auth
auth/profile.go
Clean up sessions and tokens after Profile is deleted. Add a terminateSessionsByProfile method to our sessionStore to mark Sessions associated with a Profile as inactive. Implement memstore and postgres implementations of the terminateSessionsByProfile method. Add a TerminateSessionsByProfile wrapper method to Context. Add a revokeTokensByProfileID method to our tokenStore to mark Tokens associated with a Profile as revoked. Implement memstore and postgres implementation of the revokeTokensByProfileID method. Add a RevokeTokensByProfileID wrapper method to Context. Call our RevokeTokensByProfileID and TerminateSessionsByProfile methods after a Profile is deleted, to clean up the Tokens and Sessions associated with it.
1 package auth
3 import (
4 "encoding/json"
5 "errors"
6 "log"
7 "net/http"
8 "regexp"
9 "strings"
10 "time"
12 "code.secondbit.org/uuid.hg"
13 "github.com/gorilla/mux"
14 )
16 const (
17 // MinPassphraseLength is the minimum length, in bytes, of a passphrase, exclusive.
18 MinPassphraseLength = 6
19 // MaxPassphraseLength is the maximum length, in bytes, of a passphrase, exclusive.
20 MaxPassphraseLength = 64
21 // CurPassphraseScheme is the current passphrase scheme. Incrememnt it when we use a different passphrase scheme
22 CurPassphraseScheme = 1
23 // MaxNameLength is the maximum length, in bytes, of a name, exclusive.
24 MaxNameLength = 64
25 // MaxEmailLength is the maximum length, in bytes, of an email address, exclusive.
26 MaxEmailLength = 64
27 )
29 var (
30 // ErrNoProfileStore is returned when a Context tries to act on a profileStore without setting one first.
31 ErrNoProfileStore = errors.New("no profileStore was specified for the Context")
32 // ErrProfileAlreadyExists is returned when a Profile is added to a profileStore, but another Profile with
33 // the same ID already exists in the profileStore.
34 ErrProfileAlreadyExists = errors.New("profile already exists in profileStore")
35 // ErrProfileNotFound is returned when a Profile is requested but not found in the profileStore.
36 ErrProfileNotFound = errors.New("profile not found in profileStore")
37 // ErrLoginAlreadyExists is returned when a Login is added to a profileStore, but another Login with the same
38 // Type and Value already exists in the profileStore.
39 ErrLoginAlreadyExists = errors.New("login already exists in profileStore")
40 // ErrLoginNotFound is returned when a Login is requested but not found in the profileStore.
41 ErrLoginNotFound = errors.New("login not found in profileStore")
43 // ErrMissingPassphrase is returned when a ProfileChange is validated but does not contain a
44 // Passphrase, and requires one.
45 ErrMissingPassphrase = errors.New("missing passphrase")
46 // ErrMissingPassphraseReset is returned when a ProfileChange is validated but does not contain
47 // a PassphraseReset, and requires one.
48 ErrMissingPassphraseReset = errors.New("missing passphrase reset")
49 // ErrMissingPassphraseResetCreated is returned when a ProfileChange is validated but does not
50 // contain a PassphraseResetCreated, and requires one.
51 ErrMissingPassphraseResetCreated = errors.New("missing passphrase reset created timestamp")
52 // ErrPassphraseTooShort is returned when a ProfileChange is validated and contains a Passphrase,
53 // but the Passphrase is shorter than MinPassphraseLength.
54 ErrPassphraseTooShort = errors.New("passphrase too short")
55 // ErrPassphraseTooLong is returned when a ProfileChange is validated and contains a Passphrase,
56 // but the Passphrase is longer than MaxPassphraseLength.
57 ErrPassphraseTooLong = errors.New("passphrase too long")
59 // ErrProfileCompromised is returned when a user tries to log in with a profile that is suspected
60 // of being compromised.
61 ErrProfileCompromised = errors.New("profile compromised")
62 // ErrProfileLocked is returned when a user tries to log in with a profile that is locked for a certain
63 // duration, to prevent brute force attacks.
64 ErrProfileLocked = errors.New("profile locked")
65 )
67 // Profile represents a single user of the service,
68 // including their authentication information.
