auth

Paddy 2014-11-11 Parent:e45bfa2abc00 Child:61a802849b51

69:42bc3e44f4fe Go to Latest

auth/token.go

Stub out sessions. Stop using the Login type when getting profile by Login, removing Logins, or recording Login use. The Login value has to be unique, anyways, and we don't actually know the Login type when getting a profile by Login. That's sort of the point. Create the concept of Sessions and a sessionStore type to manage our authentication sessions with the server. As per OWASP, we're basically just going to use a transparent, SHA256-generated random string as an ID, and store it client-side and server-side and just pass it back and forth. Add the ProfileID to the Grant type, because we need to remember who granted access. That's sort of important. Set a defaultGrantExpiration constant to an hour, so we have that one constant when creating new Grants. Create a helper that pulls the session ID out of an auth cookie, checks it against the sessionStore, and returns the Session if it's valid. Create a helper that pulls the username and password out of a basic auth header. Create a helper that authenticates a user's login and passphrase, checking them against the profileStore securely. Stub out how the cookie checking is going to work for getting grant approval. Fix the stored Grant RedirectURI to be the passed in redirect URI, not the RedirectURI that we ultimately redirect to. This is in accordance with the spec. Store the profile ID from our session in the created Grant. Stub out a GetTokenHandler that will allow users to exchange a Grant for a Token. Set a constant for the current passphrase scheme, which we will increment for each revision to the passphrase scheme, for backwards compatibility. Change the Profile iterations property to an int, not an int64, to match the code.secondbit.org/pass library (which is matching the PBKDF2 library).

Download raw file
View source Diff to previous Annotate
History
1 package auth
2
3 import (
4 "errors"
5 "time"
6
7 "code.secondbit.org/uuid"
8 )
9
10 const (
11 defaultTokenExpiration = 3600 // one hour
12 )
13
14 var (
15 // ErrNoTokenStore is returned when a Context tries to act on a tokenStore without setting one first.
16 ErrNoTokenStore = errors.New("no tokenStore was specified for the Context")
17 // ErrTokenNotFound is returned when a Token is requested but not found in a tokenStore.
18 ErrTokenNotFound = errors.New("token not found in tokenStore")
19 // ErrTokenAlreadyExists is returned when a Token is added to a tokenStore, but another Token with
20 // the same AccessToken property already exists in the tokenStore.
21 ErrTokenAlreadyExists = errors.New("token already exists in tokenStore")
22 )
23
24 // Token represents an access and/or refresh token that the Client can use to access user data
25 // or obtain a new access token.
26 type Token struct {
27 AccessToken string
28 RefreshToken string
29 Created time.Time
30 ExpiresIn int32
31 TokenType string
32 Scope string
33 ProfileID uuid.ID
34 }
35
36 type tokenStore interface {
37 getToken(token string, refresh bool) (Token, error)
38 saveToken(token Token) error
39 removeToken(token string) error
40 getTokensByProfileID(profileID uuid.ID, num, offset int) ([]Token, error)
41 }
42
43 func (m *memstore) getToken(token string, refresh bool) (Token, error) {
44 if refresh {
45 t, err := m.lookupTokenByRefresh(token)
46 if err != nil {
47 return Token{}, err
48 }
49 token = t
50 }
51 m.tokenLock.RLock()
52 defer m.tokenLock.RUnlock()
53 result, ok := m.tokens[token]
54 if !ok {
55 return Token{}, ErrTokenNotFound
56 }
57 return result, nil
58 }
59
60 func (m *memstore) saveToken(token Token) error {
61 m.tokenLock.Lock()
62 defer m.tokenLock.Unlock()
63 _, ok := m.tokens[token.AccessToken]
64 if ok {
65 return ErrTokenAlreadyExists
66 }
67 m.tokens[token.AccessToken] = token
68 if token.RefreshToken != "" {
69 m.refreshTokenLookup[token.RefreshToken] = token.AccessToken
70 }
71 if _, ok = m.profileTokenLookup[token.ProfileID.String()]; ok {
72 m.profileTokenLookup[token.ProfileID.String()] = append(m.profileTokenLookup[token.ProfileID.String()], token.AccessToken)
73 } else {
74 m.profileTokenLookup[token.ProfileID.String()] = []string{token.AccessToken}
75 }
76 return nil
77 }
78
79 func (m *memstore) removeToken(token string) error {
80 m.tokenLock.Lock()
81 defer m.tokenLock.Unlock()
82 t, ok := m.tokens[token]
83 if !ok {
84 return ErrTokenNotFound
85 }
86 delete(m.tokens, token)
87 if t.RefreshToken != "" {
88 delete(m.refreshTokenLookup, t.RefreshToken)
89 }
90 pos := -1
91 for p, item := range m.profileTokenLookup[t.ProfileID.String()] {
92 if item == token {
93 pos = p
94 break
95 }
96 }
97 if pos >= 0 {
98 m.profileTokenLookup[t.ProfileID.String()] = append(m.profileTokenLookup[t.ProfileID.String()][:pos], m.profileTokenLookup[t.ProfileID.String()][pos+1:]...)
99 }
100 return nil
101 }
102
103 func (m *memstore) getTokensByProfileID(profileID uuid.ID, num, offset int) ([]Token, error) {
104 ids, err := m.lookupTokensByProfileID(profileID.String())
105 if err != nil {
106 return []Token{}, err
107 }
108 if len(ids) > num+offset {
109 ids = ids[offset : num+offset]
110 } else if len(ids) > offset {
111 ids = ids[offset:]
112 } else {
113 return []Token{}, nil
114 }
115 tokens := []Token{}
116 for _, id := range ids {
117 token, err := m.getToken(id, false)
118 if err != nil {
119 return []Token{}, err
120 }
121 tokens = append(tokens, token)
122 }
123 return tokens, nil
124 }