tulip/server/auth.go

package server

import (
	"github.com/1f349/mjwt"
	"github.com/1f349/mjwt/auth"
	"github.com/1f349/tulip/database"
	"github.com/1f349/tulip/database/types"
	"github.com/julienschmidt/httprouter"
	"net/http"
	"net/url"
	"strings"
)

type UserHandler func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth)

type UserAuth struct {
	ID      string
	NeedOtp bool
}

func (u UserAuth) NextFlowUrl(origin *url.URL) *url.URL {
	if u.NeedOtp {
		return PrepareRedirectUrl("/login/otp", origin)
	}
	return nil
}

func (u UserAuth) IsGuest() bool {
	return u.ID == ""
}

func (h *HttpServer) RequireAdminAuthentication(next UserHandler) httprouter.Handle {
	return h.RequireAuthentication(func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth) {
		var role types.UserRole
		if h.DbTx(rw, func(tx *database.Queries) (err error) {
			role, err = tx.GetUserRole(req.Context(), auth.ID)
			return
		}) {
			return
		}
		if role != types.RoleAdmin {
			http.Error(rw, "403 Forbidden", http.StatusForbidden)
			return
		}
		next(rw, req, params, auth)
	})
}

func (h *HttpServer) RequireAuthentication(next UserHandler) httprouter.Handle {
	return h.OptionalAuthentication(false, func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth) {
		if auth.IsGuest() {
			redirectUrl := PrepareRedirectUrl("/login", req.URL)
			http.Redirect(rw, req, redirectUrl.String(), http.StatusFound)
			return
		}
		next(rw, req, params, auth)
	})
}

func (h *HttpServer) OptionalAuthentication(flowPart bool, next UserHandler) httprouter.Handle {
	return func(rw http.ResponseWriter, req *http.Request, params httprouter.Params) {
		authData, err := h.internalAuthenticationHandler(req)
		if err == nil {
			if n := authData.NextFlowUrl(req.URL); n != nil && !flowPart {
				http.Redirect(rw, req, n.String(), http.StatusFound)
				return
			}
		}
		next(rw, req, params, authData)
	}
}

func (h *HttpServer) internalAuthenticationHandler(req *http.Request) (UserAuth, error) {
	if loginCookie, err := req.Cookie("tulip-login-data"); err == nil {
		_, b, err := mjwt.ExtractClaims[auth.AccessTokenClaims](h.signingKey, loginCookie.Value)
		if err != nil {
			return UserAuth{}, err
		}
		return UserAuth{ID: b.Subject, NeedOtp: b.Claims.Perms.Has("needs-otp")}, nil
	}
	// not logged in
	return UserAuth{}, nil
}

func PrepareRedirectUrl(targetPath string, origin *url.URL) *url.URL {
	// find start of query parameters in target path
	n := strings.IndexByte(targetPath, '?')
	v := url.Values{}

	// parse existing query parameters
	if n != -1 {
		q, err := url.ParseQuery(targetPath[n+1:])
		if err != nil {
			panic("PrepareRedirectUrl: invalid hardcoded target path query parameters")
		}
		v = q
		targetPath = targetPath[:n]
	}

	// add path of origin as a new query parameter
	orig := origin.Path
	if origin.RawQuery != "" || origin.ForceQuery {
		orig += "?" + origin.RawQuery
	}
	if orig != "" {
		v.Set("redirect", orig)
	}
	return &url.URL{Path: targetPath, RawQuery: v.Encode()}
}
Lots of code changes 2023-09-06 22:20:09 +01:00			`package server`

			`import (`
Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`"github.com/1f349/mjwt"`
			`"github.com/1f349/mjwt/auth"`
Login, edit, oauth, otp and management page changes 2023-09-15 13:06:31 +01:00			`"github.com/1f349/tulip/database"`
Correct refactored database calls 2024-03-11 12:39:52 +00:00			`"github.com/1f349/tulip/database/types"`
Lots of code changes 2023-09-06 22:20:09 +01:00			`"github.com/julienschmidt/httprouter"`
			`"net/http"`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`"net/url"`
Add mailer and output true user info 2023-09-24 18:24:16 +01:00			`"strings"`
Lots of code changes 2023-09-06 22:20:09 +01:00			`)`

			`type UserHandler func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth)`

			`type UserAuth struct {`
Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`ID string`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`NeedOtp bool`
			`}`

			`func (u UserAuth) NextFlowUrl(origin url.URL) url.URL {`
Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`if u.NeedOtp {`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`return PrepareRedirectUrl("/login/otp", origin)`
			`}`
			`return nil`
Lots of code changes 2023-09-06 22:20:09 +01:00			`}`

			`func (u UserAuth) IsGuest() bool {`
Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`return u.ID == ""`
Lots of code changes 2023-09-06 22:20:09 +01:00			`}`

