package server
import (
"crypto/rand"
"crypto/rsa"
"crypto/sha256"
"encoding/base64"
"fmt"
"github.com/1f349/tulip/database"
"github.com/go-session/session"
"github.com/google/uuid"
"github.com/julienschmidt/httprouter"
"net/http"
"net/url"
"strings"
)
// UserHandler is an httprouter.Handle extended with the UserAuth resolved for
// the request. The authentication wrappers below (OptionalAuthentication,
// RequireAuthentication, RequireAdminAuthentication) hand the request to a
// UserHandler once the session has been loaded and checked.
type UserHandler func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth)
// UserAuth is the per-request authentication state: the session store the
// data was read from (so it can be written back with SaveSessionData) and the
// decoded SessionData. A zero Data.ID means the request is unauthenticated
// (see IsGuest).
type UserAuth struct {
	Session session.Store
	Data    SessionData
}
// SessionData is the value kept in the session under the "session-data" key.
//
// ID is the signed-in user's UUID (uuid.Nil for a guest). NeedOtp marks a
// login whose second factor is still outstanding; while it is set,
// OptionalAuthentication redirects non-flow requests to /login/otp.
type SessionData struct {
	ID      uuid.UUID
	NeedOtp bool
}
// NextFlowUrl reports where an unfinished login must go before the request at
// origin may proceed: /login/otp (with origin's path and query carried in the
// "redirect" parameter) while the second factor is outstanding, or nil when
// there is no pending flow step.
func (u UserAuth) NextFlowUrl(origin *url.URL) *url.URL {
	if !u.Data.NeedOtp {
		return nil
	}
	return PrepareRedirectUrl("/login/otp", origin)
}
// IsGuest reports whether no user is attached to the session, i.e. Data.ID is
// the nil UUID. A session that is mid-OTP still carries an ID and is therefore
// not a guest; NextFlowUrl is the check for that state.
func (u UserAuth) IsGuest() bool {
	var nobody uuid.UUID // zero value, identical to uuid.Nil
	return u.Data.ID == nobody
}
// SaveSessionData writes Data back into the session under the "session-data"
// key and flushes the store. The returned error is whatever
// session.Store.Save reports.
func (u UserAuth) SaveSessionData() error {
	const key = "session-data"
	u.Session.Set(key, u.Data)
	return u.Session.Save()
}
// RequireAdminAuthentication wraps next so it only runs for a signed-in user
// whose database role is RoleAdmin. Guests are redirected to /login by
// RequireAuthentication; signed-in non-admins receive 403; a failed role
// lookup is reported by h.DbTx, which returns true once it has written the
// error response itself. Anything other than RoleAdmin is denied.
//
// NOTE(review): the identity checked here may have been restored from the
// "login-data" cookie in OptionalAuthentication, which clears NeedOtp without
// an OTP step — confirm that is acceptable for admin routes.
func (h *HttpServer) RequireAdminAuthentication(next UserHandler) httprouter.Handle {
	adminOnly := func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth) {
		var role database.UserRole
		lookup := func(tx *database.Tx) error {
			r, err := tx.GetUserRole(auth.Data.ID)
			role = r
			return err
		}
		if h.DbTx(rw, lookup) {
			// DbTx has already answered the request with the error.
			return
		}
		if role == database.RoleAdmin {
			next(rw, req, params, auth)
			return
		}
		http.Error(rw, "403 Forbidden", http.StatusForbidden)
	}
	return h.RequireAuthentication(adminOnly)
}
// RequireAuthentication wraps next so it only runs once a user is attached to
// the session. Guests are redirected (302) to /login with the original path
// and query in the "redirect" parameter. An outstanding OTP step is handled
// before this by OptionalAuthentication (flowPart=false), which redirects to
// /login/otp instead.
func (h *HttpServer) RequireAuthentication(next UserHandler) httprouter.Handle {
	signedInOnly := func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth) {
		if !auth.IsGuest() {
			next(rw, req, params, auth)
			return
		}
		loginUrl := PrepareRedirectUrl("/login", req.URL)
		http.Redirect(rw, req, loginUrl.String(), http.StatusFound)
	}
	return h.OptionalAuthentication(false, signedInOnly)
}
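// OptionalAuthentication loads the session for the request and calls next with
// the resulting UserAuth, which may be a guest.
//
// Before next runs:
//   - a session whose login flow is incomplete (NextFlowUrl != nil) is
//     redirected to that step, unless flowPart is true — that is how the flow
//     pages themselves (e.g. /login/otp) are mounted;
//   - a guest session is given a chance to be restored from the "login-data"
//     cookie (see userFromLoginCookie). A restored identity has NeedOtp cleared
//     and is not written back to the session here; a handler persists it via
//     SaveSessionData if it wants to.
//
// A failure to start or repair the session is answered with 500 carrying the
// error text; internalAuthenticationHandler currently produces only fixed
// messages, so no internal detail is exposed by that.
func (h *HttpServer) OptionalAuthentication(flowPart bool, next UserHandler) httprouter.Handle {
	return func(rw http.ResponseWriter, req *http.Request, params httprouter.Params) {
		auth, err := internalAuthenticationHandler(rw, req)
		if err != nil {
			http.Error(rw, err.Error(), http.StatusInternalServerError)
			return
		}
		if n := auth.NextFlowUrl(req.URL); n != nil && !flowPart {
			http.Redirect(rw, req, n.String(), http.StatusFound)
			return
		}
		if auth.IsGuest() {
			if id, ok := h.userFromLoginCookie(req); ok {
				auth.Data.ID = id
				auth.Data.NeedOtp = false
			}
		}
		next(rw, req, params, auth)
	}
}

// userFromLoginCookie recovers a user ID from the "login-data" cookie. The
// cookie value is RawStdEncoding base64 of an RSA-OAEP (SHA-256, label
// "login-data") ciphertext whose plaintext is the 16 raw bytes of the user's
// UUID. Any decoding, decryption or length failure yields ok=false and the
// cookie is simply ignored — it is neither cleared nor reported, matching the
// previous best-effort behaviour.
//
// NOTE(review): nothing visible here binds the plaintext to an expiry, a
// nonce or a session, so a captured cookie stays usable until the key changes;
// and the key used is h.signingKey, which by its name also signs tokens. Key
// separation and an expiry inside the ciphertext are worth confirming against
// the code that issues the cookie.
func (h *HttpServer) userFromLoginCookie(req *http.Request) (uuid.UUID, bool) {
	loginCookie, err := req.Cookie("login-data")
	if err != nil {
		return uuid.Nil, false
	}
	ciphertext, err := base64.RawStdEncoding.DecodeString(loginCookie.Value)
	if err != nil {
		return uuid.Nil, false
	}
	plaintext, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, h.signingKey.PrivateKey(), ciphertext, []byte("login-data"))
	if err != nil {
		return uuid.Nil, false
	}
	// FromBytes accepts exactly 16 bytes and nothing else, the same check the
	// hand-written len()==16 guard performed.
	id, err := uuid.FromBytes(plaintext)
	if err != nil {
		return uuid.Nil, false
	}
	return id, true
}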
// internalAuthenticationHandler starts (or resumes) the go-session session for
// the request and decodes the "session-data" value into a UserAuth.
//
// A missing value yields a guest UserAuth. A value of the wrong type is
// treated as corrupt: it is deleted, the session is saved, and the caller gets
// a guest UserAuth (or an error if that save fails). The error messages are
// deliberately fixed strings, because OptionalAuthentication echoes them to
// the client.
func internalAuthenticationHandler(rw http.ResponseWriter, req *http.Request) (UserAuth, error) {
	const key = "session-data"

	store, err := session.Start(req.Context(), rw, req)
	if err != nil {
		return UserAuth{}, fmt.Errorf("failed to start session")
	}
	guest := UserAuth{Session: store}

	raw, present := store.Get(key)
	if !present {
		return guest, nil
	}

	data, isSessionData := raw.(SessionData)
	if isSessionData {
		return UserAuth{Session: store, Data: data}, nil
	}

	// Corrupt or stale value under the key: drop it rather than keep tripping on it.
	store.Delete(key)
	if err := store.Save(); err != nil {
		return guest, fmt.Errorf("failed to reset invalid session data")
	}
	return guest, nil
}
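// PrepareRedirectUrl builds a local redirect target: targetPath (a hard-coded
// path, optionally carrying its own query string) plus a "redirect" query
// parameter holding origin's path and query so the flow can return there.
//
// origin normally comes straight from req.URL, i.e. from the client. Only a
// rooted, single-slash path is accepted as the redirect value: a path that
// begins with "//" or "/\" is read by browsers as a scheme-relative URL once a
// later handler passes it to http.Redirect, which would turn the parameter
// into an open redirect. Such origins — and nil, empty or non-rooted ones —
// get no "redirect" parameter at all. Code that consumes the parameter should
// still validate it before redirecting.
//
// Panics if targetPath's own query string does not parse; targetPath is a
// programmer-supplied constant, so that is a bug rather than bad input.
func PrepareRedirectUrl(targetPath string, origin *url.URL) *url.URL {
	v := url.Values{}

	// Split off and parse any query string baked into the target path.
	if n := strings.IndexByte(targetPath, '?'); n != -1 {
		q, err := url.ParseQuery(targetPath[n+1:])
		if err != nil {
			panic("PrepareRedirectUrl: invalid hardcoded target path query parameters")
		}
		v = q
		targetPath = targetPath[:n]
	}

	if back := localPathAndQuery(origin); back != "" {
		v.Set("redirect", back)
	}
	return &url.URL{Path: targetPath, RawQuery: v.Encode()}
}

// localPathAndQuery returns origin's path followed by its query ("?" plus
// RawQuery when RawQuery is non-empty or ForceQuery is set) if the path is a
// safe same-origin target — "/..." but not "//..." or "/\..." — and ""
// otherwise (including for a nil origin).
func localPathAndQuery(origin *url.URL) string {
	if origin == nil {
		return ""
	}
	p := origin.Path
	if len(p) == 0 || p[0] != '/' {
		return ""
	}
	if len(p) > 1 && (p[1] == '/' || p[1] == '\\') {
		return ""
	}
	if origin.RawQuery != "" || origin.ForceQuery {
		p += "?" + origin.RawQuery
	}
	return p
}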