service, |
| paddy@57 | 70 // including their authentication information, but not |
| paddy@57 | 71 // including their username or email. |
| paddy@27 | 72 type Profile struct { |
| paddy@105 | 73 ID uuid.ID `json:"id,omitempty"` |
| paddy@105 | 74 Name string `json:"name,omitempty"` |
| paddy@105 | 75 Passphrase string `json:"-"` |
| paddy@105 | 76 Iterations int `json:"-"` |
| paddy@105 | 77 Salt string `json:"-"` |
| paddy@105 | 78 PassphraseScheme int `json:"-"` |
| paddy@105 | 79 Compromised bool `json:"-"` |
| paddy@105 | 80 LockedUntil time.Time `json:"-"` |
| paddy@105 | 81 PassphraseReset string `json:"-"` |
| paddy@105 | 82 PassphraseResetCreated time.Time `json:"-"` |
| paddy@105 | 83 Created time.Time `json:"created,omitempty"` |
| paddy@105 | 84 LastSeen time.Time `json:"last_seen,omitempty"` |
| paddy@38 | 85 } |
| paddy@38 | 86 |
| paddy@57 | 87 // ApplyChange applies the properties of the passed ProfileChange |
| paddy@57 | 88 // to the Profile it is called on. |
| paddy@38 | 89 func (p *Profile) ApplyChange(change ProfileChange) { |
| paddy@38 | 90 if change.Name != nil { |
| paddy@38 | 91 p.Name = *change.Name |
| paddy@38 | 92 } |
| paddy@38 | 93 if change.Passphrase != nil { |
| paddy@38 | 94 p.Passphrase = *change.Passphrase |
| paddy@38 | 95 } |
| paddy@38 | 96 if change.Iterations != nil { |
| paddy@38 | 97 p.Iterations = *change.Iterations |
| paddy@38 | 98 } |
| paddy@38 | 99 if change.Salt != nil { |
| paddy@38 | 100 p.Salt = *change.Salt |
| paddy@38 | 101 } |
| paddy@38 | 102 if change.PassphraseScheme != nil { |
| paddy@38 | 103 p.PassphraseScheme = *change.PassphraseScheme |
| paddy@38 | 104 } |
| paddy@38 | 105 if change.Compromised != nil { |
| paddy@38 | 106 p.Compromised = *change.Compromised |
| paddy@38 | 107 } |
| paddy@38 | 108 if change.LockedUntil != nil { |
| paddy@38 | 109 p.LockedUntil = *change.LockedUntil |
| paddy@38 | 110 } |
| paddy@38 | 111 if change.PassphraseReset != nil { |
| paddy@38 | 112 p.PassphraseReset = *change.PassphraseReset |
| paddy@38 | 113 } |
| paddy@38 | 114 if change.PassphraseResetCreated != nil { |
| paddy@38 | 115 p.PassphraseResetCreated = *change.PassphraseResetCreated |
| paddy@38 | 116 } |
| paddy@38 | 117 if change.LastSeen != nil { |
| paddy@38 | 118 p.LastSeen = *change.LastSeen |
| paddy@38 | 119 } |
| paddy@38 | 120 } |
| paddy@38 | 121 |
| paddy@57 | 122 // ApplyBulkChange applies the properties of the passed BulkProfileChange |
| paddy@57 | 123 // to the Profile it is called on. |
| paddy@44 | 124 func (p *Profile) ApplyBulkChange(change BulkProfileChange) { |
| paddy@44 | 125 if change.Compromised != nil { |
| paddy@44 | 126 p.Compromised = *change.Compromised |
| paddy@44 | 127 } |
| paddy@44 | 128 } |
| paddy@44 | 129 |
| paddy@57 | 130 // ProfileChange represents a single atomic change to a Profile's mutable data. |
| paddy@38 | 131 type ProfileChange struct { |
| paddy@38 | 132 Name *string |
| paddy@38 | 133 Passphrase *string |
| paddy@69 | 134 Iterations *int |
| paddy@38 | 135 Salt *string |
| paddy@38 | 136 PassphraseScheme *int |
| paddy@38 | 137 Compromised *bool |
| paddy@38 | 138 LockedUntil *time.Time |
| paddy@38 | 139 PassphraseReset *string |
| paddy@38 | 140 PassphraseResetCreated *time.Time |
