auth
auth/profile.go
Use postgres arrays for scope associations. Use the new pqarrays library I wrote to store Scope associations for Tokens and AuthorizationCodes, instead of using our hacky and abstraction-breaking many-to-many code. We also created the authStore.deleteAuthorizationCodesByProfileID method, to clear out the AuthorizationCodes that belong to a Profile (used when the Profile is deleted). So we added the implementation for memstore and for our postgres store. Call Context.DeleteAuthorizationCodesByProfileID when deleting a Profile to clean up after it. Rename sortedScopes to Scopes, which we use pqarrays.StringArray's methods on to fulfill the sql.Scanner and driver.Valuer interfaces. This lets us store Scopes in postgres arrays. Create a stringsToScopes helper function that creates Scope objects, with their IDs filled by the strings specified. Update our GrantType.Validate function signature to return Scopes instead of []string. Create a Scopes.Strings() helper method that returns a []string of the IDs of the Scopes. Update our SQL init file to use the new postgres array definition, instead of the many-to-many definition.
1 package auth
3 import (
4 "encoding/json"
5 "errors"
6 "log"
7 "net/http"
8 "regexp"
9 "strings"
10 "time"
12 "code.secondbit.org/uuid.hg"
13 "github.com/gorilla/mux"
14 )
16 const (
17 // MinPassphraseLength is the minimum length, in bytes, of a passphrase, exclusive.
18 MinPassphraseLength = 6
19 // MaxPassphraseLength is the maximum length, in bytes, of a passphrase, exclusive.
20 MaxPassphraseLength = 64
21 // CurPassphraseScheme is the current passphrase scheme. Incrememnt it when we use a different passphrase scheme
22 CurPassphraseScheme = 1
23 // MaxNameLength is the maximum length, in bytes, of a name, exclusive.
24 MaxNameLength = 64
25 // MaxEmailLength is the maximum length, in bytes, of an email address, exclusive.
26 MaxEmailLength = 64
27 )
29 var (
30 // ErrNoProfileStore is returned when a Context tries to act on a profileStore without setting one first.
31 ErrNoProfileStore = errors.New("no profileStore was specified for the Context")
32 // ErrProfileAlreadyExists is returned when a Profile is added to a profileStore, but another Profile with
33 // the same ID already exists in the profileStore.
34 ErrProfileAlreadyExists = errors.New("profile already exists in profileStore")
35 // ErrProfileNotFound is returned when a Profile is requested but not found in the profileStore.
36 ErrProfileNotFound = errors.New("profile not found in profileStore")
37 // ErrLoginAlreadyExists is returned when a Login is added to a profileStore, but another Login with the same
38 // Type and Value already exists in the profileStore.
39 ErrLoginAlreadyExists = errors.New("login already exists in profileStore")
40 // ErrLoginNotFound is returned when a Login is requested but not found in the profileStore.
41 ErrLoginNotFound = errors.New("login not found in profileStore")
43 // ErrMissingPassphrase is returned when a ProfileChange is validated but does not contain a
44 // Passphrase, and requires one.
45 ErrMissingPassphrase = errors.New("missing passphrase")
46 // ErrMissingPassphraseReset is returned when a ProfileChange is validated but does not contain
47 // a PassphraseReset, and requires one.
48 ErrMissingPassphraseReset = errors.New("missing passphrase reset")
49 // ErrMissingPassphraseResetCreated is returned when a ProfileChange is validated but does not
50 // contain a PassphraseResetCreated, and requires one.
51 ErrMissingPassphraseResetCreated = errors.New("missing passphrase reset created timestamp")
52 // ErrPassphraseTooShort is returned when a ProfileChange is validated and contains a Passphrase,
53 // but the Passphrase is shorter than MinPassphraseLength.
54 ErrPassphraseTooShort = errors.New("passphrase too short")
55 // ErrPassphraseTooLong is returned when a ProfileChange is validated and contains a Passphrase,
56 // but the Passphrase is longer than MaxPassphraseLength.
