auth
auth/session.go
Flesh out auth code grant (in)validation. Flesh out our tests for functions that do the validation and invalidation of the authorization code grant type's authorization codes. Basically, make sure that the auth code's are being checked right and that marking them as used after they're used works.
1 package auth
3 import (
4 "crypto/sha256"
5 "encoding/hex"
6 "errors"
7 "log"
8 "net/http"
9 "sort"
10 "time"
12 "code.secondbit.org/pass.hg"
13 "code.secondbit.org/uuid.hg"
14 "github.com/gorilla/mux"
15 )
17 const (
18 loginTemplateName = "login"
19 )
21 var (
22 // ErrNoSessionStore is returned when a Context tries to act on a sessionStore without setting on first.
23 ErrNoSessionStore = errors.New("no sessionStore was specified for the Context")
24 // ErrSessionNotFound is returned when a Session is requested but not found in the sessionStore.
25 ErrSessionNotFound = errors.New("session not found in sessionStore")
26 // ErrInvalidSession is returned when a Session is specified but is not valid.
27 ErrInvalidSession = errors.New("session is not valid")
28 // ErrSessionAlreadyExists is returned when a sessionStore tries to store a Session with an ID that already exists in the sessionStore.
29 ErrSessionAlreadyExists = errors.New("session already exists")
31 passphraseSchemes = map[int]passphraseScheme{
32 1: {
33 check: pbkdf2sha256check,
34 create: pbkdf2sha256create,
35 calculateIterations: pbkdf2sha256calc,
36 },
37 }
38 )
40 type passphraseScheme struct {
41 check func(profile Profile, passphrase string) (bool, error)
42 create func(passphrase string, iterations int) (result, salt string, err error)
43 calculateIterations func() (int, error)
44 }
46 // Session represents a user's authenticated session, associating it with a profile
47 // and some audit data.
48 type Session struct {
49 ID string
50 IP string
51 UserAgent string
52 ProfileID uuid.ID
53 Login string
54 Created time.Time
55 Active bool
56 }
58 type sortedSessions []Session
60 func (s sortedSessions) Len() int {
61 return len(s)
62 }
64 func (s sortedSessions) Less(i, j int) bool {
65 return s[i].Created.After(s[j].Created)
66 }
68 func (s sortedSessions) Swap(i, j int) {
69 s[i], s[j] = s[j], s[i]
70 }
72 type sessionStore interface {
73 createSession(session Session) error
74 getSession(id string) (Session, error)
75 removeSession(id string) error
76 listSessions(profile uuid.ID, before time.Time, num int64) ([]Session, error)
77 }
79 func (m *memstore) createSession(session Session) error {
80 m.sessionLock.Lock()
81 defer m.sessionLock.Unlock()
82 if _, ok := m.sessions[session.ID]; ok {
83 return ErrSessionAlreadyExists
84 }
85 m.sessions[session.ID] = session
86 return nil
87 }
89 func (m *memstore) getSession(id string) (Session, error) {
90 m.sessionLock.RLock()
91 defer m.sessionLock.RUnlock()
92 if _, ok := m.sessions[id]; !ok {
93 return Session{}, ErrSessionNotFound
94 }
95 return m.sessions[id], nil
96 }
98 func (m *memstore) removeSession(id string) error {
99 m.sessionLock.Lock()
100 defer m.sessionLock.Unlock()
101 if _, ok := m.sessions[id]; !ok {
102 return ErrSessionNotFound
103 }
104 delete(m.sessions, id)
105 return nil
106 }
108 func (m *memstore) listSessions(profile uuid.ID, before time.Time, num int64) ([]Session, error) {
109 m.sessionLock.RLock()
110 defer m.sessionLock.RUnlock()
111 res := []Session{}
112 for _, session := range m.sessions {
113 if int64(len(res)) >= num {
114 break
115 }
116 if profile != nil && !profile.Equal(session.ProfileID) {
117 continue
118 }
119 if !before.IsZero() && session.Created.After(before) {
120 continue
121 }
122 res = append(res, session)
123 }
124 sorted := sortedSessions(res)
125 sort.Sort(sorted)
126 res = []Session(sorted)
127 return res, nil
128 }
130 // RegisterSessionHandlers adds handlers to the passed router to handle the session endpoints, like login and logout.
