auth
auth/context.go
Stub out sessions. Stop using the Login type when getting profile by Login, removing Logins, or recording Login use. The Login value has to be unique, anyways, and we don't actually know the Login type when getting a profile by Login. That's sort of the point. Create the concept of Sessions and a sessionStore type to manage our authentication sessions with the server. As per OWASP, we're basically just going to use a transparent, SHA256-generated random string as an ID, and store it client-side and server-side and just pass it back and forth. Add the ProfileID to the Grant type, because we need to remember who granted access. That's sort of important. Set a defaultGrantExpiration constant to an hour, so we have that one constant when creating new Grants. Create a helper that pulls the session ID out of an auth cookie, checks it against the sessionStore, and returns the Session if it's valid. Create a helper that pulls the username and password out of a basic auth header. Create a helper that authenticates a user's login and passphrase, checking them against the profileStore securely. Stub out how the cookie checking is going to work for getting grant approval. Fix the stored Grant RedirectURI to be the passed in redirect URI, not the RedirectURI that we ultimately redirect to. This is in accordance with the spec. Store the profile ID from our session in the created Grant. Stub out a GetTokenHandler that will allow users to exchange a Grant for a Token. Set a constant for the current passphrase scheme, which we will increment for each revision to the passphrase scheme, for backwards compatibility. Change the Profile iterations property to an int, not an int64, to match the code.secondbit.org/pass library (which is matching the PBKDF2 library).
1.1 --- a/context.go Sun Nov 09 00:22:38 2014 -0500 1.2 +++ b/context.go Tue Nov 11 21:13:16 2014 -0500 1.3 @@ -18,6 +18,7 @@ 1.4 grants grantStore 1.5 profiles profileStore 1.6 tokens tokenStore 1.7 + sessions sessionStore 1.8 } 1.9 1.10 // Render uses the HTML templates associated with the Context to render the 1.11 @@ -163,11 +164,11 @@ 1.12 1.13 // GetProfileByLogin returns the Profile associated with the specified Login from the profileStore associated 1.14 // with the Context. 1.15 -func (c Context) GetProfileByLogin(loginType, value string) (Profile, error) { 1.16 +func (c Context) GetProfileByLogin(value string) (Profile, error) { 1.17 if c.profiles == nil { 1.18 return Profile{}, ErrNoProfileStore 1.19 } 1.20 - return c.profiles.getProfileByLogin(loginType, value) 1.21 + return c.profiles.getProfileByLogin(value) 1.22 } 1.23 1.24 // SaveProfile inserts the passed Profile into the profileStore associated with the Context. 1.25 @@ -217,20 +218,20 @@ 1.26 // RemoveLogin removes the specified Login from the profileStore associated with the Context, provided 1.27 // the Login has a ProfileID property that matches the profile ID passed in. It also disassociates the 1.28 // deleted Login from the Profile in login.ProfileID. 1.29 -func (c Context) RemoveLogin(loginType, value string, profile uuid.ID) error { 1.30 +func (c Context) RemoveLogin(value string, profile uuid.ID) error { 1.31 if c.profiles == nil { 1.32 return ErrNoProfileStore 1.33 } 1.34 - return c.profiles.removeLogin(loginType, value, profile) 1.35 + return c.profiles.removeLogin(value, profile) 1.36 } 1.37 1.38 // RecordLoginUse sets the LastUsed property of the Login specified in the profileStore associated with 1.39 // the Context to the value passed in as when. 1.40 -func (c Context) RecordLoginUse(loginType, value string, when time.Time) error { 1.41 +func (c Context) RecordLoginUse(value string, when time.Time) error { 1.42 if c.profiles == nil { 1.43 return ErrNoProfileStore 1.44 } 1.45 - return c.profiles.recordLoginUse(loginType, value, when) 1.46 + return c.profiles.recordLoginUse(value, when) 1.47 } 1.48 1.49 // ListLogins returns a slice of up to num Logins associated with the specified Profile from the profileStore 1.50 @@ -277,3 +278,39 @@ 1.51 } 1.52 return c.tokens.getTokensByProfileID(profileID, num, offset) 1.53 } 1.54 + 1.55 +// CreateSession stores the passed Session in the sessionStore associated with the Context. 1.56 +func (c Context) CreateSession(session Session) error { 1.57 + if c.sessions == nil { 1.58 + return ErrNoSessionStore 1.59 + } 1.60 + return c.sessions.createSession(session) 1.61 +} 1.62 + 1.63 +// GetSession returns the Session specified from the sessionStore associated with the Context. 1.64 +func (c Context) GetSession(id string) (Session, error) { 1.65 + if c.sessions == nil { 1.66 + return Session{}, ErrNoSessionStore 1.67 + } 1.68 + return c.sessions.getSession(id) 1.69 +} 1.70 + 1.71 +// RemoveSession removes the Session identified by the passed ID from the sessionStore associated with 1.72 +// the Context. 1.73 +func (c Context) RemoveSession(id string) error { 1.74 + if c.sessions == nil { 1.75 + return ErrNoSessionStore 1.76 + } 1.77 + return c.sessions.removeSession(id) 1.78 +} 1.79 + 1.80 +// ListSessions returns a slice of up to num Sessions from the sessionStore associated with the Context, 1.81 +// ordered by the date they were created, descending. If before.IsZero() returns false, only Sessions 1.82 +// that were created before that time will be returned. If profile is not nil, only Sessions belonging to 1.83 +// that Profile will be returned. 1.84 +func (c Context) ListSessions(profile uuid.ID, before time.Time, num int64) ([]Session, error) { 1.85 + if c.sessions != nil { 1.86 + return []Session{}, ErrNoSessionStore 1.87 + } 1.88 + return c.sessions.listSessions(profile, before, num) 1.89 +}