57 ErrPassphraseTooLong = errors.New("passphrase too long")
59 // ErrProfileCompromised is returned when a user tries to log in with a profile that is suspected
60 // of being compromised.
61 ErrProfileCompromised = errors.New("profile compromised")
62 // ErrProfileLocked is returned when a user tries to log in with a profile that is locked for a certain
63 // duration, to prevent brute force attacks.
64 ErrProfileLocked = errors.New("profile locked")
65 )
67 // Profile represents a single user of the service,
68 // including their authentication information.
69 type Profile struct {
70 ID uuid.ID `json:"id,omitempty"`
71 Name string `json:"name,omitempty"`
72 Passphrase string `json:"-"`
73 Iterations int `json:"-"`
74 Salt string `json:"-"`
75 PassphraseScheme int `json:"-"`
76 Compromised bool `json:"-"`
77 LockedUntil time.Time `json:"-"`
78 PassphraseReset string `json:"-"`
79 PassphraseResetCreated time.Time `json:"-"`
80 Created time.Time `json:"created,omitempty"`
81 LastSeen time.Time `json:"last_seen,omitempty"`
82 }
84 // ApplyChange applies the properties of the passed ProfileChange
85 // to the Profile it is called on.
86 func (p *Profile) ApplyChange(change ProfileChange) {
87 if change.Name != nil {
88 p.Name = *change.Name
89 }
90 if change.Passphrase != nil {
91 p.Passphrase = *change.Passphrase
92 }
93 if change.Iterations != nil {
94 p.Iterations = *change.Iterations
95 }
96 if change.Salt != nil {
97 p.Salt = *change.Salt
98 }
99 if change.PassphraseScheme != nil {
100 p.PassphraseScheme = *change.PassphraseScheme
101 }
102 if change.Compromised != nil {
103 p.Compromised = *change.Compromised
104 }
105 if change.LockedUntil != nil {
106 p.LockedUntil = *change.LockedUntil
107 }
108 if change.PassphraseReset != nil {
109 p.PassphraseReset = *change.PassphraseReset
110 }
111 if change.PassphraseResetCreated != nil {
112 p.PassphraseResetCreated = *change.PassphraseResetCreated
113 }
114 if change.LastSeen != nil {
115 p.LastSeen = *change.LastSeen
116 }
117 }
119 // ApplyBulkChange applies the properties of the passed BulkProfileChange
120 // to the Profile it is called on.
121 func (p *Profile) ApplyBulkChange(change BulkProfileChange) {
122 if change.Compromised != nil {
123 p.Compromised = *change.Compromised
124 }
125 }
127 // ProfileChange represents a single atomic change to a Profile's mutable data.
128 type ProfileChange struct {
129 Name *string
130 Passphrase *string
131 Iterations *int
132 Salt *string
133 PassphraseScheme *int
134 Compromised *bool
135 LockedUntil *time.Time
136 PassphraseReset *string
137 PassphraseResetCreated *time.Time
138 LastSeen *time.Time
139 }
141 func (c ProfileChange) Empty() bool {
142 return (c.Name == nil && c.Passphrase == nil && c.Iterations == nil && c.Salt == nil && c.PassphraseScheme == nil && c.Compromised == nil && c.LockedUntil == nil && c.PassphraseReset == nil && c.PassphraseResetCreated == nil && c.LastSeen == nil)
143 }
145 // Validate checks the ProfileChange it is called on
146 // and asserts its internal validity, or lack thereof.
147 // A descriptive error will be returned in the case of
148 // an invalid change.