69 type Profile struct {
70 ID uuid.ID `json:"id,omitempty"`
71 Name string `json:"name,omitempty"`
72 Passphrase string `json:"-"`
73 Iterations int `json:"-"`
74 Salt string `json:"-"`
75 PassphraseScheme int `json:"-"`
76 Compromised bool `json:"-"`
77 LockedUntil time.Time `json:"-"`
78 PassphraseReset string `json:"-"`
79 PassphraseResetCreated time.Time `json:"-"`
80 Created time.Time `json:"created,omitempty"`
81 LastSeen time.Time `json:"last_seen,omitempty"`
82 }
84 // ApplyChange applies the properties of the passed ProfileChange
85 // to the Profile it is called on.
86 func (p *Profile) ApplyChange(change ProfileChange) {
87 if change.Name != nil {
88 p.Name = *change.Name
89 }
90 if change.Passphrase != nil {
91 p.Passphrase = *change.Passphrase
92 }
93 if change.Iterations != nil {
94 p.Iterations = *change.Iterations
95 }
96 if change.Salt != nil {
97 p.Salt = *change.Salt
98 }
99 if change.PassphraseScheme != nil {
100 p.PassphraseScheme = *change.PassphraseScheme
101 }
102 if change.Compromised != nil {
103 p.Compromised = *change.Compromised
104 }
105 if change.LockedUntil != nil {
106 p.LockedUntil = *change.LockedUntil
107 }
108 if change.PassphraseReset != nil {
109 p.PassphraseReset = *change.PassphraseReset
110 }
111 if change.PassphraseResetCreated != nil {
112 p.PassphraseResetCreated = *change.PassphraseResetCreated
113 }
114 if change.LastSeen != nil {
115 p.LastSeen = *change.LastSeen
116 }
117 }
119 // ApplyBulkChange applies the properties of the passed BulkProfileChange
120 // to the Profile it is called on.
121 func (p *Profile) ApplyBulkChange(change BulkProfileChange) {
122 if change.Compromised != nil {
123 p.Compromised = *change.Compromised
124 }
125 }
127 // ProfileChange represents a single atomic change to a Profile's mutable data.
128 type ProfileChange struct {
129 Name *string
130 Passphrase *string
131 Iterations *int
132 Salt *string
133 PassphraseScheme *int
134 Compromised *bool
135 LockedUntil *time.Time
136 PassphraseReset *string
137 PassphraseResetCreated *time.Time
138 LastSeen *time.Time
139 }
141 func (c ProfileChange) Empty() bool {
142 return (c.Name == nil && c.Passphrase == nil && c.Iterations == nil && c.Salt == nil && c.PassphraseScheme == nil && c.Compromised == nil && c.LockedUntil == nil && c.PassphraseReset == nil && c.PassphraseResetCreated == nil && c.LastSeen == nil)
143 }
145 // Validate checks the ProfileChange it is called on
146 // and asserts its internal validity, or lack thereof.
147 // A descriptive error will be returned in the case of
148 // an invalid change.
149 func (c ProfileChange) Validate() error {
150 if c.Empty() {
151 return ErrEmptyChange
152 }
153 if c.PassphraseScheme != nil && c.Passphrase == nil {
154 return ErrMissingPassphrase
155 }
156 if c.PassphraseReset != nil && c.PassphraseResetCreated == nil {
157 return ErrMissingPassphraseResetCreated
158 }
159 if c.PassphraseReset == nil && c.PassphraseResetCreated != nil {
160 return ErrMissingPassphraseReset
161 }
162 if c.Salt != nil && c.Passphrase == nil {
163 return ErrMissingPassphrase
164 }
165 if c.Iterations != nil && c.Passphrase == nil {
166 return ErrMissingPassphrase
167 }
168 return nil
169 }
171 // BulkProfileChange represents a single atomic change to many Profiles' mutable data.
172 // It is a subset of a ProfileChange, as it doesn't make sense to mutate some of the
173 // ProfileChange values across many Profiles all at once.
174 type BulkProfileChange struct {
175 Compromised *bool
176 }
178 func (b BulkProfileChange) Empty() bool {
179 return b.Compromised == nil
180 }
182 // Validate checks the BulkProfileChange it is called on
183 // and asserts its internal validity, or lack thereof.
184 // A descriptive error will be returned in the case of an
185 // invalid change.
186 func (b BulkProfileChange) Validate() error {
187 if b.Empty() {
188 return ErrEmptyChange
189 }
190 return nil
191 }
193 // Login represents a single human-friendly identifier for
194 // a given Profile that can be used to log into that Profile.
195 // Each Profile may only have one Login for each Type.