| paddy@38 | 141 LastSeen *time.Time |
| paddy@38 | 142 } |
| paddy@38 | 143 |
| paddy@57 | 144 // Validate checks the ProfileChange it is called on |
| paddy@57 | 145 // and asserts its internal validity, or lack thereof. |
| paddy@57 | 146 // A descriptive error will be returned in the case of |
| paddy@57 | 147 // an invalid change. |
| paddy@38 | 148 func (c ProfileChange) Validate() error { |
| paddy@48 | 149 if c.Name == nil && c.Passphrase == nil && c.Iterations == nil && c.Salt == nil && c.PassphraseScheme == nil && c.Compromised == nil && c.LockedUntil == nil && c.PassphraseReset == nil && c.PassphraseResetCreated == nil && c.LastSeen == nil { |
| paddy@48 | 150 return ErrEmptyChange |
| paddy@48 | 151 } |
| paddy@48 | 152 if c.PassphraseScheme != nil && c.Passphrase == nil { |
| paddy@48 | 153 return ErrMissingPassphrase |
| paddy@48 | 154 } |
| paddy@48 | 155 if c.PassphraseReset != nil && c.PassphraseResetCreated == nil { |
| paddy@48 | 156 return ErrMissingPassphraseResetCreated |
| paddy@48 | 157 } |
| paddy@48 | 158 if c.PassphraseReset == nil && c.PassphraseResetCreated != nil { |
| paddy@48 | 159 return ErrMissingPassphraseReset |
| paddy@48 | 160 } |
| paddy@48 | 161 if c.Salt != nil && c.Passphrase == nil { |
| paddy@48 | 162 return ErrMissingPassphrase |
| paddy@48 | 163 } |
| paddy@48 | 164 if c.Iterations != nil && c.Passphrase == nil { |
| paddy@48 | 165 return ErrMissingPassphrase |
| paddy@48 | 166 } |
| paddy@38 | 167 return nil |
| paddy@27 | 168 } |
| paddy@27 | 169 |
| paddy@57 | 170 // BulkProfileChange represents a single atomic change to many Profiles' mutable data. |
| paddy@57 | 171 // It is a subset of a ProfileChange, as it doesn't make sense to mutate some of the |
| paddy@57 | 172 // ProfileChange values across many Profiles all at once. |
| paddy@44 | 173 type BulkProfileChange struct { |
| paddy@44 | 174 Compromised *bool |
| paddy@44 | 175 } |
| paddy@44 | 176 |
| paddy@57 | 177 // Validate checks the BulkProfileChange it is called on |
| paddy@57 | 178 // and asserts its internal validity, or lack thereof. |
| paddy@57 | 179 // A descriptive error will be returned in the case of an |
| paddy@57 | 180 // invalid change. |
| paddy@44 | 181 func (b BulkProfileChange) Validate() error { |
| paddy@48 | 182 if b.Compromised == nil { |
| paddy@48 | 183 return ErrEmptyChange |
| paddy@48 | 184 } |
| paddy@44 | 185 return nil |
| paddy@44 | 186 } |
| paddy@44 | 187 |
| paddy@57 | 188 // Login represents a single human-friendly identifier for |
| paddy@57 | 189 // a given Profile that can be used to log into that Profile. |
| paddy@57 | 190 // Each Profile may only have one Login for each Type. |
| paddy@27 | 191 type Login struct { |
| paddy@105 | 192 Type string `json:"type,omitempty"` |
| paddy@105 | 193 Value string `json:"value,omitempty"` |
| paddy@105 | 194 ProfileID uuid.ID `json:"profile_id,omitempty"` |
| paddy@105 | 195 Created time.Time `json:"created,omitempty"` |
| paddy@105 | 196 LastUsed time.Time `json:"last_used,omitempty"` |
| paddy@27 | 197 } |
| paddy@27 | 198 |
| paddy@99 | 199 type newProfileRequest struct { |
| paddy@99 | 200 Username string `json:"username"` |
| paddy@99 | 201 Email string `json:"email"` |
| paddy@99 | 202 Passphrase string `json:"passphrase"` |