149 func (c ProfileChange) Validate() error {
150 if c.Empty() {
151 return ErrEmptyChange
152 }
153 if c.PassphraseScheme != nil && c.Passphrase == nil {
154 return ErrMissingPassphrase
155 }
156 if c.PassphraseReset != nil && c.PassphraseResetCreated == nil {
157 return ErrMissingPassphraseResetCreated
158 }
159 if c.PassphraseReset == nil && c.PassphraseResetCreated != nil {
160 return ErrMissingPassphraseReset
161 }
162 if c.Salt != nil && c.Passphrase == nil {
163 return ErrMissingPassphrase
164 }
165 if c.Iterations != nil && c.Passphrase == nil {
166 return ErrMissingPassphrase
167 }
168 return nil
169 }
171 // BulkProfileChange represents a single atomic change to many Profiles' mutable data.
172 // It is a subset of a ProfileChange, as it doesn't make sense to mutate some of the
173 // ProfileChange values across many Profiles all at once.
174 type BulkProfileChange struct {
175 Compromised *bool
176 }
178 func (b BulkProfileChange) Empty() bool {
179 return b.Compromised == nil
180 }
182 // Validate checks the BulkProfileChange it is called on
183 // and asserts its internal validity, or lack thereof.
184 // A descriptive error will be returned in the case of an
185 // invalid change.
186 func (b BulkProfileChange) Validate() error {
187 if b.Empty() {
188 return ErrEmptyChange
189 }
190 return nil
191 }
193 // Login represents a single human-friendly identifier for
194 // a given Profile that can be used to log into that Profile.
195 // Each Profile may only have one Login for each Type.
196 type Login struct {
197 Type string `json:"type,omitempty"`
198 Value string `json:"value,omitempty"`
199 ProfileID uuid.ID `json:"profile_id,omitempty"`
200 Created time.Time `json:"created,omitempty"`
201 LastUsed time.Time `json:"last_used,omitempty"`
202 }
204 type newProfileRequest struct {
205 Email string `json:"email"`
206 Passphrase string `json:"passphrase"`
207 Name string `json:"name"`
208 }
210 func validateNewProfileRequest(req *newProfileRequest) []requestError {
211 errors := []requestError{}
212 req.Name = strings.TrimSpace(req.Name)
213 req.Email = strings.TrimSpace(req.Email)
214 if len(req.Passphrase) < MinPassphraseLength {
215 errors = append(errors, requestError{
216 Slug: requestErrInsufficient,
217 Field: "/passphrase",
218 })
219 }
220 if len(req.Passphrase) > MaxPassphraseLength {
221 errors = append(errors, requestError{
222 Slug: requestErrOverflow,
223 Field: "/passphrase",
224 })
225 }
226 if len(req.Name) > MaxNameLength {
227 errors = append(errors, requestError{
228 Slug: requestErrOverflow,
229 Field: "/name",
230 })
231 }
232 if req.Email == "" {
233 errors = append(errors, requestError{
234 Slug: requestErrMissing,
235 Field: "/email",
236 })
237 }
238 if len(req.Email) > MaxEmailLength {
239 errors = append(errors, requestError{
240 Slug: requestErrOverflow,
241 Field: "/email",
242 })
243 }
244 re := regexp.MustCompile(".+@.+\\..+")
245 if !re.Match([]byte(req.Email)) {
246 errors = append(errors, requestError{
247 Slug: requestErrInvalidFormat,
248 Field: "/email",
249 })
250 }
251 return errors
252 }
254 type profileStore interface {
255 getProfileByID(id uuid.ID) (Profile, error)
256 getProfileByLogin(value string) (Profile, error)
257 saveProfile(profile Profile) error