196 type Login struct {
197 Type string `json:"type,omitempty"`
198 Value string `json:"value,omitempty"`
199 ProfileID uuid.ID `json:"profile_id,omitempty"`
200 Created time.Time `json:"created,omitempty"`
201 LastUsed time.Time `json:"last_used,omitempty"`
202 }
204 type newProfileRequest struct {
205 Email string `json:"email"`
206 Passphrase string `json:"passphrase"`
207 Name string `json:"name"`
208 }
210 func validateNewProfileRequest(req *newProfileRequest) []requestError {
211 errors := []requestError{}
212 req.Name = strings.TrimSpace(req.Name)
213 req.Email = strings.TrimSpace(req.Email)
214 if len(req.Passphrase) < MinPassphraseLength {
215 errors = append(errors, requestError{
216 Slug: requestErrInsufficient,
217 Field: "/passphrase",
218 })
219 }
220 if len(req.Passphrase) > MaxPassphraseLength {
221 errors = append(errors, requestError{
222 Slug: requestErrOverflow,
223 Field: "/passphrase",
224 })
225 }
226 if len(req.Name) > MaxNameLength {
227 errors = append(errors, requestError{
228 Slug: requestErrOverflow,
229 Field: "/name",
230 })
231 }
232 if req.Email == "" {
233 errors = append(errors, requestError{
234 Slug: requestErrMissing,
235 Field: "/email",
236 })
237 }
238 if len(req.Email) > MaxEmailLength {
239 errors = append(errors, requestError{
240 Slug: requestErrOverflow,
241 Field: "/email",
242 })
243 }
244 re := regexp.MustCompile(".+@.+\\..+")
245 if !re.Match([]byte(req.Email)) {
246 errors = append(errors, requestError{
247 Slug: requestErrInvalidFormat,
248 Field: "/email",
249 })
250 }
251 return errors
252 }
254 type profileStore interface {
255 getProfileByID(id uuid.ID) (Profile, error)
256 getProfileByLogin(value string) (Profile, error)
257 saveProfile(profile Profile) error
258 updateProfile(id uuid.ID, change ProfileChange) error
259 updateProfiles(ids []uuid.ID, change BulkProfileChange) error
260 deleteProfile(id uuid.ID) error
262 addLogin(login Login) error
263 removeLogin(value string, profile uuid.ID) error
264 removeLoginsByProfile(profile uuid.ID) error
265 recordLoginUse(value string, when time.Time) error
266 listLogins(profile uuid.ID, num, offset int) ([]Login, error)
267 }
269 func (m *memstore) getProfileByID(id uuid.ID) (Profile, error) {
270 m.profileLock.RLock()
271 defer m.profileLock.RUnlock()
272 p, ok := m.profiles[id.String()]
273 if !ok {
274 return Profile{}, ErrProfileNotFound
275 }
276 return p, nil
277 }
279 func (m *memstore) getProfileByLogin(value string) (Profile, error) {
280 m.loginLock.RLock()
281 defer m.loginLock.RUnlock()
282 login, ok := m.logins[value]
283 if !ok {
284 return Profile{}, ErrLoginNotFound
285 }
286 m.profileLock.RLock()
287 defer m.profileLock.RUnlock()
288 profile, ok := m.profiles[login.ProfileID.String()]
289 if !ok {
290 return Profile{}, ErrProfileNotFound
291 }
292 return profile, nil
293 }
295 func (m *memstore) saveProfile(profile Profile) error {
296 m.profileLock.Lock()
297 defer m.profileLock.Unlock()
298 _, ok := m.profiles[profile.ID.String()]
299 if ok {
300 return ErrProfileAlreadyExists
301 }
302 m.profiles[profile.ID.String()] = profile
303 return nil
304 }
306 func (m *memstore) updateProfile(id uuid.ID, change ProfileChange) error {
307 m.profileLock.Lock()
308 defer m.profileLock.Unlock()
309 p, ok := m.profiles[id.String()]
310 if !ok {
311 return ErrProfileNotFound
312 }
313 p.ApplyChange(change)
314 m.profiles[id.String()] = p
315 return nil
316 }
318 func (m *memstore) updateProfiles(ids []uuid.ID, change BulkProfileChange) error {
319 m.profileLock.Lock()
320 defer m.profileLock.Unlock()
321 for id, profile := range m.profiles {
322 for _, i := range ids {
323 if id == i.String() {
324 profile.ApplyBulkChange(change)
325 m.profiles[id] = profile
326 break
327 }
328 }
329 }
330 return nil
331 }
333 func (m *memstore) deleteProfile(id uuid.ID) error {
