auth

Paddy 2015-04-11 Parent:cf6c1f05eb21 Child:6f473576c6ae

160:48200d8c4036 Go to Latest

auth/session_postgres.go

Start to support deleting profiles through the API. Create a removeLoginsByProfile method on the profileStore, to allow an easy way to bulk-delete logins associated with a Profile after the Profile has been deleted. Create postgres and memstore implementations of the removeLoginsByProfile method. Create a cleanUpAfterProfileDeletion helper method that will clean up the child objects of a Profile (its Sessions, Tokens, Clients, etc.). The intended usage is to call this in a goroutine after a Profile has been deleted, to try and get things back in order. Detect when the UpdateProfileHandler API is used to set the Deleted flag of a Profile to true, and clean up after the Profile when that's the case. Add a DeleteProfileHandler API endpoint that is a shortcut to setting the Deleted flag of a Profile to true and cleaning up after the Profile. The problem with our approach thus far is that some of it is reversible and some is not. If a Profile is maliciously/accidentally deleted, it's simple enough to use the API as a superuser to restore the Profile. But doing that will not (and cannot) restore the Logins associated with that Profile, for example. While it would be nice to add a Deleted flag to our Logins that we could simply toggle, that would wreak havoc with our database constraints and ensuring uniqueness of Login values. I still don't have a solution for this, outside the superuser manually restoring a Login for the Profile, after which the user can authenticate themselves and add more Logins as desired. But there has to be a better way. I suppose since the passphrase is being stored with the Profile and not the Login, we could offer an endpoint that would automate this, but... well, that would be tricky. It would require the user remembering their Profile ID, and let's be honest, nobody's going to remember a UUID. Maybe such an endpoint would help from a customer service standpoint: we identify their Profile manually, then send them to /profiles/ID/restorelogin or something, and that lets them add a Login back to the Profile. I'll figure it out later. For now, we know we at least have enough information to identify a user is who they say they are and resolve the situation manually.

Download raw file
View source Diff to previous Annotate
History
1 package auth
2
3 import (
4 "time"
5
6 "code.secondbit.org/uuid.hg"
7
8 "github.com/lib/pq"
9 "github.com/secondbit/pan"
10 )
11
12 func (s Session) GetSQLTableName() string {
13 return "sessions"
14 }
15
16 func (p *postgres) createSessionSQL(session Session) *pan.Query {
17 fields, values := pan.GetFields(session)
18 query := pan.New(pan.POSTGRES, "INSERT INTO "+pan.GetTableName(session))
19 query.Include("(" + pan.QueryList(fields) + ")")
20 query.Include("VALUES")
21 query.Include("("+pan.VariableList(len(values))+")", values...)
22 return query.FlushExpressions(" ")
23 }
24
25 func (p *postgres) createSession(session Session) error {
26 query := p.createSessionSQL(session)
27 _, err := p.db.Exec(query.String(), query.Args...)
28 if e, ok := err.(*pq.Error); ok && e.Constraint == "sessions_pkey" {
29 err = ErrSessionAlreadyExists
30 }
31 return err
32 }
33
34 func (p *postgres) getSessionSQL(id string) *pan.Query {
35 var session Session
36 fields, _ := pan.GetFields(session)
37 query := pan.New(pan.POSTGRES, "SELECT "+pan.QueryList(fields)+" FROM "+pan.GetTableName(session))
38 query.IncludeWhere()
39 query.Include(pan.GetUnquotedColumn(session, "ID")+" = ?", id)
40 return query.FlushExpressions(" ")
41 }
42
43 func (p *postgres) getSession(id string) (Session, error) {
44 query := p.getSessionSQL(id)
45 rows, err := p.db.Query(query.String(), query.Args...)
46 if err != nil {
47 return Session{}, err
48 }
49 var session Session
50 var found bool
51 for rows.Next() {
52 err := pan.Unmarshal(rows, &session)
53 if err != nil {
54 return session, err
55 }
56 found = true
57 }
58 if err = rows.Err(); err != nil {
59 return session, err
60 }
61 if !found {
62 return session, ErrSessionNotFound
63 }
64 return session, nil
65 }
66
67 func (p *postgres) terminateSessionSQL(id string) *pan.Query {
68 var session Session
69 query := pan.New(pan.POSTGRES, "UPDATE "+pan.GetTableName(session)+" SET")
70 query.Include(pan.GetUnquotedColumn(session, "Active")+" = ?", false)
71 query.IncludeWhere()
72 query.Include(pan.GetUnquotedColumn(session, "ID")+" = ?", id)
73 return query.FlushExpressions(" ")
74 }
75
76 func (p *postgres) terminateSession(id string) error {
77 query := p.terminateSessionSQL(id)
78 res, err := p.db.Exec(query.String(), query.Args...)
79 if err != nil {
80 return err
81 }
82 rows, err := res.RowsAffected()
83 if err != nil {
84 return err
85 }
86 if rows < 1 {
87 return ErrSessionNotFound
88 }
89 return nil
90 }
91
92 func (p *postgres) removeSessionSQL(id string) *pan.Query {
93 var session Session
94 query := pan.New(pan.POSTGRES, "DELETE FROM "+pan.GetTableName(session))
95 query.IncludeWhere()
96 query.Include(pan.GetUnquotedColumn(session, "ID")+" = ?", id)
97 return query.FlushExpressions(" ")
98 }
99
100 func (p *postgres) removeSession(id string) error {
101 query := p.removeSessionSQL(id)
102 res, err := p.db.Exec(query.String(), query.Args...)
103 if err != nil {
104 return err
105 }
106 rows, err := res.RowsAffected()
107 if err != nil {
108 return err
109 }
110 if rows < 1 {
111 return ErrSessionNotFound
112 }
113 return nil
114 }
115
116 func (p *postgres) listSessionsSQL(profile uuid.ID, before time.Time, num int64) *pan.Query {
117 var session Session
118 fields, _ := pan.GetFields(session)
119 query := pan.New(pan.POSTGRES, "SELECT "+pan.QueryList(fields)+" FROM "+pan.GetTableName(session))
120 query.IncludeWhere()
121 query.Include(pan.GetUnquotedColumn(session, "ProfileID")+" = ?", profile)
122 if !before.IsZero() {
123 query.Include(pan.GetUnquotedColumn(session, "Created")+" < ?", before)
124 }
125 query.FlushExpressions(" AND ")
126 if num > 0 {
127 query.IncludeLimit(num)
128 }
129 return query.FlushExpressions(" ")
130 }
131
132 func (p *postgres) listSessions(profile uuid.ID, before time.Time, num int64) ([]Session, error) {
133 query := p.listSessionsSQL(profile, before, num)
134 rows, err := p.db.Query(query.String(), query.Args...)
135 if err != nil {
136 return []Session{}, err
137 }
138 var sessions []Session
139 for rows.Next() {
140 var session Session
141 err := pan.Unmarshal(rows, &session)
142 if err != nil {
143 return sessions, err
144 }
145 sessions = append(sessions, session)
146 }
147 if err = rows.Err(); err != nil {
148 return sessions, err
149 }
150 return sessions, nil
151 }