258 updateProfile(id uuid.ID, change ProfileChange) error
259 updateProfiles(ids []uuid.ID, change BulkProfileChange) error
260 deleteProfile(id uuid.ID) error
262 addLogin(login Login) error
263 removeLogin(value string, profile uuid.ID) error
264 removeLoginsByProfile(profile uuid.ID) error
265 recordLoginUse(value string, when time.Time) error
266 listLogins(profile uuid.ID, num, offset int) ([]Login, error)
267 }
269 func (m *memstore) getProfileByID(id uuid.ID) (Profile, error) {
270 m.profileLock.RLock()
271 defer m.profileLock.RUnlock()
272 p, ok := m.profiles[id.String()]
273 if !ok {
274 return Profile{}, ErrProfileNotFound
275 }
276 return p, nil
277 }
279 func (m *memstore) getProfileByLogin(value string) (Profile, error) {
280 m.loginLock.RLock()
281 defer m.loginLock.RUnlock()
282 login, ok := m.logins[value]
283 if !ok {
284 return Profile{}, ErrLoginNotFound
285 }
286 m.profileLock.RLock()
287 defer m.profileLock.RUnlock()
288 profile, ok := m.profiles[login.ProfileID.String()]
289 if !ok {
290 return Profile{}, ErrProfileNotFound
291 }
292 return profile, nil
293 }
295 func (m *memstore) saveProfile(profile Profile) error {
296 m.profileLock.Lock()
297 defer m.profileLock.Unlock()
298 _, ok := m.profiles[profile.ID.String()]
299 if ok {
300 return ErrProfileAlreadyExists
301 }
302 m.profiles[profile.ID.String()] = profile
303 return nil
304 }
306 func (m *memstore) updateProfile(id uuid.ID, change ProfileChange) error {
307 m.profileLock.Lock()
308 defer m.profileLock.Unlock()
309 p, ok := m.profiles[id.String()]
310 if !ok {
311 return ErrProfileNotFound
312 }
313 p.ApplyChange(change)
314 m.profiles[id.String()] = p
315 return nil
316 }
318 func (m *memstore) updateProfiles(ids []uuid.ID, change BulkProfileChange) error {
319 m.profileLock.Lock()
320 defer m.profileLock.Unlock()
321 for id, profile := range m.profiles {
322 for _, i := range ids {
323 if id == i.String() {
324 profile.ApplyBulkChange(change)
325 m.profiles[id] = profile
326 break
327 }
328 }
329 }
330 return nil
331 }
333 func (m *memstore) deleteProfile(id uuid.ID) error {
334 m.profileLock.Lock()
335 defer m.profileLock.Unlock()
336 if _, ok := m.profiles[id.String()]; !ok {
337 return ErrProfileNotFound
338 }
339 delete(m.profiles, id.String())
340 return nil
341 }
343 func (m *memstore) addLogin(login Login) error {
344 m.loginLock.Lock()
345 defer m.loginLock.Unlock()
346 _, ok := m.logins[login.Value]
347 if ok {
348 return ErrLoginAlreadyExists
349 }
350 m.logins[login.Value] = login
351 m.profileLoginLookup[login.ProfileID.String()] = append(m.profileLoginLookup[login.ProfileID.String()], login.Value)
352 return nil
353 }
355 func (m *memstore) removeLogin(value string, profile uuid.ID) error {
356 m.loginLock.Lock()
357 defer m.loginLock.Unlock()
358 l, ok := m.logins[value]
359 if !ok {
360 return ErrLoginNotFound
361 }
362 if !l.ProfileID.Equal(profile) {
363 return ErrLoginNotFound
364 }
365 delete(m.logins, value)
366 pos := -1
367 for p, id := range m.profileLoginLookup[profile.String()] {
368 if id == value {
369 pos = p
370 break
371 }
372 }
373 if pos >= 0 {
374 m.profileLoginLookup[profile.String()] = append(m.profileLoginLookup[profile.String()][:pos], m.profileLoginLookup[profile.String()][pos+1:]...)