| paddy@99 | 203 Name string `json:"name"` |
| paddy@99 | 204 } |
| paddy@99 | 205 |
| paddy@99 | 206 func validateNewProfileRequest(req *newProfileRequest) []requestError { |
| paddy@99 | 207 errors := []requestError{} |
| paddy@99 | 208 req.Name = strings.TrimSpace(req.Name) |
| paddy@99 | 209 req.Email = strings.TrimSpace(req.Email) |
| paddy@99 | 210 req.Username = slug.SlugAscii(strings.TrimSpace(req.Username)) |
| paddy@99 | 211 if len(req.Passphrase) < MinPassphraseLength { |
| paddy@99 | 212 errors = append(errors, requestError{ |
| paddy@99 | 213 Slug: requestErrInsufficient, |
| paddy@99 | 214 Field: "/passphrase", |
| paddy@99 | 215 }) |
| paddy@99 | 216 } |
| paddy@99 | 217 if len(req.Passphrase) > MaxPassphraseLength { |
| paddy@99 | 218 errors = append(errors, requestError{ |
| paddy@99 | 219 Slug: requestErrOverflow, |
| paddy@99 | 220 Field: "/passphrase", |
| paddy@99 | 221 }) |
| paddy@99 | 222 } |
| paddy@99 | 223 if len(req.Name) > MaxNameLength { |
| paddy@99 | 224 errors = append(errors, requestError{ |
| paddy@99 | 225 Slug: requestErrOverflow, |
| paddy@99 | 226 Field: "/name", |
| paddy@99 | 227 }) |
| paddy@99 | 228 } |
| paddy@99 | 229 if len(req.Username) > MaxUsernameLength { |
| paddy@99 | 230 errors = append(errors, requestError{ |
| paddy@99 | 231 Slug: requestErrOverflow, |
| paddy@99 | 232 Field: "/username", |
| paddy@99 | 233 }) |
| paddy@99 | 234 } |
| paddy@99 | 235 if req.Email == "" { |
| paddy@99 | 236 errors = append(errors, requestError{ |
| paddy@99 | 237 Slug: requestErrMissing, |
| paddy@99 | 238 Field: "/email", |
| paddy@99 | 239 }) |
| paddy@99 | 240 } |
| paddy@99 | 241 if len(req.Email) > MaxEmailLength { |
| paddy@99 | 242 errors = append(errors, requestError{ |
| paddy@99 | 243 Slug: requestErrOverflow, |
| paddy@99 | 244 Field: "/email", |
| paddy@99 | 245 }) |
| paddy@99 | 246 } |
| paddy@99 | 247 re := regexp.MustCompile(".+@.+\\..+") |
| paddy@99 | 248 if !re.Match([]byte(req.Email)) { |
| paddy@99 | 249 errors = append(errors, requestError{ |
| paddy@105 | 250 Slug: requestErrInvalidFormat, |
| paddy@99 | 251 Field: "/email", |
| paddy@99 | 252 }) |
| paddy@99 | 253 } |
| paddy@99 | 254 return errors |
| paddy@99 | 255 } |
| paddy@99 | 256 |
| paddy@57 | 257 type profileStore interface { |
| paddy@57 | 258 getProfileByID(id uuid.ID) (Profile, error) |
| paddy@69 | 259 getProfileByLogin(value string) (Profile, error) |
| paddy@57 | 260 saveProfile(profile Profile) error |
| paddy@57 | 261 updateProfile(id uuid.ID, change ProfileChange) error |
| paddy@57 | 262 updateProfiles(ids []uuid.ID, change BulkProfileChange) error |
| paddy@57 | 263 deleteProfile(id uuid.ID) error |
| paddy@44 | 264 |
| paddy@57 | 265 addLogin(login Login) error |
| paddy@69 | 266 removeLogin(value string, profile uuid.ID) error |
| paddy@69 | 267 recordLoginUse(value string, when time.Time) error |
| paddy@57 | 268 listLogins(profile uuid.ID, num, offset int) ([]Login, error) |
| paddy@38 | 269 } |
| paddy@27 | 270 |
| paddy@57 | 271 func (m *memstore) getProfileByID(id uuid.ID) (Profile, error) { |
| paddy@38 | 272 m.profileLock.RLock() |
| paddy@38 | 273 defer m.profileLock.RUnlock() |
| paddy@38 | 274 p, ok := m.profiles[id.String()] |
| paddy@38 | 275 if !ok { |
| paddy@38 | 276 return Profile{}, ErrProfileNotFound |