131 func RegisterSessionHandlers(r *mux.Router, context Context) {
132 r.Handle("/login", wrap(context, CreateSessionHandler))
133 }
135 func checkCookie(r *http.Request, context Context) (Session, error) {
136 cookie, err := r.Cookie(authCookieName)
137 if err == http.ErrNoCookie {
138 return Session{}, ErrNoSession
139 } else if err != nil {
140 log.Println(err)
141 return Session{}, err
142 }
143 sess, err := context.GetSession(cookie.Value)
144 if err == ErrSessionNotFound {
145 return Session{}, ErrInvalidSession
146 } else if err != nil {
147 return Session{}, err
148 }
149 if !sess.Active {
150 return Session{}, ErrInvalidSession
151 }
152 return sess, nil
153 }
155 func buildLoginRedirect(r *http.Request, context Context) string {
156 if context.loginURI == nil {
157 return ""
158 }
159 uri := *context.loginURI
160 q := uri.Query()
161 q.Set("from", r.URL.String())
162 uri.RawQuery = q.Encode()
163 return uri.String()
164 }
166 func pbkdf2sha256check(profile Profile, passphrase string) (bool, error) {
167 realPass, err := hex.DecodeString(profile.Passphrase)
168 if err != nil {
169 return false, err
170 }
171 realSalt, err := hex.DecodeString(profile.Salt)
172 if err != nil {
173 return false, err
174 }
175 candidate := pass.Check(sha256.New, profile.Iterations, []byte(passphrase), []byte(realSalt))
176 if !pass.Compare(candidate, realPass) {
177 return false, ErrIncorrectAuth
178 }
179 return true, nil
180 }
182 func pbkdf2sha256create(passphrase string, iters int) (result, salt string, err error) {
183 passBytes, saltBytes, err := pass.Create(sha256.New, iters, []byte(passphrase))
184 if err != nil {
185 return "", "", err
186 }
187 result = hex.EncodeToString(passBytes)
188 salt = hex.EncodeToString(saltBytes)
189 return result, salt, err
190 }
192 func pbkdf2sha256calc() (int, error) {
193 return pass.CalculateIterations(sha256.New)
194 }
196 func authenticate(user, passphrase string, context Context) (Profile, error) {
197 profile, err := context.GetProfileByLogin(user)
198 if err != nil {
199 if err == ErrProfileNotFound || err == ErrLoginNotFound {
200 return Profile{}, ErrIncorrectAuth
201 }
202 return Profile{}, err
203 }
204 if profile.Compromised {
205 return Profile{}, ErrProfileCompromised
206 }
207 if !profile.LockedUntil.IsZero() && profile.LockedUntil.After(time.Now()) {
208 return profile, ErrProfileLocked
209 }
210 scheme, ok := passphraseSchemes[profile.PassphraseScheme]
211 if !ok {
212 return Profile{}, ErrInvalidPassphraseScheme
213 }
214 result, err := scheme.check(profile, passphrase)
215 if !result {
216 return Profile{}, err
217 }
218 return profile, nil
219 }
221 // CreateSessionHandler allows the user to log into their account and create their session.
222 func CreateSessionHandler(w http.ResponseWriter, r *http.Request, context Context) {
223 // BUG(paddy): Creating a session needs CSRF protection, right? This whole thing should get a security audit
224 errors := []error{}
225 if r.Method == "POST" {
226 profile, err := authenticate(r.PostFormValue("login"), r.PostFormValue("passphrase"), context)
227 if err == nil {
228 ip := r.Header.Get("X-Forwarded-For")
229 if ip == "" {
230 ip = r.RemoteAddr
231 }
232 session := Session{
233 ID: uuid.NewID().String(),
234 IP: ip,
235 UserAgent: r.UserAgent(),
236 ProfileID: profile.ID,
237 Login: r.PostFormValue("login"),
238 Created: time.Now(),
239 Active: true,
240 }
241 err = context.CreateSession(session)
242 if err != nil {
243 w.WriteHeader(http.StatusInternalServerError)
244 w.Write([]byte(err.Error()))
245 return
246 }
247 // BUG(paddy): really need to do a security audit on our cookie
248 cookie := http.Cookie{
249 Name: authCookieName,
250 Value: session.ID,
251 Expires: time.Now().Add(24 * 7 * time.Hour),
252 HttpOnly: true,
253 }
254 http.SetCookie(w, &cookie)
255 redirectTo := r.URL.Query().Get("from")
256 if redirectTo == "" {
257 redirectTo = "/"
258 }
259 http.Redirect(w, r, redirectTo, http.StatusFound)
260 return
261 } else if err != ErrIncorrectAuth && err != ErrProfileCompromised && err != ErrProfileLocked {
262 w.WriteHeader(http.StatusInternalServerError)
263 w.Write([]byte(err.Error()))
264 return
265 } else {
266 errors = append(errors, err)
267 }
268 }
269 context.Render(w, loginTemplateName, map[string]interface{}{
270 "errors": errors,
271 })
272 }