375 }
376 return nil
377 }
379 func (m *memstore) removeLoginsByProfile(profile uuid.ID) error {
380 m.loginLock.Lock()
381 defer m.loginLock.Unlock()
382 logins, ok := m.profileLoginLookup[profile.String()]
383 if !ok {
384 return ErrProfileNotFound
385 }
386 delete(m.profileLoginLookup, profile.String())
387 for _, login := range logins {
388 delete(m.logins, login)
389 }
390 return nil
391 }
393 func (m *memstore) recordLoginUse(value string, when time.Time) error {
394 m.loginLock.Lock()
395 defer m.loginLock.Unlock()
396 l, ok := m.logins[value]
397 if !ok {
398 return ErrLoginNotFound
399 }
400 l.LastUsed = when
401 m.logins[value] = l
402 return nil
403 }
405 func (m *memstore) listLogins(profile uuid.ID, num, offset int) ([]Login, error) {
406 m.loginLock.RLock()
407 defer m.loginLock.RUnlock()
408 ids, ok := m.profileLoginLookup[profile.String()]
409 if !ok {
410 return []Login{}, nil
411 }
412 if len(ids) > num+offset {
413 ids = ids[offset : num+offset]
414 } else if len(ids) > offset {
415 ids = ids[offset:]
416 } else {
417 return []Login{}, nil
418 }
419 logins := []Login{}
420 for _, id := range ids {
421 login, ok := m.logins[id]
422 if !ok {
423 continue
424 }
425 logins = append(logins, login)
426 }
427 return logins, nil
428 }
430 func cleanUpAfterProfileDeletion(profile uuid.ID, context Context) {
431 err := context.RemoveLoginsByProfile(profile)
432 if err != nil {
433 log.Printf("Error removing logins from profile %s: %+v\n", profile, err)
434 }
435 err = context.TerminateSessionsByProfile(profile)
436 if err != nil {
437 log.Printf("Error terminating sessions associated with profile %s: %+v\n", profile, err)
438 }
439 err = context.RevokeTokensByProfileID(profile)
440 if err != nil {
441 log.Printf("Error revoking tokens associated with profile %s: %+v\n", profile, err)
442 }
443 err = context.DeleteAuthorizationCodesByProfileID(profile)
444 if err != nil {
445 log.Printf("Error deleting authorization codes associated with profile %s: %+v\n", profile, err)
446 }
447 // BUG(paddy): need to delete all clients associated with the Profile
448 }
450 // RegisterProfileHandlers adds handlers to the passed router to handle the profile endpoints, like registration and user retrieval.
451 func RegisterProfileHandlers(r *mux.Router, context Context) {
452 r.Handle("/profiles", wrap(context, CreateProfileHandler)).Methods("POST")
453 // BUG(paddy): We need to implement a handler that will return information about a profile or set of profiles.
454 r.Handle("/profiles/{id}", wrap(context, UpdateProfileHandler)).Methods("PATCH")
455 r.Handle("/profiles/{id}", wrap(context, DeleteProfileHandler)).Methods("DELETE")
456 // BUG(paddy): We need to implement a handler that will add a login to a profile.
457 // BUG(paddy): We need to implement a handler that will remove a login from a profile. What happens to sessions created with that login?
458 // BUG(paddy): We need to implement a handler that will list the logins attached to a profile.
459 }
461 // CreateProfileHandler is an HTTP handler for registering new profiles.
462 func CreateProfileHandler(w http.ResponseWriter, r *http.Request, context Context) {
463 scheme, ok := passphraseSchemes[CurPassphraseScheme]
464 if !ok {
465 log.Printf("Error selecting passphrase scheme #%d\n", CurPassphraseScheme)
466 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
467 return
468 }
469 var req newProfileRequest
470 errors := []requestError{}
471 decoder := json.NewDecoder(r.Body)
472 err := decoder.Decode(&req)
473 if err != nil {
474 encode(w, r, http.StatusBadRequest, invalidFormatResponse)
475 return
476 }
477 errors = append(errors, validateNewProfileRequest(&req)...)