| paddy@38 | 277 } |
| paddy@38 | 278 return p, nil |
| paddy@27 | 279 } |
| paddy@38 | 280 |
| paddy@69 | 281 func (m *memstore) getProfileByLogin(value string) (Profile, error) { |
| paddy@44 | 282 m.loginLock.RLock() |
| paddy@44 | 283 defer m.loginLock.RUnlock() |
| paddy@69 | 284 login, ok := m.logins[value] |
| paddy@44 | 285 if !ok { |
| paddy@44 | 286 return Profile{}, ErrLoginNotFound |
| paddy@44 | 287 } |
| paddy@44 | 288 m.profileLock.RLock() |
| paddy@44 | 289 defer m.profileLock.RUnlock() |
| paddy@44 | 290 profile, ok := m.profiles[login.ProfileID.String()] |
| paddy@44 | 291 if !ok { |
| paddy@44 | 292 return Profile{}, ErrProfileNotFound |
| paddy@44 | 293 } |
| paddy@44 | 294 return profile, nil |
| paddy@38 | 295 } |
| paddy@38 | 296 |
| paddy@57 | 297 func (m *memstore) saveProfile(profile Profile) error { |
| paddy@38 | 298 m.profileLock.Lock() |
| paddy@38 | 299 defer m.profileLock.Unlock() |
| paddy@38 | 300 _, ok := m.profiles[profile.ID.String()] |
| paddy@38 | 301 if ok { |
| paddy@38 | 302 return ErrProfileAlreadyExists |
| paddy@38 | 303 } |
| paddy@38 | 304 m.profiles[profile.ID.String()] = profile |
| paddy@38 | 305 return nil |
| paddy@38 | 306 } |
| paddy@38 | 307 |
| paddy@57 | 308 func (m *memstore) updateProfile(id uuid.ID, change ProfileChange) error { |
| paddy@38 | 309 m.profileLock.Lock() |
| paddy@38 | 310 defer m.profileLock.Unlock() |
| paddy@38 | 311 p, ok := m.profiles[id.String()] |
| paddy@38 | 312 if !ok { |
| paddy@38 | 313 return ErrProfileNotFound |
| paddy@38 | 314 } |
| paddy@38 | 315 p.ApplyChange(change) |
| paddy@38 | 316 m.profiles[id.String()] = p |
| paddy@38 | 317 return nil |
| paddy@38 | 318 } |
| paddy@38 | 319 |
| paddy@57 | 320 func (m *memstore) updateProfiles(ids []uuid.ID, change BulkProfileChange) error { |
| paddy@44 | 321 m.profileLock.Lock() |
| paddy@44 | 322 defer m.profileLock.Unlock() |
| paddy@44 | 323 for id, profile := range m.profiles { |
| paddy@44 | 324 for _, i := range ids { |
| paddy@44 | 325 if id == i.String() { |
| paddy@44 | 326 profile.ApplyBulkChange(change) |
| paddy@44 | 327 m.profiles[id] = profile |
| paddy@44 | 328 break |
| paddy@44 | 329 } |
| paddy@44 | 330 } |
| paddy@44 | 331 } |
| paddy@44 | 332 return nil |
| paddy@44 | 333 } |
| paddy@44 | 334 |
| paddy@57 | 335 func (m *memstore) deleteProfile(id uuid.ID) error { |
| paddy@38 | 336 m.profileLock.Lock() |
| paddy@38 | 337 defer m.profileLock.Unlock() |
| paddy@38 | 338 _, ok := m.profiles[id.String()] |
| paddy@38 | 339 if !ok { |
| paddy@38 | 340 return ErrProfileNotFound |
| paddy@38 | 341 } |
| paddy@38 | 342 delete(m.profiles, id.String()) |
| paddy@38 | 343 return nil |
| paddy@38 | 344 } |
| paddy@40 | 345 |
| paddy@57 | 346 func (m *memstore) addLogin(login Login) error { |
| paddy@44 | 347 m.loginLock.Lock() |
| paddy@44 | 348 defer m.loginLock.Unlock() |
| paddy@69 | 349 _, ok := m.logins[login.Value] |
| paddy@44 | 350 if ok { |
| paddy@44 | 351 return ErrLoginAlreadyExists |
| paddy@44 | 352 } |
| paddy@69 | 353 m.logins[login.Value] = login |
| paddy@69 | 354 m.profileLoginLookup[login.ProfileID.String()] = append(m.profileLoginLookup[login.ProfileID.String()], login.Value) |
| paddy@44 | 355 return nil |
| paddy@44 | 356 } |