Login, edit, oauth, otp and management page changes 2023-09-15 13:06:31 +01:00			`func (h *HttpServer) RequireAdminAuthentication(next UserHandler) httprouter.Handle {`
Save current user in encrypted cookie to prevent repetative logging in 2023-12-19 00:01:08 +00:00			`return h.RequireAuthentication(func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth) {`
Correct refactored database calls 2024-03-11 12:39:52 +00:00			`var role types.UserRole`
			`if h.DbTx(rw, func(tx *database.Queries) (err error) {`
			`role, err = tx.GetUserRole(req.Context(), auth.ID)`
Login, edit, oauth, otp and management page changes 2023-09-15 13:06:31 +01:00			`return`
			`}) {`
			`return`
			`}`
Correct refactored database calls 2024-03-11 12:39:52 +00:00			`if role != types.RoleAdmin {`
Login, edit, oauth, otp and management page changes 2023-09-15 13:06:31 +01:00			`http.Error(rw, "403 Forbidden", http.StatusForbidden)`
			`return`
			`}`
			`next(rw, req, params, auth)`
			`})`
			`}`

Save current user in encrypted cookie to prevent repetative logging in 2023-12-19 00:01:08 +00:00			`func (h *HttpServer) RequireAuthentication(next UserHandler) httprouter.Handle {`
			`return h.OptionalAuthentication(false, func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth) {`
Lots of code changes 2023-09-06 22:20:09 +01:00			`if auth.IsGuest() {`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`redirectUrl := PrepareRedirectUrl("/login", req.URL)`
			`http.Redirect(rw, req, redirectUrl.String(), http.StatusFound)`
Lots of code changes 2023-09-06 22:20:09 +01:00			`return`
			`}`
			`next(rw, req, params, auth)`
			`})`
			`}`

Save current user in encrypted cookie to prevent repetative logging in 2023-12-19 00:01:08 +00:00			`func (h *HttpServer) OptionalAuthentication(flowPart bool, next UserHandler) httprouter.Handle {`
Lots of code changes 2023-09-06 22:20:09 +01:00			`return func(rw http.ResponseWriter, req *http.Request, params httprouter.Params) {`
Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`authData, err := h.internalAuthenticationHandler(req)`
			`if err == nil {`
			`if n := authData.NextFlowUrl(req.URL); n != nil && !flowPart {`
			`http.Redirect(rw, req, n.String(), http.StatusFound)`
			`return`
Save current user in encrypted cookie to prevent repetative logging in 2023-12-19 00:01:08 +00:00			`}`
			`}`
Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`next(rw, req, params, authData)`
Lots of code changes 2023-09-06 22:20:09 +01:00			`}`
			`}`

Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`func (h HttpServer) internalAuthenticationHandler(req http.Request) (UserAuth, error) {`
			`if loginCookie, err := req.Cookie("tulip-login-data"); err == nil {`
			`_, b, err := mjwt.ExtractClaims[auth.AccessTokenClaims](h.signingKey, loginCookie.Value)`
Lots of code changes 2023-09-06 22:20:09 +01:00			`if err != nil {`
Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`return UserAuth{}, err`
Lots of code changes 2023-09-06 22:20:09 +01:00			`}`
Fix claim perm typo 2024-02-13 18:47:59 +00:00			`return UserAuth{ID: b.Subject, NeedOtp: b.Claims.Perms.Has("needs-otp")}, nil`
Lots of code changes 2023-09-06 22:20:09 +01:00			`}`
Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`// not logged in`
			`return UserAuth{}, nil`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`}`

			`func PrepareRedirectUrl(targetPath string, origin url.URL) url.URL {`
Add mailer and output true user info 2023-09-24 18:24:16 +01:00			`// find start of query parameters in target path`
			`n := strings.IndexByte(targetPath, '?')`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`v := url.Values{}`
Add mailer and output true user info 2023-09-24 18:24:16 +01:00
			`// parse existing query parameters`
			`if n != -1 {`
			`q, err := url.ParseQuery(targetPath[n+1:])`
			`if err != nil {`
			`panic("PrepareRedirectUrl: invalid hardcoded target path query parameters")`
			`}`
			`v = q`
			`targetPath = targetPath[:n]`
			`}`

			`// add path of origin as a new query parameter`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`orig := origin.Path`
			`if origin.RawQuery != "" \|\| origin.ForceQuery {`
			`orig += "?" + origin.RawQuery`
			`}`
			`if orig != "" {`
			`v.Set("redirect", orig)`
			`}`
			`return &url.URL{Path: targetPath, RawQuery: v.Encode()}`
Lots of code changes 2023-09-06 22:20:09 +01:00			`}`