478 if len(errors) > 0 {
479 encode(w, r, http.StatusBadRequest, response{Errors: errors})
480 return
481 }
482 passphrase, salt, err := scheme.create(req.Passphrase, context.config.iterations)
483 if err != nil {
484 log.Printf("Error creating encoded passphrase: %#+v\n", err)
485 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
486 return
487 }
488 profile := Profile{
489 ID: uuid.NewID(),
490 Name: req.Name,
491 Passphrase: string(passphrase),
492 Iterations: context.config.iterations,
493 Salt: string(salt),
494 PassphraseScheme: CurPassphraseScheme,
495 Created: time.Now(),
496 LastSeen: time.Now(),
497 }
498 err = context.SaveProfile(profile)
499 if err != nil {
500 if err == ErrProfileAlreadyExists {
501 encode(w, r, http.StatusBadRequest, response{Errors: []requestError{{Slug: requestErrConflict, Field: "/id"}}})
502 return
503 }
504 log.Printf("Error saving profile: %#+v\n", err)
505 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
506 return
507 }
508 logins := []Login{}
509 login := Login{
510 Type: "email",
511 Value: req.Email,
512 Created: profile.Created,
513 LastUsed: profile.Created,
514 ProfileID: profile.ID,
515 }
516 err = context.AddLogin(login)
517 if err != nil {
518 if err == ErrLoginAlreadyExists {
519 encode(w, r, http.StatusBadRequest, response{Errors: []requestError{{Slug: requestErrConflict, Field: "/email"}}})
520 return
521 }
522 log.Printf("Error adding login: %#+v\n", err)
523 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
524 return
525 }
526 logins = append(logins, login)
527 resp := response{
528 Logins: logins,
529 Profiles: []Profile{profile},
530 }
531 encode(w, r, http.StatusCreated, resp)
532 // TODO(paddy): should we kick off the email validation flow?
533 }
535 func UpdateProfileHandler(w http.ResponseWriter, r *http.Request, context Context) {
536 errors := []requestError{}
537 vars := mux.Vars(r)
538 if vars["id"] == "" {
539 errors = append(errors, requestError{Slug: requestErrMissing, Param: "id"})
540 encode(w, r, http.StatusBadRequest, response{Errors: errors})
541 return
542 }
543 id, err := uuid.Parse(vars["id"])
544 if err != nil {
545 errors = append(errors, requestError{Slug: requestErrAccessDenied})
546 encode(w, r, http.StatusBadRequest, response{Errors: errors})
547 return
548 }
549 username, password, ok := r.BasicAuth()
550 if !ok {
551 errors = append(errors, requestError{Slug: requestErrAccessDenied})
552 encode(w, r, http.StatusUnauthorized, response{Errors: errors})
553 return
554 }
555 profile, err := authenticate(username, password, context)
556 if err != nil {
557 if isAuthError(err) {
558 errors = append(errors, requestError{Slug: requestErrAccessDenied})
559 encode(w, r, http.StatusUnauthorized, response{Errors: errors})
560 } else {
561 errors = append(errors, requestError{Slug: requestErrActOfGod})
562 encode(w, r, http.StatusInternalServerError, response{Errors: errors})
563 }
564 return
565 }
566 if !profile.ID.Equal(id) {
567 errors = append(errors, requestError{Slug: requestErrAccessDenied})
568 encode(w, r, http.StatusForbidden, response{Errors: errors})
569 return
570 }
571 var req ProfileChange
572 decoder := json.NewDecoder(r.Body)
573 err = decoder.Decode(&req)
574 if err != nil {
575 log.Printf("Error decoding request: %#+v\n", err)
576 encode(w, r, http.StatusBadRequest, invalidFormatResponse)
577 return
578 }
579 req.Iterations = nil
580 req.Salt = nil
581 req.PassphraseScheme = nil
582 req.Compromised = nil // BUG(paddy): Need a way for admins to mark accounts as compromised
583 req.LockedUntil = nil
584 req.LastSeen = nil
585 if req.Passphrase != nil {
586 if len(*req.Passphrase) < MinPassphraseLength {
