auth

Paddy 2014-11-11 Parent:e45bfa2abc00 Child:5bccbed6631b

auth/profile.go

Stub out sessions. Stop using the Login type when getting profile by Login, removing Logins, or recording Login use. The Login value has to be unique, anyways, and we don't actually know the Login type when getting a profile by Login. That's sort of the point. Create the concept of Sessions and a sessionStore type to manage our authentication sessions with the server. As per OWASP, we're basically just going to use a transparent, SHA256-generated random string as an ID, and store it client-side and server-side and just pass it back and forth. Add the ProfileID to the Grant type, because we need to remember who granted access. That's sort of important. Set a defaultGrantExpiration constant to an hour, so we have that one constant when creating new Grants. Create a helper that pulls the session ID out of an auth cookie, checks it against the sessionStore, and returns the Session if it's valid. Create a helper that pulls the username and password out of a basic auth header. Create a helper that authenticates a user's login and passphrase, checking them against the profileStore securely. Stub out how the cookie checking is going to work for getting grant approval. Fix the stored Grant RedirectURI to be the passed in redirect URI, not the RedirectURI that we ultimately redirect to. This is in accordance with the spec. Store the profile ID from our session in the created Grant. Stub out a GetTokenHandler that will allow users to exchange a Grant for a Token. Set a constant for the current passphrase scheme, which we will increment for each revision to the passphrase scheme, for backwards compatibility. Change the Profile iterations property to an int, not an int64, to match the code.secondbit.org/pass library (which is matching the PBKDF2 library).

Download raw file

View source Diff to previous Annotate

1 package auth

3 import (

4 "errors"

5 "time"

7 "code.secondbit.org/uuid"

8 )

10 const (

11 // MinPassphraseLength is the minimum length, in bytes, of a passphrase, exclusive.

12 MinPassphraseLength = 6

13 // MaxPassphraseLength is the maximum length, in bytes, of a passphrase, exclusive.

14 MaxPassphraseLength = 64

15 // CurPassphraseScheme is the current passphrase scheme. Incrememnt it when we use a different passphrase scheme

16 CurPassphraseScheme = 1

17 )

19 var (

20 // ErrNoProfileStore is returned when a Context tries to act on a profileStore without setting one first.

21 ErrNoProfileStore = errors.New("no profileStore was specified for the Context")

22 // ErrProfileAlreadyExists is returned when a Profile is added to a profileStore, but another Profile with

23 // the same ID already exists in the profileStore.

24 ErrProfileAlreadyExists = errors.New("profile already exists in profileStore")

25 // ErrProfileNotFound is returned when a Profile is requested but not found in the profileStore.

26 ErrProfileNotFound = errors.New("profile not found in profileStore")

27 // ErrLoginAlreadyExists is returned when a Login is added to a profileStore, but another Login with the same

28 // Type and Value already exists in the profileStore.

29 ErrLoginAlreadyExists = errors.New("login already exists in profileStore")

30 // ErrLoginNotFound is returned when a Login is requested but not found in the profileStore.

31 ErrLoginNotFound = errors.New("login not found in profileStore")

33 // ErrMissingPassphrase is returned when a ProfileChange is validated but does not contain a

34 // Passphrase, and requires one.

35 ErrMissingPassphrase = errors.New("missing passphrase")

36 // ErrMissingPassphraseReset is returned when a ProfileChange is validated but does not contain

37 // a PassphraseReset, and requires one.

38 ErrMissingPassphraseReset = errors.New("missing passphrase reset")

39 // ErrMissingPassphraseResetCreated is returned when a ProfileChange is validated but does not

40 // contain a PassphraseResetCreated, and requires one.

41 ErrMissingPassphraseResetCreated = errors.New("missing passphrase reset created timestamp")

42 // ErrPassphraseTooShort is returned when a ProfileChange is validated and contains a Passphrase,

43 // but the Passphrase is shorter than MinPassphraseLength.

44 ErrPassphraseTooShort = errors.New("passphrase too short")

45 // ErrPassphraseTooLong is returned when a ProfileChange is validated and contains a Passphrase,

46 // but the Passphrase is longer than MaxPassphraseLength.

47 ErrPassphraseTooLong = errors.New("passphrase too long")

48 )

50 // Profile represents a single user of the service,

51 // including their authentication information, but not

52 // including their username or email.

53 type Profile struct {

54 ID uuid.ID

55 Name string

56 Passphrase string

57 Iterations int

58 Salt string

59 PassphraseScheme int

60 Compromised bool

61 LockedUntil time.Time

62 PassphraseReset string

63 PassphraseResetCreated time.Time

64 Created time.Time

65 LastSeen time.Time

66 }

68 // ApplyChange applies the properties of the passed ProfileChange

69 // to the Profile it is called on.

70 func (p *Profile) ApplyChange(change ProfileChange) {

71 if change.Name != nil {

72 p.Name = *change.Name

73 }

74 if change.Passphrase != nil {

75 p.Passphrase = *change.Passphrase

76 }

77 if change.Iterations != nil {

78 p.Iterations = *change.Iterations

79 }

80 if change.Salt != nil {

81 p.Salt = *change.Salt

82 }

83 if change.PassphraseScheme != nil {

84 p.PassphraseScheme = *change.PassphraseScheme

85 }

86 if change.Compromised != nil {

87 p.Compromised = *change.Compromised

88 }

89 if change.LockedUntil != nil {

90 p.LockedUntil = *change.LockedUntil

91 }

92 if change.PassphraseReset != nil {

93 p.PassphraseReset = *change.PassphraseReset

94 }

95 if change.PassphraseResetCreated != nil {

96 p.PassphraseResetCreated = *change.PassphraseResetCreated

97 }

98 if change.LastSeen != nil {

99 p.LastSeen = *change.LastSeen

100 }

101 }

102

103 // ApplyBulkChange applies the properties of the passed BulkProfileChange

104 // to the Profile it is called on.

105 func (p *Profile) ApplyBulkChange(change BulkProfileChange) {

106 if change.Compromised != nil {

107 p.Compromised = *change.Compromised

108 }

109 }

110

111 // ProfileChange represents a single atomic change to a Profile's mutable data.

112 type ProfileChange struct {

113 Name *string

114 Passphrase *string

115 Iterations *int

116 Salt *string

117 PassphraseScheme *int

118 Compromised *bool

119 LockedUntil *time.Time

120 PassphraseReset *string

121 PassphraseResetCreated *time.Time

122 LastSeen *time.Time

123 }

124

125 // Validate checks the ProfileChange it is called on

126 // and asserts its internal validity, or lack thereof.

127 // A descriptive error will be returned in the case of

128 // an invalid change.

129 func (c ProfileChange) Validate() error {

130 if c.Name == nil && c.Passphrase == nil && c.Iterations == nil && c.Salt == nil && c.PassphraseScheme == nil && c.Compromised == nil && c.LockedUntil == nil && c.PassphraseReset == nil && c.PassphraseResetCreated == nil && c.LastSeen == nil {

131 return ErrEmptyChange

132 }

133 if c.PassphraseScheme != nil && c.Passphrase == nil {

134 return ErrMissingPassphrase

135 }

136 if c.PassphraseReset != nil && c.PassphraseResetCreated == nil {

137 return ErrMissingPassphraseResetCreated

138 }

139 if c.PassphraseReset == nil && c.PassphraseResetCreated != nil {

140 return ErrMissingPassphraseReset

141 }

142 if c.Salt != nil && c.Passphrase == nil {