| paddy@44 | 357 |
| paddy@69 | 358 func (m *memstore) removeLogin(value string, profile uuid.ID) error { |
| paddy@44 | 359 m.loginLock.Lock() |
| paddy@44 | 360 defer m.loginLock.Unlock() |
| paddy@69 | 361 l, ok := m.logins[value] |
| paddy@44 | 362 if !ok { |
| paddy@44 | 363 return ErrLoginNotFound |
| paddy@44 | 364 } |
| paddy@44 | 365 if !l.ProfileID.Equal(profile) { |
| paddy@44 | 366 return ErrLoginNotFound |
| paddy@44 | 367 } |
| paddy@69 | 368 delete(m.logins, value) |
| paddy@44 | 369 pos := -1 |
| paddy@44 | 370 for p, id := range m.profileLoginLookup[profile.String()] { |
| paddy@69 | 371 if id == value { |
| paddy@44 | 372 pos = p |
| paddy@44 | 373 break |
| paddy@44 | 374 } |
| paddy@44 | 375 } |
| paddy@44 | 376 if pos >= 0 { |
| paddy@44 | 377 m.profileLoginLookup[profile.String()] = append(m.profileLoginLookup[profile.String()][:pos], m.profileLoginLookup[profile.String()][pos+1:]...) |
| paddy@44 | 378 } |
| paddy@44 | 379 return nil |
| paddy@44 | 380 } |
| paddy@44 | 381 |
| paddy@69 | 382 func (m *memstore) recordLoginUse(value string, when time.Time) error { |
| paddy@44 | 383 m.loginLock.Lock() |
| paddy@44 | 384 defer m.loginLock.Unlock() |
| paddy@69 | 385 l, ok := m.logins[value] |
| paddy@44 | 386 if !ok { |
| paddy@44 | 387 return ErrLoginNotFound |
| paddy@44 | 388 } |
| paddy@44 | 389 l.LastUsed = when |
| paddy@69 | 390 m.logins[value] = l |
| paddy@44 | 391 return nil |
| paddy@44 | 392 } |
| paddy@44 | 393 |
| paddy@57 | 394 func (m *memstore) listLogins(profile uuid.ID, num, offset int) ([]Login, error) { |
| paddy@44 | 395 m.loginLock.RLock() |
| paddy@44 | 396 defer m.loginLock.RUnlock() |
| paddy@44 | 397 ids, ok := m.profileLoginLookup[profile.String()] |
| paddy@44 | 398 if !ok { |
| paddy@44 | 399 return []Login{}, nil |
| paddy@44 | 400 } |
| paddy@44 | 401 if len(ids) > num+offset { |
| paddy@44 | 402 ids = ids[offset : num+offset] |
| paddy@44 | 403 } else if len(ids) > offset { |
| paddy@44 | 404 ids = ids[offset:] |
| paddy@44 | 405 } else { |
| paddy@44 | 406 return []Login{}, nil |
| paddy@44 | 407 } |
| paddy@44 | 408 logins := []Login{} |
| paddy@44 | 409 for _, id := range ids { |
| paddy@44 | 410 login, ok := m.logins[id] |
| paddy@44 | 411 if !ok { |
| paddy@44 | 412 continue |
| paddy@44 | 413 } |
| paddy@44 | 414 logins = append(logins, login) |
| paddy@44 | 415 } |
| paddy@44 | 416 return logins, nil |
| paddy@44 | 417 } |
| paddy@99 | 418 |
| paddy@105 | 419 // RegisterProfileHandlers adds handlers to the passed router to handle the profile endpoints, like registration and user retrieval. |
| paddy@105 | 420 func RegisterProfileHandlers(r *mux.Router, context Context) { |
| paddy@105 | 421 r.Handle("/profiles", wrap(context, CreateProfileHandler)).Methods("POST") |
| paddy@128 | 422 // BUG(paddy): We need to implement a handler that will return information about a profile or set of profiles. |
| paddy@145 | 423 r.Handle("/profiles/{id}", wrap(context, UpdateProfileHandler)).Methods("PATCH") |
| paddy@128 | 424 // BUG(paddy): We need to implement a handler that will delete a profile. What happens to clients/tokens/grants/sessions when a profile is deleted? |
| paddy@128 | 425 // BUG(paddy): We need to implement a handler that will add a login to a profile. |
