tulip/server/otp.go

package server

import (
	"bytes"
	"context"
	"encoding/base64"
	"github.com/1f349/tulip/database"
	"github.com/1f349/tulip/pages"
	"github.com/julienschmidt/httprouter"
	"github.com/skip2/go-qrcode"
	"github.com/xlzd/gotp"
	"html/template"
	"image/png"
	"net/http"
	"time"
)

func (h *HttpServer) LoginOtpGet(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
	if !auth.NeedOtp {
		h.SafeRedirect(rw, req)
		return
	}

	pages.RenderPageTemplate(rw, "login-otp", map[string]any{
		"ServiceName": h.conf.ServiceName,
		"Redirect":    req.URL.Query().Get("redirect"),
	})
}

func (h *HttpServer) LoginOtpPost(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
	if !auth.NeedOtp {
		http.Redirect(rw, req, "/", http.StatusFound)
		return
	}

	otpInput := req.FormValue("code")
	if h.fetchAndValidateOtp(rw, auth.Subject, otpInput) {
		return
	}

	auth.NeedOtp = false

	h.setLoginDataCookie(rw, auth)
	h.SafeRedirect(rw, req)
}

func (h *HttpServer) fetchAndValidateOtp(rw http.ResponseWriter, sub, code string) bool {
	var hasOtp bool
	var otpRow database.GetOtpRow
	var secret string
	var digits int64
	if h.DbTx(rw, func(tx *database.Queries) (err error) {
		hasOtp, err = tx.HasOtp(context.Background(), sub)
		if err != nil {
			return
		}
		if hasOtp {
			otpRow, err = tx.GetOtp(context.Background(), sub)
			secret = otpRow.Secret
			digits = otpRow.Digits
		}
		return
	}) {
		return true
	}

	if hasOtp {
		totp := gotp.NewTOTP(secret, int(digits), 30, nil)
		if !verifyTotp(totp, code) {
			http.Error(rw, "400 Bad Request: Invalid OTP code", http.StatusBadRequest)
			return true
		}
	}

	return false
}

func (h *HttpServer) EditOtpPost(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
	if req.Method == http.MethodPost && req.FormValue("remove") == "1" {
		if !req.Form.Has("code") {
			// render page
			pages.RenderPageTemplate(rw, "remove-otp", map[string]any{
				"ServiceName": h.conf.ServiceName,
			})
			return
		}

		otpInput := req.Form.Get("code")
		if h.fetchAndValidateOtp(rw, auth.Subject, otpInput) {
			return
		}

		if h.DbTx(rw, func(tx *database.Queries) error {
			return tx.SetOtp(req.Context(), database.SetOtpParams{
				Subject: auth.Subject,
				Secret:  "",
				Digits:  0,
			})
		}) {
			return
		}

		http.Redirect(rw, req, "/", http.StatusFound)
		return
	}

	var digits int
	switch req.FormValue("digits") {
	case "6":
		digits = 6
	case "7":
		digits = 7
	case "8":
		digits = 8
	default:
		http.Error(rw, "400 Bad Request: Invalid number of digits for OTP code", http.StatusBadRequest)
		return
	}

	secret := req.FormValue("secret")
	if !gotp.IsSecretValid(secret) {
		http.Error(rw, "400 Bad Request: Invalid secret", http.StatusBadRequest)
		return
	}

	if secret == "" {
		// get user email
		var email string
		if h.DbTx(rw, func(tx *database.Queries) error {
			var err error
			email, err = tx.GetUserEmail(req.Context(), auth.Subject)
			return err
		}) {
			return
		}

		secret = gotp.RandomSecret(64)
		if secret == "" {
			http.Error(rw, "500 Internal Server Error: failed to generate OTP secret", http.StatusInternalServerError)
			return
		}
		totp := gotp.NewTOTP(secret, digits, 30, nil)
		otpUri := totp.ProvisioningUri(email, h.conf.OtpIssuer)
		code, err := qrcode.New(otpUri, qrcode.Medium)
		if err != nil {
			http.Error(rw, "500 Internal Server Error: failed to generate QR code", http.StatusInternalServerError)
			return
		}
		qrImg := code.Image(60 * 4)
		qrBounds := qrImg.Bounds()
		qrWidth := qrBounds.Dx()

		qrBuf := new(bytes.Buffer)
		if png.Encode(qrBuf, qrImg) != nil {
			http.Error(rw, "500 Internal Server Error: failed to generate PNG image of QR code", http.StatusInternalServerError)
			return
		}