334 m.profileLock.Lock()
335 defer m.profileLock.Unlock()
336 if _, ok := m.profiles[id.String()]; !ok {
337 return ErrProfileNotFound
338 }
339 delete(m.profiles, id.String())
340 return nil
341 }
343 func (m *memstore) addLogin(login Login) error {
344 m.loginLock.Lock()
345 defer m.loginLock.Unlock()
346 _, ok := m.logins[login.Value]
347 if ok {
348 return ErrLoginAlreadyExists
349 }
350 m.logins[login.Value] = login
351 m.profileLoginLookup[login.ProfileID.String()] = append(m.profileLoginLookup[login.ProfileID.String()], login.Value)
352 return nil
353 }
355 func (m *memstore) removeLogin(value string, profile uuid.ID) error {
356 m.loginLock.Lock()
357 defer m.loginLock.Unlock()
358 l, ok := m.logins[value]
359 if !ok {
360 return ErrLoginNotFound
361 }
362 if !l.ProfileID.Equal(profile) {
363 return ErrLoginNotFound
364 }
365 delete(m.logins, value)
366 pos := -1
367 for p, id := range m.profileLoginLookup[profile.String()] {
368 if id == value {
369 pos = p
370 break
371 }
372 }
373 if pos >= 0 {
374 m.profileLoginLookup[profile.String()] = append(m.profileLoginLookup[profile.String()][:pos], m.profileLoginLookup[profile.String()][pos+1:]...)
375 }
376 return nil
377 }
379 func (m *memstore) removeLoginsByProfile(profile uuid.ID) error {
380 m.loginLock.Lock()
381 defer m.loginLock.Unlock()
382 logins, ok := m.profileLoginLookup[profile.String()]
383 if !ok {
384 return ErrProfileNotFound
385 }
386 delete(m.profileLoginLookup, profile.String())
387 for _, login := range logins {
388 delete(m.logins, login)
389 }
390 return nil
391 }
393 func (m *memstore) recordLoginUse(value string, when time.Time) error {
394 m.loginLock.Lock()
395 defer m.loginLock.Unlock()
396 l, ok := m.logins[value]
397 if !ok {
398 return ErrLoginNotFound
399 }
400 l.LastUsed = when
401 m.logins[value] = l
402 return nil
403 }
405 func (m *memstore) listLogins(profile uuid.ID, num, offset int) ([]Login, error) {
406 m.loginLock.RLock()
407 defer m.loginLock.RUnlock()
408 ids, ok := m.profileLoginLookup[profile.String()]
409 if !ok {
410 return []Login{}, nil
411 }
412 if len(ids) > num+offset {
413 ids = ids[offset : num+offset]
414 } else if len(ids) > offset {
415 ids = ids[offset:]
416 } else {
417 return []Login{}, nil
418 }
419 logins := []Login{}
420 for _, id := range ids {
421 login, ok := m.logins[id]
422 if !ok {
423 continue
424 }
425 logins = append(logins, login)
426 }
427 return logins, nil
428 }
430 func cleanUpAfterProfileDeletion(profile uuid.ID, context Context) {
431 err := context.RemoveLoginsByProfile(profile)
432 if err != nil {
433 log.Printf("Error removing logins from profile %s: %+v\n", profile, err)
434 }
435 err = context.TerminateSessionsByProfile(profile)
436 if err != nil {
437 log.Printf("Error terminating sessions associated with profile %s: %+v\n", profile, err)
438 }
439 err = context.RevokeTokensByProfileID(profile)
440 if err != nil {
441 log.Printf("Error revoking tokens associated with profile %s: %+v\n", profile, err)
442 }
443 // BUG(paddy): need to delete all the grants associated with the Profile
444 // BUG(paddy): need to delete all clients associated with the Profile
445 }
447 // RegisterProfileHandlers adds handlers to the passed router to handle the profile endpoints, like registration and user retrieval.
448 func RegisterProfileHandlers(r *mux.Router, context Context) {
449 r.Handle("/profiles", wrap(context, CreateProfileHandler)).Methods("POST")
450 // BUG(paddy): We need to implement a handler that will return information about a profile or set of profiles.
451 r.Handle("/profiles/{id}", wrap(context, UpdateProfileHandler)).Methods("PATCH")
452 r.Handle("/profiles/{id}", wrap(context, DeleteProfileHandler)).Methods("DELETE")
453 // BUG(paddy): We need to implement a handler that will add a login to a profile.