| paddy@128 | 426 // BUG(paddy): We need to implement a handler that will remove a login from a profile. What happens to sessions created with that login? |
| paddy@128 | 427 // BUG(paddy): We need to implement a handler that will list the logins attached to a profile. |
| paddy@105 | 428 } |
| paddy@105 | 429 |
| paddy@99 | 430 // CreateProfileHandler is an HTTP handler for registering new profiles. |
| paddy@99 | 431 func CreateProfileHandler(w http.ResponseWriter, r *http.Request, context Context) { |
| paddy@99 | 432 scheme, ok := passphraseSchemes[CurPassphraseScheme] |
| paddy@99 | 433 if !ok { |
| paddy@105 | 434 encode(w, r, http.StatusInternalServerError, actOfGodResponse) |
| paddy@99 | 435 return |
| paddy@99 | 436 } |
| paddy@99 | 437 var req newProfileRequest |
| paddy@99 | 438 errors := []requestError{} |
| paddy@99 | 439 decoder := json.NewDecoder(r.Body) |
| paddy@99 | 440 err := decoder.Decode(&req) |
| paddy@99 | 441 if err != nil { |
| paddy@105 | 442 encode(w, r, http.StatusBadRequest, invalidFormatResponse) |
| paddy@99 | 443 return |
| paddy@99 | 444 } |
| paddy@99 | 445 errors = append(errors, validateNewProfileRequest(&req)...) |
| paddy@99 | 446 if len(errors) > 0 { |
| paddy@105 | 447 encode(w, r, http.StatusBadRequest, response{Errors: errors}) |
| paddy@99 | 448 return |
| paddy@99 | 449 } |
| paddy@99 | 450 passphrase, salt, err := scheme.create(req.Passphrase, context.config.iterations) |
| paddy@99 | 451 if err != nil { |
| paddy@105 | 452 encode(w, r, http.StatusInternalServerError, actOfGodResponse) |
| paddy@99 | 453 return |
| paddy@99 | 454 } |
| paddy@99 | 455 profile := Profile{ |
| paddy@99 | 456 ID: uuid.NewID(), |
| paddy@99 | 457 Name: req.Name, |
| paddy@99 | 458 Passphrase: string(passphrase), |
| paddy@99 | 459 Iterations: context.config.iterations, |
| paddy@99 | 460 Salt: string(salt), |
| paddy@99 | 461 PassphraseScheme: CurPassphraseScheme, |
| paddy@99 | 462 Created: time.Now(), |
| paddy@99 | 463 LastSeen: time.Now(), |
| paddy@99 | 464 } |
| paddy@99 | 465 err = context.SaveProfile(profile) |
| paddy@99 | 466 if err != nil { |
| paddy@105 | 467 if err == ErrProfileAlreadyExists { |
| paddy@105 | 468 encode(w, r, http.StatusBadRequest, response{Errors: []requestError{{Slug: requestErrConflict, Field: "/id"}}}) |
| paddy@105 | 469 return |
| paddy@105 | 470 } |
| paddy@105 | 471 encode(w, r, http.StatusInternalServerError, actOfGodResponse) |
| paddy@99 | 472 return |
| paddy@99 | 473 } |
| paddy@99 | 474 logins := []Login{} |
| paddy@99 | 475 login := Login{ |
| paddy@99 | 476 Type: "email", |
| paddy@99 | 477 Value: req.Email, |
| paddy@99 | 478 Created: profile.Created, |
| paddy@99 | 479 LastUsed: profile.Created, |
| paddy@99 | 480 ProfileID: profile.ID, |
| paddy@99 | 481 } |
| paddy@99 | 482 err = context.AddLogin(login) |
| paddy@99 | 483 if err != nil { |
| paddy@105 | 484 if err == ErrLoginAlreadyExists { |
| paddy@105 | 485 encode(w, r, http.StatusBadRequest, response{Errors: []requestError{{Slug: requestErrConflict, Field: "/email"}}}) |
| paddy@105 | 486 return |
| paddy@105 | 487 } |
| paddy@105 | 488 encode(w, r, http.StatusInternalServerError, actOfGodResponse) |
| paddy@99 | 489 return |
| paddy@99 | 490 } |
| paddy@99 | 491 logins = append(logins, login) |