		// render page
		pages.RenderPageTemplate(rw, "edit-otp", map[string]any{
			"ServiceName": h.conf.ServiceName,
			"OtpQr":       template.URL("data:qrImg/png;base64," + base64.StdEncoding.EncodeToString(qrBuf.Bytes())),
			"QrWidth":     qrWidth,
			"OtpUrl":      otpUri,
			"OtpSecret":   secret,
			"OtpDigits":   digits,
		})
		return
	}

	totp := gotp.NewTOTP(secret, digits, 30, nil)

	if !verifyTotp(totp, req.FormValue("code")) {
		http.Error(rw, "400 Bad Request: invalid OTP code", http.StatusBadRequest)
		return
	}

	if h.DbTx(rw, func(tx *database.Queries) error {
		return tx.SetOtp(req.Context(), database.SetOtpParams{
			Subject: auth.Subject,
			Secret:  secret,
			Digits:  int64(digits),
		})
	}) {
		return
	}

	http.Redirect(rw, req, "/", http.StatusFound)
}

func verifyTotp(totp *gotp.TOTP, code string) bool {
	t := time.Now()
	if totp.VerifyTime(code, t) {
		return true
	}
	if totp.VerifyTime(code, t.Add(-30*time.Second)) {
		return true
	}
	return totp.VerifyTime(code, t.Add(30*time.Second))
}
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`package server`

			`import (`
Smaller QR image on edit OTP page 2023-10-16 15:18:34 +01:00			`"bytes"`
Finish up initdb implementation 2024-03-12 21:04:25 +00:00			`"context"`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`"encoding/base64"`
			`"github.com/1f349/tulip/database"`
			`"github.com/1f349/tulip/pages"`
			`"github.com/julienschmidt/httprouter"`
Swap out TOTP library 2023-10-16 16:47:18 +01:00			`"github.com/skip2/go-qrcode"`
			`"github.com/xlzd/gotp"`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`"html/template"`
Smaller QR image on edit OTP page 2023-10-16 15:18:34 +01:00			`"image/png"`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`"net/http"`
Swap out TOTP library 2023-10-16 16:47:18 +01:00			`"time"`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`)`

			`func (h HttpServer) LoginOtpGet(rw http.ResponseWriter, req http.Request, _ httprouter.Params, auth UserAuth) {`
Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`if !auth.NeedOtp {`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`h.SafeRedirect(rw, req)`
			`return`
			`}`

			`pages.RenderPageTemplate(rw, "login-otp", map[string]any{`
Pass config directly to server 2023-10-10 18:06:43 +01:00			`"ServiceName": h.conf.ServiceName,`
Login, edit, oauth, otp and management page changes 2023-09-15 13:06:31 +01:00			`"Redirect": req.URL.Query().Get("redirect"),`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`})`
			`}`

			`func (h HttpServer) LoginOtpPost(rw http.ResponseWriter, req http.Request, _ httprouter.Params, auth UserAuth) {`
Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`if !auth.NeedOtp {`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`http.Redirect(rw, req, "/", http.StatusFound)`
			`return`
			`}`

			`otpInput := req.FormValue("code")`
Redesign token authentication 2024-05-31 14:57:54 +01:00			`if h.fetchAndValidateOtp(rw, auth.Subject, otpInput) {`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`return`
			`}`

Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`auth.NeedOtp = false`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00
Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`h.setLoginDataCookie(rw, auth)`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`h.SafeRedirect(rw, req)`
			`}`

Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`func (h *HttpServer) fetchAndValidateOtp(rw http.ResponseWriter, sub, code string) bool {`
Login, edit, oauth, otp and management page changes 2023-09-15 13:06:31 +01:00			`var hasOtp bool`
Finish up initdb implementation 2024-03-12 21:04:25 +00:00			`var otpRow database.GetOtpRow`
Swap out TOTP library 2023-10-16 16:47:18 +01:00			`var secret string`
Finish up initdb implementation 2024-03-12 21:04:25 +00:00			`var digits int64`
Correct refactored database calls 2024-03-11 12:39:52 +00:00			`if h.DbTx(rw, func(tx *database.Queries) (err error) {`
Finish up initdb implementation 2024-03-12 21:04:25 +00:00			`hasOtp, err = tx.HasOtp(context.Background(), sub)`
Login, edit, oauth, otp and management page changes 2023-09-15 13:06:31 +01:00			`if err != nil {`
			`return`
			`}`
			`if hasOtp {`
Finish up initdb implementation 2024-03-12 21:04:25 +00:00			`otpRow, err = tx.GetOtp(context.Background(), sub)`
			`secret = otpRow.Secret`
			`digits = otpRow.Digits`
Login, edit, oauth, otp and management page changes 2023-09-15 13:06:31 +01:00			`}`
			`return`
			`}) {`
			`return true`
			`}`

			`if hasOtp {`
Finish up initdb implementation 2024-03-12 21:04:25 +00:00			`totp := gotp.NewTOTP(secret, int(digits), 30, nil)`
Swap out TOTP library 2023-10-16 16:47:18 +01:00			`if !verifyTotp(totp, code) {`
Login, edit, oauth, otp and management page changes 2023-09-15 13:06:31 +01:00			`http.Error(rw, "400 Bad Request: Invalid OTP code", http.StatusBadRequest)`
			`return true`
			`}`
			`}`

			`return false`
			`}`

Convert edit OTP to all post requests 2023-10-16 18:20:31 +01:00			`func (h HttpServer) EditOtpPost(rw http.ResponseWriter, req http.Request, _ httprouter.Params, auth UserAuth) {`
Remove OTP code 2023-12-17 15:28:00 +00:00			`if req.Method == http.MethodPost && req.FormValue("remove") == "1" {`
			`if !req.Form.Has("code") {`
			`// render page`
			`pages.RenderPageTemplate(rw, "remove-otp", map[string]any{`
			`"ServiceName": h.conf.ServiceName,`
			`})`
			`return`
			`}`

			`otpInput := req.Form.Get("code")`
Redesign token authentication 2024-05-31 14:57:54 +01:00			`if h.fetchAndValidateOtp(rw, auth.Subject, otpInput) {`
Remove OTP code 2023-12-17 15:28:00 +00:00			`return`
			`}`

Correct refactored database calls 2024-03-11 12:39:52 +00:00			`if h.DbTx(rw, func(tx *database.Queries) error {`
Finish up initdb implementation 2024-03-12 21:04:25 +00:00			`return tx.SetOtp(req.Context(), database.SetOtpParams{`
Redesign token authentication 2024-05-31 14:57:54 +01:00			`Subject: auth.Subject,`
Finish up initdb implementation 2024-03-12 21:04:25 +00:00			`Secret: "",`
			`Digits: 0,`
			`})`
Remove OTP code 2023-12-17 15:28:00 +00:00			`}) {`
			`return`
			`}`

			`http.Redirect(rw, req, "/", http.StatusFound)`
			`return`
			`}`

Swap out TOTP library 2023-10-16 16:47:18 +01:00			`var digits int`
Use form value for the digits parameter 2023-10-16 18:21:42 +01:00			`switch req.FormValue("digits") {`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`case "6":`
			`digits = 6`
			`case "7":`
			`digits = 7`
			`case "8":`
			`digits = 8`
			`default:`
			`http.Error(rw, "400 Bad Request: Invalid number of digits for OTP code", http.StatusBadRequest)`
			`return`
			`}`

Convert edit OTP to all post requests 2023-10-16 18:20:31 +01:00			`secret := req.FormValue("secret")`
			`if !gotp.IsSecretValid(secret) {`
			`http.Error(rw, "400 Bad Request: Invalid secret", http.StatusBadRequest)`
Swap out TOTP library 2023-10-16 16:47:18 +01:00			`return`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`}`