454 // BUG(paddy): We need to implement a handler that will remove a login from a profile. What happens to sessions created with that login?
455 // BUG(paddy): We need to implement a handler that will list the logins attached to a profile.
456 }
458 // CreateProfileHandler is an HTTP handler for registering new profiles.
459 func CreateProfileHandler(w http.ResponseWriter, r *http.Request, context Context) {
460 scheme, ok := passphraseSchemes[CurPassphraseScheme]
461 if !ok {
462 log.Printf("Error selecting passphrase scheme #%d\n", CurPassphraseScheme)
463 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
464 return
465 }
466 var req newProfileRequest
467 errors := []requestError{}
468 decoder := json.NewDecoder(r.Body)
469 err := decoder.Decode(&req)
470 if err != nil {
471 encode(w, r, http.StatusBadRequest, invalidFormatResponse)
472 return
473 }
474 errors = append(errors, validateNewProfileRequest(&req)...)
475 if len(errors) > 0 {
476 encode(w, r, http.StatusBadRequest, response{Errors: errors})
477 return
478 }
479 passphrase, salt, err := scheme.create(req.Passphrase, context.config.iterations)
480 if err != nil {
481 log.Printf("Error creating encoded passphrase: %#+v\n", err)
482 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
483 return
484 }
485 profile := Profile{
486 ID: uuid.NewID(),
487 Name: req.Name,
488 Passphrase: string(passphrase),
489 Iterations: context.config.iterations,
490 Salt: string(salt),
491 PassphraseScheme: CurPassphraseScheme,
492 Created: time.Now(),
493 LastSeen: time.Now(),
494 }
495 err = context.SaveProfile(profile)
496 if err != nil {
497 if err == ErrProfileAlreadyExists {
498 encode(w, r, http.StatusBadRequest, response{Errors: []requestError{{Slug: requestErrConflict, Field: "/id"}}})
499 return
500 }
501 log.Printf("Error saving profile: %#+v\n", err)
502 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
503 return
504 }
505 logins := []Login{}
506 login := Login{
507 Type: "email",
508 Value: req.Email,
509 Created: profile.Created,
510 LastUsed: profile.Created,
511 ProfileID: profile.ID,
512 }
513 err = context.AddLogin(login)
514 if err != nil {
515 if err == ErrLoginAlreadyExists {
516 encode(w, r, http.StatusBadRequest, response{Errors: []requestError{{Slug: requestErrConflict, Field: "/email"}}})
517 return
518 }
519 log.Printf("Error adding login: %#+v\n", err)
520 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
521 return
522 }
523 logins = append(logins, login)
524 resp := response{
525 Logins: logins,
526 Profiles: []Profile{profile},
527 }
528 encode(w, r, http.StatusCreated, resp)
529 // TODO(paddy): should we kick off the email validation flow?
530 }
532 func UpdateProfileHandler(w http.ResponseWriter, r *http.Request, context Context) {
533 errors := []requestError{}
534 vars := mux.Vars(r)
535 if vars["id"] == "" {
536 errors = append(errors, requestError{Slug: requestErrMissing, Param: "id"})
537 encode(w, r, http.StatusBadRequest, response{Errors: errors})
538 return
539 }
540 id, err := uuid.Parse(vars["id"])
541 if err != nil {
542 errors = append(errors, requestError{Slug: requestErrAccessDenied})
543 encode(w, r, http.StatusBadRequest, response{Errors: errors})
544 return
545 }
546 username, password, ok := r.BasicAuth()
547 if !ok {
548 errors = append(errors, requestError{Slug: requestErrAccessDenied})
549 encode(w, r, http.StatusUnauthorized, response{Errors: errors})
550 return
551 }
552 profile, err := authenticate(username, password, context)
553 if err != nil {
554 if isAuthError(err) {
555 errors = append(errors, requestError{Slug: requestErrAccessDenied})
556 encode(w, r, http.StatusUnauthorized, response{Errors: errors})
557 } else {
558 errors = append(errors, requestError{Slug: requestErrActOfGod})
559 encode(w, r, http.StatusInternalServerError, response{Errors: errors})
560 }
561 return
562 }
563 if !profile.ID.Equal(id) {
564 errors = append(errors, requestError{Slug: requestErrAccessDenied})
565 encode(w, r, http.StatusForbidden, response{Errors: errors})
566 return
567 }
568 var req ProfileChange
569 decoder := json.NewDecoder(r.Body)
570 err = decoder.Decode(&req)