| paddy@99 | 492 if req.Username != "" { |
| paddy@99 | 493 login.Type = "username" |
| paddy@99 | 494 login.Value = req.Username |
| paddy@99 | 495 err = context.AddLogin(login) |
| paddy@99 | 496 if err != nil { |
| paddy@105 | 497 if err == ErrLoginAlreadyExists { |
| paddy@105 | 498 encode(w, r, http.StatusBadRequest, response{Errors: []requestError{{Slug: requestErrConflict, Field: "/username"}}}) |
| paddy@105 | 499 return |
| paddy@105 | 500 } |
| paddy@105 | 501 encode(w, r, http.StatusInternalServerError, actOfGodResponse) |
| paddy@99 | 502 return |
| paddy@99 | 503 } |
| paddy@99 | 504 logins = append(logins, login) |
| paddy@99 | 505 } |
| paddy@105 | 506 resp := response{ |
| paddy@105 | 507 Logins: logins, |
| paddy@105 | 508 Profiles: []Profile{profile}, |
| paddy@105 | 509 } |
| paddy@105 | 510 encode(w, r, http.StatusCreated, resp) |
| paddy@99 | 511 // TODO(paddy): should we kick off the email validation flow? |
| paddy@99 | 512 } |
| paddy@145 | 513 |
| paddy@145 | 514 func UpdateProfileHandler(w http.ResponseWriter, r *http.Request, context Context) { |
| paddy@145 | 515 errors := []requestError{} |
| paddy@145 | 516 vars := mux.Vars(r) |
| paddy@145 | 517 if vars["id"] == "" { |
| paddy@145 | 518 errors = append(errors, requestError{Slug: requestErrMissing, Param: "id"}) |
| paddy@145 | 519 encode(w, r, http.StatusBadRequest, response{Errors: errors}) |
| paddy@145 | 520 return |
| paddy@145 | 521 } |
| paddy@145 | 522 id, err := uuid.Parse(vars["id"]) |
| paddy@145 | 523 if err != nil { |
| paddy@145 | 524 errors = append(errors, requestError{Slug: requestErrAccessDenied}) |
| paddy@145 | 525 encode(w, r, http.StatusBadRequest, response{Errors: errors}) |
| paddy@145 | 526 return |
| paddy@145 | 527 } |
| paddy@145 | 528 username, password, ok := r.BasicAuth() |
| paddy@145 | 529 if !ok { |
| paddy@145 | 530 errors = append(errors, requestError{Slug: requestErrAccessDenied}) |
| paddy@145 | 531 encode(w, r, http.StatusUnauthorized, response{Errors: errors}) |
| paddy@145 | 532 return |
| paddy@145 | 533 } |
| paddy@145 | 534 profile, err := authenticate(username, password, context) |
| paddy@145 | 535 if err != nil { |
| paddy@145 | 536 if isAuthError(err) { |
| paddy@145 | 537 errors = append(errors, requestError{Slug: requestErrAccessDenied}) |
| paddy@145 | 538 encode(w, r, http.StatusUnauthorized, response{Errors: errors}) |
| paddy@145 | 539 } else { |
| paddy@145 | 540 errors = append(errors, requestError{Slug: requestErrActOfGod}) |
| paddy@145 | 541 encode(w, r, http.StatusInternalServerError, response{Errors: errors}) |
| paddy@145 | 542 } |
| paddy@145 | 543 return |
| paddy@145 | 544 } |
| paddy@145 | 545 if !profile.ID.Equal(id) { |
| paddy@145 | 546 errors = append(errors, requestError{Slug: requestErrAccessDenied}) |
| paddy@145 | 547 encode(w, r, http.StatusForbidden, response{Errors: errors}) |
| paddy@145 | 548 return |
| paddy@145 | 549 } |
| paddy@145 | 550 var req ProfileChange |
| paddy@145 | 551 decoder := json.NewDecoder(r.Body) |
| paddy@145 | 552 err = decoder.Decode(&req) |
| paddy@145 | 553 if err != nil { |
| paddy@145 | 554 encode(w, r, http.StatusBadRequest, invalidFormatResponse) |
| paddy@145 | 555 return |
| paddy@145 | 556 } |