Swap out TOTP library 2023-10-16 16:47:18 +01:00			`if secret == "" {`
Convert edit OTP to all post requests 2023-10-16 18:20:31 +01:00			`// get user email`
			`var email string`
Correct refactored database calls 2024-03-11 12:39:52 +00:00			`if h.DbTx(rw, func(tx *database.Queries) error {`
Convert edit OTP to all post requests 2023-10-16 18:20:31 +01:00			`var err error`
Redesign token authentication 2024-05-31 14:57:54 +01:00			`email, err = tx.GetUserEmail(req.Context(), auth.Subject)`
Convert edit OTP to all post requests 2023-10-16 18:20:31 +01:00			`return err`
			`}) {`
			`return`
			`}`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00
Convert edit OTP to all post requests 2023-10-16 18:20:31 +01:00			`secret = gotp.RandomSecret(64)`
			`if secret == "" {`
			`http.Error(rw, "500 Internal Server Error: failed to generate OTP secret", http.StatusInternalServerError)`
			`return`
			`}`
			`totp := gotp.NewTOTP(secret, digits, 30, nil)`
			`otpUri := totp.ProvisioningUri(email, h.conf.OtpIssuer)`
			`code, err := qrcode.New(otpUri, qrcode.Medium)`
			`if err != nil {`
			`http.Error(rw, "500 Internal Server Error: failed to generate QR code", http.StatusInternalServerError)`
			`return`
			`}`
			`qrImg := code.Image(60 * 4)`
			`qrBounds := qrImg.Bounds()`
			`qrWidth := qrBounds.Dx()`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00
Convert edit OTP to all post requests 2023-10-16 18:20:31 +01:00			`qrBuf := new(bytes.Buffer)`
			`if png.Encode(qrBuf, qrImg) != nil {`
			`http.Error(rw, "500 Internal Server Error: failed to generate PNG image of QR code", http.StatusInternalServerError)`
			`return`
			`}`
Swap out TOTP library 2023-10-16 16:47:18 +01:00
Convert edit OTP to all post requests 2023-10-16 18:20:31 +01:00			`// render page`
			`pages.RenderPageTemplate(rw, "edit-otp", map[string]any{`
			`"ServiceName": h.conf.ServiceName,`
			`"OtpQr": template.URL("data:qrImg/png;base64," + base64.StdEncoding.EncodeToString(qrBuf.Bytes())),`
			`"QrWidth": qrWidth,`
			`"OtpUrl": otpUri,`
			`"OtpSecret": secret,`
			`"OtpDigits": digits,`
			`})`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`return`
			`}`

Swap out TOTP library 2023-10-16 16:47:18 +01:00			`totp := gotp.NewTOTP(secret, digits, 30, nil)`

			`if !verifyTotp(totp, req.FormValue("code")) {`
			`http.Error(rw, "400 Bad Request: invalid OTP code", http.StatusBadRequest)`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`return`
			`}`

Correct refactored database calls 2024-03-11 12:39:52 +00:00			`if h.DbTx(rw, func(tx *database.Queries) error {`
Finish up initdb implementation 2024-03-12 21:04:25 +00:00			`return tx.SetOtp(req.Context(), database.SetOtpParams{`
Redesign token authentication 2024-05-31 14:57:54 +01:00			`Subject: auth.Subject,`
Finish up initdb implementation 2024-03-12 21:04:25 +00:00			`Secret: secret,`
			`Digits: int64(digits),`
			`})`
Convert edit OTP to all post requests 2023-10-16 18:20:31 +01:00			`}) {`
			`return`
			`}`

Login, edit, oauth, otp and management page changes 2023-09-15 13:06:31 +01:00			`http.Redirect(rw, req, "/", http.StatusFound)`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`}`
Swap out TOTP library 2023-10-16 16:47:18 +01:00
			`func verifyTotp(totp *gotp.TOTP, code string) bool {`
			`t := time.Now()`
			`if totp.VerifyTime(code, t) {`
			`return true`
			`}`
			`if totp.VerifyTime(code, t.Add(-30*time.Second)) {`
			`return true`
			`}`
			`return totp.VerifyTime(code, t.Add(30*time.Second))`
			`}`