571 if err != nil {
572 log.Printf("Error decoding request: %#+v\n", err)
573 encode(w, r, http.StatusBadRequest, invalidFormatResponse)
574 return
575 }
576 req.Iterations = nil
577 req.Salt = nil
578 req.PassphraseScheme = nil
579 req.Compromised = nil // BUG(paddy): Need a way for admins to mark accounts as compromised
580 req.LockedUntil = nil
581 req.LastSeen = nil
582 if req.Passphrase != nil {
583 if len(*req.Passphrase) < MinPassphraseLength {
584 errors = append(errors, requestError{Slug: requestErrInsufficient, Field: "/passphrase"})
585 encode(w, r, http.StatusBadRequest, response{Errors: errors})
586 return
587 }
588 if len(*req.Passphrase) > MaxPassphraseLength {
589 errors = append(errors, requestError{Slug: requestErrOverflow, Field: "/passphrase"})
590 encode(w, r, http.StatusBadRequest, response{Errors: errors})
591 return
592 }
593 iterations := context.config.iterations
594 scheme, ok := passphraseSchemes[CurPassphraseScheme]
595 if !ok {
596 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
597 return
598 }
599 curScheme := CurPassphraseScheme
600 req.PassphraseScheme = &curScheme
601 passphrase, salt, err := scheme.create(*req.Passphrase, iterations)
602 if err != nil {
603 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
604 return
605 }
606 req.Passphrase = &passphrase
607 req.Salt = &salt
608 req.Iterations = &iterations
609 }
610 if req.PassphraseReset != nil {
611 now := time.Now()
612 req.PassphraseResetCreated = &now
613 }
614 err = req.Validate()
615 if err != nil {
616 var status int
617 var resp response
618 switch err {
619 case ErrEmptyChange:
620 resp.Profiles = []Profile{profile}
621 status = http.StatusOK
622 default:
623 errors = append(errors, requestError{Slug: requestErrActOfGod})
624 resp.Errors = errors
625 status = http.StatusInternalServerError
626 }
627 encode(w, r, status, resp)
628 return
629 }
630 err = context.UpdateProfile(id, req)
631 if err != nil {
632 if err == ErrProfileNotFound {
633 errors = append(errors, requestError{Slug: requestErrNotFound})
634 encode(w, r, http.StatusNotFound, response{Errors: errors})
635 return
636 }
637 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
638 return
639 }
640 profile.ApplyChange(req)
641 encode(w, r, http.StatusOK, response{Profiles: []Profile{profile}})
642 return
643 }
645 func DeleteProfileHandler(w http.ResponseWriter, r *http.Request, context Context) {
646 errors := []requestError{}
647 vars := mux.Vars(r)
648 if vars["id"] == "" {
649 errors = append(errors, requestError{Slug: requestErrMissing, Param: "id"})
650 encode(w, r, http.StatusBadRequest, response{Errors: errors})
651 return
652 }
653 id, err := uuid.Parse(vars["id"])
654 if err != nil {
655 errors = append(errors, requestError{Slug: requestErrAccessDenied})
656 encode(w, r, http.StatusBadRequest, response{Errors: errors})
657 return
658 }
659 username, password, ok := r.BasicAuth()
660 if !ok {
661 errors = append(errors, requestError{Slug: requestErrAccessDenied})
662 encode(w, r, http.StatusUnauthorized, response{Errors: errors})
663 return
664 }
665 profile, err := authenticate(username, password, context)
666 if err != nil {
667 if isAuthError(err) {
668 errors = append(errors, requestError{Slug: requestErrAccessDenied})
669 encode(w, r, http.StatusUnauthorized, response{Errors: errors})
670 } else {
671 errors = append(errors, requestError{Slug: requestErrActOfGod})
672 encode(w, r, http.StatusInternalServerError, response{Errors: errors})
673 }
674 return
675 }
676 if !profile.ID.Equal(id) {
677 errors = append(errors, requestError{Slug: requestErrAccessDenied})
678 encode(w, r, http.StatusForbidden, response{Errors: errors})
679 return
680 }
681 err = context.DeleteProfile(id)
682 if err != nil {
683 if err == ErrProfileNotFound {
684 errors = append(errors, requestError{Slug: requestErrNotFound})
685 encode(w, r, http.StatusNotFound, response{Errors: errors})
686 return
687 }
688 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
689 return
690 }
691 encode(w, r, http.StatusOK, response{Profiles: []Profile{profile}})
692 go cleanUpAfterProfileDeletion(profile.ID, context)
693 }