| paddy@145 | 557 req.Iterations = nil |
| paddy@145 | 558 req.Salt = nil |
| paddy@145 | 559 req.PassphraseScheme = nil |
| paddy@145 | 560 req.Compromised = nil // BUG(paddy): Need a way for admins to mark accounts as compromised |
| paddy@145 | 561 req.LockedUntil = nil |
| paddy@145 | 562 req.LastSeen = nil |
| paddy@145 | 563 if req.Passphrase != nil { |
| paddy@145 | 564 if len(*req.Passphrase) < MinPassphraseLength { |
| paddy@145 | 565 errors = append(errors, requestError{Slug: requestErrInsufficient, Field: "/passphrase"}) |
| paddy@145 | 566 encode(w, r, http.StatusBadRequest, response{Errors: errors}) |
| paddy@145 | 567 return |
| paddy@145 | 568 } |
| paddy@145 | 569 if len(*req.Passphrase) > MaxPassphraseLength { |
| paddy@145 | 570 errors = append(errors, requestError{Slug: requestErrOverflow, Field: "/passphrase"}) |
| paddy@145 | 571 encode(w, r, http.StatusBadRequest, response{Errors: errors}) |
| paddy@145 | 572 return |
| paddy@145 | 573 } |
| paddy@145 | 574 iterations := context.config.iterations |
| paddy@145 | 575 scheme, ok := passphraseSchemes[CurPassphraseScheme] |
| paddy@145 | 576 if !ok { |
| paddy@145 | 577 encode(w, r, http.StatusInternalServerError, actOfGodResponse) |
| paddy@145 | 578 return |
| paddy@145 | 579 } |
| paddy@145 | 580 curScheme := CurPassphraseScheme |
| paddy@145 | 581 req.PassphraseScheme = &curScheme |
| paddy@145 | 582 passphrase, salt, err := scheme.create(*req.Passphrase, iterations) |
| paddy@145 | 583 if err != nil { |
| paddy@145 | 584 encode(w, r, http.StatusInternalServerError, actOfGodResponse) |
| paddy@145 | 585 return |
| paddy@145 | 586 } |
| paddy@145 | 587 req.Passphrase = &passphrase |
| paddy@145 | 588 req.Salt = &salt |
| paddy@145 | 589 req.Iterations = &iterations |
| paddy@145 | 590 } |
| paddy@145 | 591 if req.PassphraseReset != nil { |
| paddy@145 | 592 now := time.Now() |
| paddy@145 | 593 req.PassphraseResetCreated = &now |
| paddy@145 | 594 } |
| paddy@145 | 595 err = req.Validate() |
| paddy@145 | 596 if err != nil { |
| paddy@145 | 597 var status int |
| paddy@145 | 598 var resp response |
| paddy@145 | 599 switch err { |
| paddy@145 | 600 case ErrEmptyChange: |
| paddy@145 | 601 resp.Profiles = []Profile{profile} |
| paddy@145 | 602 status = http.StatusOK |
| paddy@145 | 603 default: |
| paddy@145 | 604 errors = append(errors, requestError{Slug: requestErrActOfGod}) |
| paddy@145 | 605 resp.Errors = errors |
| paddy@145 | 606 status = http.StatusInternalServerError |
| paddy@145 | 607 } |
| paddy@145 | 608 encode(w, r, status, resp) |
| paddy@145 | 609 return |
| paddy@145 | 610 } |
| paddy@145 | 611 err = context.UpdateProfile(id, req) |
| paddy@145 | 612 if err != nil { |
| paddy@145 | 613 if err == ErrProfileNotFound { |
| paddy@145 | 614 errors = append(errors, requestError{Slug: requestErrNotFound}) |
| paddy@145 | 615 encode(w, r, http.StatusNotFound, response{Errors: errors}) |
| paddy@145 | 616 return |
| paddy@145 | 617 } |
| paddy@145 | 618 encode(w, r, http.StatusInternalServerError, actOfGodResponse) |
| paddy@145 | 619 return |
| paddy@145 | 620 } |
| paddy@145 | 621 profile.ApplyChange(req) |
| paddy@145 | 622 encode(w, r, http.StatusOK, response{Profiles: []Profile{profile}}) |
| paddy@145 | 623 return |
| paddy@145 | 624 } |