587 errors = append(errors, requestError{Slug: requestErrInsufficient, Field: "/passphrase"})
588 encode(w, r, http.StatusBadRequest, response{Errors: errors})
589 return
590 }
591 if len(*req.Passphrase) > MaxPassphraseLength {
592 errors = append(errors, requestError{Slug: requestErrOverflow, Field: "/passphrase"})
593 encode(w, r, http.StatusBadRequest, response{Errors: errors})
594 return
595 }
596 iterations := context.config.iterations
597 scheme, ok := passphraseSchemes[CurPassphraseScheme]
598 if !ok {
599 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
600 return
601 }
602 curScheme := CurPassphraseScheme
603 req.PassphraseScheme = &curScheme
604 passphrase, salt, err := scheme.create(*req.Passphrase, iterations)
605 if err != nil {
606 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
607 return
608 }
609 req.Passphrase = &passphrase
610 req.Salt = &salt
611 req.Iterations = &iterations
612 }
613 if req.PassphraseReset != nil {
614 now := time.Now()
615 req.PassphraseResetCreated = &now
616 }
617 err = req.Validate()
618 if err != nil {
619 var status int
620 var resp response
621 switch err {
622 case ErrEmptyChange:
623 resp.Profiles = []Profile{profile}
624 status = http.StatusOK
625 default:
626 errors = append(errors, requestError{Slug: requestErrActOfGod})
627 resp.Errors = errors
628 status = http.StatusInternalServerError
629 }
630 encode(w, r, status, resp)
631 return
632 }
633 err = context.UpdateProfile(id, req)
634 if err != nil {
635 if err == ErrProfileNotFound {
636 errors = append(errors, requestError{Slug: requestErrNotFound})
637 encode(w, r, http.StatusNotFound, response{Errors: errors})
638 return
639 }
640 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
641 return
642 }
643 profile.ApplyChange(req)
644 encode(w, r, http.StatusOK, response{Profiles: []Profile{profile}})
645 return
646 }
648 func DeleteProfileHandler(w http.ResponseWriter, r *http.Request, context Context) {
649 errors := []requestError{}
650 vars := mux.Vars(r)
651 if vars["id"] == "" {
652 errors = append(errors, requestError{Slug: requestErrMissing, Param: "id"})
653 encode(w, r, http.StatusBadRequest, response{Errors: errors})
654 return
655 }
656 id, err := uuid.Parse(vars["id"])
657 if err != nil {
658 errors = append(errors, requestError{Slug: requestErrAccessDenied})
659 encode(w, r, http.StatusBadRequest, response{Errors: errors})
660 return
661 }
662 username, password, ok := r.BasicAuth()
663 if !ok {
664 errors = append(errors, requestError{Slug: requestErrAccessDenied})
665 encode(w, r, http.StatusUnauthorized, response{Errors: errors})
666 return
667 }
668 profile, err := authenticate(username, password, context)
669 if err != nil {
670 if isAuthError(err) {
671 errors = append(errors, requestError{Slug: requestErrAccessDenied})
672 encode(w, r, http.StatusUnauthorized, response{Errors: errors})
673 } else {
674 errors = append(errors, requestError{Slug: requestErrActOfGod})
675 encode(w, r, http.StatusInternalServerError, response{Errors: errors})
676 }
677 return
678 }
679 if !profile.ID.Equal(id) {
680 errors = append(errors, requestError{Slug: requestErrAccessDenied})
681 encode(w, r, http.StatusForbidden, response{Errors: errors})
682 return
683 }
684 err = context.DeleteProfile(id)
685 if err != nil {
686 if err == ErrProfileNotFound {
687 errors = append(errors, requestError{Slug: requestErrNotFound})
688 encode(w, r, http.StatusNotFound, response{Errors: errors})
689 return
690 }
691 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
692 return
693 }
694 encode(w, r, http.StatusOK, response{Profiles: []Profile{profile}})
695 go cleanUpAfterProfileDeletion(profile.ID, context)
696 }